10/02/2012

Lab technology tapped as one of most important cyber security innovations

Donald B Johnston, LLNL, (925) 423-4902, johnston19@llnl.gov



Matt Myrick

Editor's note: October is National Cyber Security Awareness Month and Newsline will publish articles about cyber security and related events at LLNL sponsored by the Cyber Security Program and the Office of the Chief Information Officer).

The development of a simple tool for quickly sharing information about cyber threats has earned Matt Myrick and a multi-lab team of collaborators recognition as one of the most important cyber security innovations of the year.

Myrick will accept the award today for one of the 25 top cyber security innovations of 2012 at the National Cyber Security Innovation Conference in Baltimore, Md. He will also present the tool to the cyber security experts gathered for the conference, including representatives from the White House, National Security Agency and Department of Defense.

The Master Block List (MBL), a service and data aggregation tool, was developed by the LLNL-led Focused Advanced Persistent Threat (FAPT) group, convened by DOE/NNSA to leverage the collective cyber security expertise resident across the complex. The service allows the 10 DOE/NNSA labs and plants to share in real-time domain names that are known or suspected to be untrustworthy. These lists are used to create filters or blocks against cyber attacks.

In creating the service, the FAPT group took a page from their adversaries' playbook. "Using a command and control technique learned from our persistent adversaries, the block list sharing protocol is extremely lightweight and agile," said Myrick, who co-founded the FAPT group and led the effort to develop and deploy the MBL.

MBL allows any application to be easily hooked to automatically share malicious websites, hashes and spear phishers with all members of the MBL group.

The idea for the tool grew out of discussions about how to better share information and avoid duplication of effort. "We were always in catch-up mode, reacting to events," he said. "We needed to find a way to harness the power of the collective, so we said 'let's build a tool'."

"Through the use of tools like MBL, DOE is increasing its ability to leverage the intelligence of the community as opposed to the fragmented, individual pieces," Myrick said.

The original version was built in a single afternoon and has been steadily evolving since. "The tool's flexibility makes it easy to share among enterprises despite the use of disparate tools and complex networks," Myrick said.

The tool has attracted the attention of private industry. Myrick made a presentation in San Francisco last week to the Bay Area Advanced Persistent Threat -- Special Interest Group, made up of such companies as Intel, Cisco, Symantec, Google, Bechtel, Qualcom, eBay, McKesson, Adobe and Visa.

"In the face of persistent cyber threats, organizations both public and private realize that sharing information through a tool like MBL improves their ability to respond quickly to cyber attacks," Myrick said. "Everyone contributes. It's all based on trust among the members. MBL was designed on the premise that sharing doesn't have to be complicated."

Myrick has also worked on other cyber security tools including "Mailman," a system that allows security responders to maintain an archive of all incoming email for the purpose of increased "out-of-band interrogation" - examining emails more closely for problems such as malicious links. This allows cyber security responders to quickly notify recipients and/or block links.

"Through the use of this tool, we are able to perform checks on email not currently supported by leading security mail gateways," Myrick said, noting that this includes -- but is not limited to -- additional A/V (anti-virus) scanning, sandboxing, hashing, and developing custom heuristics "to aid in the detection of spear phishing attacks."

Sandboxing is a method of virtually isolating and executing untrusted code from unverified and untrusted sources without endangering the originally targeted networks and systems. "Mailman" was developed by Myrick with assistance from intern John Donaldson of the Monterey Naval Postgraduate School.

The task the Lab's cyber security team faces daily is daunting. Over the last 30 days, LLNL received 7.3 million emails of which 73 percent is spam or malicious -- a percentage that ranges from the 50s to a high of 97 percent. This is not atypical for a national lab. "This is why information sharing and leveraging our collective strength is so important," Myrick said.

The members of the FAPT group include: Sandia National Laboratories; Los Alamos National Laboratory; Kansas City Plant; Pantex; Pacific Northwest National Laboratory; Argonne National Laboratory; Idaho National Laboratory; National Renewable Energy Laboratory; and MOX (NNSA's Mixed Oxide Fuel Fabrication Facility).

The cyber security conference in Baltimore is sponsored by the SysAdmin, Audit and Network Security (SANS) Institute, an information and education resource for computer security.

Deanna Willis, editor of Computation's Bits & Bytes, contributed to this article.



Founded in 1952, Lawrence Livermore National Laboratory provides solutions to our nation's most important national security challenges through innovative science, engineering and technology. Lawrence Livermore National Laboratory is managed by Lawrence Livermore National Security, LLC for the U.S. Department of Energy's National Nuclear Security Administration.