land report: cybersecurity plan and budget framework

Posted by tetley at 2020-04-14


The United States Department of Homeland Security (DHS) has the primary responsibility for the security of unclassified networks. The increasing dependence of the national economy and government on reliable and secure networks makes this task more and more important.

This study examines the capabilities mentioned in the DHS report blueprint for a secure network future and how these capabilities can be applied to network security activities. This paper proposes a method to evaluate the behavior of network security defense.


In cyberspace, hackers have many choices, and defenders have to deal with all possible attacks. These defensive preparations and responses should cover a wide range of possibilities. When each activity is applied separately, it is easy to handle and execute. However, no one activity (or part of it) is enough to ensure network security. Therefore, network security professionals are faced with choosing a set of appropriate network security defense measures from various options.

In the private and public sectors, including the U.S. Department of Homeland Security (DHS), this dilemma exists. In 2011, the DHS leadership conducted a comprehensive review of the challenges it faced in implementing its charter to ensure the country's unclassified cybersecurity. The final report, blueprint for the future of secure networks, outlines the challenges posed by hostile actors, operator errors, and software design errors. The DHS blueprint identifies 75 capabilities (25 of which are critical) that will enhance the security of the national network.

One of the challenges of using the DHS blueprint as a programming and budgeting framework is that features are listed on an itemized list. This has resulted in several difficulties:

Lack of relationship between capabilities: it is difficult to determine from the DHS blueprint how any two capabilities depend or interact.

Lack of priority

Lack of influence

In this report, our goal is to address these difficulties and help explain these actions. We propose more than 100 actions that can be used as elements of network defense strategy. We support the selection process by determining the interrelationship between activities.

We organize relationships through hierarchical decomposition. This decomposition process assumes that any two directly related activities can be characterized as having a parent-child relationship. In our presentation, parent-child links represent one of two types of relationships: composition or acquisition. In a composite relationship, a parent activity is a combination of two or more child activities (for example, a meal consists of salad, appetizer, and dessert activities). In a "requisition" relationship, one or more child activities must be completed before the parent activity can be carried out (for example, a meal can only be carried out after an activity such as buying, cooking, etc.).

There are many forms of hierarchical decomposition. We chose the sun chart to place the overall goal at the center of the chart, and the actions were continuously decomposed from the center. The sun chart is represented by a ring. Ring 0 (the center of the chart) contains the primary target to reduce the expected cost of network attack. Ring 1 is composed of policies supporting ring 0, and ring n + 1 supports ring n. The network sunshine diagram is shown in Figure S.1.

In summary, it should be noted that the actions proposed are valuable to many different communities. CISO (Chief Information Security Officer) and other actions are of concern to policymakers within the federal government. We believe that the content of this report will be of interest to both public and private sector professionals involved in policy development and in the development of strategies to ensure cybersecurity.

(1) Motivation

"Today we are unfortunate, but remember that we only need to be lucky once, and you need to be lucky all the time," IRA said after the defeat of Prime Minister Margaret Thatcher at the Brighton Hotel. "This warning is not only applicable to network security, but also more prominent in the network environment than in the physical field from the perspective of the defender. Cyberspace and computing systems have several characteristics that make them more vulnerable to attacks from physical opponents. First, the computing system is highly connected, providing many access points for attackers. Second, the computing system is very complex, many access points are unknown to their owners. Third (and perhaps most importantly), computing systems are dynamic, changing, and new installations and application upgrades complicate connectivity and complexity. Cyber security experts can never rest.

Considering the network attack against Home Depot announced in September 2014, multiple attack points are used to obtain malicious access, including stealing supplier credentials, exploiting Microsoft vulnerability, attacking company sales system and automatic checkout system. The defensive work and response required to avoid such attacks cover a wide range of possibilities, including updating software systems to minimize vulnerabilities, installing effective tools to intercept known types of attacks, encouraging employees and suppliers to use appropriate passwords and conduct security training to avoid social engineering, and recording logs to support ex post evidence collection.

Since most (if not all) organizations operate with limited resources, the prospect of implementing all activities is unrealistic, and in fact many chief information security officers (cisos) believe that the cost of conducting multiple security actions is nonlinear. Network security professionals face the challenge of choosing a set of network security defense measures, which must be based on reality rather than optimization.

The United States Department of Homeland Security (DHS), as a federal agency responsible for maintaining the security of national unclassified networks, is also facing severe challenges in developing and selecting Cyber Defense Strategies. Given that the network maintained by DHS is largely owned and operated by private companies, the challenge for DHS is particularly serious. DHS is not authorized to enforce standards, so it must rely heavily on recommendations to encourage providers to comply with security standards and best practices. DHS has resources ($3.82 billion in fy2015 budget), a growing research and development (R & D) program, and gateway services to control a widely used network (. Gov domain).

In 2011, the DHS leadership conducted a comprehensive review of the challenges it faced in implementing its charter to ensure the country's unclassified cybersecurity. The final report, blueprint for the future of secure networks, outlines the challenges posed by hostile actors, operator errors, and software design errors. The DHS blueprint identifies 75 capabilities (25 of which are critical) that will enhance the security of the national network.

The purpose of this report is to provide a way for organizations to address these difficulties and to help interpret actions as a list.

(2) Core concepts

In this report, we propose more than 100 actions that can be used as elements of Cyber Defense Strategy. As mentioned above, not all activities need to be implemented, nor are they equally important. It is up to the organization to make specific choices. Our approach provides a basis for security personnel to assign and sort activities based on their dependencies.

2.1 Objective: reduce the expected cost of network attack

We believe that network security has an overall goal: to reduce the expected cost of network attacks. This goal involves several assumptions. First of all, we use cost to express the impact, which is expressed in a quasi monetary way. In some cases, cyber attacks result in a clear monetary cost involving personnel and / or computing resources, while in other cases, the cost is less obvious (for example, military impact may not necessarily be reduced to us dollars and US cents). Organizations see lost reputations as costs. May reduce personal privacy or increase the risk of national security. Second, we use "expected" costs to cover the risk of low probability, high impact events, such as cyber attacks or military failures on the grid. This is the opposite of the increasing cost because of more common cyber attacks, such as cybercrime. Third, many of the costs of even the cyber attacks that have occurred are unknown.

2.2 ring 1: four basic strategies

Four basic strategies support the goal of reducing the expected cost of cyber attacks, as shown in the figure:

• reduce exposed surfaces.

• minimize attacks

• enhance resilience.

• accelerate recovery.

Although these four strategies are unique, they overlap in practice. As shown in the angle of the four top-level strategies in Figure 2.2, the angle of "neutralization attack" is 180 degrees, the angle of "accelerated recovery" is assigned to 40 degrees, and the angle of "reduced exposure" and "increased resilience" is 70 degrees. These angles are intended as an approximation of relative importance and as a reference for the precise allocation of resources (i.e., "neutralization attack" is more important than "accelerated recovery"). The thumbnail definition of the strategy is as follows:

• reduce exposure: the vulnerability of the system, which is related to the level of access by personnel. There are two components to this operation: reducing the connection between the system and others (including internal personnel's access to the system), and reducing the accessible information and calculation process (for example, software programs and executable files). In some cases, the disconnection of internal links in the system can limit the damage of attacks. • reduce the impact of attacks: prevent attacks and reduce the impact of attacks that occur. • improve resilience. • accelerate recovery.

2.3 basis of methodology

Our approach is based on a "strategy task" decomposition approach developed in Rand in the late 1980s. The "strategy task" framework provides a link between objectives (strategies) and operational activities (tasks). The framework explicitly decomposes activities into functional tasks that can successfully implement the strategy, and emphasizes the interrelationship between tasks. In addition, the strategy task framework uses a hierarchy so that each task can then be broken down into subtasks.

The strategic mission framework was originally developed for the U.S. air force. One example is to prevent North Korea from attacking South Korea by maintaining a strong forward military strategy. Through the application of the "strategic mission" framework, it is recognized that the goal of preventing North Korea includes two supporting goals: (1) maintaining a strong frontier military presence; and (2) diplomatic isolation of North Korea. These supporting objectives can be further decomposed into subordinate activities through hierarchy.

In this report, "strategy task" is applied to the field of network security, and visualization is improved by using sunshine map.

(3) Ring 2

All actions of ring 1 are supported by more specific actions of ring 2.

3.1 ring 2: reduce exposed surface

We can organize strategies to reduce unnecessary exposure by considering the types of access (attack) to physical and virtual assets:

• reduce the number of networked machines.

• reduce the number of network access points on networked computers.

• reduce the amount of computing resources on network computers.

• minimize the amount of sensitive data on networked computers.

As shown in the figure below.

3.2 ring 2: neutralize attacks

• reduce the number of network attacks.

• implement remediation for specific known threats.

• prevent cyber attacks

• ensure the quality of software and hardware in the network.

• systematically reduce the risks inherent in the network.

• improve safety related capabilities of system management.

• test the system against simulated attacks.

• reduce the amount of penetration in an attack.

Add distributed denial of service (DDoS) defense.

• increase internal threat defense.

3.3 ring 2: enhance the ability of rehabilitation

Increasing resilience involves preparing the organization to be least affected in the event of a successful cyber attack. It is supported by the following more specific operations:

Take (specific) rehabilitation steps.

• comply with rehabilitation guidelines.

• improve cross system engineering.

3.24 ring 2: accelerated recovery

Although the speed of recovery from network attacks can only be known after the attack, and depends on the efforts made in the recovery phase, experience (especially other system failure sources) shows that many actions taken before the attack can accelerate the speed and reduce the cost. Therefore, the overall action to accelerate recovery can be promoted if the organization takes the following specific actions:

• prepare a quick response plan.

• improve responsiveness.

• build the ability to recover the system.

• install systems to quickly detect attacks.

• develop methods to rapidly isolate infected systems.

• remove malware from the system.

(4) Ring 3

The following content will not be translated. Please refer to "download" for details.

4.1 Ring 3: Resilience → Take Resilience Steps

Add channels: note that the attack surface is also increased.

Develop procedures to prioritize Communications: the US military has a mechanism that enables high priority information to be transmitted first when communication lines are limited.

 Create backup power sources:

  Created uplicate assets where necessary:

  Develop anduse un-erasable backups:

  Make it easy to sever misperforming subsystems:

  Document resilience steps:

4.2 Ring 3: Resilience →    Conform to Resilience Guidelines

  Write resilience standards

 Educateengineers on resilience standards

 Audit against resiliencestandards:

4.3 Ring 3: Resilience →    Improve Cross-System Engineering

Minimize cascading system failures:

 Avoid common-mode failure in software:

4.4 Ring 3: Recovery →    Generate Rapid Response Plans

 Draft rapidresponse plans

Develop partnerships for rapid recovery

 Exercise rapid response plans:

4.5 Ring 3: Recovery →    Increase Response Competence

  Exercisecrisis response within sectors:

  Exercisecrisis response across sectors:

  Developbusiness continuity plans:

 Train first responders

4.6  Ring 3: Recovery →    Build the Ability to Restore Systems

Create a priority data plan that identifies which data (or data flows) are critical to business continuity and takes steps to ensure continuous access.

4.7 Ring 3: Exposure →    Reduce the Number of Networked Machines

Reduce thenumber of externally addressable machines:

 Determinewhich systems should be isolated:

 Isolate systems as per this determination:

Test isolation: Shodan (www.shodanhq. Com) is a test tool.

-Tools for test isolation: the prerequisite operation is to acquire and / or develop tools for test isolation. Organizations can decide whether to buy or not.

4.8 Ring 3: Neutralize Attack →    Reduce the Number of Cyberattack Attempts

 Reduce the number of hackers:

Reduce the incentive to hack:

  Preempt attacks upon discovery:

4.9 Ring 3: Neutralize Attack →    Counter the Insider Threat

Physically secure computing spaces:

Reduce attacks by employees:

Limit privileges of contractors:

4.10 Ring 3: Neutralize Attack →    Develop Mitigations for Specific Known Threats

Develop ways to identify and characterize hackers

4.11 Ring 3: Neutralize Attack →    Block Cyberattacks

Block cyberattacks on client computers:

Develop best client practices:

Vet employees likely to be unwitting conduits for attack:

Authenticate users securely:

Block cyberattacks passing from computers of affiliates:

Block harmful traffic at gateways:

Find and block infections after they have taken root onthe network:

Improve procedures for managing the network in a crisis:

Erect internal firewalls and/or filters:

4.12Ring 3: Neutralize Attack →    Ensure the Quality of a System’s Hardware andSoftware

Develop processes and designs that can co-evolve withinnovation:

Adopt security-enabled hardware and software:

Develop acquisition processes to ensure delivery oftrustworthy components:

Improve the knowledge behind the engineering of softwareand hardware

Mitigate vulnerabilities in software:

Patch systems expeditiously

4.13 Ring 3: Neutralize Attack →    Systematically Reduce Risks Inherent in the Network

Ensure performance standards for cyber risk managementare met

Develop sets of mitigation actions

Incorporate new technology when cost-effective:

4.14 Ring 3: Neutralize Attack →    Improve the Security-Related Competence ofSystem Administrators

Improve the information that system administrators canaccess:

Improve the competence of system administrators:

Outsource system administration

4.15 Ring 3: Neutralize Attack →    TestSystems Against Simulated Attacks

Deploy people to red-team systems

Acquire red-teaming tools:

Use the results to prioritize subsequent investments:

4.16 Ring 3: Neutralize Attack →    Defend Against DDOS Attacks

Adopt counter-DDOS policies:

Adopt counter-DDOS mitigations

4.17Ring 3: Neutralize Attack →    Reduce the Amount of Material Exfiltrated byAttacks

Reduce the quantity of exfiltrated data

Reduce the quality of exfiltrated data

(5) Conclusion

The development of network defense strategy needs to choose defensive and preventive activities from many possible actions. This selection process is very difficult, we must determine a strategy, pay attention to the effectiveness and practicality, especially in the context of limited resources.

We believe that the recognition of the interrelationship between actions can facilitate the selection process, and the priority of actions can be assigned and determined according to the dependency between them. In this regard, we organize network prevention actions according to their relationship levels. If the two behaviors are directly related, we describe the relationship as one of two possible relationship types: combination or request. We used a sun chart to show the related actions.

This approach aims to help CISO and its support team observe the organization's Cyber Defense Strategy. As resources move between different components of a cyber defense strategy, the approach proposed in this paper should be able to review costs transparently in terms of money, time and other ways. By applying this approach to a group of organizations (for example, within the same department, across different departments or different government agencies), you can understand best practices.