ISU project to develop new cyber-defense techniques
What if your company had the resources to field a simulated cyber-attack on your network so your information technology people could develop and test their best defense?
With a state-of-the-art system that’s under construction by Iowa State University’s Information Assurance Center, that vision will be more than a cyber-dream.
This spring, the center plans to launch ISEAGE — the Internet-Scale Event and Attack Generation Environment — at the ISU Research Park. Though the small room with racks connecting 64 processors won’t be much to look at, the result will be a virtual Internet on which defenders can practice protecting their computer systems against thousands of simulated cyber-attackers.
“The thought behind the ISEAGE [pronounced ‘ice age’] project was to build an environment that was as close to the Internet as we could get,” said Doug Jacobson, the center’s director. “In order for us to show our defenses are good, we need to try out various attacks, and in an environment that closely models the real Internet.”
Being able to stage attacks on a copy of an organization’s production environment has myriad applications, Jacobson said, from training personnel and developing “what-if” scenarios for dealing with emergencies, to trying out new security technologies.
ISEAGE, which has so far received $1.2 million in funding from the U.S. Department of Justice, is a logical extension of the work ISU’s Information Assurance Center has been doing for nearly a decade, he said. One goal of the program is to bring private companies to the table as donors, sponsors or members that will contribute to the project and in turn benefit by using its resources to test their systems.
Already, Deere & Co. has contributed $30,000 to support the initial design of the laboratory.
West Des Moines-based FBL Financial Group Inc. is among the Central Iowa companies that are in discussions with the center about using ISEAGE.
“One of the things it would provide for us is the ability to see a lot of the threats out there,” said Kip Peters, FBL’s vice president for enterprise information protection. “We see a limited picture with our systems, whereas with ISEAGE you can look at the whole scale of the Internet, and have the ability to do better risk assessments.”
Because the potential risks on the Internet are so varied, companies tend to look at security more in terms of vulnerabilities than of specific threats, Peters said.
“If we had a better idea of the threat, we could put that into our risk equations and have a better idea of what we’re defending against,” he said. “Right now, it’s a one or a zero — either there is a threat, or there isn’t.”
In the past, Jacobson said, other organizations have attempted to simulate the Internet by “seeing how many routers they could stuff in a room.” By contrast, “ISEAGE takes the viewpoint that at any point on the Internet, it’s nothing more than a series of packets on the wire,” he said. “Whatever points we’re concerned about, we can generate traffic streams that look like the real Internet at those points.”
Using specialized equipment, attacks that appear to be coming from thousands of sources on the Internet can be added to an exercise, Jacobson said.
Of the threats to an organization’s network, Jacobson said, the vast majority are generated by so-called “script kiddies” — highly intelligent, bored high school students.
“Their motivation really is the same as yours or mine was in painting your name on the side of the bridge or the water tower: making a statement or declaring your independence,” he said. They’re a mere annoyance compared with the threat to be most worried about — the small community of hackers who are continually coming up with new ways to infiltrate networks.
“What makes it interesting is that our adversaries are other people,” Jacobson said. “They are probably better networked; they may or may not be smarter than we are. They definitely seem to spend more time at it than we do. It’s quite a challenge. They have the advantage of having to find only one weakness, and we as the defenders of security have to protect against all weaknesses. They really have a clear advantage over us.”
Once the ISEAGE structure is built, a cyber-defense competition is planned on the campus to kick off the system. About a half-dozen teams of information technology students will defend their “corporate networks” against a hostile “red team” consisting of IT professionals from the Des Moines area.
That will lead to a second phase for ISEAGE, in which Jacobson anticipates participation from corporate end users as well as from vendors that want to provide their systems for testing.
“Part of our model once it is stood up is to make it available to organizations outside of Iowa through some kind of charge-back arrangement,” he said. “This is not just an internal research tool. Down the road, we’re also going to have the ability to take ISEAGE mobile to carry out tests.
“It will be a great resource for the IT community.”