Measuring agility in cyber defense
To better train cyber defenders to protect systems and networks, researchers have developed a cyber agility framework that measures the speed and effectiveness of responses to attacks.
To better train cyber defenders to protect systems and networks, Army researchers have developed a cyber agility framework that measures the speed and effectiveness of responses to attacks.
In a partnership with the University of Texas, San Antonio (UTSA) and the Army Research Laboratory, cybersecurity researchers developed a set of metrics to help operators measure how well their methods and tactics work during an active intrusion.
Shouhuai Xu, director of the UTSA's laboratory for cybersecurity dynamics, said that agility, as the framework's name implies, is a cornerstone of cybersecurity.
"We realized that agility is an important aspect of cybersecurity and is poorly understood. Through the framework and limited empirical study, we observed that cyber attackers are more agile than cyber defenders in many cases," Xu said via email.
Researchers used a honeypot to attract and analyze time and effectiveness of malicious traffic and responses. As both attackers and defenders developed new techniques, the researchers saw how a series of engagements revealed a pattern.
The framework uses a suite of 14 metrics to measure agility based on timeliness and effectiveness, Xu said, namely how long it takes for a cyber defender to counter an attacker and adapt. He said cyber practitioners can use the framework on real-world cyber datasets -- even classified or sensitive ones.
"The cyber agility framework offers a better way of identifying (and predicting) attacks, by taking into account past history of traffic, and allowing an analyst to concentrate on higher order reasoning," said Purush Iyer, division chief of network sciences at Army Research Office, which is a part of Army Research Laboratory. "It's a big step in enhancing cybersecurity predictability."
It's not just about plugging a security hole, said Jose Mireles, who co-developed the framework as part of his graduate thesis at UTSA. "It's about understanding what happens over time. Sometimes when you protect one vulnerability, you expose yourself to 10 others."
He said the research team couldn't find any "quantitative number with respect to time" related to the interactions between attackers and defenders in existing literature.
"A lot of people will give you a qualitative number," such as a system is pretty good and catches 90% of attackers, "but the figures don't stack up" when comparing vendor products, Mireles said. So the researchers set out to find common ground.
"The framework's intent is to try to measure with an actual number some of these performance standards or questions that we've proposed," Mireles said. "If you [monitor] attackers and defenders …how are you doing? Are you effectively catching or not?" he said. Framework users get a hard number that they "can present and compare against for improvement."
For now, the framework is in the foundational research phase, but Xu said researchers are "investigating how to improve the framework and possibly establish some use cases to make it easier to adopt the framework in practice." The ultimate goal, he said, is for it to be widely adopted and improved upon via collaborations with industry.
Xu said the research team is reaching out to industry partners and Army Science and Technology program, but the future is unclear.
Iyer told FCW the project isn't quite ready for prime time, but given the current threat environment, it is definitely necessary with the U.S. and Iran "hacking each other ... and DOD is in the thick of things."
But hopefully, the framework will be ready to make its way to U.S. Cyber Command or elsewhere in the Defense Department in the next three to five years, Iyer said.
This article was first posted to FCW, a sibling site to GCN.