The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) works closely with private business and academic partners to evolve the traditional reactive cyber defense approach to one that is more collaborative, proactive and timely. This work on a new cybersecurity paradigm could eliminate some of the manual steps in cyber protection and enable effective collective defense.
Traditionally, a system identifies a breach in a single network, and analysts mitigate the vulnerability. S&T recently demonstrated a new Federated Command and Control (FC2) infrastructure with the Florida Institute of Technology (FIT) that can protect a multitude of organizations at once—a federation. FC2 protects a federation from potential threats using a variety of preventative measures and automated responses where malicious activity is detected, shared and mitigated.
FC2 moves beyond simple threat information sharing by utilizing existing sensors and techniques to detect and mitigate suspected malicious activity. It allows federated organizations with shared interests to collaboratively identify threat and attack indicators, recommend defenses and evaluate playbooks all in a semi-automatic manner.
The demo began with Edward Rhyne, S&T Program Manager for Federated Security, highlighting work between S&T and FIT to pilot the infrastructure as well as the benefits of a federated cybersecurity system that has the ability to orchestrate defense protocols. During the demo, a mix of physically separated hardware network spaces and virtualized enclaves automatically joined to form federations. These federations then automatically shared attack indicators, recommended and applied defensive responses, and performed various privacy-preserving joint calculations.
S&T and partners had previously set up a federated environment at FIT composed of organizations exposed to simulated attacks. The system successfully responded to those attacks through the environment’s command and control functions.
“The federation should enable defenders to get ahead of the spread of malicious activity,” Rhyne said.
Automating communication between organizations in a federated environment is a more efficient and effective method of alerting the different groups when they may be vulnerable to cyberattacks. Rather than simply sharing indicators without context, the system can autonomously share them with context and recommend necessary actions to prevent or mitigate the effects of a potential attack.
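The following is an added illustration of the sharing model described above, not code from S&T, FIT or the FC2 infrastructure. It models a federation whose members publish indicators enriched with context (what was observed, the source's confidence, a recommended playbook action) and whose receivers apply their own policy: automatically apply responses they trust, queue the rest for analyst review, and never act on a bare indicator with no context. The confidence scale, thresholds, action names and sample indicator values are assumptions chosen for the example.

```python
"""Federated indicator sharing with context and semi-automatic response.

Toy model (added example, not DHS S&T or FIT code). Members of a federation
publish attack indicators enriched with context and a recommended playbook
action; each receiving member applies its own local policy.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    """Recommended defensive playbook actions (names assumed for the example)."""
    BLOCK_IP = "block_ip"
    QUARANTINE_HOST = "quarantine_host"
    ALERT_ONLY = "alert_only"


@dataclass(frozen=True)
class Indicator:
    value: str            # e.g. an IP address or hostname (constructed samples below)
    kind: str             # "ipv4", "domain", "sha256", "hostname"
    source: str           # publishing federation member
    confidence: float     # 0.0 - 1.0, assigned by the source (assumed scale)
    context: str          # what was observed; empty string = bare indicator
    recommended: Action   # the source's recommended playbook action


@dataclass
class Member:
    """One federated organization and its local response policy."""
    name: str
    auto_threshold: float = 0.8                      # minimum confidence to auto-apply
    allowed_auto: set = field(default_factory=lambda: {Action.BLOCK_IP, Action.ALERT_ONLY})
    blocklist: set = field(default_factory=set)      # applied network blocks
    review_queue: list = field(default_factory=list) # indicators awaiting an analyst
    alerts: list = field(default_factory=list)       # human-readable audit trail

    def receive(self, ind: Indicator) -> str:
        """Apply local policy to a shared indicator; return what was decided."""
        if ind.source == self.name:
            return "ignored_own"                      # don't re-process our own report
        if not ind.context:
            self.review_queue.append(ind)             # context-free indicators are never auto-applied
            return "queued_no_context"
        if ind.confidence >= self.auto_threshold and ind.recommended in self.allowed_auto:
            self._apply(ind)
            return "auto_applied"
        self.review_queue.append(ind)                 # disruptive or low-confidence: human decides
        return "queued_for_review"

    def _apply(self, ind: Indicator) -> None:
        if ind.recommended is Action.BLOCK_IP:
            self.blocklist.add(ind.value)
        self.alerts.append(f"{ind.kind}:{ind.value} from {ind.source}: {ind.context}")


class Federation:
    """Fan-out of a published indicator to every member; each decides locally."""
    def __init__(self) -> None:
        self.members: dict = {}

    def join(self, member: Member) -> None:
        self.members[member.name] = member

    def publish(self, ind: Indicator) -> dict:
        return {name: m.receive(ind) for name, m in self.members.items()}


def demo() -> dict:
    """Run three constructed indicators through a three-member federation."""
    fed = Federation()
    fed.join(Member("org-a"))
    fed.join(Member("org-b"))
    fed.join(Member("org-c", auto_threshold=0.95))  # more conservative member
    # Constructed sample indicators (documentation-range addresses, not real IoCs)
    with_ctx = Indicator("198.51.100.7", "ipv4", "org-a", 0.9,
                         "repeated SSH brute force followed by outbound beaconing",
                         Action.BLOCK_IP)
    bare = Indicator("203.0.113.9", "ipv4", "org-b", 0.9, "", Action.BLOCK_IP)
    risky = Indicator("host-17", "hostname", "org-a", 0.99,
                      "ransomware staging binary observed", Action.QUARANTINE_HOST)
    return {
        "with_ctx": fed.publish(with_ctx),
        "bare": fed.publish(bare),
        "risky": fed.publish(risky),
        "org_b_blocklist": set(fed.members["org-b"].blocklist),
        "org_c_queue": len(fed.members["org-c"].review_queue),
    }


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, outcome)
```

The design point is that sharing is automated but response is only semi-automatic: a block on a well-evidenced IP can be applied without a person in the loop, while a host quarantine, a low-confidence report, or an indicator without context lands in a review queue. Each member keeps its own threshold and allowed-action set, so one organization's risk appetite does not dictate another's.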