A Decision Engine for Configuration of Proactive Defenses: Challenges and Concepts

Michael Atighetchi, Brett Benyo
Raytheon BBN Technologies, Cambridge, MA
{matighet, bbenyo}@bbn.com

Thomas C. Eskridge
Florida Institute of Technology, Melbourne, FL
teskridge@fit.edu

David Last
Air Force Research Laboratory, Rome, NY
david.last.1@us.af.mil

Abstract: Selecting appropriate cyber defense mechanisms for an enterprise network and correctly configuring them is a challenging problem. Identifying the set of defenses and their configurations in a way that maximizes security without exhausting system resources or causing unintended interference (a situation known as cyber friendly fire) is a multi-criteria decision problem, which is difficult for humans to solve effectively and efficiently. Proactive defenses are especially difficult to configure due to their temporal nature. This paper describes the challenges and solution concepts for a decision engine that (1) intelligently searches for optimal cyber defense configurations in a way that leads to continuously improving solutions; (2) uses compute clusters to scale computation to realistic enterprise-level networks; and (3) presents meaningful choices to operators and incorporates their feedback to improve the suggested solutions.

Keywords: cyber security analysis, modeling, threat assessment

I. INTRODUCTION

In current cyber warfare, the odds are inherently stacked against the defender. According to the 2015 Verizon Data Breach Investigation Report [1], attackers were able to compromise an organization within minutes in 60% of cases, and many of these attacks can go undetected for months. Cyber attackers frequently automate much of their work through management platforms, such as Metasploit, that enable rapid sharing and reuse of code. Furthermore, malware has evolved to the point where botnets and viruses make autonomous decisions, e.g., to remain dormant if they detect monitoring in an environment, or to intertwine attacks with regular user activities to stay within the variance of observable parameters. This level of sophistication, together with the time pressure introduced by automated execution, makes targeted attacks difficult to detect and mitigate.

One way system owners and cyber defenders have responded to counter this threat is to use proactive defenses to make targets less predictable, giving rise to what is known as Moving Target Defenses (MTDs) [2]. State-of-the-art MTDs continuously change the attack surfaces of applications, hosts, and networks to increase adversarial workload and uncertainty. While there is great value in proactive defenses in general and in MTDs specifically, it is also quite easy to add defenses that provide little added value, introduce unacceptable cost or overhead, inadvertently increase the attack surface, or exhibit unintended side effects when combined with other defenses. A Command and Control of Proactive Defense (C2PD) solution is needed to prevent such cyber friendly fire. We envision a decision engine as an integral component of C2PD to help cyber defenders choose from among available proactive defenses, configure deployed defenses, and achieve the best protection for the target system with the least impact on the system's mission effectiveness. As shown in Fig. 1, such a decision engine will enable defenders to select and configure the most appropriate cyber defenses for a given target environment supporting multiple concurrent mission operations more effectively and efficiently.

By automating activities at multiple levels, the decision engine transforms a cyber defense management process that is currently dominated by manual operations into a streamlined computer-assisted workflow, which delegates heavyweight computation to a compute cluster and leverages human insight to guide the search for optimal configurations. Using the decision engine, cyber defenders will be able to explore a large space of possible configuration settings in a short amount of time, enabling an agile defense posture that continuously incorporates and adapts defenses based on new proactive

Fig. 1. High-Level Approach of Attack Surface Reasoning

Distribution Statement "A" (Approved for Public Release, Distribution Unlimited). Case #88ABW-2016-1829. This effort is sponsored by the Air Force Research Laboratory (AFRL).
978-1-5090-2002-7/16/$31.00 ©2016 IEEE