The Cyber Kill Chain: A New Foundation for Cyber Security Strategy - Network Kill Chain Chinese Use Of Same to Defeat Cyber Adversaries
2012-03-08 11:28 Source: Sohu
In some quarters of the cyber security world, the conventional wisdom is that the defenders of critical information technology assets are locked in an asymmetric war in which the adversary enjoys an unlimited advantage, leaving the defenders in an extremely unfavorable position. For every "shield" (that is, protective measure or facility) the defender deploys, the adversary can invent hundreds or even thousands of new weapons or bypass techniques to pierce it. The adversary need only succeed once in millions of attempts to penetrate the defensive "shield", while the defender is left facing the unpredictable consequences of being unable to stop every attack.
This picture is very common, yet the conventional view is fundamentally somewhat overstated. It is true that, from the adversary's perspective, this form of combat is asymmetric, but the attacker does not always hold the advantage unless we allow them free rein. Every sensible commander knows that controlling the battlefield, that is, choosing where, when and how to fight, is fundamental to securing strategic advantage and ultimately defeating the enemy. In cyberspace the enemy has had ample time to choose how to fight. It is time for that to change. Given the value of America's cyber assets, not only in defense but also in critical infrastructure such as energy and health care information technology services, adopting a new concept of cyber security is not a matter of convenience, and the stakes are high. A purely preventive posture also concedes that the enemy holds this advantage. If defenders change their perspective on the problem, that advantage is not fixed. We can win, meaning we can stop intruders from achieving their objectives, if we understand how the adversary operates and adjust our defenses to block their avenues of attack. Our industry already has many tools and procedures for detecting and denying network intruders, and we are training our people and developing new technologies and procedures to close the remaining gaps. The cyber security community has not yet come together as a whole, but we still have considerable opportunities to exploit and share our understanding of the adversary's ever-changing tactics and to develop new operational concepts from it.
To understand the adversary, one must first appreciate that different threats call for different strategies, and classify the most insidious group of attackers as Advanced Persistent Threats (APT). Second, based on analysis of current attack patterns, we must treat APT intrusions differently. Each engagement is not a chance event but one stage of a premeditated operation. In every intrusion, the intruder must proceed through a series of successive steps before reaching the final objective.
Viewing attacks in this way, as an offensive kill chain, yields a roadmap for a new security strategy. The defender can stop the adversary with a single move: breaking any one step disrupts the intrusion, whereas the attacker must succeed at every step. The defender gains a further strategic advantage by slowing down every step of the kill chain, after which the enemy must change its method at each step in order to succeed. Finally, no tool or procedure today can perform this level of intelligence analysis; skilled analysts collaborating with others and sharing lessons learned from (stopping) intrusions are the core of such a strategy. Countering threats in today's cyber security is less like rocket science (with its sudden leaps forward) and more a matter of pooling knowledge and making incremental progress, supported by improved training, practices and thinking.
The Importance of Security
The critical importance of cyber security can be summed up in two words: mission resiliency. Whether they hold sensitive data, defense systems, or public and private infrastructure, most of America's critical systems and assets must remain operational under all conditions, even in the face of disruption. On the battlefield, mission resiliency depends on fast and convenient access, at any time and place, to trusted information that gives commanders accurate situational awareness and the freedom to execute their plans, even inside the enemy's decision loop. As is well known, the execution of critical missions across defense, government and industry depends universally on information technology, so winning in cyberspace matters to the nation as much as winning on land, at sea, in the air and in space.
Because our missions across the board rely increasingly on information technology, our adversaries have begun to strike at our networks. Understanding the nature of these attacks and the intent of those behind them is the foundation for designing an effective cyber security strategy.
What demands attention is the exponential growth in attacks. Symantec, a leading developer of security software, reported in volume 15 of its Global Internet Security Threat Report that roughly 3 million new malicious code signatures appeared in 2009, more than in the previous 15 years combined. These figures show that unknown threats outnumber known ones, while many of today's cyber security solutions lean toward blocking known threats without ever identifying the root cause.
General-purpose detection nonetheless remains an indispensable part of defense. Dick Schaeffer, retired director of the National Security Agency's Information Assurance Directorate, has said that with industry best practices, properly implemented, we can successfully repel about 80% of cyber attacks at the network access points. This is because most attackers, although they keep pace with the times and grow more cunning, remain essentially opportunists whose aim is to break a network and leave, or to steal personal data. They rely on large numbers of probes in the hope of finding unprotected or poorly protected systems. By implementing best practices and approaching integrated defense, organizations can counter most such attacks. Solutions and procedures that manage the current situation are already in use at many forward-looking organizations; each organization must find the best way to use them. What about the attacks beyond that 80%? That is the formidable challenge facing the cyber security community. Unknown threats and APT fall, in theory, into this remaining 20%, and we believe we have the ability to anticipate and counter them.
Advanced Persistent Threats (APT)
Because today's IT assets are so valuable, our adversaries' intentions have changed, and so have their strategies. We find that the adversaries we face today, including organized crime, terrorists and nation states searching for economic, political or military secrets, are more threatening and more capable. These highly motivated and well-funded organizations and individuals are more stealthy, patient and persistent. Their intent is not to "smash and grab" but to establish a deep presence in the target network so that they can come and go on the "data" battlefield at will, without alerting the victim, over a long period. They can be called the spy moles of the network.
Such APTs cannot be stopped by the traditional method of deploying bigger and more numerous defensive shields. The adversary frequently uses social engineering, targeting a specific individual as the entry point, a practice known as "spear phishing", and has the resources to develop custom malware and zero-days that evade patches and anti-virus detection or reduce the chance of exposure. In short, these actors will persist. Once their "barrage" against the outer defenses succeeds, they plant a "spear" (that is, probing scanning software) inside the network itself and keep probing for weaknesses so that they can act freely from within, while from the outside the defenses appear to have lost their effect. APT intrusions are therefore not isolated or discrete events but covert campaigns that can span years. The persistent threat adapts to the defender; after achieving its aims it reassesses and chooses either to spread out or to end the campaign.
Because purposeful intrusions are time-consuming and laborious, attackers focus on high-value information: government and critical infrastructure IT systems and networks. Beyond the high value these targets represent, they are also structurally complex and contain particularly fragile parts. Government networks, both civilian and defense, span many agencies, are intricately interconnected, and are often amalgamations of many essential systems and networks that were built to different standards. Security for these systems and networks, and for the software within them, was never considered holistically, let alone implemented as a whole, and to an experienced intruder they are riddled with holes. From architectures that never considered how the various systems would integrate, to developers who wrote code without considering security and left application-level vulnerabilities, the many poor designs in this infrastructure and environment are why advanced threats are so prevalent today.
Worse still, APT not only targets networks and systems already in place; it may also exploit the supply chain, so that once installed in the target environment other threat "carriers" can insert malicious code or (controlled) hardware and establish command and control channels. We must achieve visibility and auditing of electronic systems manufacturing, and consider applying anti-tamper techniques to devices over which we cannot exercise physical control.
Before defenders can win the fight against APT, they must understand how the adversary operates. At Lockheed Martin we have analyzed APT intrusions and identified seven steps in the process, with the characteristics of each; borrowing a term from the defense community, we call this the "kill chain". We use this method every day to defend our corporate network. For the defender, the most important lesson of the kill chain is to understand in detail how the adversary moves from each successful step to the next before reaching the desired objective; a single countermeasure is enough to break the chain and defeat the adversary. The more countermeasures the defender has along the chain, the more resilient the defended system becomes. The parts of the kill chain are as follows:
1. Reconnaissance. Researching, identifying and selecting targets, typically by searching Internet websites for e-mail addresses or related information with specific techniques.
2. Weaponization. Usually coupling a remote access Trojan with a deliverable payload using a privately developed automated tool. Increasingly, data files such as Microsoft Office documents or Adobe PDF files serve as the "weaponized" delivery "device".
3. Delivery. Transmission of the "weapon" to the target (network or system). The most common delivery vectors for the "weapon carrier" are e-mail, websites and USB removable media.
4. Exploitation. Triggering the attacker's code. Most commonly this exploits a vulnerability in an application or the operating system; simpler forms persuade the user to open an executable e-mail attachment or take advantage of an operating system feature that runs code automatically.
5. Installation. Installing a remote access Trojan or backdoor on the compromised system, allowing the attacker to affect all users of the system and to persist across reboots.
6. Command and Control (C2). Most commonly, the compromised host establishes a C2 channel to an Internet-connected server controlled from abroad. This connection provides manual "hands on keyboard" access, a capability most APT malware necessarily offers.
7. Actions on Objectives. The final step, which can begin only after the intrusion has succeeded. The most common objective is data theft: collecting, encrypting and exfiltrating information from the compromised system. Attackers may also attempt to compromise data integrity or availability. Another objective may be to move laterally from the victim's IT environment and start a new kill chain against a subsequent target.
Attack Reconstruction and Synthesis
Investigating and understanding the kill chain process from the adversary's perspective provides valuable guidance for analyzing their intent when an intrusion is detected. A single detection usually reveals only limited characteristics of one step of an attack, but further analysis can uncover many other characteristics and offer several options for defending against the activity. Moreover, detecting an intrusion at one step lets the defender trace the attack process backward and identify the earlier steps that succeeded undetected. Those early steps can then be analyzed to gather intelligence that helps cut off subsequent attacks earlier in the kill chain.
Analyzing the process forward from the start of the intrusion is just as important as tracing it back from the point of detection. By synthesizing what has already happened, the defender can identify the methods the attacker plans to deploy in later steps, such as installing a backdoor.
For example, the adversary sends a spear-phishing e-mail to an individual in an organization carrying a "zero-day" (zero day) exploit. The exploit is not detected by the gateway or workstation anti-virus software, but the e-mail delivery carries well-known indicators associated with an APT campaign, so the intrusion is blocked at the delivery step. Once the malicious code is analyzed and identified as a zero-day exploit, that information is shared within the defense industrial base. The adversary now has a new exploit but has not changed its delivery mechanism; if it does change delivery, its command and control (C2) channel will most likely remain the same as always, and the intrusion can be caught there. This approach lets defenders develop resilient countermeasures and use them for prevention rather than pursuit, and prioritize investment in new technologies and procedures.
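The correlation this section describes, tracing a detection back across the earlier phases and reusing indicators from prior campaigns to break a new attempt at the earliest possible step, can be sketched in code. The following Python is an added illustration and is not Lockheed Martin's code or tooling; the phase names follow the seven steps listed above, and every sender address, subject line, hash and domain in the sample data is a constructed placeholder.

```python
"""Kill-chain indicator correlation (added example, not Lockheed Martin's tooling).

Each intrusion attempt is recorded as indicators grouped by kill-chain phase.
A new attempt is compared phase by phase against prior campaigns: indicators
the adversary reused show where a countermeasure already exists, the earliest
such phase is where the chain should be broken, and indicators never seen
before are the new intelligence to record and share.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The seven phases, in the order the article lists them.
PHASES: List[str] = [
    "reconnaissance",
    "weaponization",
    "delivery",
    "exploitation",
    "installation",
    "command_and_control",
    "actions_on_objectives",
]


@dataclass
class Intrusion:
    """One observed intrusion attempt: phase name -> set of indicator strings."""
    name: str
    indicators: Dict[str, Set[str]]

    def phase(self, name: str) -> Set[str]:
        return self.indicators.get(name, set())


def shared_by_phase(new: Intrusion, known: List[Intrusion]) -> Dict[str, Set[str]]:
    """Indicators of `new`, per phase, that also appear in some known campaign."""
    shared: Dict[str, Set[str]] = {}
    for phase in PHASES:
        hits: Set[str] = set()
        for campaign in known:
            hits |= new.phase(phase) & campaign.phase(phase)
        if hits:
            shared[phase] = hits
    return shared


def novel_by_phase(new: Intrusion, known: List[Intrusion]) -> Dict[str, Set[str]]:
    """Indicators of `new`, per phase, never seen in any known campaign."""
    shared = shared_by_phase(new, known)
    novel: Dict[str, Set[str]] = {}
    for phase in PHASES:
        unseen = new.phase(phase) - shared.get(phase, set())
        if unseen:
            novel[phase] = unseen
    return novel


def earliest_blocking_phase(new: Intrusion, known: List[Intrusion]) -> Optional[str]:
    """Earliest phase with a reused indicator: block there and the later
    phases never run, even if they use never-before-seen tooling."""
    shared = shared_by_phase(new, known)
    return next((phase for phase in PHASES if phase in shared), None)


def phases_completed_before(detected_phase: str) -> List[str]:
    """Phases that must already have succeeded if activity is first seen at
    `detected_phase`; these are where the defender looks for missed evidence."""
    return PHASES[: PHASES.index(detected_phase)]


def course_of_action(new: Intrusion, known: List[Intrusion]) -> List[str]:
    """Summarize the analysis as analyst-readable lines."""
    lines: List[str] = []
    block_at = earliest_blocking_phase(new, known)
    if block_at is None:
        lines.append("no overlap with known campaigns; treat as new activity")
    else:
        reused = ", ".join(sorted(shared_by_phase(new, known)[block_at]))
        lines.append(f"break the chain at '{block_at}' using reused indicators: {reused}")
        for earlier in phases_completed_before(block_at):
            lines.append(f"review '{earlier}' for evidence that was missed")
    for phase, items in novel_by_phase(new, known).items():
        lines.append(f"record new '{phase}' indicators: " + ", ".join(sorted(items)))
    return lines


# Constructed sample data; every address, subject, hash and domain is made up.
KNOWN_CAMPAIGNS: List[Intrusion] = [
    Intrusion(
        name="campaign-A (constructed)",
        indicators={
            "delivery": {"sender:benefits-update@mail.example.invalid",
                         "subject:Open enrollment reminder"},
            "exploitation": {"pdf-exploit:known-signature-A"},
            "installation": {"dropper-sha256:CONSTRUCTED-HASH-A"},
            "command_and_control": {"c2-domain:updates.example.invalid"},
        },
    ),
]

# The article's scenario: the same spear-phishing delivery and C2 as before,
# but an exploit no anti-virus signature recognizes (a possible zero-day).
NEW_ATTEMPT = Intrusion(
    name="attempt-B (constructed)",
    indicators={
        "delivery": {"sender:benefits-update@mail.example.invalid",
                     "subject:Open enrollment reminder"},
        "exploitation": {"pdf-exploit:unrecognised"},
        "installation": {"dropper-sha256:CONSTRUCTED-HASH-B"},
        "command_and_control": {"c2-domain:updates.example.invalid"},
    },
)

if __name__ == "__main__":
    for line in course_of_action(NEW_ATTEMPT, KNOWN_CAMPAIGNS):
        print(line)
```

Run as a script, the analysis recommends breaking the chain at delivery on the reused sender and subject, flags reconnaissance and weaponization as phases that completed unseen, and records the unrecognized exploit and new dropper hash as fresh intelligence, which is exactly the sharing step the paragraph above describes.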
An Enterprise Approach to Cyber Defense
Armed with knowledge of our adversaries' strategies, how do defenders acquire the knowledge to develop a strong defense that copes with ever-changing intrusions and ensures mission resiliency? The answer is to reconfigure the cyber defense program so that well-trained staff, using mature processes and advanced tools, address the highest-priority threats. Working closely with partners and sharing more information also lets the cyber security community offset the attacker's current advantage. The essence of this program is an enterprise approach: managing cyber security as a whole rather than as a collection of fragmented functions, from network access control and data leak prevention to system auditing and forensic analysis, each handled in its own silo as in traditional practice. This new approach rests on three pillars: integrated solutions, proactive services and disaster-resilient systems.
The Integrated Solutions Pillar
Excellent commercial products are typically deployed by separate IT organizations with little coordination. A point solution is effective for the specific capability it offers, but by itself it is not a comprehensive defense. These solutions need to be seamlessly integrated within a security organization that spans all of the enterprise's hardware and software. Other techniques, such as end-to-end correlation across multiple systems, show that analysts cannot merely be experts in a single tool or technique; they must be multidisciplinary experts who connect data in new ways to solve pressing challenges. Another important aspect of an integrated solution is performance metrics. Traditional metrics such as attacks detected and blocked say almost nothing about whether actual data breaches were avoided. Measuring how bad things are gives only a negative sense of security and must be replaced with a more mature set of metrics. Recently, government and industry cyber defense experts proposed 20 network controls, known as the Consensus Audit Guidelines (CAG), to help organizations understand more effectively what they need to defend against and how to do so. The CAG document identifies the attacks each control mitigates, lists best practices for automating the controls, and specifies tests for verifying that each control is implemented effectively. As part of an integrated solution, CAG can serve as a baseline for continuously measuring cyber security and ensuring audit compliance, and it does address the 80% of cyber attacks.
With an appropriate integrated solution in place, the second pillar of the enterprise approach, proactive services, provides technical solutions and plans for addressing known and unknown threats. Developing and integrating the best IT security products is a team sport, requiring broad cooperation across the defense industry through public/private partnerships and research at laboratories and universities. If we intend to stay ahead of the adversary, this teamwork is essential.
We (the U.S. military) have joined with industry to form a cyber security technology alliance. Participants include Cisco, Intel, McAfee, Microsoft, Symantec, Juniper Networks, EMC, RSA, VMware, NetApp, CA Technologies, Dell, HP and APC. These partners have contributed their latest solutions, backed by their experts, to our Next-Gen Cyber Innovation and Technology Center. They are testing realistic, simulated customer solutions across a high-speed, globally interconnected network. These solutions provide a secure end-to-end foundation that protects effectively against known and unknown threats and creates an environment for understanding the adversary's attack strategies, which in turn teaches us how to defend ourselves across the global network. The alliance uses the test environment for repeated advanced exercises with current intrusion techniques, accelerating defenders' learning in responding to complex attacks.
At the same time, alliance partners, national laboratories and leading universities collaborate on research to develop solutions to known, serious challenges and to mitigate unknown threats. These solutions are tested and integrated into customer environments to ensure consistency.
The purpose of this research and experimentation is to identify dangers as early as possible and eliminate the unpredictable. Before the adversary achieves its objective, the data itself carries indications and warnings that give visibility into potentially damaging intrusions. Analyzing attacker behavior patterns helps predict malicious events before a real intrusion occurs, heading off trouble before it starts, and so serves as the defender's indicator and alarm bell. The third pillar of the enterprise approach, disaster-resilient systems, must address whatever may happen to a system: however good its defenses, every system has some vulnerability and may be compromised at some point. Given this reality, a fully integrated and tested solution should be regarded as a solid foundation, but it cannot guarantee perfect protection against persistent, sophisticated and ever-changing threats. To reach the next level of effectiveness (full system recovery, described below), the solution must ensure mission resiliency during and after an intrusion.
Manual techniques and methods are not enough against this class of serious threat. Speed of recovery is critical, as becomes evident whenever we perform time-consuming operations. This means implementing automated recovery: machine-to-machine interaction that can respond rapidly to a threat even as the intrusion is under way. Assimilating libraries of data (meaning collected and stored data of all kinds, not a database in the narrow sense of tabular storage; assimilation meaning classifying and organizing existing data so that it conforms to a standard and is easy to manage), fusing multi-source intelligence with network operations data, selecting courses of action and executing operations across the global network all require a more advanced automated command and control network than exists today. One approach to automated recovery is self-healing systems, in which software and hardware repair themselves or revert to a trusted state and keep running even while under attack.
The Challenge Is Intensifying
Achieving the 80% solution is not revolutionary; the technologies and methods already exist today. Effective implementation, however, requires cultural change, which has proven hard to achieve. Our adversaries are no smarter or more experienced than we are, but to defeat them we must adopt new approaches to how, when and where we deploy our resources against them. In a global cyberspace shared by friend and foe, we cannot dig a wide moat to keep the enemy from our gates. We can, however, stop the enemy from achieving its objectives by denying it the theft of our data and the destruction of our systems. Victory in the fight against the remaining 20%, the sophisticated advanced persistent threats, is within reach. We are observing demonstrations of modern disaster recovery systems at national laboratories and within research and development teams. We have described how the kill chain process turns asymmetric warfare to the defender's advantage. If industry can leverage partnerships and cooperate with better information sharing, defenders can win (the cyber war).
To do so, defenders must implement integrated solutions that overcome the barriers of fragmented organizations, however powerful their tools and systems. We must also recognize cyber defense for what it is: a crisis management challenge for the entire organization. Defending cyberspace is a critical mission for the organization as a whole, and decisions on deploying cyber defense resources must reflect that (stark) reality. Commanders must lead this change; it is also among their most important missions. What is our most important mission? What is our most valuable information? Where is it held? How does it retain its value over time, and for how long must it be protected?
To fight the latest generation of cyber adversaries effectively, we must broaden our view of the battlefield. We must implement new strategies through intelligence-driven approaches such as modeling intrusions on the kill chain. We must develop new technologies and deploy them in a more integrated fashion, equipping skilled analysts with mature processes. Finally, we must be able to adapt to the constantly changing threat environment in order to reach and maintain mastery.
If we achieve an enterprise-level view with highly trained professionals, and are as persistent as our adversaries, we can win the cyber war.