Decision makers are required to know the reliability of intelligence being provided for situational awareness; therefore, a single metric is inadequate to effectively measure the performance of a system. A set of metrics measuring the various dimensions is required to fully characterize and provide a gauged understanding of the performance of the systems. Techni-Core’s metrics and methodology will reduce uncertainty in perceived data, inherent uncertainties associated with inaccurate interpretations of intrusion detection sensor reports, and incomplete knowledge of friendly forces.
Cyber Situational Awareness (SA) focuses on the relationship of an infrastructure’s status to the operational mission impact. Cyber SA provides a complete, accurate, productive and timely base of information essential for commanders and other decision makers to develop the ability to predict or operate through a cyber attack, outage, or activity and accomplish the operational mission. Cyber SA recognizes cyberspace as a domain and calls for a clear understanding of function, security and impact. This capability has become increasingly important as the Department of Defense (DoD) continues exploitation of net-centric operations and establishes cyberspace as a core domain.
A common misconception of the cyberspace domain is that it supports computer and network operations; however, cyberspace is a communication infrastructure that primarily supports the air, land, sea, and space domains during military operations. Cyberspace operations gather intelligence, pass information, establish communication in support of all domains, and improve efficiency of information dissemination.
Techni-Core enhances support for shifting from a traditional, reactive network defense posture to one that is more predictive and dynamic. This significantly improves the DoD’s ability to predict, deter, and possibly counter attacks prior to an event of interest. A true defense-in-depth strategy segregates internal assets based on their sensitivity, classification, and prioritization as determined during planning.
To incorporate proper cyber SA, our forces must know whether a friendly or adversary’s cyber network is operational and understand what information is flowing over the network and how it supports the operational mission of friendly or adversary forces. The key is not to limit cyber SA to physical hardware, software, communication lines, etc., that make up the network, but to include the information that is flowing through the physical aspects of the network. The informational aspect of cyber SA is key.
The most important aspect of cyberspace is that it is constantly changing, and it does so at the will of the malicious source or adversary. Cyberspace can be expanded, contracted, or segmented at will. Each hardware, configuration, or software modification effectively changes the domain. This inherent malleability makes it vitally important to have a real-time picture of cyberspace. The consequences of a cyber attack or even espionage can have impact in microseconds.
A critical component required to operate effectively in cyberspace is the transition from a perimeter-defense strategy to a true active defense-in-depth strategy. The DoD approach to cyberspace security has been to fortify the network perimeter. Primary protection has been placed at the perimeter and protects everything inside it to the same standard. The cyberspace perimeter-defense strategy has proven ineffective. Once a malicious source or adversary breaches the defensive perimeter, it is extremely difficult to track and expel the threat. The transition to an active defense has greatly increased the opportunity to develop the systems, tools, and methodologies required for effective cyberspace operations.
The importance of one system knowing the status of the other systems upon which its mission depends becomes evident when the question is no longer simply whether a particular system or network is up or down. A malicious source or adversary could be in the system changing data without affecting the performance of the system or the network. An end node may not notice any difference in the services being provided and may continue to trust data coming over the network. Notifications of potential infections that may be reducing the integrity of the data need to be passed to systems downstream.
Modeling assists cyber SA architects in defining a consolidated cyber SA picture. Programs and agencies implement modeling tools in which they can test their systems against future adversary cyber threats. Modeling tools examine current and future cyber threats against a system’s cyber architecture and allow program offices to adapt their systems and strategically stay ahead of the adversary. In cyberspace an effective Common Operating Picture (COP) must provide SA of the domain. A variety of network modeling tools show the links between nodes, the traffic flow between those nodes, and a rough orientation on a geo-spatial map where significant or critical nodes can be physically mapped. Most enterprise network administration tools do not emphasize physical location because the rack in the data center is typically irrelevant, but in some situations, understanding the physical location of possible activities and attacks may be important for assessing mission impact.
Cyber SA overlaps with SA in the physical battle space. Activities, threats and attacks in cyberspace could affect a mission in multiple ways. Therefore, it is important to integrate cyber SA with SA in the physical space. Combining the SA in the two spaces facilitates cyber professionals and decision makers in better detecting, predicting, preventing, and responding to activities or attacks in each space by fusing information from both spaces. A key to integrating cyberspace SA with physical SA is to introduce context that describes situations across multiple layers. The proposed cyber SA methodologies assist analysts and other cyber professionals in maintaining a situational understanding of the dynamic evolution of multiple situations, so that they can maintain a holistic view in a larger context, connect cross-domain situations when their relationship emerges, predict the evolution of situations, and choose decisions and actions based on their predictive and holistic understanding of both the situation in cyberspace and the mission in the physical space.