Security

The DoD Does Not Have a Cyber-Agility Framework.

• BLUF: While the DoD doesn't have a single, publicly announced "DoD Cyber Agility Framework," it prioritizes and implements various methods and best practices to enhance its cyber agility. 

• Some potential approaches the DoD uses/Ad-Hoc/NoAuthS: (5)

  1. Embracing a Culture of Security:

• 1. 1. • Security awareness training: Regularly educating personnel about cyber threats and best practices is essential. 

        • Incentivize reporting: Encouraging employees to report suspicious activity promptly allows for faster response and mitigation.

        • Shared responsibility: Fostering a culture where everyone feels responsible for cybersecurity strengthens overall defense.

     2. Adopting Agile Security Practices:

        • DevSecOps Integration: Integrating security throughout the software development lifecycle allows for earlier identification and rectification of vulnerabilities.

        • Threat Intelligence Sharing: Sharing information about emerging threats and vulnerabilities across different departments and agencies improves overall preparedness.

        • Automation and Orchestration: Automating routine security tasks and leveraging orchestration tools enable faster response and resource allocation during incidents.

     3. Continuous Monitoring and Improvement:

        • Network monitoring: Implementing robust systems to continuously monitor network activity for suspicious behavior.

        • Vulnerability scanning: Regularly scanning systems for potential weaknesses and patching them promptly.

        • Incident Response: Having a well-defined incident response plan ensures a swift and coordinated response to security breaches.

        • Lessons Learned: Analyzing past incidents and incorporating learnings into future strategies strengthens overall defense.

     4. Leveraging Advanced Technologies:

        • Machine Learning and AI: Utilizing AI and machine learning to detect anomalies and potential threats in real-time.

        • Cyber Threat Intelligence Platforms: Employing platforms that aggregate and analyze threat intelligence data from various sources.

        • Deception Technologies: Deploying honeypots (decoy systems) to lure attackers and gain valuable insights into their tactics.

     5. Collaboration & Training Investments:

        • Collaboration: Partnering with other government agencies, private industry, and international allies strengthens collective cyber defense capabilities.

        • Investment in Training and Workforce Development: Equipping personnel with the necessary skills and knowledge to address evolving cyber threats is crucial.

        • Red Teaming and Exercises: Conducting regular simulations and exercises helps identify weaknesses and refine response strategies.

        • (Used >) Maturity Assessment Plan: An Excel worksheet/checklist to audit systems and systems-of-systems at specific durations to assure security maturity. 

Resources:

• While specific information about the DoD's methods might be limited, these resources offer insights into their broader cybersecurity strategy:

  1. Department of Defense Cyber Strategy: https://media.defense.gov/2023/Sep/12/2003299076/-1/-1/1/2023_DOD_Cyber_Strategy_Summary.PDF

  2. DoD Cyber Command (USCYBERCOM): https://www.cybercom.mil/

The UTSA Cyber Agility Framework.

• BLUF (2): (1) The University of Texas at San Antonio (UTSA) developed by researchers, is a relatively new approach specifically designed to measure the agility of both attackers and defenders in the cybersecurity domain. (2) While not a universally adopted standard yet, the UTSA Cyber Agility Framework presents a valuable approach for evaluating the dynamic nature of cybersecurity and the ability of both sides to adapt and counter threats effectively.

• Quotes: 

  1. "Cyber agility isn't just about patching a security hole, it's about understanding what happens over time. Sometimes, when you protect one vulnerability, you expose yourself to 10 others." -- Jose Mireles, a researcher.

  2. "Allows cyber defenders to test out numerous and varied responses to an attack". -- Shouhuai Xu, professor

• Focus: It assesses the ability of attackers to adapt their tactics and the ability of defenders to respond and counter those tactics effectively.

• Benefits:

1. Provides a quantifiable measure of cyber agility.

2. Enables comparison between different defenders and attackers.

3. Helps identify areas for improvement in both offensive and defensive strategies.

• Limitations:

  1. Currently in the early stages of development and may require further refinement.

  2. Limited widespread adoption within the cybersecurity industry.

  3. Measuring cyber agility is a complex task, and the framework might not capture all aspects perfectly

Core Functions of the Framework: (4)

1. Data Collection:

   • Monitors network activity using honeypots (decoy systems that mimic real systems to lure attackers).

   • Analyzes attacker behavior and defender response actions.

2. Feature Extraction:

   • Extracts relevant data points from the collected information, such as:

     1. Time taken to detect an attack.

     2. Type of response implemented by defenders.

     3. Changes in attacker tactics.

3. Modeling:

   • Develops a mathematical model to score the agility of both attackers and defenders based on the extracted features.

   • This score reflects how quickly and effectively each side adapts to the situation.

4. Evaluation:

   • The framework's effectiveness is validated through simulations and potentially real-world scenarios..

Resources:

• Research paper: "A Framework for Measuring Cyber Agility" by Jose Mireles, Eric Ficke, Shouhuai Xu et al. (https://www.mdpi.com/1999-5903/15/10/324)

• News articles:

  • SecureWorld: https://www.secureworld.io/

  • UTSA Today: https://future.utsa.edu/programs/undergraduate/cyber-security/

Important Note:

• The UTSA framework primarily focuses on measuring the response and adaptation during cyberattacks. It doesn't solely assess the overall cybersecurity posture or preventative measures.

Future of the Framework:

• The concept of cyber agility is gaining traction, and the UTSA framework serves as a potential foundation for further development in this area.

• Continued research and refinement are expected to enhance the framework's accuracy and applicability.

key differences between Cyber Agility and Cyber Maturity, along with their purposes and the ideal scenario for using each:

Cyber Agility:

• Focus: Measures the ability to adapt and respond effectively to evolving cyber threats.

• Emphasis: Rapid detection, quick containment, and continuous improvement in response strategies.

• Analogy: Think of it like a boxer's ability to react swiftly and adjust tactics during a fight.

Cyber Maturity:

• Focus: Assesses the overall security posture of an organization.

• Emphasis: Establishing a robust defense system with preventative measures, clearly defined processes, and incident response capabilities.

• Analogy: Think of it as the boxer's overall strength, training, and defensive techniques.

Choosing the Right Option:

• Cyber Maturity is the foundation: It establishes a strong starting point by building a comprehensive security posture with preventative measures and well-defined processes.

• Cyber Agility complements Maturity: It ensures the organization can effectively respond to unexpected threats and adapt to evolving tactics.

Both are crucial for a holistic cybersecurity strategy.

Here's when each is most beneficial:

1. Prioritize Cyber Maturity:

   • When establishing a baseline security posture.

   • During periods of system upgrades or significant changes in the threat landscape.

2. Prioritize Cyber Agility:

   • When dealing with ongoing cyberattacks or situations requiring immediate response and adaptation.

   • When focusing on improving incident response capabilities and team preparedness.

Ideal Scenario:

Organizations should strive for a balance between Cyber Maturity and Cyber Agility.

• A strong Cyber Maturity lays the groundwork for a secure environment.

• Cyber Agility ensures the organization can effectively respond to breaches and continuously improve its defenses.

Additional Points:

• The UTSA Cyber Agility Framework primarily focuses on measuring response and adaptation, aligning with the core aspects of cyber agility.

• Several established frameworks exist to assess Cyber Maturity, such as the NIST Cybersecurity Framework (CSF) and ISO 27001.

In conclusion:

• Cyber Maturity establishes a robust foundation.

• Cyber Agility ensures efficient response and adaptation.

• Both are essential for a comprehensive cybersecurity strategy.

What is IDS / IPS (Network Security Posture)?

• Intrusion Detection System (IDS): A solution that monitors network events and analyzes them to detect security incidents and imminent threats. 

• Intrusion Prevention System (IPS): A solution that performs intrusion detection and then goes one step ahead and prevents any detected threats.

• OV-1: https://www.juniper.net/us/en/research-topics/what-is-ids-ips.html 

Steps to Implement IDS / IPS: (4)

By following these steps, you can establish a strong foundation for IDS/IPS within your network security posture. Remember, this is a general guideline, and specific configurations may vary depending on your chosen IDS/IPS solution

• 1. Define Your Security Policy:

     • Identify Critical Assets: Recognize the most important systems and data within your network that require extra protection.

     • Threat Assessment: Evaluate the potential threats your organization faces based on your industry and data sensitivity.

     • Acceptable Use Policy: Establish guidelines for authorized network activity to differentiate it from suspicious behavior.

  2. Select and Deploy IDS/IPS System:

     • Choose a Solution: There are various hardware and software options available. Cloud-based solutions like Azure Firewall offer a managed approach.

     • Deployment Location: Decide on strategic placement for the IDS/IPS system, often at network perimeters or critical segments.

     • Initial Configuration: Follow the vendor's instructions for basic setup and network integration.

  3. IDS/IPS Policy Configuration:

     • Signature Selection: Enable relevant signatures that align with the threats identified in your assessment. Most systems come with pre-configured signatures categorized by attack type.

     • Action Definition: Determine how the IDS/IPS should respond to detected threats. Options typically include Alert (log only), Deny (block traffic), or a combination based on severity.

     • Fine-Tuning: You might need to adjust signatures or actions to minimize false positives (alerts for harmless activity).

  4. Monitoring and Maintenance:

     • Alerts and Logs: Regularly review IDS/IPS alerts to identify potential threats and investigate suspicious activity.

     • Signature Updates: Ensure your IDS/IPS system receives regular signature updates to stay protected against evolving threats.

     • Performance Monitoring: Monitor the impact of IDS/IPS on network performance and adjust configurations if necessary.

Additional Tips:

• Start with a Baseline: Deploy the IDS/IPS with default rules initially to understand your network's typical traffic patterns.

• Testing: Conduct simulated attacks in a controlled environment to validate your IDS/IPS effectiveness.

• Documentation: Maintain clear documentation of your IDS/IPS policies and configurations for future reference and auditing.

.

Azure Firewall Premium tier offers built-in IDS/IPS capabilities. Here's how to implement policies using this tool:

1. Deploy Azure Firewall Premium:

   • Provision an Azure Firewall Premium resource within your virtual network.

2. Configure IDS (Intrusion Detection System) Settings:

   • Navigate to the Firewall policy for your Azure Firewall.

   • Go to Settings and then click on "IDPS".

3. Define IDPS (Intrusion Prevention Systems) Policy Actions:

   • Azure Firewall offers three IDPS policy action modes:

     1. Alert: Suspicious traffic is identified and logged but allowed to pass through.

     2. Deny: Suspicious traffic is identified, logged, and blocked.

     3. Off: Disables IDPS for specific rules or entirely.

4. Manage IDPS Signatures:

   • Azure Firewall comes with a predefined set of IDS signatures categorized for various threats.

   • You can customize these signatures to:

     1. Disable specific signatures (addressing false positives).

     2. Adjust the action mode (Alert or Deny) for individual signatures based on severity.

Additional Considerations:

• TLS Inspection:  For deeper inspection of encrypted traffic (HTTPS), enable TLS inspection on your Azure Firewall.

• IDPS Bypass List (Optional): You can configure an optional bypass list to exclude specific IP addresses, ranges, or subnets from IDPS inspection. This is not recommended for performance optimization as the firewall processing still applies.

Benefits of using Azure Firewall for IDS/IPS:

• Continuously Updated Signatures: Microsoft automatically updates the IDS signatures to ensure protection against evolving threats.

• Granular Control: You can define policy actions (Alert/Deny) for individual signatures based on your security needs.

• Integration with Azure Security Services: Azure Firewall integrates with other Azure security services for a comprehensive defense strategy.

Leverage Industry Standards. (3)

• NIST Cybersecurity Framework (CSF): The National Institute of Standards and Technology (NIST) Cybersecurity Framework offers a comprehensive approach to managing cybersecurity risk. Its Identify, Protect, Detect, Respond, and Recover (IDRP2) functions provide a solid foundation for IDS/IPS implementation. You can map your IDS/IPS policies to relevant NIST CSF functions like "Detect" and "Respond." https://www.nist.gov/cyberframework

• CIS Controls: The Center for Internet Security (CIS) Controls provide a prioritized set of actions to mitigate cybersecurity risks. Specific controls within CIS Critical Security Controls (CSC) map directly to IDS/IPS implementation, such as "Continuous Monitoring and Defense (Control 5)" which emphasizes continuous threat detection using IDS/IPS. https://www.cisecurity.org/controls

• Information Security Forum (ISF) Standard of Good Practice for Intrusion Detection and Prevention Systems (STD 010): This standard provides detailed guidance on the selection, deployment, configuration, operation, and maintenance of IDS/IPS systems. While not a strict requirement, it offers a comprehensive approach for robust IDS/IPS implementation. (ISF: https://www.informationsecurityforum.com/) might require membership for access to the full standard.

CISA.

• Traffic Light Protocol (TLP): Definitions and Usage.