Sandia LabNews

Cybersecurity researchers take spotlight at national showcase

Two Sandia computer scientists are earning national recognition for cybersecurity platforms they conceived. Adrian Chavez and Vince Urias were invited to pitch their software to investors, entrepreneurs and prospective customers at a special virtual event sponsored by DOE to accelerate the commercialization of federally developed technologies.

Combined, Adrian and Vince led the development of four of the technologies showcased.

“We’re developing tools to even the playing field between cybersecurity analysts and hackers,” Vince said. “Analysts are outnumbered, and hackers only need one vulnerability to get into a system and hide.”

Adrian describes some of these tools as “frameworks for automated defenses that respond at machine speed instead of human speed,” empowering defenders.

Cyber Capital Partners, a Washington, D.C.-based investment and consulting firm made the final selection of technologies and hosted the event in support of DOE.

The Cybersecurity Technology Virtual Showcase ran July 21-30.

CAPSec: Containerized Application Security for Realtime Software Upgrade and Patching

Adrian Chavez
ZERO DOWNTIME — Sandia computer scientist Adrian Chavez pitched two cybersecurity tools, CAPSec and ADDSec, to potential investors at the DOE-sponsored Cybersecurity Technology Virtual Showcase in July.

In an iconic scene from the movie Raiders of the Lost Ark, treasure hunter Indiana Jones deftly attempts to replace a small statue with a counterfeit, without disrupting a sensitive array of booby traps.

Security upgrades for power grids, oil refineries, water pipelines and other critical infrastructure systems sometimes can be just as perilous. Taking software offline for updates can incur costly service disruptions, but putting off updates until maintenance is scheduled leaves systems vulnerable to attack.

Sandia has created an ability to continuously update software without any downtime, making these systems more secure without affecting the availability of critical systems.

Called Containerized Application Security for Realtime Software Upgrade and Patching, or CAPSec, the platform runs multiple copies of software simultaneously. One runs while another is updated. Then they seamlessly swap places without dropping any information.

ADDSec: Artificial Diversity and Defense Security

Critical infrastructure environments are increasingly connected to the internet, creating new risks for cyberattacks. Yet they continue to use predictable communication paths, static configurations and unpatched software, all of which benefit adversaries.

Sandia has developed Artificial Diversity and Defense Security, or ADDSec, which automatically detects threats within industrial-control-system computing environments in real time. Machine-learning algorithms recognize anomalous behavior and then classify these anomalies into categories of attacks. The response approach randomizes IP addresses (numbers that identify the system’s location on the internet), application port numbers and communication paths between computers, rendering useless any knowledge the hacker might have gained about the network when they return to deploy an attack.

CHIRP: Cloud Hypervisor Forensics and Incident Response Platform

Vince Urias
MASTER OF DECEPTION — Sandia computer scientist Vince Urias pitched two cybersecurity tools, CHIRP and HADES, to potential investors at the DOE-sponsored Cybersecurity Technology Virtual Showcase in July.

Businesses that use cloud-based services lose some degree of control over their cybersecurity because they don’t have access to every part of the system.

One method to restore this visibility is the Cloud Hypervisor Forensics and Incident Response Platform, or CHIRP, a cloud-based platform that enables analysts to track and record attacker actions for forensic analysis. The platform also may be used to disrupt malicious copying, deleting, encrypting and relocating of data in a cloud-based environment.

A hypervisor is a link between a cloud service and its users.

The platform collects evidence when adversaries attempt to gain access to unauthorized information through malicious online activity and provides information to incident responders in real time, without disturbing the user’s work or alerting the intruder.

HADES: High-fidelity Adaptive Deception & Emulation System

Rather than simply blocking a discovered intruder, Sandia technology can ensnare them in an alternative reality. The High-fidelity Adaptive Deception & Emulation System feeds a hacker not what he needs to know but what he wants to believe.

The discovered hacker is led unobtrusively into HADES, where cloned virtual hard drives, memory and data sets simulate reality. Certain artifacts have been deliberately, but not obviously, altered.

When hackers discover the deception, they aren’t in any better shape. The value of all their data is thrown into question as they attempt to unravel how long they’ve been misled and which assets are real. They expose themselves and their techniques as they try to discern truth from fiction.