Information Security for Situational Awareness in Computer Network Defense

Uri Blumenthal (MIT Lincoln Laboratory, USA), Joshua Haines (MIT Lincoln Laboratory, USA), William Streilein (MIT Lincoln Laboratory, USA) and Gerald O’Leary (MIT Lincoln Laboratory, USA)
DOI: 10.4018/978-1-4666-0104-8.ch006
Situational awareness, the perception of “what is going on”, is crucial in every field of human endeavor, and especially so in the cyber world, where most of the protection afforded by physical time and distance is taken away. Since ancient times military science has emphasized the importance of preserving your own awareness of the battlefield while preventing your adversary from learning the true situation for as long as possible. Today cyber is officially recognized as a contested military domain like air, land, and sea. Situational awareness in computer networks will therefore come under attack of military strength and will require military-grade protection. This chapter describes the emerging threats to computer SA and the potential avenues of defense against them.
Chapter Preview

Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.

Sun Tzu, The Art of War

Situational Awareness (SA) is the knowledge or perception of “what is going on” around you in time and space, a perception that is both accurate and timely (definition based on (Endsley, 1995) and (Fracker, 1991)). Having Situational Awareness is crucial in every field or occupation known to mankind. SA is especially important in combat applications, as the price exacted for a lack of awareness is often very severe.

Closely related to the knowledge of what is going on now is the ability to determine trends and predict what is likely to happen in the future.

The merging of, and bridging between, the Kinetic (“real”, “physical”) and Cyber (“virtual”, “electronic”, “computer”) worlds started some time ago and is on the rise. Not only the military, but also many critical infrastructures and systems – banking, the power grid, and air traffic control, to name a few – are permeated by computers and are interconnected. The battlefield in the Cyber domain therefore requires at least as much defensive effort as the other domains (Land, Sea, Air and Space), or even more, because an attack in the Cyber domain is easy to launch and hard to attribute, which makes a response (and deterrence!) much harder.

Traditionally Situational Awareness was a factor in human decision-making. Today, with the time window available for reaction in the Cyber domain being so narrow, we must also consider Situational Awareness for automatic systems and algorithms, as humans would not be able to react quickly enough to deal with some computer attacks.

John Boyd (Boyd, 1995) introduced the OODA loop (Observe, Orient, Decide and Act) – a concept ruling strategic thinking in both military and business. In a conflict situation the consistency and integrity of the OODA loop will be challenged by the adversary, whose goals are to gain understanding of our intentions while obscuring his own.

This leads to the need to protect our OODA loop – and its SA part in particular – by means of Information Security.

We assume that the “first half” of the OODA loop comprises detectors that provide raw data, and processors that “digest” the raw information and create the CND SA picture for the network operators and/or automatic “first-response” programs, as shown in Figure 1.

Figure 1.

Relationship between defended network and SA system

Figure 1 shows the overlap between the SA system and the network it monitors. For security reasons it may be beneficial to place the critical components of SA outside the network being observed, which puts the SA system out of reach of direct network-borne attacks. Note that the detectors, and the channel carrying their reports out of the network, necessarily remain exposed, so that channel and the reports on it still need protection.

We assume that the components of the network are protected, and individual detectors monitor those components. The components and detectors are assumed to work, but not perfectly. They are subject to both misses and false alarms. The detectors themselves may be attacked by the adversary, who can cause them to fail or deliver misleading information.
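The following is an added example, not code from the chapter or from MIT Lincoln Laboratory, illustrating one way the SA processor can apply Information Security to the detector reports described above. Every detector holds its own secret key (the keys, detector names, hosts and alerts here are constructed), signs each report with HMAC-SHA256, and numbers its reports so that replayed copies are detected. The collector, sitting outside the monitored network, rejects forged and replayed reports and then fuses the survivors with a quorum rule so that a single detector's false alarm does not enter the SA picture. The quorum value is an assumption that trades misses for false alarms, which is exactly the compromise the text says a designer has to choose.

```python
"""Integrity-protected detector reports fused by quorum (added example)."""
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed, per-detector secret keys. Assumption: each detector shares a
# distinct key with the SA collector, provisioned out of band, so that one
# compromised detector cannot forge reports in another detector's name.
DETECTOR_KEYS = {
    "ids-1": b"constructed-key-ids-1",
    "ids-2": b"constructed-key-ids-2",
    "ids-3": b"constructed-key-ids-3",
}


def canonical(body):
    """Serialise a report body deterministically so signer and verifier agree."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_report(detector, key, seq, host, alert):
    """Detector side: attach an HMAC-SHA256 tag over the report body.

    seq is a per-detector monotonically increasing counter that lets the
    collector reject replays of old, genuinely signed reports.
    """
    body = {"detector": detector, "seq": seq, "host": host, "alert": alert}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class SACollector:
    """SA side: verify each report, then fuse survivors with a quorum rule."""

    def __init__(self, keys, quorum):
        self.keys = keys
        self.quorum = quorum
        self.last_seq = {}   # detector -> highest sequence number accepted
        self.accepted = []   # verified report bodies
        self.rejected = []   # (detector, reason) kept for the audit trail

    def ingest(self, report):
        body, tag = report["body"], report["tag"]
        detector = body.get("detector")
        key = self.keys.get(detector)
        if key is None:
            self.rejected.append((detector, "unknown detector"))
            return False
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            self.rejected.append((detector, "bad tag"))
            return False
        if body["seq"] <= self.last_seq.get(detector, -1):
            self.rejected.append((detector, "replay"))
            return False
        self.last_seq[detector] = body["seq"]
        self.accepted.append(body)
        return True

    def picture(self):
        """Return {(host, alert): [detectors]} for alerts confirmed by at least
        `quorum` distinct detectors; a lone report (possible false alarm) is
        held back from the picture."""
        votes = defaultdict(set)
        for body in self.accepted:
            votes[(body["host"], body["alert"])].add(body["detector"])
        return {k: sorted(v) for k, v in votes.items() if len(v) >= self.quorum}


def run_demo():
    """Feed a constructed mix of genuine, forged, replayed and lone reports."""
    collector = SACollector(DETECTOR_KEYS, quorum=2)
    reports = [
        sign_report("ids-1", DETECTOR_KEYS["ids-1"], 1, "10.0.0.5", "port-scan"),
        sign_report("ids-2", DETECTOR_KEYS["ids-2"], 1, "10.0.0.5", "port-scan"),
        sign_report("ids-3", DETECTOR_KEYS["ids-3"], 1, "10.0.0.5", "port-scan"),
        # An attacker inside the monitored network forges a report in ids-1's
        # name to plant a false alarm, but does not hold ids-1's key.
        sign_report("ids-1", b"attacker-guess", 2, "10.0.0.9", "port-scan"),
        # A genuine earlier report captured on the wire and replayed.
        sign_report("ids-2", DETECTOR_KEYS["ids-2"], 1, "10.0.0.5", "port-scan"),
        # A single detector reports malware on another host: below quorum.
        sign_report("ids-3", DETECTOR_KEYS["ids-3"], 2, "10.0.0.7", "malware"),
    ]
    for report in reports:
        collector.ingest(report)
    return collector.picture(), collector.rejected


if __name__ == "__main__":
    confirmed, rejected = run_demo()
    print("confirmed:", confirmed)
    print("rejected:", rejected)
```

Run stand-alone, the port scan on 10.0.0.5 is confirmed by all three detectors, the forged and replayed reports are logged as rejected, and the lone malware report on 10.0.0.7 is withheld from the picture. A quorum does not make the fusion immune to a compromised detector that is still correctly signing; it only raises the number of detectors the adversary has to subvert, which is the residual risk the designer accepts in exchange for fewer false alarms.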

This chapter describes the security needs of a Situational Awareness system, mentions the basic techniques that can be applied to meet them, and discusses some of the issues. It weighs the advantages and benefits of certain approaches and solutions against the cost of maintaining them, the difficulty of implementing them, and the difficulty of obtaining the desired degree of reliability. Rather than being a guide for an IT manager or Network Security administrator, this section is meant as a sounding board for a scientist who pushes to expand the boundaries of the Computer Network Defense field, or a designer who evaluates his or her options to decide on the acceptable set of compromises (residual risks) for a given system. We hope that the following discourse brings to light what the designer should pay attention to.
