
Activity title

Cyber Attack Detection, Forensics and Attribution for Assessment of Mission Impact

Activity Reference

IST-128

Panel

Information Systems Technology

Security Classification

NATO UNCLASSIFIED

Status

Awaiting Publication

Activity type

RWS

Start date

2014

End date

2015

Keywords

Mission Capability, Impact Analysis, Cyber Battle Damage Assessment, Attack Detection, Computer Forensics, Attribution, Cyber Operation, Computer Information Systems, Digital Evidence, Information & Communications Technology (ICT), Cyber Intelligence Sharing

Background

Today, the success of military missions is highly dependent on ICT systems and their use in the cyber battle space. The increased use of COTS information technology and the dependency on CIS for weapons, intelligence, communication, and logistics will increase vulnerability to various threats, including attacks. Furthermore, current and future cyber operations will pose new challenges for the use of CIS in military missions. Attacks on ICT systems and other cyber incidents that degrade or even disrupt their usage, and thereby mission capability, performance, and completion, are expected to increase. Therefore there is a need to address the technology and procedures for characterizing the impact of cyber attacks on the mission. Such an impact analysis must necessarily include a broad range of cyber analysis activities: detecting attacks in a mission-supporting manner, assessing the damage relevant to the mission, investigating the impacts on mission elements, recovering from the attack in order to continue the mission to the maximum extent possible, and deciding how to respond in a manner that maximizes the success of the mission. Additionally, the use of forensic methods and tools is necessary to determine the key facts relevant to assessing mission impact; such tools are used for evidence collection, analysis of the attack, identification of the attacker, understanding of the attack, damage assessment, and attribution of attackers. Thus, depending on the mission and the type of attack, different degrees of relative importance and resources may be attached to attack detection, continuity of the military mission, damage assessment, evidence collection, attribution, etc. Therefore, the usage of related methods, procedures, tools and technology should be correlated or even harmonized, largely depending on the mission.

Objectives

The main objective of the activity is to provide a tech watch on the assessment of mission impact due to cyber battle damage, including the related challenges of forensic technology and methods in the military environment, and including a gap analysis, i.e. what is missing and what should be done. For example, can principles known from traditional military battle damage assessment be utilized in the cyber domain? The aim of the workshop is to bring relevant stakeholders together to address issues related to mission impact assessment through attack detection, battle damage identification, forensics and attribution for military CIS environments, where continuity of operations may be mission critical. A major challenge is to strike the right balance between CIS resources for ongoing military operations and mission success, resources used for attack detection, battle damage assessment, and investigation (including forensic methods), and resources used to identify the origin of the attacker in order to decide what to do about the attacker (e.g. attack response), while optimizing the likelihood of mission success.

Topics

- Analysis and modeling of mission and mission dependencies of CIS assets;
- Incident analysis from a mission impact perspective: methods, tools and technology;
- Mission-focused attack detection with prioritization for mission needs, including early warning;
- Advanced data analysis tools (tech watch) for characterizing the attackers' tools used in the incident;
- Automated damage assessment;
- Mission-focused information/computer/network forensics;
- Automation of forensics triage;
- Visualization tools and methods for visualizing damage and the impact on mission dependencies;
- Correlation/fusion of damage and evidence data;
- Attribution and trace back;
- Current and future trends, including the potential for real-time or large-scale forensics and other analysis that characterizes the impact on a particular mission;
- Metrics for mission impact assessments;
- Use of simulation, e.g. event (re)construction methods and tools, and simulation of impact on mission, such as dependency propagation.
