There already are battles in cyberspace. The Defense Information Systems Agency (DISA) has got the warriors — and the weapons — to prove it. And just as in kinetic war, it takes constant adaptation, new strategies, tactics and weapons to engage adversaries whose own means and methods are constantly changing.
DISA’s Acropolis is the infrastructure upon which the agency runs its platforms and tools – the weapons – to track down and fight off opponents.
“This division has been working with Acropolis since it was invented about 15 years ago,” said DISA’s Dr. Jim Travis, chief of the Cyber Situational Awareness/Cyber NetOps Solution Division. “It’s lots and lots of servers that we run defensive cyber solution operations on top of. … Acropolis is a stack of things, with specialists at each layer.”
The Big Data Platform (BDP), the layer immediately above Acropolis, provides a common computing solution that can ingest, store, process, share and visualize multiple petabytes of data drawn from the Department of Defense Information Network (DoDIN): sources such as the Joint Regional Security Stacks, the Defense Information Systems Network (DISN) Operational Support System, enclaves and endpoints, and gateways. It provides the network of alerts that notify DISA when something is wrong.
“We do, in fact, use commercial threat intelligence sources, and we have one vendor that does external scanning of the DoD space, [the kinds of] things adversaries might do so we can have context for how well we’re preparing. … We can’t wait until they get to our doorstep.”
“I have [ten] different platforms for ingesting data,” Travis said. “There are different security classifications, different need-to-knows, different accreditation boundaries, so we have different domains.” DISA is looking at ways to collapse those into a smaller number; it won’t save money, he said, since the amount of data in storage will stay the same, “but it allows me to increase the potential surface of what can be correlated.”
The third layer is Cyber Situational Awareness Analytic Capability, or CSAAC, the collection of tools – weapons – to respond to threats and provide a common situational awareness across DoDIN Operations and Defense Cyberspace Operations. “The tools are of limited value unless they’ve been set up to be used by warfighters,” Travis said. Data scientists, visualizers and others with specific cyber and programming skills work with warfighters to find the solutions they need and deploy them.
The agency is looking to expand Acropolis’ capabilities by incorporating commercial cloud on an as-needed basis.
“Some of the kinds of queries that need to be run need more compute [power] than we can have standing around idle,” Travis explained, “so we’re redesigning to take advantage of cloud providers, [so that] we can spin up, then turn off. … My branch chief can’t get a thousand cores to show up in 10 seconds.”
Another area DISA is evolving toward is a DevOps approach, in order to create tools more quickly, using a new open-source environment called Zeppelin.
“My target is four days from requirement to development to production,” he said. “From a pure analytics approach, that’s the way ahead.”
This sounds like a straightforward operation, until one considers the vast scope of the threats.
“In our number one application right now, we have 219,532 [threat] indicators,” he said, “102,732 countermeasures are approved for use. This is from 150 different reporting sources, with 10,157 active or passive detection signatures, more than a million attributes.”
With waves of threats of that magnitude, machine learning and artificial intelligence come into play.
When a sensor detects a threat indicator, an alert is sent upstream, where the threat is checked against countermeasures that have already been approved; if an approved countermeasure exists, the system itself releases the counterattack order. If there is no approved countermeasure, the alert is sent to another division for a human to decide what response is appropriate.
“There will come a day when there’s a cyber war with machines fighting machines,” Travis said. “We’re doing some [now], but only against known attack sources. If you want to deal with the unknown unknowns, you want to get [auto] orchestration. But it’s still going to be a warfighter decision whether to turn it on or not, [and] once it’s turned on, it will allow the warfighter to make tweaks to allow the good guys through.”
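The alert-routing flow described above (approved countermeasure released automatically, everything else queued for a human, plus the operator "tweaks" that let known-good sources through), modelled as a small added Python example; this is illustrative code written for this article, not DISA's or CSAAC's own software, and every indicator, sensor name and countermeasure in it is a constructed placeholder.

```python
from dataclasses import dataclass
from enum import Enum

class Disposition(Enum):
    AUTO_RELEASED = "approved countermeasure released automatically"
    HUMAN_REVIEW = "no approved countermeasure; queued for an analyst"
    SUPPRESSED = "indicator allowlisted by an operator; no action taken"

@dataclass
class Alert:
    indicator: str   # a hash, domain, address or signature id (constructed below)
    source: str      # the reporting sensor (constructed below)

class ResponseOrchestrator:
    def __init__(self, approved, allowlist=()):
        self.approved = dict(approved)    # indicator -> approved countermeasure
        self.allowlist = set(allowlist)   # operator tweaks that let the good guys through
        self.review_queue = []            # alerts awaiting a human decision
        self.audit = []                   # every decision recorded for later review

    def handle(self, alert):
        if alert.indicator in self.allowlist:
            disposition, action = Disposition.SUPPRESSED, None
        elif alert.indicator in self.approved:
            disposition, action = Disposition.AUTO_RELEASED, self.approved[alert.indicator]
        else:
            disposition, action = Disposition.HUMAN_REVIEW, None
            self.review_queue.append(alert)
        self.audit.append((alert.indicator, alert.source, disposition.name, action))
        return disposition, action

    def approve(self, indicator, countermeasure):
        # The human decision feeds back: later alerts on this indicator are automatic.
        self.approved[indicator] = countermeasure
        self.review_queue = [a for a in self.review_queue if a.indicator != indicator]

# Constructed sample data: placeholder indicators, sensors and countermeasure names.
APPROVED = {"evil.example": "block-dns", "sha256:deadbeef": "quarantine-file"}
ALLOWLIST = {"partner.example"}
SAMPLE_ALERTS = [Alert("evil.example", "sensor-east"), Alert("partner.example", "sensor-east"),
                 Alert("198.51.100.7", "gateway-3")]

def run_sample():
    orch = ResponseOrchestrator(APPROVED, ALLOWLIST)
    results = [orch.handle(a)[0].name for a in SAMPLE_ALERTS]
    pending = len(orch.review_queue)                 # unknown indicator waits for a human
    orch.approve("198.51.100.7", "block-ip")         # analyst approves a countermeasure
    after = orch.handle(Alert("198.51.100.7", "gateway-3"))[0].name
    return results, pending, after
```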