
Passive Analytics for Remote Quantification of External Resources (PARQER)

Description:

OUSD (R&E) CRITICAL TECHNOLOGY AREA(S): Integrated Sensing and Cyber; Advanced Computing and Software

OBJECTIVE: The Passive Analytics for Remote Quantification of External Resources (PARQER) SBIR topic seeks to develop and demonstrate novel techniques to passively assess the security posture of remote networks/subnetworks without requiring any special network access.

DESCRIPTION: The near-constant stream of news reports on the compromise of systems and networks across government and commercial sectors reveals the challenges of securing large networks of systems with complicated topologies [1] [2] [3] [4]. The inherent asymmetry between the effort required to defend an asset and the effort required to gain illicit access to it favors attackers, who can spend as much time as necessary to locate vulnerable targets (e.g., a server that administrators neglected to patch [5], or a network configured with overly permissive firewall policies [6]). In such an environment, where the attacker is advantaged, network administrators and security officers practice defense in depth [7] [8] by reducing the network attack surface and deploying an array of security mechanisms and technologies such as firewalls and intrusion detection/prevention systems. The extent of an organization's efforts to minimize network attack surfaces and deploy defensive mechanisms can be largely unknown (e.g., due to poor documentation), even to the organization itself [9]. Often and unfortunately, details about the deployed security mechanisms (or the lack thereof) only become available after an organization's network is compromised and forensic analysts conduct a postmortem of the attack [10] [11]. For the Department of Defense (DoD) and Intelligence Community (IC), the same problem exists and is compounded by the distinction between, and respective operational responsibilities of, network owners/operators and defenders such as Cybersecurity Service Providers (CSSPs) and Cyber Protection Teams (CPTs).

Within the DoD/IC, CPTs are tasked with defending critical military networks, whereas CSSPs are responsible for the continuous monitoring and vulnerability patching of networks and for conducting threat-oriented missions to defeat cyber adversaries [12]. As in commercial organizations, critical details of network topology, configuration [13], and security posture [14] are often poorly documented and not immediately available to external responders (such as CPTs). A further complication of having network knowledge spread among different organizations and individuals (CPTs and CSSPs) is that it makes it difficult to form an accurate, holistic picture of the security posture of lower-tier networks at any given time. It is therefore of critical importance for the DoD/IC and large commercial network owners to be able to quickly and passively assess the defensive posture of a remote network/subnetwork in a way that does not require any special access to that network.
PHASE I: The PARQER SBIR topic is soliciting Direct to Phase II (DP2) proposals only, which must include supporting documentation of Phase I feasibility. Phase I feasibility must be demonstrated through evidence of: a completed proof of concept/principle or basic prototype system; definition and characterization of system properties/technology capabilities desirable for DoD/IC/Government and civilian/commercial use; and capability/performance comparisons with existing state-of-the-art technologies/methodologies (competing approaches). Entities interested in submitting a DP2 proposal must provide documentation to substantiate that the scientific/technical merit and feasibility described above has been achieved, and must also describe the potential commercial applications.

DP2 Phase I feasibility documentation should include, at a minimum:
• technical reports describing results and conclusions of existing work, particularly regarding the commercial opportunity or DoD/IC insertion opportunity, risks/mitigations, and technology assessments;
• presentation materials and/or white papers;
• technical papers;
• test and measurement data;
• prototype designs/models;
• performance projections, goals, or results in different use cases; and
• documentation of related topics, such as how the proposed PARQER solution can enable passive, remote assessment of network/subnetwork security posture.

The collection of Phase I feasibility material will verify mastery of the required content for DP2 consideration. DP2 proposers must also demonstrate knowledge, skills, and abilities in the technical areas of software engineering, data analytics, network security, and cybersecurity. For detailed information on DP2 requirements and eligibility, please refer to the DoD Broad Agency Announcement and the DARPA Instructions for this topic.

PHASE II: The PARQER DP2 SBIR topic seeks to develop and demonstrate novel techniques to enable passive assessment of the security posture of remote networks/subnetworks without requiring any special access to the network. Most current tools and techniques employed by security operations centers are based on active interrogation. These tools and techniques are often too noisy (e.g., high volumes of alerts and high false positive rates), do not generalize across security mechanisms (i.e., the tools are siloed), and have significant blind spots (e.g., false negatives). Ideal PARQER solutions would overcome such limitations of active techniques and would also be resistant to intentional misdirection and evasion. PARQER solutions must provably scale while still providing fine resolution of the analyzed network.

Successful PARQER proposals should clearly describe how the proposed combinations of data and analytic techniques will provide high-accuracy results in a landscape of ever-evolving security products. Phase II will culminate in a prototype system demonstration using one or more compelling use cases consistent with commercial opportunities and/or insertion into a DARPA program (e.g., Signature Management using Operational Knowledge and Environments (SMOKE), which seeks to develop data-driven tools to automate the planning and execution of threat-emulated cyber infrastructure needed for network security assessments). The Phase II Option period will further mature the technology for insertion into a DoD/Intelligence Community (IC) Acquisition Program or another Federal agency, or for commercialization into the private sector. The schedule of milestones and deliverables below is provided to establish expectations and desired results/end products for the Phase II and Phase II Option period efforts.

Schedule/Milestones/Deliverables: Proposers will execute the research and development (R&D) plan as described in the proposal, including the following:
• Month 1: Phase I Kickoff briefing (with annotated slides) to the DARPA Program Manager (PM) including: any updates to the proposed plan and technical approach, risks/mitigations, schedule (inclusive of dependencies) with planned capability milestones and deliverables, proposed metrics, and plan for prototype demonstration/validation;
• Months 4, 7, 10: Quarterly technical progress reports detailing technical progress to date, tasks accomplished, risks/mitigations, a technical plan for the remainder of Phase II (while this would normally report progress against the plan detailed in the proposal or presented at the Kickoff briefing, it is understood that scientific discoveries, competition, and regulatory changes may all have impacts on the planned work, and DARPA must be made aware of any revisions that result), planned activities, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM;
• Month 12: Interim technical progress briefing (with annotated slides) to the DARPA PM detailing progress made (including a quantitative assessment of capabilities developed to date), tasks accomplished, risks/mitigations, planned activities, the technical plan for the second half of Phase II, the demonstration/verification plan for the end of Phase II, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM;
• Months 15, 18, 21: Quarterly technical progress reports detailing technical progress made, tasks accomplished, risks/mitigations, a technical plan for the remainder of Phase II (with necessary updates as in the parenthetical remark for Months 4, 7, and 10), planned activities, trip summaries, and any potential issues or problem areas that require the attention of the DARPA PM;
• Month 24: Final technical progress briefing (with annotated slides) to the DARPA PM, including: the final architecture with documented details; a demonstration of the passive assessment of the security posture of remote networks/subnetworks; documented APIs; and any other necessary documentation (including, at a minimum, user manuals, a detailed system design document, and the commercialization plan);
• Month 30 (Phase II Option period): Interim report of matured prototype performance against existing state-of-the-art technologies, documenting key technical gaps towards productization; and
• Month 36 (Phase II Option period): Final Phase II Option period demonstration and technical progress briefing (with annotated slides) to the DARPA PM, including prototype performance against existing state-of-the-art technologies with quantitative metrics of system performance.

PHASE III DUAL USE APPLICATIONS: Phase III Dual Use Applications (Commercial/DoD/Military): PARQER has potential applicability across DoD/IC/Government and commercial entities.
For DoD/IC/Government, PARQER is extremely well suited to address one of the biggest issues in government information security today by providing the ability to quickly and passively assess the defensive posture of a remote network/subnetwork. PARQER has the same applicability for the commercial sector. Phase III refers to work that derives from, extends, or completes an effort made under prior SBIR funding agreements but is funded by sources other than the SBIR Program. The Phase III work will be oriented towards transition and commercialization of the developed PARQER technologies. For Phase III, the proposer is required to obtain funding from either the private sector, a non-SBIR Government source, or both, to develop the prototype into a viable product or non-R&D service for sale in government or private sector markets. Primary PARQER support will be to national efforts to help secure government and commercial networks. Results of PARQER are intended to improve the ability of network owners across government and industry to quickly find the root causes of network compromise incidents and rapidly mitigate them, ultimately improving the security posture of their networks.

REFERENCES:
1. PortSwigger. 2022. The Daily Swig, Cybersecurity News and Views. https://portswigger.net/daily-swig/data-breach
2. SecureLink. 2022. Recent Data Breaches in the News. https://www.securelink.com/resources/data-breach-news/
3. Cybersecurity Ventures. 2022. Today's Top Cybersecurity News Stories. https://cybersecurityventures.com/cybercrime-news/
4. The New York Times. 2022. "How a Cyberattack Plunged a Long Island County Into the 1990s." https://www.nytimes.com/2022/11/28/nyregion/suffolk-county-cyber-attack.html
5. Robb, Drew. 2022. "Is Neglect Driving the Surge in Cybersecurity Breaches?" https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/neglect-driving-surge-cybersecurity-breaches.aspx
6. Fugue. 2019. "A Technical Analysis of the Capital One Cloud Misconfiguration Breach." https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach
7. The Department of Homeland Security's National Cybersecurity and Communications Integration Center and Industrial Control Systems Cyber Emergency Response Team. 2016. Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies. https://www.cisa.gov/uscert/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
8. National Security Agency. 2010. Defense in Depth: A Practical Strategy for Achieving Information Assurance in Today's Highly Networked Environments. https://citadel-information.com/wp-content/uploads/2010/12/nsa-defense-in-depth.pdf
9. Burton, Dave. 2020. "The Dangers of Firewall Misconfigurations and How to Avoid Them." https://www.akamai.com/blog/security/the-dangers-of-firewall-misconfigurations-and-how-to-avoid-them
10. Gartner. 2019. "Is the Cloud Secure?" https://www.gartner.com/smarterwithgartner/is-the-cloud-secure
11. Whittaker, Zack. 2018. "Equifax breach was 'entirely preventable' had it used basic security measures, says House report." https://techcrunch.com/2018/12/10/equifax-breach-preventable-house-oversight-report/
12. Joint Publication 3-12. 2018. Cyberspace Operations. https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_12.pdf
13. Musch, Marius; Kirchner, Robin; Boll, Max; Johns, Martin. 2022. Server-Side Browsers: Exploring the Web's Hidden Attack Surface. In Proceedings of the 2022 ACM Asia Conference on Computer and Communications Security (ASIA CCS '22). Association for Computing Machinery, New York, NY, USA, 1168–1181. https://doi.org/10.1145/3488932.3517414. Also available at https://loxo.ias.cs.tu-bs.de/papers/2022_AsiaCCS_SSBrowsers.pdf
14. Lu, Bo; Zhang, Xiaokuan; Ling, Ziman; Zhang, Yinqian; Lin, Zhiqiang. 2018. A Measurement Study of Authentication Rate-Limiting Mechanisms of Modern Websites. In Proceedings of the 34th Annual Computer Security Applications Conference (ACSAC '18). Association for Computing Machinery, New York, NY, USA, 89–100. https://doi.org/10.1145/3274694.3274714. Also available at https://yinqian.org/papers/acsac18a.pdf

KEYWORDS: network security, cybersecurity, defense in depth, passive network analytics