Mission Dependency Modeling for Cyber Situational Awareness

William Heinbockel, Steven Noel, James Curbo

semanticscholar (2016)

Abstract
This paper describes a hierarchical graph-based model that captures mission dependencies at various levels of abstraction, showing interdependencies among mission objectives, tasks, information, and cyber assets. For this work, we employ established tools within a structured methodology for cyber resiliency analysis. Our model is focused on a strategic-level military scenario defined in a formal Request for Information (RFI) to industry and research partners by the NATO Multinational Cyber Defense Capability Development (MN CD2) Work Package 2 (WP2). We enhance this scenario with additional mission and operational context, and then build a mission dependency model for the enhanced scenario. It is anticipated that our mission dependency model will be part of an upcoming demonstration of cyber defense situational awareness capabilities in a NATO Communications and Information (NCI) Agency test environment, integrated with data sources that represent the operational military environment.

1.0 INTRODUCTION

A key aspect of maintaining situational awareness in cyberspace is understanding the interdependencies among mission elements, how mission elements depend on cyber assets, and how cyberattacks can potentially impact missions. Capturing the dependencies for realistic missions requires a structured methodology and automated tool support for dealing with complex interrelationships. Such a hierarchical mission dependency model should include high-level mission objectives, tasks that support those objectives, the information required for each mission task, down to the cyber assets that contain and process the information. Employing a graph-based mission dependency model can help show the transitive (nth-order) mission impacts of cyberattacks. For example, a graph traversal query can begin at the victim host of an attack, and traverse the graph to enumerate the mission components that depend on it, showing impact on all affected levels of the mission dependency hierarchy.
A query could also traverse in the opposite direction, e.g., to show the “cyber key terrain” supported by a given mission component. Moreover, a mission dependency model must go beyond a pure mathematical graph, to include important semantics such as the underlying logical nature of dependencies (conjunctive or disjunctive), relative criticality, ownership, geographic location, etc.

A Request for Information (RFI) published by NATO in May 2015 [1] articulates requirements for cyber defense situational awareness and decision support. The RFI describes in detail the required cyber defense capabilities. However, its scenarios lack the depth of mission operational dependency tracking and potential courses of action desired for demonstrating advanced tool capabilities, especially for RFI use cases involving asset and mission dependencies. We therefore expand the scenarios with additional operational context, which forms a basis for our dependency modeling.

Mission Dependency Modeling for Cyber Situational Awareness. PAPER NBR 5. STO-MP-IST-148. Approved for Public Release; Distribution Unlimited. 16-2764, 16-0800, 15-2592. UNCLASSIFIED.

2.0 MODEL BUILDING PROCESS

To build our mission dependency model, we employ MITRE’s Structured Cyber Resiliency Analysis Methodology (SCRAM) [2]. Illustrated in Figure 1, SCRAM defines the processes for performing varying levels of cyber resiliency analyses at different points in the lifecycle of a system, system-of-systems, or mission. SCRAM also details resources such as frameworks and models, value scales, and datasets to support these analyses.

Figure 1: Overview of the SCRAM Process.
In applying SCRAM to develop the model, we leverage a number of MITRE dependency analysis tools:

• Crown Jewels Analysis (CJA) [3] is a process and corresponding toolset for “identifying those cyber assets that are most critical to the accomplishment of an organization’s mission.”
• CyCS (Cyber Command System) [4] is MITRE’s proof-of-concept cyber situational awareness tool for addressing “mission-assurance challenges for highly distributed enterprise systems of systems through vulnerability, threat, and consequence management.”
• CyGraph [5][6] is a tool for real-time cyber situational awareness that combines isolated data and events into an ongoing overall picture for decision support and situational awareness.

SCRAM typically relies on dependency maps to help understand what is most critical, beginning in system development and continuing through system deployment. The dependency map starts by identifying missions and assigning relative prioritization. From there, dependencies flow down through operational tasks and system function to cyber assets. These dependencies are expressed qualitatively in terms of impact on a parent node resulting from a failed or degraded child node, with provisions to minimize subjectivity. With a complete model, SCRAM tools can predict the impact of a cyber asset failure or degradation as the realization of each parent/child logical statement, tracing the potential impact upward to high-level mission tasks and objectives. Analysis within SCRAM provides a dependency map to associate missions, data flows, and cyber assets, along with the methodology to “roll up” cyber asset criticality based on higher-order associations, such as mission or operational priorities. The dependency model can also be inverted (Figure 2), to identify potential mission impacts of an incident.
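The upward failure roll-up over conjunctive/disjunctive dependencies and the opposite-direction “cyber key terrain” query, as an added example that is not the paper’s, MITRE’s or any of the named tools’ code: a small mission-task-information-asset hierarchy whose node names are constructed to mirror the RFI Medevac/CHAT/ICC server scenario. The three-state (OK/DEGRADED/FAILED) roll-up rule and the radio fallback for Medevac are assumptions of this example.

```python
# Added example, not from the paper or its tools: an AND/OR mission dependency
# hierarchy, the forward failure-impact roll-up, and the inverted cyber key
# terrain query. Node names are constructed to mirror the RFI scenario.
OK, DEGRADED, FAILED = "OK", "DEGRADED", "FAILED"
# parent -> (logic, children). AND: every child is needed; OR: alternatives.
DEPS = {
    "Mission: Operation in RC-N": ("AND", ["Task: Medevac", "Task: C2 planning"]),
    "Task: Medevac": ("OR", ["Info: Medevac coordination (CHAT)",
                             "Info: Medevac coordination (radio)"]),
    "Task: C2 planning": ("AND", ["Info: Air tasking order"]),
    "Info: Medevac coordination (CHAT)": ("AND", ["Service: CHAT"]),
    "Info: Medevac coordination (radio)": ("AND", ["Asset: Tactical radio net"]),
    "Info: Air tasking order": ("AND", ["Service: ICC"]),
    "Service: CHAT": ("AND", ["Asset: ICC server (RC-N)"]),
    "Service: ICC": ("AND", ["Asset: ICC server (RC-N)"]),
}

def assess(deps, lost, node, memo):
    """Roll the state of `node` up from the leaf cyber assets listed in `lost`."""
    if node in memo:
        return memo[node]
    if node not in deps:                       # leaf: a cyber asset
        state = FAILED if node in lost else OK
    else:
        logic, children = deps[node]
        states = [assess(deps, lost, c, memo) for c in children]
        if logic == "AND":                     # one failed child fails the parent
            state = FAILED if FAILED in states else DEGRADED if DEGRADED in states else OK
        else:                                  # OR: degraded until every alternative is gone
            state = (FAILED if all(s == FAILED for s in states)
                     else DEGRADED if any(s != OK for s in states) else OK)
    memo[node] = state
    return state

def impact(deps, lost):
    """Forward query (Figure 2 direction): every node not OK once `lost` assets are disconnected."""
    memo = {}
    for n in deps:
        assess(deps, lost, n, memo)
    return {n: s for n, s in memo.items() if s != OK}

def key_terrain(deps, component):
    """Inverse query: the leaf cyber assets that `component` transitively depends on."""
    seen, stack = set(), [component]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(deps.get(n, (None, []))[1])
    return {n for n in seen if n not in deps}
```

Disconnecting the ICC server yields DEGRADED for Task: Medevac (the radio alternative survives) but FAILED for Task: C2 planning and therefore for the mission, which is the kind of transitive impact a commander would need to weigh against the APT.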
Figure 2: Assessing Failure Impact.

3.0 SCENARIO ENHANCEMENTS AND MISSION DEPENDENCY MODEL

Our effort focuses on enhancing the strategic-level “Oranjeland APT” scenario of the RFI. As appropriate for the early design and development stages, we concentrate on the first and third SCRAM steps of Figure 1: Understanding Mission & Threat Context and Analyze Architecture & Mission Threads. For the mission and threat context, the RFI documents the APT threat in the scenario, but gives limited insight into the supported operational mission of medical evacuations (Medevac). Here is an excerpt of the RFI scenario and operational context [1]:

“A network administrator in the RATM Network Operations Centre (NOC) notices unusual network activity, which has not been detected by the antivirus, on a server at Regional Command North (RC-N), and suspects an Advanced Persistent Threat (APT). He contacts the NATO Cyber Security Operations (CSOps), who create an incident ticket. CSOps does a series of initial investigations using the CDSAS [cyber defense situational awareness system], and identifies this to be an Integrated Command and Control system (ICC) server. They collate all relevant information and options into a report and then they contact the Comprehensive Crisis and Operations Management Centre (CCOMC) Cybercell (CCC), recommending the course of action to disconnect the ICC server to disrupt the APT. CCC is aware of a planned mission in the area affected. Planned downtime is an important factor along with the negative impacts of the APT (e.g. exfiltration of data)... The system can also then show the risk that if the server is turned off, CHAT would become unavailable as it is hosted on the same server.
Loss of CHAT would appear with an impact of Medical Evacuations (Medevac) being hindered significantly as they are mainly done over CHAT. With a mission about to commence in the area, Medevac is likely to be an essential service. The Commander would need to judge whether the risk should be taken of running the mission without a CHAT capability, or whether it is essential to run the mission, and essential to have CHAT available, in which case the server will need to remain on. The system should allow him to compare the risks of keeping the server on, and whether that in itself will pose a threat to his mission.”

The next section (Section 3.1) describes scenario enhancements through expanded courses of action for maintaining mission readiness, applying the SCRAM methodology. In Section 3.2, we describe the mission model for the RFI scenario. Section 3.3 then describes the data requirements for this model.

3.1 Expanded Courses of Action

It is important that solutions for cyber defense situational awareness incorporate the full scope of the available courses of action. Sometimes the best course of action is obvious (e.g., use a redundant server). Other times the best course of action lies within a different command. A key capability of a situational awareness solution is to understand the mission dependencies and common operating picture (COP), and to help a commander make the best decisions, leveraging the maximum amount of information available. We recommend approaching the courses of action in order of resource intensity. Priority should be given to those courses of action that are fast, efficient, and require the least amount of coordination.
In general, a solution should be able to provide courses of action within these three domains:

• Technical – redundant or spare cyber assets
• Service – redirect from another area or fall back on alternative functionality
• Operational – leverage the concept of operations (CONOPS), call alternative commands for support

Within each of these domains, there are at least two categories of alternatives for courses of action:

• Technical
  • Replace: Can the cyber asset (e.g., system, network) be replaced with redundant components (e.g., spare servers, redundant network paths)?
  • Reconstitute: Can the cyber asset be reconstituted? For example, can the system replicate a server instance from a gold master virtual machine image, or dynamically reconfigure the network?