According to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact "federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information" has increased by 782 percent--from 5,503 in 2006 to 48,562 in 2012. In that report, GAO also stated that while there has been incremental progress in coordinating the federal response to cyber incidents, "challenges remain in sharing information among federal agencies and key private sector entities, including critical infrastructure owners."
Progress in this area was hindered by "difficulties in sharing and accessing classified information and the lack of a centralized information-sharing system," the report stated. This blog post describes a tool that members of the CERT Cyber Security Solutions (CS2) Directorate are developing to provide the various agencies and organizations that respond to cyber incidents a platform by which to share information and forge collaborations.
I have witnessed these challenges to effective collaboration first-hand. In my role, I am often called upon to observe subject matter experts who advise incident responders while they manage cyber incidents, to assist in collecting evidence and presenting it to authorities working criminal cases. In this role, I have repeatedly observed incident responders, including law enforcement and subject matter experts, operating in disconnected silos. Representatives from these agencies literally set up separate workstations.
While attackers are organized and well-coordinated in their efforts, the agencies and organizations that respond to these cyber incidents operate in disconnected silos and need a shared platform for trusted collaboration. The aim of our work is to create this platform. We intend the platform to be used across a range of groups, such as computer security incident response teams (CSIRTs), incident responders, commercial companies, and law enforcement.
Our Approach: Cerebro
At its core, Cerebro is a prototype that allows collaborators to identify and tag actionable information. The information is collected at a level of granularity that allows collaborators to specify the extent to which they want to share this information: at a group level, an organizational level, or with all participants of an organization.
As outlined in the IEEE paper Cerebro: A Platform for Collaborative Incident Response and Investigation, which I co-authored along with Tim Palko, our approach incorporates a six-phase model that represents the process an incident responder/assessor goes through when responding to a cyber incident:
Cerebro takes a practical approach to defining a system model that collects and analyzes data in a trusted cloud-computing platform, which allows us to store large volumes of data while simultaneously processing them to find, store, and categorize evidence of malicious attacks. We will host our tool on an extensible large-scale analysis platform for managing and analyzing data (such as logs and communications). The analysis platform provides better management and a better security model, and is equipped with a suite of open-source tools for log and data extraction, data and evidence storage, data and log analysis, and forensics.
In a cyber attack, organizations may encounter an adversary who targets communication between administrators to disrupt the effectiveness of their response. In designing a framework to foster collaboration in the wake of a large-scale cyber attack, we envisioned role-based access control that draws upon the principle of least privilege.
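To make the sharing model concrete, here is an added example (not Cerebro's own code) of a default-deny visibility check for tagged items shared at the group, organizational, or all-participants level described above; the scope names, the data shapes, and the sample items are assumptions constructed for illustration.

```python
# Added example, not part of Cerebro: least-privilege visibility decision for
# tagged incident data. Scope names and record layouts are assumptions.
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    GROUP = "group"                # only members of the publishing group
    ORGANIZATION = "organization"  # anyone in the publishing organization
    ALL = "all"                    # every participant on the platform


@dataclass(frozen=True)
class Participant:
    name: str
    organization: str
    groups: frozenset  # group ids the participant belongs to, e.g. "acme:ir"


@dataclass(frozen=True)
class TaggedItem:
    item_id: str
    organization: str  # publishing organization
    group: str         # publishing group within that organization
    scope: Scope       # how widely the publisher chose to share it
    tags: tuple        # e.g. ("ip", "c2") or ("attack-type",)


def can_view(viewer: Participant, item: TaggedItem) -> bool:
    """Deny unless the item's scope explicitly covers the viewer (fail closed)."""
    if item.scope is Scope.ALL:
        return True
    if item.scope is Scope.ORGANIZATION:
        return viewer.organization == item.organization
    if item.scope is Scope.GROUP:
        return viewer.organization == item.organization and item.group in viewer.groups
    return False  # unknown or unset scope: never widen access by accident


def visible_items(viewer: Participant, items) -> list:
    """Filter a feed down to what this participant is allowed to see."""
    return [i.item_id for i in items if can_view(viewer, i)]


# Constructed sample data: one organization ("acme") publishing at three scopes.
ITEMS = (
    TaggedItem("ioc-1", "acme", "acme:ir", Scope.GROUP, ("ip", "c2")),
    TaggedItem("ioc-2", "acme", "acme:ir", Scope.ORGANIZATION, ("pattern",)),
    TaggedItem("ioc-3", "acme", "acme:ir", Scope.ALL, ("attack-type",)),
)
```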
Cerebro comprises two main components:
Together, these components ensure that the response and investigation team members are able to effectively manage the required tasks. In particular, the system model integrates the technical incident response and the legal investigation and prosecution process in a multi-site collaborative manner.
Our approach builds on several well-known principles for effective collaboration. For trust establishment, we rely on an incentive-based approach in which organizations learn more about vital watch-list information and obtain access to tools and resources to respond to and recover from attacks.
Cerebro also relies on an approach involving organizational access policy; organizations providing value in the identification and response process can collectively define important pieces (IP addresses, type of attack, pattern identification) of an investigation.
For managing tasks and processes, we focus on identifying and indexing areas of interest that warrant collaboration, so that they can be integrated into a well-defined process workflow for each organization.
Challenges of Our Approach
One challenge of our approach with Cerebro involves addressing security issues so that potential users can be assured that their information will circulate within an intended audience. To address this issue, we designed a system that uses two-factor authentication: role-based and signature-based.
Ideally, our tool fosters 100 percent participation by all involved. Cerebro observes the 90-9-1 rule. This is the basic observation that in a collaborative platform, such as a wiki
Our approach hypothesizes that if only 9 percent of participants are involved in information analysis, that group can act on the information and ideally retain enough so it doesn't compromise their organization. The lurkers will hopefully retain some of the lessons learned by the methodologies employed by the real subject matter experts. The lurkers, however, cannot be relied upon to provide actionable intelligence.
Early Influences and Collaborations
As with any research effort, our work has been influenced by many other researchers including Dr. Eric Nyberg, a professor in the Language Technologies Institute in Carnegie Mellon University's School of Computer Science. Dr. Nyberg's research in this field helped us gain a greater understanding of machine learning and rule generation.
This research also draws upon theories introduced by Dr. Carolyn Rosé, who teaches an applied machine learning class in the Human Computer Interaction Institute. Dr. Rosé's research focuses on better understanding the social and pragmatic nature of conversation, and using this understanding to build computational systems that can improve the efficacy of conversation between people, and between people and computers.
Working with our customers over the past few years, we developed prototypes of tools that contribute to the data collection, analysis, and collaboration space. Alongside the development efforts for these prototypes, we are working on a version of Cerebro that will act as the trusted platform between them.
To read the paper Cerebro: A Platform for Collaborative Incident Response and Investigation, by Anne Connell, Tim Palko, and Hasan Yasar, please visit
To read the February 2013 report, CYBERSECURITY: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented, please visit http://www.gao.gov/assets/660/652170.pdf
Visit the SEI Digital Library for other publications by Anne