Work is under way on a new cybersecurity paradigm that could eliminate some of the manual steps in cyber protection and enable effective collective defense.
Today, a system identifies a breach in a single network, and analysts mitigate the vulnerability there. A new Federated Command and Control (FC2) infrastructure developed by the Florida Institute of Technology (FIT) can protect many organizations at once, said officials at the Department of Homeland Security (DHS) Science and Technology Directorate (S&T). FC2 protects a federation from potential threats using a variety of preventive measures and automated responses: malicious activity detected in one member's network is shared with the federation and mitigated across it.
FC2 moves beyond simple threat-information sharing by using existing sensors and techniques to detect and mitigate suspected malicious activity. It allows federated organizations with shared interests to collaboratively identify threat and attack indicators, recommend defenses and evaluate playbooks, all in a semi-automatic manner.
Edward Rhyne, S&T program manager for federated security, highlighted the work between S&T and FIT to pilot the infrastructure, as well as the benefits of a federated cybersecurity system that can orchestrate defense protocols. During a demo, a mix of physically separated hardware network spaces and virtualized enclaves automatically joined to form federations. These federations then automatically shared attack indicators, recommended and applied defensive responses, and performed various privacy-preserving joint calculations.
S&T and its partners had previously set up a federated environment at FIT made up of organizations exposed to simulated attacks. The system successfully responded to those attacks through the environment's command and control functions.
“The federation should enable defenders to get ahead of the spread of malicious activity,” Rhyne said.
Automating communication between organizations in a federated environment is a more efficient and effective method of alerting the different groups when they may be vulnerable to cyberattacks. Rather than simply sharing indicators without context, the system can autonomously share them with context and recommend necessary actions to prevent or mitigate the effects of a potential attack.
The FC2 infrastructure evolved from S&T’s exploration of “moving target defense” (MTD), which began in 2011. MTD is an approach involving the controlled change of system properties to provide a constantly shifting and unpredictable attack surface. This raises uncertainty and complexity for potential attackers as they attempt to learn the system.
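To make the MTD idea concrete, here is an added example (not S&T or FC2 code) of one well-known moving target technique, keyed port hopping: a service and its authorized clients derive the current listening port from a shared key and the time epoch, so the port changes every interval and a port an attacker scanned earlier is no longer there. The key, the port range, the 30-second epoch and the one-epoch grace window for clock skew are assumptions of this example.

```python
"""Moving target defense by keyed port hopping.

Added illustration of MTD, not S&T or FC2 code. Both ends compute the port
from HMAC(key, epoch_index); without the key the sequence is unpredictable,
with it the client and server agree exactly. Key, port range and epoch
length below are assumptions chosen for the example.
"""
import hashlib
import hmac

PORT_LOW, PORT_HIGH = 20000, 60000   # assumed hopping range (half-open)
EPOCH_SECONDS = 30                   # assumed hop interval


def port_for_epoch(key: bytes, epoch_index: int) -> int:
    """Map (key, epoch) to a port in [PORT_LOW, PORT_HIGH) via HMAC-SHA256."""
    msg = epoch_index.to_bytes(8, "big", signed=True)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return PORT_LOW + int.from_bytes(mac[:4], "big") % (PORT_HIGH - PORT_LOW)


def current_port(key: bytes, now: float, epoch_seconds: int = EPOCH_SECONDS) -> int:
    """Client side: the port to connect to at wall-clock time `now`."""
    return port_for_epoch(key, int(now // epoch_seconds))


def accepted_ports(key: bytes, now: float, epoch_seconds: int = EPOCH_SECONDS) -> set[int]:
    """Server side: accept the current and the previous epoch's port so a
    client whose clock is slightly behind is not locked out at a boundary.
    The grace window is a deliberate trade-off: it doubles the live ports."""
    idx = int(now // epoch_seconds)
    return {port_for_epoch(key, idx), port_for_epoch(key, idx - 1)}


def server_accepts(key: bytes, port: int, now: float,
                   epoch_seconds: int = EPOCH_SECONDS) -> bool:
    """True if a connection to `port` at server time `now` is honoured."""
    return port in accepted_ports(key, now, epoch_seconds)


def schedule(key: bytes, start: float, epochs: int,
             epoch_seconds: int = EPOCH_SECONDS) -> list[int]:
    """The sequence of ports the service will use over the next `epochs` hops."""
    first = int(start // epoch_seconds)
    return [port_for_epoch(key, first + i) for i in range(epochs)]


if __name__ == "__main__":
    key = b"shared-secret-for-demo"   # constructed; distribute out of band
    t0 = 1_700_000_000.0              # constructed reference time

    recon = current_port(key, t0)     # attacker scans and records the port at t0
    print("port seen by scanner at t0:", recon)
    print("same port honoured two epochs later:",
          server_accepts(key, recon, t0 + 2 * EPOCH_SECONDS))
    # An authorized client with the key just recomputes the port.
    later = t0 + 65
    print("authorized client at t0+65s accepted:",
          server_accepts(key, current_port(key, later), later))
    print("next five ports:", schedule(key, t0, 5))
```

The point to take from the demo at the bottom is that the scanner's reconnaissance decays: its recorded port is stale after at most two epochs, while a keyed client never has to rediscover anything. The grace window is the caveat to keep in mind when tuning any hopping scheme: the shorter the epoch, the more clock skew matters, and every extra accepted epoch widens the window an attacker can reuse.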
The federated defense concept, which followed MTD in 2015, creates an environment in which different organizations enhance their local decision-making ability with global knowledge, enabling stronger protections through greater awareness and common cybersecurity operations across the federated enterprises.
One of the main tenets of the federated defense concept is to preserve existing defensive systems and their unique properties and policies within member organizations, which increases the diversity of the federation. Another tenet of FC2 is privacy, with built-in protocols that let participants in a federation maintain it. Organizations may not be comfortable sharing specific information about a cyberattack with outside parties, so the FC2 infrastructure is arranged to notify the federation of potential malicious activity while concealing the identity of the organization that identified it. Additionally, the FC2 environment leverages advances in secure multi-party computation (MPC), which allows federation members to perform joint computations on data without any member learning the other members' specific inputs.
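The following is an added example, not FC2's own code, of the simplest MPC building block, additive secret sharing, applied to the privacy question this paragraph raises: members want to know how many of them have seen a given indicator (or how many hosts in total contacted it) without any member disclosing its own count or identity. The prime modulus, the member names and the honest-but-curious threat model are assumptions of this example.

```python
"""Secure multi-party computation by additive secret sharing.

Added example, not FC2 or S&T code. Each member splits its private input
into n random shares that sum to the input modulo a prime P, hands one
share to every member, and publishes only the sum of the shares it
received. Adding those partial sums gives the federation total; any n-1
shares of one input are uniformly random, so nothing else leaks.
Modulus and threat model (honest-but-curious, no n-1 collusion) are
assumptions of this example.
"""
import secrets

P = 2**61 - 1  # prime field modulus (assumption); inputs must be in [0, P)


def split_into_shares(value: int, n: int) -> list[int]:
    """Return n shares with sum(shares) % P == value."""
    if not 0 <= value < P:
        raise ValueError("input must be in [0, P)")
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


class Member:
    """One federation member: keeps its input local, sends out only shares."""

    def __init__(self, name: str, private_input: int) -> None:
        self.name = name
        self._private_input = private_input
        self.received: list[int] = []

    def distribute(self, members: list["Member"]) -> None:
        """Send share i of our input to member i (including ourselves)."""
        for member, share in zip(members, split_into_shares(self._private_input, len(members))):
            member.received.append(share)

    def partial_sum(self) -> int:
        """The only value a member publishes: the sum of shares it holds."""
        return sum(self.received) % P


def federated_sum(private_inputs: list[int]) -> int:
    """Run the protocol among len(private_inputs) members; return the total."""
    members = [Member(f"org{i}", v) for i, v in enumerate(private_inputs)]
    for m in members:
        m.distribute(members)
    # Each member sees one random share per peer; the published partial sums
    # reveal only their total, which is exactly the agreed output.
    return sum(m.partial_sum() for m in members) % P


def indicator_seen_count(sightings: dict[str, bool]) -> int:
    """How many members observed the indicator, without revealing which."""
    return federated_sum([int(seen) for seen in sightings.values()])


if __name__ == "__main__":
    # Constructed sample data: per-member counts of hosts that contacted a
    # suspected C2 indicator, and a yes/no sighting poll for the same indicator.
    print("total affected hosts:", federated_sum([12, 0, 7]))            # 19
    print("members that saw it:", indicator_seen_count(
        {"orgA": True, "orgB": False, "orgC": True, "orgD": True}))      # 3
```

Two caveats a practitioner would want stated. First, the privacy guarantee is against curious members: a single member learns nothing from the shares it holds, but n-1 colluding members can reconstruct the remaining input. Second, additive sharing gives no integrity: a member can feed in any value it likes, so the output is only as trustworthy as the participants. Both limits are why production MPC deployments layer authenticated channels and, where needed, verifiable sharing on top of this core.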