SBIR-STTR Award

Combat System Cyberspace Operations Module (CSCOM)
Award last edited on: 3/22/2023

Sponsored Program: SBIR
Awarding Agency: DOD : Navy
Total Award Amount: $140,000
Award Phase: 1
Solicitation Topic Code: N221-050
Principal Investigator: David McDaniel

Company Information

Silver Bullet Solutions Inc

4747 Morena Boulevard Suite 350
San Diego, CA 92117
   (703) 892-6062
   bethm@silverbulletinc.com
   www.silverbulletinc.com
Location: Multiple
Congr. District: 51
County: San Diego

Phase I

Contract Number: N68335-22-C-0623
Start Date: 8/8/2022    Completed: 2/11/2023
Phase I year: 2022
Phase I Amount: $140,000
Cyber threat hunting is defined in current standards as a proactive search capability in organizational systems to search, detect, track, identify, and disrupt advanced persistent cyber threats. While emerging control system architectures support cyber hygiene and rudimentary defense and response, well-tailored cyber-attacks remain elusive to current detection technology. The next generation of surface tactical platforms is heavily reliant on computer and network technology for combat systems and navigation functions, leading to a growing concern of cyberattacks at sea. We propose a Combat System Cyberspace Operations Module (CSCOM) comprised of an integrated estimation process coupled with a sensor/source management process that has matured over a series of programs, coupled with Elastic's established and ever-evolving cyberspace capabilities. This integrated approach addresses the various functions which need to be integrated into a complete real-time analysis process. Leveraging and adapting the Data Fusion (DF) Level 0-3 functions of Silver Bullet's Phase II SBIR Cyber Ontology and Data Fusion project at the Army Intelligence and Information Warfare Directorate (I2WD) will provide three functions: 1) make inferences from combat system (CS) cyber sensors and source data to possible threat objects and events, 2) develop linkages between them, and 3) assert predictions about those objects and events. The Resource Manager (RM) Level 4 DF function exploits an information-theoretic approach that optimizes data/information collection to disambiguate DF hypotheses utilizing data-pull. This process, called Information Based Cyber Sensor/Source Management (IBCSM), measures information by the expected decrease in uncertainty in the object or event hypotheses to maximize the expected information value rate (EIVR) through sensor cues and source requests.
DF and RM algorithms are wrapped by Elastic's cyber threat capabilities, which are well-known at the enterprise level and in many commercial spaces. In CSCOM, Elastic's device interfaces and normalizations support MOSA through use of open cyber data standards such as Elastic Common Schema, Schema One, or Structured Threat Information Expression (STIX) and could be adapted to Navy cyber schemas such as the NAVWAR MBSE Cybersecurity Schema. As well, Elastic's cyber displays and UI can be adapted to the CS displays using Navy MBSE and DevSecOps environments and tools for renowned cyberspace situation awareness of threats, ownforce condition, and planned or ongoing cyberspace operations and mitigations.

Benefit:
The Combat System is an Industrial Control System (ICS), specifically a Supervisory Control and Data Acquisition (SCADA) system, such as those in factories, utilities, and automated warehouses. Another type, Programmable Logic Controllers (PLC), can control a few to thousands of input/output interfaces. Related in the medical community are facilities where many devices can be categorized as Internet of Things (IoT). Like the Combat System, the diverse subsystems are not merely copies of commonly-used applications (e.g., MS Office) but are often limited-use and sometimes unique, so the system has an inherent complexity that cannot be exhaustively tested. Though often isolated from the Internet by layers of firewalls, all of these types of systems are vulnerable to cyber attack in the same way as the Combat System, e.g., through the Internet gateway or access point, malicious code embedded in COTS products, older-generation operating systems, or overlooked cyber hygiene (e.g., printers). The ability of CSCOM to fuse low-observable signals into further cyber sensor hunting leading to actionable mitigations and countermeasures is as applicable in these types of systems as in a Combat System. Elastic is already in the Federal, State, Local, Tribal, and commercial markets, and with Silver Bullet and the result of this research and development the team will be able to provide an enhanced offering for these ICS, SCADA, PLC, and IoT-heavy systems.

Keywords:
Ontology, Activity-Based Intelligence, data fusion, Combat system, IBCSM, Cyber hunting, CAPEC/ATT&CK, cyberspace operations

Phase II

Contract Number: ----------
Start Date: 00/00/00    Completed: 00/00/00
Phase II year: ----
Phase II Amount: ----