Modeling the Complex Landscape of Cybersecurity

By Yanfeng Jin | April 19, 2018 • Atlanta, GA

“I made the very model, but the model was too general: modeling every cyber vegetable, animal, and mineral.”

David Jakob Fritz, a principal member of the technical staff at Sandia National Labs, visited Georgia Tech on Friday, April 13 to discuss his experience leading Sandia’s Emulytics program with the Georgia Tech community, as part of the Cybersecurity Lecture Series. Organized by the Institute for Information Security and Privacy (IISP), the free and open-to-public Series invites thought leaders in the field of information security and privacy to give one-hour lectures about their research.

Sandia’s Emulytics Program

Fritz currently leads Sandia’s Emulytics program, which aims to advance the state of the art in experimental cybersecurity through large-scale network and cyber-physical emulation.

“It is generally not possible to run experiments on live networks of systems and to do that in a repeatable fashion, which is required for effectively… [testing] hypotheses for different architectures and techniques in the space of cybersecurity,” said Fritz.

Traditionally, system analysis and cyber defender training have been performed either on physical testbeds, which are costly to maintain and scale, or in simulators, which fail to represent cyber misbehavior adequately. Sandia Emulytics blends virtual-machine-based testbeds, hardware in the loop, and simulators as needed to maximize both fidelity and scale. It supports heterogeneous modeling of IT, electric power, telephony, Internet of Things (IoT), cyber-physical phenomena, and user behavior, and scales to millions of endpoints.

For example, Sandia Emulytics is able to emulate a typical corporate network, with tens of thousands of virtual machines (VMs) and services like Microsoft Active Directory (AD) and demilitarized zones (DMZs). It also emulates employees bringing their own mobile devices to work by including VMs for Android devices, complete with simulated sensors and radios.

“If you had one of the VMs bring up [its] map application, we would have fake GPS information cooked into the model, and you could actually see the device moving around,” said Fritz. “That gets correlated with things like access point locations, so you can see an authentic view of the wireless landscape along with spatial locality.”
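To make the fake-GPS-plus-access-point correlation Fritz describes concrete, here is an added illustrative model of that one piece; it is not Sandia Emulytics code. It walks a single emulated device along a constructed route, emits a fake GPS fix per tick, and uses a log-distance path-loss model to decide which emulated access points the device would see at each position. The origin coordinates, access-point names and positions, transmit power, path-loss exponent and visibility threshold are all assumed values chosen for the example.

```python
"""Toy mobility + Wi-Fi visibility model for one emulated Android VM.

Added illustrative example, not Sandia Emulytics code. It fakes a GPS track for
a device and, per tick, computes which emulated access points the device would
see, using a log-distance path-loss model. All coordinates, AP names and radio
constants below are constructed for the example.
"""
import math

# Constructed: a local east/north frame (metres) anchored at a hypothetical origin.
ORIGIN_LAT, ORIGIN_LON = 33.7756, -84.3963
# Constructed: emulated access points and their positions in metres.
AP_LOCATIONS = {"ap-lobby": (0.0, 0.0), "ap-lab": (400.0, 0.0)}
# Constructed: the device walks east along one corridor from lobby to lab.
ROUTE = [(0.0, 0.0), (400.0, 0.0)]

TX_POWER_DBM = 20.0            # assumed AP transmit power
PATH_LOSS_EXPONENT = 3.5       # assumed indoor-like attenuation
VISIBLE_THRESHOLD_DBM = -65.0  # assumed client sensitivity for a scan result


def point_at(waypoints, s):
    """Return the (x, y) point s metres along the polyline of waypoints."""
    for (x0, y0), (x1, y1) in zip(waypoints, waypoints[1:]):
        seg = math.hypot(x1 - x0, y1 - y0)
        if s <= seg:
            f = s / seg if seg else 0.0
            return (x0 + f * (x1 - x0), y0 + f * (y1 - y0))
        s -= seg
    return waypoints[-1]


def interpolate_track(waypoints, speed_mps, dt_s):
    """Sample the route every dt_s seconds at constant speed; includes both ends."""
    total = sum(math.hypot(x1 - x0, y1 - y0)
                for (x0, y0), (x1, y1) in zip(waypoints, waypoints[1:]))
    step = speed_mps * dt_s
    n = int(math.floor(total / step + 1e-9))
    return [point_at(waypoints, i * step) for i in range(n + 1)]


def to_gps(x, y):
    """Convert local metres to (lat, lon) with an equirectangular approximation."""
    lat = ORIGIN_LAT + y / 111_320.0
    lon = ORIGIN_LON + x / (111_320.0 * math.cos(math.radians(ORIGIN_LAT)))
    return (lat, lon)


def rssi_dbm(distance_m, tx_dbm=TX_POWER_DBM, n=PATH_LOSS_EXPONENT):
    """Log-distance path loss referenced to 1 m, so d < 1 m does not blow up."""
    return tx_dbm - 10.0 * n * math.log10(max(distance_m, 1.0))


def visible_aps(pos, aps, threshold=VISIBLE_THRESHOLD_DBM):
    """APs whose modelled RSSI at pos clears the threshold, strongest first."""
    seen = []
    for name, (ax, ay) in aps.items():
        r = rssi_dbm(math.hypot(pos[0] - ax, pos[1] - ay))
        if r >= threshold:
            seen.append((name, round(r, 1)))
    return sorted(seen, key=lambda t: (-t[1], t[0]))


def simulate(aps, waypoints, speed_mps, dt_s):
    """One record per tick: the fake GPS fix plus the scan result the VM would see."""
    log = []
    for i, pos in enumerate(interpolate_track(waypoints, speed_mps, dt_s)):
        lat, lon = to_gps(*pos)
        seen = visible_aps(pos, aps)
        log.append({
            "t": i * dt_s,
            "lat": round(lat, 6), "lon": round(lon, 6),
            "visible": seen,
            "associated": seen[0][0] if seen else None,  # strongest AP wins
        })
    return log


if __name__ == "__main__":
    for rec in simulate(AP_LOCATIONS, ROUTE, speed_mps=40.0, dt_s=1.0):
        names = ", ".join(f"{n}({r} dBm)" for n, r in rec["visible"]) or "-"
        print(f"t={rec['t']:>4} lat={rec['lat']} lon={rec['lon']} "
              f"assoc={rec['associated']} seen={names}")
```

Running it shows the device associated to ap-lobby at the start, seeing both access points mid-corridor, and handing over to ap-lab at the end; in a real emulation the per-tick GPS fix would be fed to the Android VM's location provider and the scan list to its Wi-Fi stack, so a defender watching the emulated network sees a plausible, spatially consistent mobile client rather than a device that appears everywhere at once.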

Fritz’s team can then layer a behavioral model with different kinds of actors, including malicious ones, onto that emulated network and run an experiment on it, for example to test firewalls or to train cyber defense teams.

Career in Cybersecurity

“As anyone in the cybersecurity world will tell you, we as researchers play a game of catch-up,” Fritz said as he discussed careers in cybersecurity.

Just as other cybersecurity professionals are always a step behind attackers in figuring out how to analyze an attack and defend a system, Fritz’s team cannot get ahead by modeling domains in cybersecurity that do not yet exist.

“We’re necessarily fast followers,” said Fritz. “To that end, our engineering work is never done, and that creates a constant stream of interesting research.”

The two major research avenues in Emulytics include research in the platform itself and research enabled by the platform. Fritz’s team focuses mostly on the former, but their research is always in service of the latter.

Fritz also emphasized the interdisciplinary nature of cybersecurity.

“Cyber doesn’t happen in a vacuum,” said Fritz. “A lot of research fields are naturally very narrow and that enables the researcher to focus on the true depth of a very specific problem. Not so in cybersecurity—it blends engineering, sociology, psychology, politics, economics, etc. If you aren’t aware of the scope of all of cybersecurity, you’ll get lost very quickly, especially if you get involved in national security work like we do at Sandia.”

Therefore, Fritz suggested that current students should not overspecialize in one topic, but should instead explore a variety of disciplines to gain different perspectives, and to learn how cybersecurity relates to the rest of the world.

“Often times it takes someone with an outside view to bring novel solutions to problems,” said Fritz. “[This] is an often-used platitude …, but it’s true in every aspect.”