Annual Computer Security Applications Conference (ACSAC) 2020


Case Studies 2

Friday, 11 December 2020
11:30 - 12:45

Chair: Saurabh Shintre

Anchoring Trust in a Totally Open Platform, Elaine R Palmer and George Wilson

Abstract: Can a system be totally open at the same time that it is secure? IBM® teams from research, development, and manufacturing succeeded in creating a system with an open hardware design that runs open firmware and software. From power-on through the host operating system, everything about the IBM® Power System™ AC922 is open. This presentation discusses a few of the security problems faced by our teams and how we solved them. We chose the following ones to present, so that others could learn from our experiences, or simply because misery loves company, as the saying goes.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

IBM, the IBM logo, and Power System are trademarks of IBM Corp., registered in many jurisdictions worldwide.

Biography: Elaine Palmer is a Senior Technical Staff Member at the IBM T.J. Watson Research Center. Her current interests are in extending principles of secure boot, measured boot, and attestation to subsystems of high availability cloud and enterprise servers. She participates in the Open Compute Project's Security and Open System Firmware projects.

George Wilson is a security architect and security development team lead in IBM's Linux Technology Center. Since joining the LTC in 2004, he has led IBM's Linux security certifications and the continued development and product exploitation of open source security technology including cryptographic coprocessor support, Trusted Computing, and Mandatory Access Control.

Chris Engel is a security architect and team lead in the Power Hypervisor Development team. He is involved in server firmware security aspects including secure and trusted boot of host and BMC firmware and other system peripherals.

Nayna Jain is a software designer and developer at the IBM Linux Technology Center. She is involved in the secure and trusted boot development in IBM for OpenPOWER. Her experience is in the Linux Kernel security subsystem, secure boot, trusted computing, and security advocacy.

Incident Response Planning for Election Cybersecurity: Designing a Workshop for County Clerks, Tom Edelberg and Mark Bruhn

Abstract: There is a growing need to address election cybersecurity incidents at the county-level. In an effort to engage every county clerk and their staff to mitigate cybersecurity threats, we developed and delivered Incident Response Planning (IRP) workshops to county clerks across the State of Indiana. The purpose was to enable counties to begin building an IRP team to respond to and mitigate threats to election security and bolster voter confidence. In this paper, we describe the evolution of this IRP workshop, including the initial design decisions made, the outreach and access to participants and context, and the constraints encountered, as well as the modules, illustrative scenarios, and playbook templates provided to participants to help them develop IRPs according to their particular county context. This case study focuses on the design, development, and deployment of the workshop, as well as the participant feedback that unearthed new considerations for the next iteration of the workshop. We end with a reflection on insights gleaned from the process and a discussion of developing an online component including a virtual workshop and recorded webinar.

Biography: Tom Edelberg – Tom is a postdoctoral researcher at the Center for Applied Cybersecurity Research (CACR). He holds a Ph.D. in Instructional Systems Technology from Indiana University. His research centers on instructional design and technology, with a particular interest in assessing methods of instruction with technology to achieve measurable learning outcomes, as well as evaluating and refining such methods. Recent research activities include advancing knowledge about integrating digital technologies to support instructional settings, both face-to-face and online.

Mark Bruhn - Mark is an adjunct faculty member in the Indiana University School of Informatics and Computing and contributes to student education in cybersecurity and other assurance topics through guest lectures and course development. Mark also serves in the Office of the Vice President for University Regional Affairs Planning and Policy (OVPURAPP), in which he provides executive leadership and oversight for and advises the Vice President and President on issues related to: emergency preparedness, planning, and response; policing and community safety; homeland security; emergency communications; business and academic continuity; physical security of facilities; and environmental health and safety.


Summarizing Intrusion Alerts to Attack Models for Higher-Ed SOC, Shanchieh (Jay) Yang, Ryan Kiser, Emily Adams, and Scott Orr

Abstract: Critical and sophisticated cyberattacks often take multitudes of reconnaissance, exploitation, and obfuscation techniques to penetrate well-protected enterprise networks. The discovery and detection of attacks, though needing continuous effort, is no longer sufficient. Security Operation Center (SOC) analysts are overwhelmed by the significant volume of intrusion alerts without being able to extract actionable intelligence. Recognizing this challenge, PI Yang’s research group developed ASSERT (Attack Strategy Synthesis for Enhanced Threat Recognition) to summarize intrusion alerts into statistical “attack models” to assist SOC analysts in comprehending ongoing and emerging attacks in a timely manner [1,2]. Since fall of 2019, PI Yang has been collaborating with the Center for Applied Cybersecurity Research (CACR) and OmniSOC at Indiana University to deploy ASSERT into a test environment where it can consume anonymized OmniSOC intrusion alerts. The collaborative effort has morphed ASSERT into a truly unsupervised learning system that processes streaming alerts to generate and update empirical attack models based on information-theoretic measures. Instead of viewing and sorting through the large number of alerts, SOC analysts can focus on diagnosing and comparing a few critical attack models and derive timely incident reports and recommended defense postures. This case-study presentation will demonstrate ASSERT and several attack models found through the collaborative effort. With information-theoretic measures, each attack model is accompanied by characterizing features in “Attack-Intent-Stage” [3], targeted services, time elapsed, and target maneuvers. Such a summary enables SOC analysts to quickly identify and examine indicators of compromise as well as the “attack behaviors” through a custom visualization of the attack models.
By sharing the lessons learned, we will discuss the benefits, limitations, and opportunities in the paradigm shift to analyze “attack models” generated by machine learning techniques instead of “intrusion alerts”. We will plan for an engaging case-study team presentation and show the interactive attack models to ACSAC participants to generate a lively conversation about the paradigm shift.

[1] A. Okutan and S. J. Yang, “ASSERT: Attack Synthesis and Separation with Entropy Redistribution towards Predictive Cyber Defense”, Springer Journal on Cybersecurity, 2:15, May 2019.

[2] A. Okutan, F.-Y. Cheng, S.-H. Su, and S. J. Yang, “Dynamic Generation of Empirical Cyberattack Models with Engineered Alert Features,” in Proceedings of IEEE MILCOM, November 12-14, 2019, Norfolk VA, USA.

[3] S. Moskal and S. J. Yang, “Cyberattack Action-Intent-Framework for Mapping Intrusion Observables,” arXiv:2002.07838 [cs.CR]

Biography: S. Jay Yang received his MS and Ph.D. degrees in Electrical and Computer Engineering from the University of Texas at Austin in 1998 and 2001, respectively. He is currently a Professor in the Department of Computer Engineering and Director of Global Outreach for the Global Cybersecurity Institute at Rochester Institute of Technology. He and his research group have developed several pioneering machine learning, attack modeling, and simulation systems to enhance cyber situational awareness and enable anticipatory cyber defense. His earlier works included FuSIA, VTAC, ViSAw, F-VLMM, and attack obfuscation modeling. His recent works include ASSERT, which employs information-theoretic unsupervised learning to provide timely generation and synthesis of attack models; CASCASE, which simulates cyberattack scenarios by integrating data-driven and theoretically grounded understanding of adversary behaviors; and CAPTURE, which forecasts cyberattacks before they happen using unconventional signals from open sources. He was one of the six NSF Trusted CI Fellows in 2019, and received the IEEE Region 1 Outstanding Teaching in an IEEE Area of Interest Award – for outstanding leadership and contributions to cybersecurity and computer engineering education.

Ryan Kiser is a Senior Security Analyst at the Indiana University Center for Applied Cybersecurity Research. Ryan has worked on information security projects across a wide variety of domains including leading efforts to assess and improve the security of automotive systems, performing risk assessments for university central IT systems and research cyberinfrastructure, and supporting researchers in efforts to adhere to regulated data requirements such as HIPAA, FISMA, and various CUI requirements. Ryan has been heavily involved in organizations serving information security needs for higher-ed and national research communities. Some of these include the Open Science Grid (OSG) as a member of the OSG Security Team, the NSF Cyberinfrastructure Center of Excellence Pilot as a member of the identity management working group, and Trusted CI where he works to assist NSF-funded research projects in improving their security posture.

Emily K. Adams is a Principal Security Analyst at the Indiana University Center for Applied Cybersecurity Research (CACR). Emily’s career includes serving IU’s University Information Security Office (UISO) as a Lead Security Engineer focused on protecting and defending the university’s information technology environment, with expertise in security consulting, network intrusion detection and analysis, incident response, and security systems administration. Emily also worked with the Department of Defense as an Information Analyst integrating NIST security controls into the FISMA certification and accreditation process for strategic information systems. Prior to her work with the DoD, she served IU's University Information Technology Services (UITS) for over eleven years in project management, systems administration, and client support. She holds a Bachelor of Arts in Sociology from Indiana University and a Master of Science in Secure Computing from the Luddy School of Informatics, Computing, and Engineering at Indiana University.

Scott Orr is the SOC Operations Manager with the IU-based OmniSOC, a shared cybersecurity operations center for higher education. Founded by Northwestern University, Purdue University, Rutgers University, the University of Nebraska-Lincoln, and Indiana University, this pioneering initiative strives to help higher education institutions reduce the time from first awareness of a cybersecurity threat anywhere to mitigation everywhere for members. Scott oversees a team of security engineers tasked with analyzing security and network event telemetry for indications of compromise. When security issues are discovered, this team works with the member SOCs to mitigate those incidents. Prior to joining OmniSOC, Scott spent 30 years as an IT manager for the Indianapolis campus Schools of Science and Engineering & Technology, overseeing server and research computing needs for school academic and research missions. Over the last 20 years, he has also been part-time faculty for both schools, developing and teaching courses in system administration and security.
