CA2899243A1 - Data exfiltration safeguards in classified processing environments - Google Patents


Info

Publication number
CA2899243A1
Authority
CA
Canada
Prior art keywords
classified, data structure, computing environment, steganographic, signature
Legal status
Abandoned
Application number
CA2899243A
Other languages
French (fr)
Inventor
Kelly F.C. Walsh
Current Assignee
Individual
Original Assignee
Wncs Inc

Classifications

    • G06F21/60 Protecting data (under G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F21/556 Detecting local intrusion or implementing counter-measures involving covert channels, i.e. data leakage between processes (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, and G06F21/55 Detecting local intrusion or implementing counter-measures)


Abstract

System and methods for detecting exfiltration of data from classified information processing environments and the integration of automated incident response workflows are disclosed.
Through the use of covert system modifications on classified workstations, common data structures are tagged with steganographic signatures which are detectable by both host- and network-based detection methods. A covert software agent installed on unclassified hosts within the same work environment will provide host-based detection methods, while the steganographic signature will be compatible with existing network analysis and detection tools used by Cyber Defence Signals Intelligence Analysts, allowing the reuse and repurposing of attack detection infrastructure for counter-intelligence purposes.

Description

BLG File No.: PAT 83291-1
Data Exfiltration Safeguards In Classified Processing Environments

Field
The present invention generally relates to information security in computer systems and more specifically to monitoring and detection of data exfiltration.

Background
Theft of sensitive data from classified or high security environments has been a challenge and a concern for governments and other organizations for thousands of years.
Archeologists have discovered early applications of Cryptography and Steganography attributed to the Egyptians circa 1500 BC. More recently in 2012 the first prosecution in Canada under the Security of Information Act (SOIA) resulted in the sentencing and incarceration of a naval officer accused of selling military secrets to a foreign state.
Hostile insiders have unfettered access to sensitive and classified information. Security safeguards which are designed to prevent access to sensitive information to unauthorised individuals provide no protection whatsoever to insider threat agents, as these threat agents are already authorised to access the sensitive information assets.
The present inventor concluded in a classified threat analysis report published for the Government of Canada (GoC), that insider human threat agents were extremely difficult to detect, and based on analysis of known historical security breaches, operate for long periods of time, often many years before they are caught, and that there is a very high likelihood that at least one hostile human threat agent is operating within the Canadian Intelligence Community at any given time.
The existing operational security trust model relies for the most part on the personnel security screening performed on individuals before they are granted access to classified information. While this safeguard greatly reduces the risk of granting access to classified information to individuals who pose an increased risk, it will never eliminate it. In many of the historical security breaches reviewed by the inventor, the hostile insider did not become hostile until some external motivating factor triggered the response. In some cases it was financial (e.g. bribery), while in others the motivation was driven by some ideological reasoning. Workplace and marital stress were also identified as key motivators.
Information processing within classified environments is usually performed on separate air-gapped networks. These classified or "RED" networks are usually wholly contained within a physically secured boundary.
Existing commercial data exfiltration detection products have generally not been designed with the air-gap separation between classified and unclassified networks in mind.
Emphasis is often placed on detection of information by keyword as the information crosses the boundary separating the private corporate network with the public internet. This approach often results in a high number of false positives, with no guarantee that the incident response resources are being efficiently tasked. This approach also relies on a list of keywords that must be continually updated and "tuned".
Other competing commercial products may perform behavioural analysis of the user's actions.
While this tactic can produce favourable results, the processing and information collection and analysis required often has a detrimental, and noticeable performance impact on the monitored workstation. Behavioural analysis is also more privacy intrusive, and projects which have proposed the implementation of behavioural analytics within the Canadian Government and associated Crown Corporations have met with strong resistance from privacy advocates.
Accordingly, there remains an urgent need for, and a substantial material value in, solutions to monitor and detect exfiltration of sensitive information, including particularly in systems employing air-gapped network security.
Summary
Embodiments of the invention allow organizations to detect files and data constructs created in a classified environment when those files or data constructs are stored and/or transmitted in an unclassified environment. A two-part steganographic signature may be embedded into a data structure in the classified environment, and the signature may be detected in unclassified environments.
The steganographic signature may be composed of two parts. A first, static part may be a common identifying part and may be used by the detection components described hereinafter. A second, dynamic part may include technical information useful to an investigating authority. This may include, but is not limited to: a login ID, a workstation ID, an IP address, date/time stamps, etc. The dynamic part may be encrypted and may not be readily viewable by anyone other than the investigating authority.
The steganographic signature may be detectable by the organization using a layered detection methodology. The signature may be detected by detection agents installed on all unclassified workstations within the environment. The signature may also be detected by network based surveillance tools monitoring the unclassified networks at the perimeter and within the networks, and the signature may be detected by existing Signals Intelligence infrastructure monitoring global network infrastructure.
The unclassified workstation detection agent may include covert command and control channels to notify the investigating authority of the signature detection. The detection agent may transmit a copy of the detected data structure to the investigating authority for manual verification. This data transfer may utilize steganographic techniques such as share splits to multiple IPs using known and expected protocol ports and channels to make it very difficult to detect, and the content will be encrypted in transit.
Embodiments of the invention may include an Investigative Authority management console. The Investigative Authority management console may receive alerts and copies of triggering data structures from the agents installed on the unclassified workstations.
Embodiments of the invention may include a means by which previously created data structures may be marked as "classified" in bulk.
Embodiments of the invention may include a means by which the steganographic signature may be removed from the data structure as part of an authorized cross-domain transfer solution.
Brief Description of the Drawings
Figure 1 shows a network diagram of a typical classified network environment.
Figure 2 shows a network diagram of a typical unclassified network environment.
Figure 3 shows a workflow diagram of the data marking process.
Figure 4 shows a workflow diagram of the detection & reporting process for both workstation, and network based detection.
Figure 5a shows a high-level deployment of the marking agents in a multi-department environment.
Figure 5b shows a high-level deployment of the detection components in a multi-department environment.
Figure 6 shows foreign remote detection objects.
Figure 7 shows "chained" steganographic signatures in multi-agency settings.
Detailed Description
Generally the present disclosure provides a method and system for marking classified data structures and detecting those data structures for the purposes of identifying classified information residing outside of classified information processing domains.
FIG. 1 shows a classified computing environment 101. A classified workstation 100 may include a physical desktop computer, a laptop/tablet, or a virtual machine hosted on a virtualization platform like VMware™. The classified workstation 100 may be a device that personnel working in the classified environment may perform work on. The classified workstation 100 may run Microsoft Windows™, Linux, Apple OS™, or any other operating system.
Personnel using the classified workstation 100 may use a combination of common-off-the-shelf (COTS) productivity applications (such as MS Office and Adobe Reader), and custom line-of-business (LOB) applications depending upon their role.
The classified workstation 100 may be connected via internal classified network devices 110 (e.g. switches, routers, firewalls) to classified data repositories 114 such as database servers 115, file servers 116, and enterprise document and records management systems 117. The classified data repositories 114 may be connected to a bulk agent 170 as further described below.
The classified workstation 100 may also be connected via the internal classified network devices 110 via a de-militarized zone (DMZ) 120 to classified special operations networks 130, which are connected via a cross domain transfer solution 140 to unclassified special operations networks 150 as discussed further below.
FIG. 2 shows an unclassified computing environment 201. An unclassified workstation 200 may include either a physical or virtual machine and may be used by personnel within classified environments to communicate to external parties via email, and often to browse the Internet. No classified work or data processing is ordinarily permitted on such an unclassified workstation, while work of an unclassified nature is typically permitted. Personnel who work in classified environments are usually provisioned with at least one unclassified workstation. Software installed on unclassified workstations often mirrors the software installed on classified workstations. In some cases, an unclassified workstation may be installed with unclassified LoB applications instead of classified LoB applications, but most if not all of the common office productivity applications may be the same.
On the unclassified workstation 200, personnel may store files locally, or may transmit files over an internal network 210 for storage in an unclassified data repository 214 such as a database server 215, a file server 216, or an enterprise document and records management system 217. Files may also be communicated through a network which may include a demilitarized zone (DMZ) 220 connecting to the Internet 225.
Marking
Methods 301, 302 of modifying a classified data structure are shown in Figure 3.
In a first method 301, the classified workstation 100 may run a marking agent 105 function which inserts a steganographic signature into a classified data structure. This may be implemented in at least one of two ways:
(1) by deploying a software shim that intercepts write calls made by applications or the operating system to the target data structure (Microsoft Word™ document, Adobe PDF file, etc.), which then inserts or appends the steganographic signature into the data structure; or
(2) by modifying the source application which generates the data structure to deliberately introduce the steganographic signature into the data structure.
In either case, the software shim or the modified application may be regarded as a marking agent 105.
Thus, in the first method 301, a user saves a classified data structure, such as a document or image, to a local or network storage of the classified computing environment 101 (step 305). For example, the storage may be in the classified workstation 100 or may be in the classified data repositories 114. If the classified data structure is in a supported format (decision 310) then the marking agent embeds the steganographic signature into the classified data structure (step 315) and the process ends (step 320). If the classified data structure is not in a supported format (decision 310), then the process ends (step 320).
The means used to embed the steganographic signature in the classified data structure, or otherwise to modify the classified data structure so as to contain the steganographic signature, will be dependent on the data structure, and the various tools and utilities that are expected to manipulate the data in that data structure.
In particular, the manner of inserting or embedding persistent steganographic signatures into data structures may be dependent upon the format and syntax of the data structure.
For example, the file structure of a Microsoft WordTM document (.doc, docx) includes many locations where a steganographic signature could be concealed without any visible change to the document.
The placement and exact location of the steganographic signature may vary with the file structure, and may change or evolve over time as common file structures change or are replaced by newer more popular products which have their own unique data structure.
The steganographic signature may be a concatenation of two parts:
1) A static binary string which may be sufficiently complex to reduce the likelihood of accidental collision with random values exhibited in unmarked file structures below a predetermined threshold level; and
2) A dynamic encrypted string which may contain system and user information which may be useful to investigators.
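As an added illustration (not code from the patent or from WNCS Inc), the following Python sketches the two-part signature just described: a fixed static marker for detection, followed by an encrypt-then-MAC dynamic part carrying the investigator-only fields, embedded in a constructed minimal .docx, together with the decoder an investigating authority would use. The marker value, the frame layout, the ZIP-comment hiding location and the SHA-256 counter-mode cipher are all assumptions made for this example, and the expected-collision formula shows how the marker length relates to the false-positive threshold.

```python
"""Marking agent and investigating-authority decoder for a two-part signature:
STATIC_MARKER (fixed, for detection) + encrypted dynamic part (for investigators)."""
import hashlib
import hmac
import io
import json
import os
import struct
import zipfile
from typing import Optional

# Constructed values for this example: a fixed per-agency marker and a framing
# tag. The marker is long enough that a chance match in unmarked data stays
# far below any practical alert threshold (see expected_accidental_matches).
STATIC_MARKER = bytes.fromhex("c7a1e9f2043bd86e5f1a2c9d7b30e4a8")
DYN_MAGIC = b"XFSIG1"

def expected_accidental_matches(marker_len: int, bytes_scanned: int) -> float:
    """Expected number of chance hits of a marker_len-byte marker across
    bytes_scanned bytes of unrelated data (about m / 256**n)."""
    return bytes_scanned / float(256 ** marker_len)

def _derive(ia_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from the one shared key.
    return hashlib.sha256(label + ia_key).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 in counter mode, a stdlib-only stand-in so the example runs
    # offline; a real deployment would use an AEAD such as AES-GCM.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_dynamic_part(ia_key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC the investigator-only fields (login ID, workstation ID,
    IP address, timestamp) and frame them so a scanner can find their length."""
    nonce = os.urandom(12)
    plaintext = json.dumps(fields, sort_keys=True).encode()
    ks = _keystream(_derive(ia_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_derive(ia_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    body = nonce + ciphertext + tag
    return DYN_MAGIC + struct.pack(">H", len(body)) + body

def build_signature(ia_key: bytes, fields: dict) -> bytes:
    return STATIC_MARKER + encrypt_dynamic_part(ia_key, fields)

def mark_docx(docx_bytes: bytes, signature: bytes) -> bytes:
    """Embed the signature in the ZIP archive comment of the OPC package.
    Assumed location for this example only; as the description says, the real
    location must be chosen per file format and may change over time."""
    buf = io.BytesIO(docx_bytes)
    with zipfile.ZipFile(buf, "a") as zf:
        zf.comment = signature
    return buf.getvalue()

def find_signature(data: bytes) -> Optional[bytes]:
    """Locate the static marker anywhere in a byte string and return the framed
    dynamic part after it. None means no marker, or a marker with a malformed
    frame, which the investigator would treat as a chance collision."""
    i = data.find(STATIC_MARKER)
    if i < 0:
        return None
    p = i + len(STATIC_MARKER)
    if data[p:p + len(DYN_MAGIC)] != DYN_MAGIC or len(data) < p + len(DYN_MAGIC) + 2:
        return None
    p += len(DYN_MAGIC)
    (n,) = struct.unpack(">H", data[p:p + 2])
    body = data[p + 2:p + 2 + n]
    return body if len(body) == n else None

def decrypt_dynamic_part(ia_key: bytes, body: bytes) -> Optional[dict]:
    """Investigating-authority side: verify the tag first, then decrypt."""
    if len(body) < 12 + 32:
        return None
    nonce, ciphertext, tag = body[:12], body[12:-32], body[-32:]
    expect = hmac.new(_derive(ia_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    ks = _keystream(_derive(ia_key, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(a ^ b for a, b in zip(ciphertext, ks)))

def make_sample_docx() -> bytes:
    """Constructed minimal OPC package standing in for a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>quarterly report</w:document>")
    return buf.getvalue()

if __name__ == "__main__":
    # Symmetric key for brevity; a deployment would encrypt to the investigating
    # authority's public key so the marking agent holds no decryption capability.
    key = os.urandom(32)
    fields = {"login": "jdoe", "workstation": "RED-WS-042",  # constructed sample
              "ip": "10.0.5.17", "ts": "2015-08-26T14:03:00Z"}
    marked = mark_docx(make_sample_docx(), build_signature(key, fields))
    print(decrypt_dynamic_part(key, find_signature(marked)))
```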
There may be no visible signs that the marking agent is installed on the classified workstation. The marking agent may be designed to be as covert as possible. If a software shim is deployed, for example, the true purpose of the software may be obfuscated and appear to perform some other function, such as performance monitoring or asset inventory control. The marking agent may be made difficult to detect for a person with a high level of technical skills and training.
If modifications to the source application are made deliberately to introduce the steganographic signature into the marked classified data structures, the changes to the executable code may be signed using the software vendor's code-signing key, making the software changes appear to be legitimate vendor-supplied code.
The marked classified data structures may be stored locally on the classified workstation 100 or they may be transmitted over the classified network 110 and reside on one of the classified data repositories 114 (115-117).
In some embodiments, at no point in time will the agent block access to any data. If data were blocked by the agent, the blocking activities would increase the likelihood that the marking process would be exposed to the potential hostile insider. The insider would then likely alter their means and method of exfiltration to evade the detection mechanisms. Research of insider threat agents has revealed that they usually operate within classified environments for many years.
Embodiments of the invention may facilitate the collection of forensic evidence to support the prosecution of the insider. There is often greater value in allowing an insider threat agent to exfiltrate data from a classified environment in order to identify other parties in the intelligence collection process, such as the agent's handler, and other human assets under that handler's control.
Existing DLP products are not designed with this requirement in mind.
The marking agent 105 may begin marking file structures created or edited as soon as the marking agent 105 is deployed. For existing data structures, a bulk agent 170 may embed the steganographic signature into the vast collection of files and data structures generally created prior to the deployment of the marking agent 105 in the classified computing environment 101.
Thus, in a second method 302, the bulk agent 170 may be operated by security administrators or system administrators with elevated permissions. Once initiated by a security or system administrator, the bulk agent 170 may scan an existing classified repository 114 and insert the appropriate steganographic signature into all compatible file types. The dynamic part of the signature may comprise a generic marker indicating that the associated data structure was marked during a bulk marking operation.
Within government classified environments, there are business requirements which require certain data structures developed within classified environments to be shared with entities outside of this classified environment. In these cases, embodiments of the invention may integrate with an organization's Cross Domain Transfer Solution 140 to properly remove all traces of the steganographic signature prior to the transfer of that data to an external security domain such as an unclassified special operations network 150. The signature removal method may obfuscate the presence of the signature and at the same time potentially remove other unknown steganographic payloads.
Detection
Methods 400, 410, 420, 430 of detecting and reporting a marked classified data structure are shown in FIG. 4.
In general, a detection agent may operate to monitor and detect marked classified data structures which contain a steganographic signature as described herein. In some embodiments, the detection agent resides and runs on an unclassified workstation in an unclassified computing environment.
In other embodiments, the detection agent resides and runs on a network element in the unclassified computing environment. In yet further embodiments, the detection agent resides and runs on a network device outside of the unclassified computing environment.
Local Host Detection
In some embodiments, a detection agent 205 may reside on an unclassified workstation 200 in the unclassified computing environment 201 and monitor operations by the unclassified workstation 200 to detect any interaction with a data structure that possesses a "classified" steganographic signature. In particular:
1) The detection agent may be covert, and there may be no outward sign that it is operating.
Detection of the detection agent may be made difficult for an adversary of high technical proficiency. For example, the agent may use mimicry of an existing business support process to hide its true purpose, such as performance monitoring, asset inventory, or other service desk related technical applications.
2) The detection agent may be configured only to monitor and report. There may be no "block" feature, as implementing a block feature may increase the visibility of the detection agent and hinder the evidence collection process in a counter-intelligence or SOIA investigation.
3) The detection agent may send alerts to an investigative authority via an encrypted and covert command & control channel. This channel may be used to send a copy of the triggering data structure directly to the investigating authority management console 230 for analysis.
Thus, in a workstation-based method 400 of detecting a classified data structure, when a user opens, copies or otherwise manipulates a data structure (step 401) the detection agent will determine if the data structure is a supported type (step 402), the agent will then determine whether the supported document structure contains a steganographic signature of interest (step 403), and if a steganographic signature is detected, the workstation reporting process will be initiated (step 430). If the data structure is not a supported type, or does not contain a steganographic signature, then the process ends (step 405).
A workstation reporting process (step 430) begins when the workstation detects a data structure with a steganographic signature (step 431). When an event is triggered and an alert, which may include or accompany a copy of the data structure, is sent by the detection agent 205 to the investigative authority management console 230 (step 432) there may be three causes:
1) False positive: In this scenario, the detection agent detects and reports a data structure as originating from the classified environment when in fact it never did. The steganographic signature used by the marking agent 105 may use an identifier which provides a likelihood of false positive less than a predetermined level. Review of the forwarded data structure by the investigative authority may quickly determine if the alert is a false positive or not.
2) Soft Positive: In this scenario the detection agent may detect an unclassified data structure that has been created on a classified computing device, and then transferred to the unclassified computing environment without performing an appropriate and approved data transfer processes to remove the steganographic signature. This may be a minor security violation and may be addressed through an administrative process likely involving re-education of proper processes and procedures.
3) Hard Positive: In this scenario the detection agent may detect a classified document in an unclassified domain. This may be a serious security breach and may be an indicator of malicious insider threat activity.
If upon review it is determined that the data structure is classified (decision 433), then a measure such as a Security of Information Act investigation (step 434) may be performed, and otherwise an alternative measure such as an administrative review (step 435) may be performed.
By design, embodiments of the invention may facilitate the rapid determination of which of the above three use cases has occurred and provide investigators with near real-time alerting and response capability.
Network-based Detection
Network based detection may be performed at various points including an existing network monitoring and alerting capability 221 in an unclassified computing environment 201, as well as, with reference to FIG. 5b, an existing operational monitoring facility 527 in a multi-agency scenario, such as Shared Services Canada (SSC)/Government of Canada Network (GCNET) 528 which accesses the internet 530 via an existing Common Government of Canada (GoC) Internet Access Gateway 529. With reference to FIG. 6, network based detection may also employ an existing foreign monitoring and alerting facility such as existing FVEY SIGINT infrastructure 601 which interfaces the Internet 602 and/or a foreign state network 603.

Network based detection may be performed using existing government network monitoring and alerting infrastructure. Signatures may be developed which are compatible with existing commercial products and may identify agency specific steganographic signatures, including signatures attributed to common classified environments such as Canadian Top Secret Network (CTSN).
Alerts may be generated using existing monitoring tools and forwarded to organizational specific Security Incident & Event Management (SIEM) consoles.
As shown in FIG. 6, compatible signature detection may be extended to existing Five Eyes (FVEY) Signals Intelligence (SIGINT) assets to allow detection of Canadian Classified data structures resident on foreign networks.
Thus, with reference to FIG. 4, a method of monitoring and detecting classified data structures on a network 410 begins when a security appliance, such as a network node configured for monitoring and alerting, passively monitors traffic on the network (step 410). If a monitored data structure contains a steganographic signature which matches a custom intrusion detection system (IDS) signature (decision 412), then a network reporting process may initiate (step 413), and otherwise the process may end (step 414). The network reporting process 420 begins when a data structure with a steganographic signature is detected (step 421), and may continue with a step of following existing IDS or intrusion prevention system (IPS) security monitoring procedures (step 422). An investigative authority (IA) may then be notified (step 423) and an investigation may be initiated (step 424).
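The following added example (not code from the patent) shows the report-only scanning that both the workstation method 400 and the network method 410 rely on: a supported-type check by magic bytes, a streaming search for the static marker that keeps an overlap buffer so a marker split across packets or read buffers is still found, and the alert record handed to the reporting process. The marker value, the magic-byte table and the sample flow are constructed for this example; a deployed IDS rule would carry the same byte string as its content match.

```python
"""Report-only scanner for the static part of a steganographic signature.
Serves the host agent (method 400) and a passive network sensor (method 410):
chunks arrive in order, an overlap buffer keeps a marker that straddles a
packet or read boundary detectable, and hits become alert records."""
from typing import Iterable, List, Optional

# Constructed static marker, the fixed value an agency's marking agent emits.
STATIC_MARKER = bytes.fromhex("c7a1e9f2043bd86e5f1a2c9d7b30e4a8")

# Supported formats are recognised by leading magic bytes, not by file name,
# since a renamed file should still be examined.
SUPPORTED_MAGIC = {b"PK\x03\x04": "ooxml-zip", b"%PDF": "pdf"}

def supported_type(head: bytes) -> Optional[str]:
    for magic, name in SUPPORTED_MAGIC.items():
        if head.startswith(magic):
            return name
    return None

class StreamScanner:
    """Feed chunks in order; records absolute byte offsets of marker hits."""

    def __init__(self, marker: bytes = STATIC_MARKER):
        self.marker = marker
        self.carry = b""     # last len(marker)-1 bytes seen so far
        self.offset = 0      # absolute offset of carry[0]
        self.hits: List[int] = []

    def feed(self, chunk: bytes) -> List[int]:
        buf = self.carry + chunk
        found = []
        start = 0
        while True:
            i = buf.find(self.marker, start)
            if i < 0:
                break
            found.append(self.offset + i)
            start = i + 1
        keep = len(self.marker) - 1
        # Keep a tail one byte shorter than the marker: a full marker can never
        # lie entirely inside it, so no hit is ever reported twice.
        self.offset += max(0, len(buf) - keep)
        self.carry = buf[-keep:] if keep else b""
        self.hits.extend(found)
        return found

def scan_flow(flow_id: str, chunks: Iterable[bytes]) -> Optional[dict]:
    """Passively scan one reassembled flow or file read (steps 411-412) and
    return the record handed to the reporting process (steps 421-423), or None."""
    scanner = StreamScanner()
    head = b""
    for chunk in chunks:
        if len(head) < 4:
            head += chunk
        scanner.feed(chunk)
    if not scanner.hits:
        return None
    return {
        "flow": flow_id,
        "file_type": supported_type(head) or "unknown",
        "marker_offsets": scanner.hits,
        "action": "report-only",            # never block: detection stays covert
        "notify": "investigative-authority",
    }

def sample_chunks() -> List[bytes]:
    """Constructed sample: a PDF-like payload carrying the marker, cut into
    7-byte pieces so the marker is spread across three packets."""
    payload = b"%PDF-1.4\n" + b"A" * 40 + STATIC_MARKER + b"B" * 20
    return [payload[i:i + 7] for i in range(0, len(payload), 7)]

if __name__ == "__main__":
    print(scan_flow("flow-1", sample_chunks()))
```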
Multi-Agency Deployment Scenario
FIGS. 5a and 5b illustrate an embodiment deployed in a multi-agency or multi-department context.
In FIG. 5a, by way of example, each federal agency or department may have a corresponding steganographic signature attributed to it. Common or shared environments such as the Canadian TOP SECRET Network (CTSN) may either leverage the signature of the managing agency, or a new signature could be developed. Thus, for example, each of a Canadian Security Intelligence Service (CSIS) network 501, a Communications Security Establishment (CSE) network 502, and a Department of National Defence (DND) network 503, may have associated with it a corresponding unique steganographic signature, as may a CTSN network 504. This may provide more useful information to the investigating authority if the document is detected via an externally monitored network segment.
As shown in FIG. 7, steganographic signatures may be "chained" to provide a record of custody or control. For example, a chained steganographic signature 701 is shown in FIG. 7. The chained steganographic signature 701 has two portions, a first portion 702 associated with a first agency/department 1, and a second portion 703 associated with a second agency/department 2.
The first portion 702 has a first static steganographic signature 704 associated with agency 1, as well as a dynamic identification information part 705, as described above. The first part 704 may comprise 8k of data, and the second part 705 may also comprise 8k, by way of non-limiting example only. Similarly, the second portion 703 has a first static steganographic signature 706 associated with agency 2, as well as a dynamic identification information part 706, as described above. The first part 706 may comprise 8k of data, and the second part 706 may also comprise 8k, by way of non-limiting example only. Thus, for example, where a classified document which originated from one entity, e.g. DND, is then shared with a second entity, e.g. the CSE, and the document is later intercepted in transit between two foreign parties, it is useful for the investigating authority to have the attributable system and user information from both entities available for investigative purposes, and to determine when/where in the chain of custody the leak occurred.
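An added example (not from the patent) of the chaining in FIG. 7: each agency that handles a document appends its own portion (its static marker plus a dynamic identification part) rather than replacing what is there, so an intercepted copy yields the custody order. The per-agency marker values and link framing are assumptions for this example, and the dynamic parts are shown in the clear where a deployment would encrypt them for the investigating authority as in the marking agent.

```python
"""Chained steganographic signatures: one link per agency, in custody order."""
import struct
from typing import List, Optional, Tuple

# Constructed per-agency static markers (one per department, as in FIG. 5a).
AGENCY_MARKERS = {
    "DND": bytes.fromhex("d3a9c1e8f20b4a7c9e1d5b6f0c8a2e47"),
    "CSE": bytes.fromhex("5e7b2a9cd41f08e6b3c7a1d9f2e04c6a"),
}
MARKER_BY_VALUE = {v: k for k, v in AGENCY_MARKERS.items()}
MARKER_LEN = 16
CHAIN_MAGIC = b"XFCHN1"   # constructed framing tag for the whole chain

def encode_portion(agency: str, dynamic_part: bytes) -> bytes:
    """One chain link: static marker, 2-byte length, dynamic part (would be
    encrypted for the investigating authority; shown in the clear here)."""
    return AGENCY_MARKERS[agency] + struct.pack(">H", len(dynamic_part)) + dynamic_part

def append_link(chain: bytes, agency: str, dynamic_part: bytes) -> bytes:
    """Called when an agency creates or receives the document: extends the
    existing chain so earlier custody information survives."""
    if not chain:
        chain = CHAIN_MAGIC
    if not chain.startswith(CHAIN_MAGIC):
        raise ValueError("not a chained signature")
    return chain + encode_portion(agency, dynamic_part)

def parse_chain(chain: bytes) -> List[Tuple[str, bytes]]:
    """Walk the chain and return (agency, dynamic_part) in custody order.
    Stops at the first unrecognised marker or short link so a truncated or
    tampered tail is not mis-attributed to a known agency."""
    if not chain.startswith(CHAIN_MAGIC):
        return []
    p = len(CHAIN_MAGIC)
    links = []
    while p + MARKER_LEN + 2 <= len(chain):
        agency = MARKER_BY_VALUE.get(chain[p:p + MARKER_LEN])
        if agency is None:
            break
        (n,) = struct.unpack(">H", chain[p + MARKER_LEN:p + MARKER_LEN + 2])
        body = chain[p + MARKER_LEN + 2:p + MARKER_LEN + 2 + n]
        if len(body) != n:
            break
        links.append((agency, body))
        p += MARKER_LEN + 2 + n
    return links

def extract_chain(data: bytes) -> Optional[bytes]:
    """Find a chain embedded anywhere in a file's bytes."""
    i = data.find(CHAIN_MAGIC)
    return None if i < 0 else data[i:]

def custody_summary(chain: bytes) -> dict:
    """What an investigator wants from an intercepted copy: where the document
    originated, who handled it last, and how many hands it passed through."""
    links = parse_chain(chain)
    if not links:
        return {"origin": None, "last_custodian": None, "hops": 0}
    return {"origin": links[0][0], "last_custodian": links[-1][0], "hops": len(links)}

if __name__ == "__main__":
    # Constructed scenario: DND creates the document, then shares it with CSE.
    chain = append_link(b"", "DND", b"login=asmith;ws=DND-RED-07")
    chain = append_link(chain, "CSE", b"login=bjones;ws=CSE-RED-21")
    intercepted = b"%PDF-1.4 ... " + chain + b" ..."
    print(custody_summary(extract_chain(intercepted)))
```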
Thus, in FIG. 5b an embodiment is shown with tiered management and reporting capability for local host based detection, allowing individual agencies having corresponding networks 501-503 to respond to events internally via corresponding investigative authority management consoles 523-525, and to also allow a centralized Joint Counter-Intelligence Investigative team (JCIIT) 526 comprised of resources from multiple agencies (RCMP, CSIS, CSE, others) to investigate the event with broad cross-department cooperation and the legal authority to investigate Canadians suspected of espionage, or SOIA violations.

The JCIIT 526 may also receive alerts if the steganographic signature is detected using network based detection methods by Shared Services Canada's Network Operations support personnel who monitor the Government of Canada's Common Internet Access Gateway 529, for example using the operational monitoring facility 527.
In the preceding description, for purposes of explanation, numerous details are set forth in order to provide a thorough understanding of the embodiments. However, it will be apparent to one skilled in the art that these specific details are not required. In other instances, well-known electrical, computer, or network structures and circuits are shown in block diagram form in order not to obscure the understanding. For example, specific details are not provided as to whether the embodiments described herein are implemented as a software routine, hardware circuit, firmware, or a combination thereof.
Embodiments of the disclosure can be represented as a computer program product stored in a machine-readable medium (also referred to as a computer-readable medium, a processor-readable medium, or a computer usable medium having a computer-readable program code embodied therein). The machine-readable medium can be any suitable tangible, non-transitory medium, including magnetic, optical, or electrical storage medium including a diskette, compact disc read only memory (CD-ROM), memory device (volatile or non-volatile), or similar storage mechanism.
The machine-readable medium can contain various sets of instructions, code sequences, configuration information, or other data, which, when executed, cause a processor to perform steps in a method according to an embodiment of the disclosure. Those of ordinary skill in the art will appreciate that other instructions and operations necessary to implement the described implementations can also be stored on the machine-readable medium. The instructions stored on the machine-readable medium can be executed by a processor or other suitable processing device, and can interface with circuitry to perform the described tasks.
The above-described embodiments are intended to be examples only. Alterations, modifications, and variations can be effected to the particular embodiments by those of skill in the art. The scope of the claims should not be limited by the particular embodiments set forth herein, but should be construed in a manner consistent with the specification as a whole.

Claims (45)

CLAIMS:
1. A method of detecting transfer of a classified data structure from a classified computing environment to an unclassified computing environment, the method comprising:
in the classified computing environment, modifying the classified data structure to contain a steganographic signature thereby to create a marked classified data structure detectable by detection means outside of the classified computing environment.
2. The method according to claim 1, further comprising:
in the unclassified computing environment, monitoring data structures accessed in, transferred to or from, or stored in, the unclassified computing environment to detect the marked classified data structure by determining that the marked classified data structure contains the steganographic signature.
3. The method according to claim 2, wherein the data structures are monitored in the unclassified computing environment by a detection agent running in the unclassified computing environment.
4. The method according to claim 2, wherein the detection agent runs on an unclassified workstation or a network device in the unclassified computing environment.
5. The method according to claim 4, wherein the detection agent runs on the network device, wherein the network device is connected at a perimeter of the unclassified computing environment.
6. The method according to claim 4, wherein the detection agent runs on the network device, wherein the network device is connected within the unclassified computing environment.
7. The method according to claim 4, wherein the detection agent runs on the network device, wherein the network device is a node on a public network.
8. The method according to claim 7, wherein the public network is the Internet.
9. The method according to any one of claims 2 to 8, further comprising covertly transmitting a notification to an investigative authority management console when the marked classified data structure is detected in the unclassified computing environment.
10. The method according to claim 9, wherein the notification comprises a copy of the marked classified data structure.
11. The method according to claim 9 or 10, wherein the notification is transmitted to the investigative authority management console over a covert command and control channel.
12. The method according to claim 11, wherein the notification is transmitted from an unclassified workstation in the unclassified computing environment over the covert command and control channel.
13. The method according to claim 12, wherein the notification is transmitted by a detection agent running on the unclassified workstation.
14. The method according to any one of claims 1 to 13, wherein the steganographic signature comprises a static part common to the marked classified data structure and a further marked classified data structure, wherein the further marked classified data structure contains the further steganographic signature comprising the static part, and wherein the steganographic signature further comprises a dynamic part, wherein the further steganographic signature comprises a further dynamic part different from the dynamic part.
15. The method according to claim 14, wherein determining that the marked classified data structure contains the steganographic signature comprises determining that the marked classified data structure contains the static part.
16. The method according to claim 14 or 15, wherein the static part comprises a binary string.
17. The method according to claim 16, wherein the binary string has a complexity sufficient to limit a likelihood of accidental collisions with random strings to a predetermined level.
18. The method according to any one of claims 15 to 17, wherein the dynamic part comprises information associated with the unclassified computing environment, the information comprising a login identifier, a workstation identifier, an Internet protocol (IP) address, and/or a date or time stamp.
19. The method according to any one of claims 15 to 18, wherein the dynamic part is encrypted.
20. The method according to any one of claims 14 to 19, wherein the classified computing environment is a first classified computing environment, the steganographic signature is a first steganographic signature, the static part is a first static part, and the dynamic part is a first dynamic part, the method further comprising:
in a second classified computing environment, further modifying the classified data structure to contain a second steganographic signature further to create the marked classified data structure detectable by the detection means outside of the classified computing environment, wherein the second steganographic signature comprises a second static part different from the first static part, and a second dynamic part.
21. The method according to claim 20, further comprising:
in the unclassified computing environment, monitoring the data structures accessed in, transferred to or from, or stored in, the unclassified computing environment to detect the marked classified data structure by determining that the marked classified data structure contains the second steganographic signature.
22. The method according to claim 20 or 21, wherein the second classified computing environment is different from the first classified computing environment.
23. The method according to any one of claims 20 to 22, wherein the classified data structure is modified to contain the first steganographic signature by a first marking agent running in the first classified computing environment, and is modified to contain the second steganographic signature by a second marking agent running in the second classified computing environment.
24. The method according to any one of claims 1 to 22, wherein the classified data structure is modified to contain the steganographic signature by a marking agent running in the classified computing environment.
25. The method according to claim 24, wherein the marking agent runs on a classified workstation in the classified computing environment.
26. The method according to claim 25, wherein the marking agent comprises a software shim that intercepts a write call made by an application or operating system running on the classified workstation in association with the classified data structure, wherein the software shim inserts or appends the steganographic signature to the classified data structure to create the marked classified data structure.
27. The method according to claim 25, wherein the marking agent comprises an aspect or component of a modified application running on the classified workstation.
28. The method according to claims 1 to 19, wherein the classified data structure is modified to contain the steganographic signature by a bulk agent running in the classified computing environment, wherein the bulk agent further modifies at least one further classified data structure stored in the classified computing environment to contain at least one further steganographic signature.
29. The method according to claim 28, wherein the classified data structure and the at least one further classified data structure are each stored in a database server, a file server, or an enterprise document and records management system in the classified computing environment.
30. A system comprising at least one computing device, each computing device comprising a processor and a memory storing instructions executable by the processor, to perform the method according to any one of claims 1 to 29.
31. A device for enabling detection of the transfer of a classified data structure from a classified computing environment to an unclassified computing environment, the device comprising a processor and a memory storing instructions executable by the processor:
in the classified computing environment, to modify the classified data structure to contain a steganographic signature thereby to create a marked classified data structure detectable by detection means outside of the classified computing environment.
32. The device according to claim 31, wherein the steganographic signature comprises a static part common to the marked classified data structure and a further marked classified data structure, wherein the further marked classified data structure contains the further steganographic signature comprising the static part, and wherein the steganographic signature further comprises a dynamic part, wherein the further steganographic signature comprises a further dynamic part different from the dynamic part.
33. The device according to claim 32, wherein the static part comprises a binary string.
34. The device according to claim 33, wherein the binary string has a complexity sufficient to limit a likelihood of accidental collisions with random strings to a predetermined level.
35. The device according to any one of claims 32 to 34, wherein the dynamic part comprises information associated with the unclassified computing environment, the information comprising a login identifier, a workstation identifier, an Internet protocol (IP) address, and/or a date or time stamp.
36. The device according to any one of claims 32 to 35, wherein the dynamic part is encrypted.
37. The device according to any one of claims 31 to 36, wherein the classified data structure is modified to contain the steganographic signature by a marking agent running on the device.
38. The device according to any one of claims 31 to 37, wherein the device is a classified workstation in the classified computing environment.
39. The device according to claim 38, wherein the marking agent comprises a software shim that intercepts a write call made by an application or operating system running on the classified workstation in association with the classified data structure, wherein the software shim inserts or appends the steganographic signature to the classified data structure to create the marked classified data structure.
40. The device according to claim 38, wherein the marking agent comprises an aspect or component of a modified application running on the classified workstation.
41. The device according to claims 31 to 36, wherein the device runs a bulk agent to modify the classified data structure to contain the steganographic signature, wherein the bulk agent further modifies at least one further classified data structure stored in the classified computing environment to contain at least one further steganographic signature.
42. The device according to claim 41, wherein the classified data structure and the at least one further classified data structure are each stored in a database server, a file server, or an enterprise document and records management system in the classified computing environment.
43. The method according to claim 1, wherein the steganographic signature is detectable by existing Signals Intelligence infrastructure monitoring global network infrastructure.
44. The method according to claim 2 comprising monitoring the data structures and detecting the marked classified data structure using an existing foreign monitoring and altering facility comprising an existing FVEY SIGINT infrastructure which interfaces the Internet and/or a foreign state network.
45. The method according to claim 2 comprising monitoring the data structures and detecting the marked classified data structure using an existing foreign monitoring and altering facility comprising existing Five Eyes (FVEY) Signals Intelligence (SIGINT) assets to detect Canadian Classified data structures resident on foreign networks.
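The following is an added worked example, not code from the patent or from Wncs Inc, showing in Python how the signature structure of claims 14 to 19 (a static part shared by every marked copy plus an encrypted, per-copy dynamic part) fits together with the detection step of claims 2 and 15 (a detection agent that matches only the static part and needs no key) and the later recovery of the dynamic part at an investigative console. Everything concrete in it is an assumption: the 16-byte static marker, the shared console key, the length-prefixed layout, appending the marker to the end of the data structure (claim 26 allows insert or append), and the HMAC-SHA256 counter-mode keystream with a tag, which stands in for a real authenticated cipher such as AES-GCM that the claims do not name. It also goes slightly beyond the claims: collision_probability() makes the "complexity sufficient to limit a likelihood of accidental collisions" condition of claim 17 concrete as a union bound over positions in a random stream.

```python
"""Steganographic signature = static part + encrypted dynamic part (added example)."""
import hashlib
import hmac
import json
import os
import struct
from typing import Optional

# Constructed 16-byte static part standing in for the "binary string" of claims 16/17.
# A real marking agent would draw this uniformly at random and never publish it.
STATIC_PART = bytes.fromhex("9e7c3b0d6a41f2e85c17b93d0af64e21")
# Constructed key shared by the marking agent and the investigative authority console
# (an assumption: the claims say only that the dynamic part is encrypted).
CONSOLE_KEY = b"example-console-key (constructed)"
NONCE_LEN, TAG_LEN = 12, 16


def collision_probability(stream_bytes: int, marker_len: int = len(STATIC_PART)) -> float:
    """Union-bound upper limit on the chance that a uniformly random stream of
    `stream_bytes` bytes contains the static part by accident (claim 17)."""
    positions = max(stream_bytes - marker_len + 1, 0)
    return positions / 2.0 ** (8 * marker_len)


def _keystream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    # HMAC-SHA256 in counter mode; placeholder for a real authenticated cipher.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC the dynamic part; output is nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("dynamic part failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def mark(data: bytes, login: str, workstation: str, ip: str, timestamp: str,
         nonce: Optional[bytes] = None) -> bytes:
    """Marking-agent step (claims 1, 14, 18, 19): append static part, a 2-byte length,
    and the sealed dynamic part carrying the fields claim 18 lists."""
    dynamic = json.dumps({"login": login, "workstation": workstation,
                          "ip": ip, "timestamp": timestamp}, sort_keys=True).encode()
    sealed = seal(CONSOLE_KEY, dynamic, nonce)
    return data + STATIC_PART + struct.pack(">H", len(sealed)) + sealed


def detect(data: bytes) -> Optional[dict]:
    """Detection-agent step (claims 2, 15): match the static part only; no key needed.
    Returns the offset and, when intact, the still-sealed dynamic part for the console."""
    idx = data.find(STATIC_PART)
    if idx < 0:
        return None
    hdr = idx + len(STATIC_PART)
    sealed = None
    if len(data) >= hdr + 2:
        (n,) = struct.unpack(">H", data[hdr:hdr + 2])
        if len(data) >= hdr + 2 + n:
            sealed = data[hdr + 2:hdr + 2 + n]
    return {"offset": idx, "sealed_dynamic_part": sealed}


def recover_dynamic_part(key: bytes, sealed: bytes) -> dict:
    """Console-side step: decrypt and verify the dynamic part of a detected copy."""
    return json.loads(unseal(key, sealed).decode())


if __name__ == "__main__":
    memo = b"Constructed classified memo body."  # constructed sample input
    copy1 = mark(memo, "jdoe", "WS-0412", "10.20.30.40", "2015-07-30T09:00:00Z")
    hit = detect(copy1)
    print("detected at offset", hit["offset"])
    print("dynamic part:", recover_dynamic_part(CONSOLE_KEY, hit["sealed_dynamic_part"]))
    print("accidental-collision bound for 1 GB of random data:", collision_probability(10**9))
```

The split between detect() and recover_dynamic_part() mirrors the claims: the agent in the unclassified environment only needs the static part, so it can run on a workstation or perimeter device without holding any key, while the console that receives the copy (claim 10) is the only party able to read and verify who created the marked copy and when. Two copies of the same document get the same static part but different dynamic parts, which is the distinction claim 14 draws.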
CA2899243A 2015-07-30 2015-07-30 Data exfiltration safeguards in classified processing environments Abandoned CA2899243A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CA2899243A CA2899243A1 (en) 2015-07-30 2015-07-30 Data exfiltration safeguards in classified processing environments

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CA2899243A CA2899243A1 (en) 2015-07-30 2015-07-30 Data exfiltration safeguards in classified processing environments

Publications (1)

Publication Number Publication Date
CA2899243A1 true CA2899243A1 (en) 2017-08-28

Family

ID=59775495

Family Applications (1)

Application Number Title Priority Date Filing Date
CA2899243A Abandoned CA2899243A1 (en) 2015-07-30 2015-07-30 Data exfiltration safeguards in classified processing environments

Country Status (1)

Country Link
CA (1) CA2899243A1 (en)


Legal Events

Date Code Title Description
FZDE Dead

Effective date: 20190611