In today’s cyber security environment there is no way to prevent a determined intruder from getting into a network as long as one allows e-mail and web surfing. The reasons for this are due to the majority of information assurance architectures rely on patching and configuration control for protection. It also relies on signatures for both protection and detection. Therefore, when you have to let the attack vector (an e-mail or a web address) past your perimeter to the desktop, you are virtually guaranteed to have successful penetrations. Raytheon thus believes the best way to address this is to recognise that attackers will get into your network and expand our defensive actions to detect, disrupt, and deny attacker’s command and control (C2) communications back out to the network. Such a strategy focuses on identifying the websites and IP addresses that attackers use to communicate with malicious code already infiltrated onto our computers. While some of these sites are legitimate sites which have been compromised, the majority are usually new domains registered by attackers solely for the purposes of command and control. There is little danger of unintended consequences from blocking these websites and their associated IP addresses for outbound traffic. Raytheon has had success with this strategy, but it requires a significant investment. It is of primary importance to measure the threat is the intruder’s dwell time in the network then the number of penetrations thus the effort should be for making the effective dwell time zero.

Dwell Time

There are two ways to reduce the dwell time of an intruder, both of which are being pursued by Raytheon. The first is to detect the malicious outbound traffic in a network but requires a large investment. The other method is collaboration with other operational entities which is affordable by all. Many other organisations regularly report C2 channels which can be shared with others formally or informally through Information sharing and analysis centres, defence industrial base cyber task force, infraguard, etc. It is in the collaboration realm that Raytheon believes there is an opportunity for a national scale effort that can turn collective effort to our advantage in the cyber battle.

While there is no national-scale framework in place, there is a model that has already proven effective fighting other cyber security problems. The model involves a set of trusted entities developing threat information and reporting voluntarily (with non-attribution) to a central source, which consolidates the information and rapidly disseminates it to a very large user community which is already being used for the highly successful antivirus and spam filtering industries. Raytheon proposes the same model be used to disseminate information on attacker C2 URLs and IP addresses and automatically block outbound traffic to them. If attackers get into your network but cannot get back out the attack is effectively thwarted.

Raytheon thus proposes a model for setting up a National Cyber Threat Protection Service to implement a C2 disruption strategy. The model includes positive incentives for every participant. This is a voluntary Industry-Government Cooperative Model for Disrupting Malicious Cyber Command and Control which involve three types of entities:

• Threat Reporters. Threat reporters are organisations with the detection and analytical capability to discover command and control sites via malware reverse engineering or traffic analysis. Organisations, be they commercial, private, or governmental, would apply to be certified as threat reporters and have their reports of C2 channels accepted as valid.
  Some third party, presumably a government entity, an industry consortium or some hybrid of the two, would be responsible for certifying potential threat reporters against a moderate standard of inhouse capabilities.
• National Cyber Threat Response Centre (NCTRC). The role of the NCTRC is to serve as a central threat clearing house for processing reports of C2 URLs and IP addresses from threat reporters and rapidly distributing them to the community of firewall device vendors. By having a central point disseminating the information to all vendors equally we avoid the problem we face with antivirus today where not all vendors detect all threats. The NCTRC would also deconflict erroneous reporting that resulted in disruption to legitimate activities. The NCTRC would maintain a ‘reputation index’ (e.g. credibility rating) for each reporter much like seller ratings on eBay. By this feedback loop a threat reporter could be decertified (i.e. no longer have their reports accepted or be able to claim Threat reporter status in their marketing). The NCTRC must be a single organisation focused on rapid dissemination of actionable information.
• Firewall Vendors. Vendors for firewall devices (the term here being used in its most generic sense) would accept the new threat information and push it out to their devices in the field the same way antivirus and spam filtering vendors push new definitions today. Producers of devices that are capable of blocking outbound web traffic would accept the data from the clearing house, reformat it as appropriate for their device, and push it out to their customers as quickly as possible. Traditional desktop or network firewalls, web proxies, and routers would all be capable of performing this function, thus giving network owners a wide variety of products from which to select based on their architecture and investment tolerance. The vendors would differentiate themselves from each other not only on price, but also on their speed of updates and value-added services such as the ability of their customers to manually override the lists or their ability to provide reports to network owners.

Common Operational Picture

Perhaps one of the key side benefits of this model is that it could be the basis of a true Common Operational Picture (COP). If every firewall device supporting this model not only blocked the outbound traffic, but also—again, voluntarily—reported back to the clearing house that there was a blocked C2 attempt from their IP address it would, given the potentially hundreds of thousands of devices reporting in, represent a very accurate picture of the scope of any given attack or campaign. For example if the IP space of all nuclear power plants is known, a COP could show attempts to access the same C2 sites from multiple power plants which could indicate a concerted effort to compromise the plants.

Risks

The main risk associated with this model is the risk of blocking a legitimate website that has been taken over by an attacker for use as a C2 site or downloader site but this risk will be small compared to the gain.