Tech Briefs

This method provides continuous monitoring across network-attached devices to identify and mitigate targeted cyber attacks.

System administrators and cyber defenders face growing challenges in securing systems as attacks increase in sophistication and the number of connected systems keeps growing. To support and automate the manual work of gathering information about systems and taking corrective action in response to suspicious activity, a growing number of remote-monitoring technologies are becoming available, with the premise of increasing resiliency by decreasing the time to detect and the time to mitigate targeted attacks.

While the functional benefit of new protocols and tools that support continuous monitoring and incident response is clear, it is quite common for these tools to fail on the security front by either (1) providing inadequate security, e.g., by adding to the attack surface and thereby enabling adversaries to remotely monitor/manage critical infrastructure; or (2) requiring a very stringent set of security controls that is prohibitively difficult to implement, thereby limiting adoption.

The Gestalt system introduces two primary system components: the Discovery and Query Nodes (DQNs), and the Query Management Service (QMS). The DQNs provide the interface between the devices on the network and the Gestalt system. Rather than adding new protocols to be implemented by end devices, the DQNs leverage existing protocols where possible.

The Gestalt system is an innovative framework for remote monitoring that strengthens overall security by limiting any unintended increase in the attack surface, and by operating in contested network environments, including those with transient and high-latency network links. Such a remote monitoring framework is a key enabler for the larger concepts of reactive and proactive cyber resiliency, since cyber decision-making is inevitably driven by sensor information capturing the effects of both attacks and defender-initiated actions.

The objective of Gestalt is to provide federated access to a large, diverse set of cyber observables to enable detection of targeted cyber attacks. Gestalt automatically discovers available data sources, unifies access to observables via a comprehensive common ontology, automatically decomposes and federates queries, and semantically integrates the results. The Gestalt system eliminates tedious manual inspection by providing access to all data sources on the network via a federated query interface. Using a new Cyber Defense Language, a single query can access data residing on multiple devices, across disparate device types and data formats, and return the query results in a semantically integrated and immediately useful format.

Gestalt allows the cyber defender to focus on the forensic data itself by abstracting away the actual methods and techniques required to access that forensic data. Through its Semantic Query Decomposition capabilities, Gestalt infers the types of data sources that can be used to satisfy a given query, and identifies where instances of those data source types can be found on the network. Next, it dispatches native queries to the device containing each data-source instance to process the request. The results are semantically integrated and returned to the cyber defender. Gestalt provides a single interface to the cyber defender, dramatically improving their effectiveness and allowing them to focus their time and expertise on forensic analysis of the results of their search queries, rather than on the laborious process of data collection and processing.
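The decompose-dispatch-integrate pipeline described above, as an added illustrative model (not Gestalt's own code): the ontology, the DQN-discovered inventory, the native sample records and the per-source translators are all constructed here. Only sources the DQN has actually discovered on a host receive a native query, so no query is sent to a device that was never enrolled.

```python
# Constructed model of Gestalt-style semantic query decomposition; not project code.

# Ontology: common observable concept -> native source types that can satisfy it.
ONTOLOGY = {
    "process": {"linux_ps", "windows_tasklist"},
    "listening_port": {"linux_ss", "windows_netstat"},
}

# Inventory as a DQN would report after discovery: host -> native source types present.
DISCOVERED = {
    "host-a": {"linux_ps", "linux_ss"},
    "host-b": {"windows_tasklist", "windows_netstat"},
    "host-c": {"linux_ps"},  # no socket source here, so it gets no port query
}

# Simulated native query results keyed by (host, source_type); constructed sample data.
NATIVE_DATA = {
    ("host-a", "linux_ps"): [{"pid": 101, "name": "sshd"}],
    ("host-b", "windows_tasklist"): [{"PID": 4, "Image Name": "System"}],
    ("host-c", "linux_ps"): [{"pid": 7, "name": "nc"}],
}

# Per-source translators into the common schema (the semantic integration step).
TRANSLATORS = {
    "linux_ps": lambda r: {"pid": r["pid"], "name": r["name"]},
    "windows_tasklist": lambda r: {"pid": r["PID"], "name": r["Image Name"]},
}


def decompose(concept):
    """Return sorted (host, source_type) pairs able to answer a query about `concept`."""
    types = ONTOLOGY.get(concept, set())
    return sorted((h, t) for h, avail in DISCOVERED.items() for t in avail & types)


def dispatch(host, source_type):
    """Stand-in for a DQN issuing the native query over an existing protocol."""
    return NATIVE_DATA.get((host, source_type), [])


def federated_query(concept):
    """Decompose the query, dispatch native queries, integrate results with provenance."""
    results = []
    for host, stype in decompose(concept):
        for row in dispatch(host, stype):
            record = TRANSLATORS[stype](row)
            record["host"] = host  # keep provenance so results remain attributable
            results.append(record)
    return results
```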

This remote monitoring framework can integrate with existing data sources in a secure manner, dispatch queries from a unified presentation to specific data sources at hand, and securely integrate results back into a consistent and reliable cyber operational picture. The framework strategically combines strong network resiliency and protection with process-level resiliency techniques, including isolation, rejuvenation, and adaptive monitoring/response.

This work was done by Michael Atighetchi and Aaron Adler of Raytheon BBN Technologies for the Defense Advanced Research Projects Agency. DARPA-0014