Publications

Van Leeuwen, Brian P.; Urias, Vincent U.; Stout, William M.S.; Lin, Han W.

Abstract not provided.

Han, Eunsil H.; Urias, Vincent U.; Van Leeuwen, Brian P.; Stout, William M.S.; Kao, Gio K.; Lin, Han W.

Abstract not provided.

Urias, Vincent U.

Abstract not provided.

Stout, William M.S.; Urias, Vincent U.

Abstract not provided.

Proceedings - International Carnahan Conference on Security Technology

Urias, Vincent U.; Stout, William M.S.; Luc-Watson, Jean; Grim, Cole; Liebrock, Lorie; Merza, Monzy

Computer network defense has traditionally been provided using reactionary tools such as signature-based detectors, white/blacklisting, intrusion detection/protection systems, etc. While event detection/correlation techniques may identify threats - those threats are then dealt with manually, often employing obstruction-based responses (e.g., blocking). As threat sophistication grows, we find these perimeter-planted security efforts ineffective in combating competent adversaries. In 2015 Gartner, Inc. examined the potential for organizations to use deception as a strategy for thwarting attackers and making it costlier for adversaries to engage in threat campaigns. In today's current research, there are a limited number of deception platforms (tools, etc.) that have successfully been shown to enable strategic deception in a computer network operations environment. Through a deception framework, we conjecture that deception platforms can aid and assist in deceiving the adversary by: obscuring the real target, devaluing information gathering, causing the adversary to waste time and resources, forcing the adversary to reveal advanced capabilities, exposing adversary intent, increasing the difficulty of attack planning, limiting the scope of the attack, and limiting the duration of a successful attack. The objective of this paper is to survey the technological trends in cyber deception research, identify gaps in the techniques, and provide research in the emergent environment. Current findings suggest that network deception tools are attracting the interest of researchers as a valuable security technique that can be implemented to learn more about the nature of cyber attacks; however, there are significant shortcomings in the current approaches and the ability to reason about the adversary.

Van Leeuwen, Brian P.; Eldridge, John M.; Urias, Vincent U.

Abstract not provided.

Stout, William M.S.; Urias, Vincent U.

Abstract not provided.

Clem, John F.; Atkins, William D.; Baker, Roger J.; Daley, Joshua M.; Urias, Vincent U.

Abstract not provided.

Stout, William M.S.; Urias, Vincent U.; Loverro, Caleb; Anthony, Benjamin A.

Abstract not provided.

2017 IEEE International Symposium on Technologies for Homeland Security, HST 2017

Urias, Vincent U.; Van Leeuwen, Brian P.; Stout, William M.S.; Lin, Han W.

A cybersecurity training environment or platform provides an excellent foundation tool for the cyber protection team (CPT) to practice and enhance their cybersecurity skills, develop and learn new knowledge, and experience advanced and emergent cyber threat concepts in information security. The cyber training platform is comprised of similar components and usage methods as system testbeds which are used for assessing system security posture as well as security devices. To enable similar cyber behaviors as in operational systems, the cyber training platforms must incorporate realism of operation for the system the cyber workforce desires to protect. The system's realism is obtained by constructing training models that include a broad range of system and specific device-level fidelity. However, for cyber training purposes the training platform must go beyond computer network topology and computer host model fidelity - it must include realistic models of cyber intrusions and attacks to enable the realism necessary for training purposes. In this position paper we discuss the benefits that such a cyber training platform provides, to include a discussion on the challenges of creating, deploying, and maintaining the platform itself. With the current availability of networked information system emulation and virtualization technologies, coupled with the capability to federate with other system simulators and emulators, including those used for training, the creation of powerful cyber training platforms are possible.

Stout, William M.S.; Urias, Vincent U.; Van Leeuwen, Brian P.; Lin, Han W.

Abstract not provided.

Proceedings - IEEE Military Communications Conference MILCOM

Van Leeuwen, Brian P.; Stout, William M.S.; Urias, Vincent U.

Moving Target Defense (MTD) is based on the notion of controlling change across various system attributes with the objective of increasing uncertainty and complexity for attackers; the promise of MTD is that this increased uncertainty and complexity will increase the costs of attack efforts and thus prevent or limit network intrusions. As MTD increases complexity of the system for the attacker, the MTD also increases complexity and cost in the desired operation of the system. This introduced complexity may result in more difficult network troubleshooting and cause network degradation or longer network outages, and may not provide an adequate defense against an adversary in the end. In this work, the authors continue MTD assessment and evaluation, this time focusing on application performance monitoring (APM) under the umbrella of Defensive Work Factors, as well as the empirical assessment of a network-based MTD under Red Team (RT) attack. APM provides the impact of the MTD from the perspective of the user, whilst the RT element provides a means to test the defense under a series of attack steps based on the LM Cyber Kill Chain.

Stout, William M.S.; Urias, Vincent U.; Loverro, Caleb

Abstract not provided.

Urias, Vincent U.; Loverro, Caleb

Abstract not provided.

Van Leeuwen, Brian P.; Stout, William M.S.; Urias, Vincent U.

Abstract not provided.

2016 IEEE Symposium on Technologies for Homeland Security, HST 2016

Urias, Vincent U.; Stout, William M.S.; Lin, Han W.

The threat landscape is changing significantly; complexity and rate of attacks is ever increasing, and the network defender does not have enough resources (people, technology, intelligence, context) to make informed decisions. The need for network defenders to develop and create proactive threat intelligence is on the rise. Network deception may provide analysts the ability to collect raw intelligence about threat actors as they reveal their Tools, Tactics and Procedures (TTP). This increased understanding of the latest cyber-Attacks would enable cyber defenders to better support and defend the network, thereby increasing the cost to the adversary by making it more difficult to successfully attack an enterprise. Using a deception framework, we have created a live, unpredictable, and adaptable Deception Environment leveraging virtualization/cloud technology, software defined networking, introspection and analytics. The environment not only provides the means to identify and contain the threat, but also facilitates the ability to study, understand, and develop protections against sophisticated adversaries. By leveraging actionable data, in real-Time or after a sustained engagement, the Deception Environment may be easily modified to interact with and change the perception of the adversary on-The-fly. This ability to change what and where the attacker is on the network, as well as change and modify the content of the adversary on exfiltration and infiltration, is the defining novelty of our Deception Environment.

Urias, Vincent U.; Loverro, Caleb

Abstract not provided.

Proceedings - International Carnahan Conference on Security Technology

Stout, William M.S.; Urias, Vincent U.

Great advances in technology have paved the way for the computerization and interconnectedness of the world around us. The Internet of Things (IoT) describes a network comprised of physical objects or 'things' embedded with electronics, software, sensors and connectivity to achieve greater value and service by exchanging data with manufacturers, users, and/or other connected devices. However, it is often the case that some of these devices are constrained by limited processing power, memory, and power consumption. These limitations may enable adverse effects as the IoT becomes pervasive, reaching into infrastructure, vehicles, and homes. As history has shown, the architects of the Internet were focused primarily on the efficiency and scaling aspects of data transfer protocols; at the dawn of the Internet, network and computer security were vacant research areas. The current trend shows the IoT market growing at an accelerated rate-will security again become an afterthought? The goal of this paper is to provide to not only a better understanding of the various IoT domains, but to survey the shortcomings and challenges to securing IoT devices and their interactions with cloud and enterprise applications.

Proceedings - International Carnahan Conference on Security Technology

Van Leeuwen, Brian P.; Stout, William M.S.; Urias, Vincent U.

Moving Target Defense (MTD) has received significant focus in technical publications. The publications describe MTD approaches that periodically change some attribute of the computer network system. The attribute that is changed, in most cases, is one that an adversary attempts to gain knowledge of through reconnaissance and may use its knowledge of the attribute to exploit the system. The fundamental mechanism an MTD uses to secure the system is to change the system attributes such that the adversary never gains the knowledge and cannot execute an exploit prior to the attribute changing value. Thus, the MTD keeps the adversary from gaining the knowledge of attributes necessary to exploit the system. Most papers conduct theoretical analysis or basic simulations to assess the effectiveness of the MTD approach. More effective assessment of MTD approaches should include behavioral characteristics for both the defensive actor and the adversary; however, limited research exists on running actual attacks against an implemented system with the objective of determining the security benefits and total cost of deploying the MTD approach. This paper explores empirical assessment through experimentation of MTD approaches. The cyber-kill chain is used to characterize the actions of the adversary and identify what classes of attacks were successfully thwarted by the MTD approach and what classes of attacks could not be thwarted In this research paper, we identify the experiment environments and where experiment fidelity should be focused to evaluate the effectiveness of MTD approaches. Additionally, experimentation environments that support contemporary technologies used in MTD approaches, such as software defined networking (SDN), are also identified and discussed.

Proceedings - International Carnahan Conference on Security Technology

Urias, Vincent U.; Stout, William M.S.; Loverro, Caleb

Computer Network Defense (CND) has traditionally been provided using reactionary tools such as signature-based detectors, white/blacklisting, intrusion detection/protection systems, etc. While event detection/correlation techniques may identify threats - those threats are then dealt with manually, often employing obstruction-based responses (e.g., blocking). Literature has shown that as threat sophistication grows, perimeter-planted security efforts are ineffective in combating competent adversaries; malicious actors are already seated behind enterprise defenses, navigating the controls. We have developed a novel approach to CND: the Deception Environment. Under the Deception Environment framework, we have created a live, unpredictable, and adaptable deception network leveraging virtualization/cloud technology, software defined networking, introspection and analytics. The environment not only provides the means to identify and contain the threat, but also facilitates the ability to study, understand, and develop protections against sophisticated adversaries. Its extensibility has enabled us to explore its application as a Moving Target Defense (MTD).

Proceedings - IEEE Military Communications Conference MILCOM

Van Leeuwen, Brian P.; Stout, William M.S.; Urias, Vincent U.

Moving Target Defense (MTD) is the concept of controlling change across multiple information system dimensions with the objective of increasing uncertainty and complexity for attackers. Increased uncertainty and complexity will increase the costs of malicious probing and attack efforts and thus prevent or limit network intrusion. As MTD increases complexity of the system for the attacker, the MTD also increases complexity in the desired operation of the system. This introduced complexity results in more difficult network troubleshooting and can cause network degradation or longer network outages. In this research paper the authors describe the defensive work factor concept. Defensive work factors considers in detail the specific impact that the MTD approach has on computing resources and network resources. Measuring impacts on system performance along with identifying how network services (e.g., DHCP, DNS, in-place security mechanisms) are affected by the MTD approach are presented. Also included is a case study of an MTD deployment and the defensive work factor costs. An actual experiment is constructed and metrics are described for the use case.

Clem, John F.; Urias, Vincent U.; Atkins, William D.; Symonds, Christopher J.

Sandia National Laboratories has funded the research and development of a new capability to interactively explore the effects of cyber exploits on the performance of physical protection systems. This informal, interim report of progress summarizes the project’s basis and year one (of two) accomplishments. It includes descriptions of confirmed cyber exploits against a representative testbed protection system and details the development of an emulytics capability to support live, virtual, and constructive experiments. This work will support stakeholders to better engineer, operate, and maintain reliable protection systems.

Stout, William M.S.; Urias, Vincent U.; Van Leeuwen, Brian P.

Abstract not provided.

Clem, John F.; Atkins, William D.; Urias, Vincent U.

Abstract not provided.

Wright, Brian J.; Urias, Vincent U.; Van Leeuwen, Brian P.; Stout, William M.S.

Abstract not provided.