SP's MAI  

A National Model for Cyber Protection-Raytheon's Way
By Lt General (Retd) Naresh Chand


In today’s cyber security environment, there is no way to prevent a determined intruder from getting into a network so long as one allows e-mail and web surfing. This is because the majority of Information Assurance architectures rely on patching and configuration control for protection. Raytheon therefore believes the best way to address this is to recognize that attackers will get into your network, and to expand our defensive actions to detect, disrupt, and deny the attacker’s command and control (C2) communications back out to the network. Raytheon’s suggested model involves a set of trusted entities developing threat information and reporting it voluntarily (with non-attribution) to a central source, which consolidates the information and rapidly disseminates it to a very large user community, an approach already used by the highly successful anti-virus and spam filtering industries. This voluntary Industry-Government Cooperative Model for Disrupting Malicious Cyber Command and Control involves three types of entities:

  • Threat Reporters: Threat Reporters are organizations with the detection and analytical capability to discover command and control sites via malware reverse engineering or traffic analysis.
  • National Cyber Threat Response Center (NCTRC): The role of the NCTRC is to serve as a central threat clearing house for processing reports of C2 URLs and IP addresses from Threat Reporters and rapidly distributing them to the community of firewall device vendors. The NCTRC must be a single organization focused on rapid dissemination of actionable information.
  • Firewall Vendors: Vendors for firewall devices (the term here being used in its most generic sense) would accept the new threat information and push it out to their devices in the field the same way anti-virus and spam filtering vendors push new definitions today. The vendors would differentiate themselves from each other not only on price, but also on their speed of updates and value-add services such as the ability of their customers to manually override the lists or their ability to provide reports to network owners.
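
The three roles above can be sketched in a few lines of Python. This is an added illustration, not Raytheon's or the article's code: the class names, the feed layout, the per-indicator report count and the version counter are all assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

def normalize(indicator):
    """Canonical ('ip', addr) or ('url', host+path) key; None if unparseable."""
    text = indicator.strip()
    try:
        parts = urlsplit(text if "://" in text else "//" + text)
        host, path = parts.hostname or "", parts.path.rstrip("/")
    except ValueError:
        host, path = "", ""
    for candidate in (text, "" if path else host):
        try:
            return ("ip", str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass
    ok = host and not any(c.isspace() for c in text)
    return ("url", host + path) if ok else None

class ClearingHouse:  # assumed name for the central consolidation role (NCTRC)
    def __init__(self, trusted_reporters):
        self.trusted, self.sources, self.version = set(trusted_reporters), {}, 0

    def submit(self, reporter_id, indicators):
        if reporter_id not in self.trusted:
            return 0  # only trusted entities may report
        keys = {k for k in map(normalize, indicators) if k}
        new = keys - set(self.sources)
        for key in keys:
            self.sources.setdefault(key, set()).add(reporter_id)
        self.version += 1 if new else 0  # bump only when the list changed
        return len(new)

    def feed(self):  # non-attribution: publish a report count, never reporter ids
        items = [{"kind": k, "value": v, "reports": len(s)}
                 for (k, v), s in sorted(self.sources.items())]
        return {"version": self.version, "indicators": items}

class Firewall:  # assumed name for a vendor device that consumes the feed
    def __init__(self, local_allow=()):  # local_allow: the owner's manual override
        self.allow, self.block, self.version = {normalize(x) for x in local_allow}, set(), 0

    def apply(self, feed):
        if feed["version"] > self.version:  # ignore stale or replayed updates
            self.version = feed["version"]
            self.block = {(i["kind"], i["value"]) for i in feed["indicators"]} - self.allow

    def permits(self, destination):  # exact-match lookup, a simplification
        return normalize(destination) not in self.block
```

Reports of the same C2 endpoint in different spellings collapse to one feed entry, and a device's local allow list survives every update pushed to it.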

Common Operational Picture

Perhaps one of the key side benefits of this model is that it could be the basis of a true Common Operational Picture which would represent a very accurate picture of the scope of any given attack or campaign.

 

 