Cyberwarfare has long since moved beyond the imaginations of Hollywood producers and science fiction aficionados. Countries, corporate entities, rogue states and motivated hackers are all online and actively testing the defenses of networks.
Understanding how automated cyberwarfare works and how to defend against coordinated cyberattacks has become critical to the national defense interest. Researchers at Sandia National Laboratories have been mapping out attacks against large-scale computer networks to develop massive cyberattack simulations. Their work could impact the cybersecurity industry by enhancing security defense mechanisms.
Cyberattack maps developed by Sandia researchers were presented to the public during a seminar last week at Harvard University. Steven Y. Goldsmith, a member of the technical staff at Sandia, depicts cyberwarfare as a series of colored dots, lines and cryptic graphs. Those measurements make up a complex computer simulation of a massive botnet attack against a large-scale network.
Goldsmith presented the Sandia research as part of the "Cyber Internal Relations" series sponsored by MIT and the Belfer Center for Science and International Affairs at the Harvard Kennedy School. The series examines the issues arising from cyberwarfare, including developing a "multi-dimensional view of international conflict and cooperation within and regarding cyberspace."
Goldsmith and his research team have created complex simulations of cyberagents on computer networks as a means to understand how cyberattacks may be anticipated, mitigated and ultimately defended against. He broached the matter of cybersecurity quite simply:
"Security is only available online if a network is offline."
The researchers chose to examine a root attack, a Byzantine attempt to gain control of a target system at its most basic level of operation. Applications of such simulations aren't academic at all; such large-scale IT infrastructures would of course include those of state and federal agencies or defense contractors.
Goldsmith and other attendees at the lecture assert that the "Holy Grail" of cyberwarfare is to quickly and accurately map out the network of an attacker or defender. Such a map could produce a decisive advantage, just as understanding the local geography of a country is a crucial advantage in real-world warfare.
But the research goes beyond mapping. Goldsmith is the lead scientist on a project creating intelligent white hat software agents that enable networks to be self-defending. The agents function as a collective in a cloud computing model on a network. The agents can communicate securely within the collective and conduct port scans looking for suspicious requests from external or internal sources. When a malicious attack is detected, the malicious agents associated with it are cut off from the group, which only authorizes authenticated data.
The Sandia research could impact the security industry. Enterprise intrusion detection software in the future may include network topography and intelligent agents in a collective to improve its effectiveness. Applications already use metrics like CPU utilization to gauge whether network attacks may be under way. Network administrators, for instance, might see only 10% utilization, if the bulk of processing power is being turned towards cyberdefense.
One application discussed during the lecture is how mapping could improve trust and reputation systems. Currently, massive botnets with fast-moving, adaptive attacks may hold a strategic advantage. In the future, defenders may be able to slow or blunt cyberattacks by posing the agents complex algorithmic problems to solve, buying time for the network to ratchet up its defenses.
There are other lessons coming from the complex simulations run at Sandia. The developers of high-level enterprise architecture policies, including service-oriented architectures, will need to consider where and how to build in a level of autonomous intelligence into networks. Nodes in a defended network would need to immediately warn other nodes of an attack and react in a coordinated defense posture. Automated escalations of responses to changes in the threat level or termination of infected nodes could be crucial to effective cyberdefense, Goldsmith said. These nodes may then be rejuvenated and put back into the fight.
The issues raised at the lecture are no longer theoretical, Goldsmith said. The U.S. military has moved to a model of networked warfare that includes soldiers and equipment as nodes in a vast geospatial network. Scenarios where an individual vehicle or second lieutenant is captured and used to compromise the network aren't academic. In a more horizontal architecture, "command and control" nodes are still valuable but less important. The adoption of universal white lists, a common approach in enterprise IT security, would not be proof against such an inside attack.
Improved defenses against large-scale network cyberattacks will be even more crucial if U.S. Army chief information officer Lt. Gen. Jeffrey Sorenson successfully moves the Army's networks towards a cloud computing model. In an address Feb. 26 at an Armed Forces Communications and Electronics Association meeting in Baghdad, Sorenson called for greater information sharing on a single communications network.
"The Army will be transitioning a lot of independent networks into a single network enterprise," he said, according to a Multinational Force Iraq press release. "The current network we have is not a single enterprise and we have to do a lot to make it function to the expeditionary level."