DocumentCode :
153708
Title :
Federated Access to Cyber Observables for Detection of Targeted Attacks
Author :
Atighetchi, Michael ; Griffith, James ; Emmons, Ian ; Mankins, David ; Guidorizzi, Richard
Author_Institution :
Raytheon BBN Technol., Cambridge, MA, USA
fYear :
2014
fDate :
6-8 Oct. 2014
Firstpage :
60
Lastpage :
66
Abstract :
Current DoD enterprise networks routinely face targeted cyber attacks, and even though attack-related information is recorded in various places, this information is often left unexamined until after attacker objectives have been achieved. This is especially true for large networks consisting of continuously changing networked devices, including laptops, servers, printers, IP phones, and more. This paper describes the design of Gestalt, a next-generation cyber information management platform that simplifies access to cyber event data stored in the nooks and crannies of a distributed enterprise. The ready and secure access to cyber information provided by Gestalt is a key enabler for a new set of techniques that can detect and mitigate targeted cyber attacks within hours instead of months. Current state-of-the-art approaches to automated and operator-assisted cyber defense are ill-suited to counter targeted cyber attacks because these technologies (1) focus only on aggregated one-dimensional features across multiple devices, (2) do not provide the required coverage over all networked devices and observables accessible on those devices, and (3) lack the expressiveness and deeper semantic backing required to detect targeted attacks across a sea of low-level observables. Gestalt provides innovations in (1) automatically discovering devices and useful data sources in the enterprise (beyond simple IP connectivity), (2) maintaining a metadata index of devices and observable information (even of devices without schemas and connectors), and (3) transparently decomposing and federating semantic graph queries to devices (rather than extracting and aggregating information in a central store), and integrating the results back into a well-defined ontology.
Keywords :
authorisation; computer crime; graph theory; military computing; ontologies (artificial intelligence); DoD enterprise network; Gestalt design; cyber event data; cyber observables; federated access; next-generation cyber information management; ontology; semantic graph queries; targeted cyber attack detection; Distributed databases; IP networks; Monitoring; Ontologies; Security; Semantics; Servers; Semantic Web; cyber security; federated data access; middleware; ontology
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Military Communications Conference (MILCOM), 2014 IEEE
Conference_Location :
Baltimore, MD
Type :
conf
DOI :
10.1109/MILCOM.2014.15
Filename :
6956738
Link To Document :