2. About me – Shawn Riley, CDO & CISO, DarkLight
20+ years supporting NSA/CSS Cyber Missions
• US Navy Cryptology Community Vet
• Lockheed Martin Senior Fellow
• 9+ years assigned to the UK
• Technical Mentor to joint NSA & GCHQ cyber team & UK cybercrime teams
Another 8 years on applied science w/A.I.
• NSA Science of Security Virtual Organization Industry Expert
• NSA & DHS sponsored Integrated Cyber Community A.I. Expert
I’m on the Autism Spectrum; I have Asperger’s Syndrome. Support Neurodiversity!
4. What is Cybersecurity Science?
► Security science is taken to mean a body of knowledge containing laws, axioms and provable theories relating to some aspect of cyber security. Security science should provide an understanding of what is possible in the security domain, by providing objective and qualitative or quantifiable descriptions of security properties and behaviors. The notions embodied in security science should have broad applicability, transcending specific systems, attacks, and defensive mechanisms.
► There is a set of 7 core themes that together form the foundational basis for the security science discipline. The themes are strongly interrelated, and mutually inform and benefit each other. They are: Common Language, Core Principles, Attack Analysis, Measurable Security, Risk, Agility, and Human Factors.
6. There Are Three Sources of Knowledge
► Deductive Inference - Deductive Inference establishes new facts from existing facts. Top-Down Method
► Communication - Communication relays information found using other methods.
► Inductive Inference - Inductive Inference establishes new facts from data. Bottom-Up Method
7. Symbolic AI (Top-Down) & Non-Symbolic AI (Bottom-Up)
► Deductive Inference - Deductive Inference establishes new facts from existing facts. Top-Down Method (Symbolic AI / Top-Down)
► Communication - Communication relays information found using other methods.
► Inductive Inference - Inductive Inference establishes new facts from data. Bottom-Up Method (Non-Symbolic AI / Bottom-Up)
8. Artificial Intelligence (AI): Comparing Symbolic AI & Non-symbolic AI
Symbolic AI: Knowledge Engineering; Expert System; Cognitive Playbooks & Ontologies; Deductive Inference & Contextual Reasoning; Validation of Hypotheses & Explanation; Transparent & Explainable
Non-symbolic AI: Data Science; Machine Learning; Algorithms & Models; Inductive Inference & Probabilistic Reasoning; Predictions & Tentative Hypotheses; Black Box
10.
[Diagram: Inductive Reasoning, Bottom-Up Approach, Specific to Generalization: Observation → Pattern → Tentative Hypothesis. Associated technologies: Machine Learning, Predictive Analytics, Scoring Engines.]
[Diagram: Deductive Reasoning, Top-Down Approach, General to Specific: Hypothesis → Observation → Confirmation. Associated technologies: Knowledge Representation and Reasoning, Expert System.]
Property Graphs / Knowledge Graphs
Machine Learning focuses on prediction, based on known properties learned from the training data. Inductive Reasoning uses patterns to arrive at a conclusion (conjecture). Note: A conclusion derived through inductive reasoning is called a hypothesis and is always less certain than the evidence itself. In other words, the conclusion is probable.
An expert system is an A.I. system that emulates the sense-making and decision-making ability of a human expert. Expert systems are designed to solve complex problems by reasoning about knowledge. Deductive Reasoning uses facts, rules, definitions or properties to arrive at a conclusion.
13. Automating Argument-Driven Inquiry
The playbooks capture the human analyst’s cognitive experience in applying the knowledge from the knowledge-base and can automate the Claim Evidence Reasoning framework.
Cognitive Playbooks, their ontologies (knowledge models), and reify configuration are all sharable through import and export features, allowing communities of trust to share knowledge and experience.
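The two reasoning modes of slide 10 and the Claim / Evidence / Reasoning automation of slide 13, as one added example that is not code from the deck or from DarkLight. Stage 2A is a crude scoring heuristic standing in for a non-symbolic scoring engine: it generalizes from constructed logon observations to a tentative hypothesis with a score. Stage 2B is a tiny symbolic expert system: two constructed rules (R1, R2) applied over a constructed asset knowledge base either confirm or reject that hypothesis and record why. All hosts, accounts, log lines, rules and function names are this example's own assumptions.

```python
"""Added example, not code from the deck or from DarkLight: a toy two-stage
sense-making pipeline. Stage 2A (non-symbolic, inductive) scores a pattern in
constructed logon observations and emits a tentative hypothesis. Stage 2B
(symbolic, deductive) applies constructed facts and rules to the same evidence
and confirms or rejects it with a claim / evidence / reasoning record."""
from dataclasses import dataclass, field

# Constructed observations: (timestamp, source_ip, account, logon_result).
OBSERVATIONS = [
    ("2019-05-01T10:00:01", "10.0.0.5", "alice", "FAIL"),
    ("2019-05-01T10:00:02", "10.0.0.5", "alice", "FAIL"),
    ("2019-05-01T10:00:03", "10.0.0.5", "alice", "FAIL"),
    ("2019-05-01T10:00:04", "10.0.0.5", "alice", "FAIL"),
    ("2019-05-01T10:00:05", "10.0.0.5", "alice", "SUCCESS"),
    ("2019-05-01T10:05:01", "10.0.0.9", "carol", "FAIL"),
    ("2019-05-01T10:05:02", "10.0.0.9", "carol", "FAIL"),
    ("2019-05-01T10:05:03", "10.0.0.9", "carol", "FAIL"),
    ("2019-05-01T10:05:04", "10.0.0.9", "carol", "FAIL"),
    ("2019-05-01T10:05:05", "10.0.0.9", "carol", "SUCCESS"),
]

# Constructed knowledge base: what the enterprise already knows about each asset.
FACTS = {
    "10.0.0.5": {"owner": "alice", "vpn_exit": False},
    "10.0.0.9": {"owner": "dave", "vpn_exit": False},
}


def inductive_score(observations, src):
    """Stage 2A, bottom-up: generalize from the data for one source.

    A stand-in for a scoring engine: the share of failed logons from `src`
    when a failure run is followed by a success. The output is a conjecture."""
    results = [o[3] for o in observations if o[1] == src]
    if len(results) < 2:
        return 0.0, "insufficient data"
    fails = results.count("FAIL")
    fail_then_success = any(a == "FAIL" and b == "SUCCESS"
                            for a, b in zip(results, results[1:]))
    score = fails / len(results) if fail_then_success else 0.0
    return round(score, 2), f"{fails} failures then a success from {src}"


@dataclass
class Argument:
    """Claim / Evidence / Reasoning record produced by the deductive stage."""
    claim: str
    evidence: list = field(default_factory=list)
    reasoning: list = field(default_factory=list)
    confirmed: bool = False


def deductive_validate(observations, facts, src, threshold=4):
    """Stage 2B, top-down: test the tentative hypothesis against known rules.

    R1: at least `threshold` consecutive failures followed by a success from
        one source is the credential-guessing success pattern.
    R2: the successful account is not the registered owner of the source
        asset, or the source is a VPN exit (otherwise: the owner mistyping).
    The claim is confirmed only if both premises hold."""
    arg = Argument(claim=f"successful credential guessing from {src}")
    streak, r1, success_user = 0, False, None
    for ts, _, user, result in (o for o in observations if o[1] == src):
        if result == "FAIL":
            streak += 1
            continue
        if streak >= threshold:
            r1, success_user = True, user
            arg.evidence.append(f"{ts}: {streak} failures then SUCCESS as {user}")
            break
        streak = 0
    arg.reasoning.append(f"R1 {'holds' if r1 else 'fails'}: "
                         f">= {threshold} failures preceded a success")
    if not r1:
        return arg
    asset = facts.get(src, {})
    is_owner = success_user == asset.get("owner")
    r2 = (not is_owner) or asset.get("vpn_exit", False)
    arg.evidence.append(f"asset record for {src}: {asset}")
    arg.reasoning.append(f"R2 {'holds' if r2 else 'fails'}: {success_user} is "
                         f"{'' if is_owner else 'not '}the registered owner")
    arg.confirmed = r1 and r2
    return arg


def sense_make(src, observations=OBSERVATIONS, facts=FACTS):
    """Run 2A then 2B and return one explainable result for the decision stage."""
    score, pattern = inductive_score(observations, src)
    arg = deductive_validate(observations, facts, src)
    return {"source": src, "tentative_score": score, "pattern": pattern,
            "claim": arg.claim, "confirmed": arg.confirmed,
            "evidence": arg.evidence, "reasoning": arg.reasoning}


if __name__ == "__main__":
    for src in ("10.0.0.5", "10.0.0.9"):
        r = sense_make(src)
        print(f"{src}: 2A score={r['tentative_score']} -> 2B confirmed={r['confirmed']}")
        for line in r["reasoning"]:
            print("   ", line)
```

Both sources get the same 2A score (0.8), which is exactly the point of slide 10: the inductive stage can only say the pattern is probable. The deductive stage rejects the first (the owner logging into her own workstation) and confirms the second (a different account than the owner), and the `reasoning` list is the explanation an analyst can peer-review, as slide 33 asks for.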
22. Object-Based Production & Activity-Based Intelligence
[Diagram: cyber OODA loop of Sensing → Sense-making → Decision-making → Acting, driven by Cognitive Playbooks. OBP: “Organize what is known”; ABI: “Discover the unknown unknowns”.]
Object-based production (OBP) and activity-based intelligence (ABI) are related IC analysis methodologies that rapidly integrate data from multiple sources to discover relevant patterns, determine and identify change, and characterize those patterns to create decision advantage and drive the sensing, sense-making, decision-making, and acting of the cyber OODA loop in the cyber environment. Activity-Based Intelligence promotes a deductive approach to analytic reasoning which reduces the space of potential outcomes by eliminating the impossible. Note: ABI can be automated with cognitive playbooks using symbolic AI!
26. Cybersecurity Decision Pattern
► Formal codification of cybersecurity operations knowledge with minimal content of context, problem, and solution:
▪ Problem: a source of perplexity, distress, or vexation
▪ Context: the interrelated conditions in which something exists or occurs
▪ Solution: an answer to a problem
-K. Willett
28. Cyber Resiliency Effects on Adversary Activities
► Deter, divert, and deceive in support of redirect;
► Prevent, preempt, and expunge in support of preclude;
► Contain, degrade, and delay in support of impede;
► Shorten and recover in support of limit; and
► Detect, reveal, and scrutinize in support of expose.
Source: NIST SP 800-160 Vol. 2 (DRAFT)
33. Feedback
►Gaps in sensors / observations
►Inductive Inference / Predictions About Adversary Activities
▪ Fallacies
▪ Cognitive Bias
►Deductive Inference / Scientific Arguments
▪ Peer Review of Cognitive Playbooks
▪ Domain Knowledge
►Acting
▪ Effectiveness of action in having desired effect on adversary activity
▪ Feedback on decision
34. AI-Driven Integrated Adaptive Cyber Defense Overview
[Diagram: Your IT Enterprise & Security Technologies; Your Information Sharing Services; Knowledge Representation & Reasoning; Integrated Cyber Defense Knowledge (CASE/UCO Investigation Packages); Integrated Cyber Threat Intelligence (STIX via TAXII such as AIS)]
#1 Sensing (Security Events & Logs)
#2A Sense-Making (Analytics, Machine Learning, & Scoring Engines Applied to Data Sets = Tentative Hypothesis (Conjecture))
#2B Sense-Making (KR&R Validation of Hypothesis & Explanation of Activity w/Domain Knowledge and Human Experience Captured in Cognitive Playbooks)
#3 Decision-Making (KR&R Cognitive Playbooks for Decision-Making Based On Sense-Making Results/Explanation of Activity and Human Domain Expert Experience In The Enterprise)
#4A Acting (Security Orchestrator w/Mechanistic Response Action Playbooks Following OpenC2 Commands)
#4B Feedback Loop
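Stages #3, #4A and #4B of the overview, carried through in one added example that is not code from the deck or from DarkLight. It also exercises the decision pattern of slide 26 (problem / context / solution) and the resiliency effects of slide 28. The mapping from those effects to OpenC2 actions is this example's own assumption (the deck only lists it as a discussion item); the six OpenC2 actions and the `target` / `args` fields used are ones defined in the OpenC2 Language Specification v1.0. The asset table, the sense-making result, the orchestrator response and the post-action events are constructed.

```python
"""Added example, not code from the deck or from DarkLight: stages #3
(Decision-Making), #4A (Acting) and #4B (Feedback) of the overview. A small
decision playbook turns a sense-making result into a Cybersecurity Decision
Pattern record (problem / context / solution) and an OpenC2 command for the
orchestrator. The effect-to-action mapping is this example's own assumption."""
import json

# Assumed mapping: resiliency effect -> OpenC2 action (all six actions exist
# in the OpenC2 Language Specification v1.0; the pairing is this example's).
EFFECT_TO_OPENC2 = {
    "prevent": "deny", "divert": "redirect", "contain": "contain",
    "scrutinize": "investigate", "recover": "restore", "expunge": "delete",
}

# Constructed enterprise context: the conditions in which the decision is made.
ASSETS = {
    "10.0.0.9": {"hostname": "ws-009", "criticality": "low"},
    "10.0.0.21": {"hostname": "db-021", "criticality": "high"},
}


def decide(result, assets=ASSETS):
    """#3 Decision playbook. `result` is the sense-making output:
    {"source": ip, "target": ip, "confirmed": bool, "claim": str}.

    A tentative (unconfirmed) hypothesis never triggers a disruptive action;
    it only widens scrutiny. Confirmed activity against a high-criticality
    asset is contained at the asset; otherwise the source is blocked."""
    ctx = {"source": result["source"],
           "target_asset": assets.get(result["target"], {})}
    if not result["confirmed"]:
        effect = "scrutinize"                       # expose: look closer
    elif ctx["target_asset"].get("criticality") == "high":
        effect = "contain"                          # impede: isolate the asset
    else:
        effect = "prevent"                          # preclude: block the source
    return {"problem": result["claim"], "context": ctx,
            "solution": {"effect": effect,
                         "openc2_action": EFFECT_TO_OPENC2[effect]}}


def to_openc2(decision):
    """#4A Acting: build the OpenC2 command the orchestrator will dispatch."""
    action = decision["solution"]["openc2_action"]
    src = decision["context"]["source"]
    host = decision["context"]["target_asset"].get("hostname")
    if action == "contain":
        target = {"device": {"hostname": host}}
    else:
        target = {"ipv4_net": f"{src}/32"}
    cmd = {"action": action, "target": target,
           "args": {"response_requested": "complete"}}
    if action == "deny":
        cmd["args"]["duration"] = 3600000           # one hour, in milliseconds
    return cmd


def feedback(cmd, response, post_action_events):
    """#4B Feedback: did the orchestrator accept the command, and did the
    targeted source or device go quiet afterwards? `response` is the OpenC2
    response ({"status": 200, ...}); events are constructed dicts."""
    acked = response.get("status") == 200
    tgt = cmd["target"]
    key = (tgt.get("ipv4_net", "").split("/")[0]
           or tgt.get("device", {}).get("hostname"))
    residual = [e for e in post_action_events if key in e.values()]
    return {"acknowledged": acked, "effective": acked and not residual,
            "residual_events": len(residual)}


if __name__ == "__main__":
    result = {"source": "10.0.0.9", "target": "10.0.0.21", "confirmed": True,
              "claim": "successful credential guessing from 10.0.0.9"}
    decision = decide(result)
    cmd = to_openc2(decision)
    print(json.dumps(cmd, indent=2))
    print(feedback(cmd, {"status": 200, "status_text": "OK"},
                   [{"src": "10.0.0.9", "host": "ws-009"}]))
```

The design point is the one slide 34 draws with its 2A/2B split: only a hypothesis that survived deductive validation is allowed to drive a disruptive OpenC2 action, and the feedback record (acknowledged, effective, residual events) is what slide 33 calls "effectiveness of action in having desired effect on adversary activity".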
35. Discussion / Future IACD Collaboration
▪ Applying NSA/CSS Technical Cyber Threat Framework
▪ Semantic Interoperability of Adversary Playbooks
  ▪ STIX 2.x JSON/JSON Schema limited to syntactic and structural interoperability
▪ Activity-Based Intelligence (looking for adversary actions)
▪ Effects of Actions mapped to OpenC2 Action Commands
▪ Automating Human Decision Making with Human Knowledge
  ▪ Context – immediate environment in which decision options are considered
  ▪ 4 R’s
    ▪ Reference Points (good/bad)
    ▪ Reasons Matter (contextual / argumentation)
    ▪ Resources Matter
    ▪ Replacement (work-arounds, doing easy instead of right)
  ▪ Framing
    ▪ Status Quo (default options)
    ▪ Gain/Loss (Gains = Risk Averse & Loss = Risk Seeking)
    ▪ Opportunity Cost Neglect