Advancing Cybersecurity for Advanced Threats

Every day, individuals, businesses, and agencies around the world ward off bad actors’ attempts to skirt their network defenses to obtain information. Cybersecurity threats facing Lawrence Livermore can be particularly malicious and cunning due to the Laboratory’s national security and technology focus. “We’re a three-billion-dollar laboratory that performs cutting-edge scientific research in the national interest,” says Matthew Myrick, Livermore’s Chief Information Security Officer and lead for the Laboratory’s Cyber Security Program (CSP). “We have capabilities and facilities found nowhere else, and as we tout our scientific excellence by publishing academic studies and generating intellectual property, we inevitably become a larger target of cyber threats.”

Surveying the Threat Landscape

Cyber threats come in many forms, from lone “script kiddies” searching for trivial network vulnerabilities, to carefully orchestrated operations by well-trained specialists, possibly including insiders. While Livermore must defend against indiscriminate attacks in search of susceptibilities and vulnerabilities, much of CSP’s effort is tailored to the techniques of more sophisticated actors. Most disconcerting are cyberattack attempts by advanced persistent threats (APTs) which act at the behest of foreign governments and militaries. “In the modern age, real-world skirmishes almost always have a cyber component evolving concurrently,” says Myrick. “CSP is especially concerned with detecting malicious activity from nation states who pose constant security threats to the United States, namely the ‘Big Four’: China, Russia, Iran, and North Korea. The sophisticated threats these actors pose are the ones that keep our cybersecurity professionals on their toes.” These actors are the most likely to directly target the Laboratory to obtain sensitive intellectual property or to compromise its operations.

CSP’s primary responsibility is operational cybersecurity, the day-to-day activities that safeguard the Laboratory’s cyber infrastructure and information. CSP works to maintain a balance between security and usability. “We need to ensure our systems are as secure as reasonably possible, but we also don’t want security measures to negatively impact employees’ ability to work efficiently and effectively,” says Myrick. 

Operating in tandem with the Livermore Information Technology program (LivIT), CSP’s work spans many hosts, applications, and operating systems (Mac, Windows, and Linux). Such diversity requires CSP to adopt a “team sport” mentality so that LivIT can keep enterprise systems in compliance and act in the event of an active threat. “CSP cannot operate alone. We must coordinate with other service owners who have expertise with specific applications, configurations, servers, firewalls, or patch systems to respond appropriately to threats,” says Myrick. He adds that having all relevant services organized under the Laboratory’s Office of the Chief Information Officer ensures responsive actions can be prioritized and escalated as needed when minutes matter. 

CSP collects and monitors a continuous, comprehensive stream of activity within Livermore’s enterprise network of nearly 10,000 employees and 50,000 computers to locate anomalous activity. A user making unauthorized network access, viewing large swaths of data outside their organization, or running atypical processes and applications: these are just some of the activities that can sound alarms for CSP. “At an institution our size, cybersecurity is essentially a data problem,” says Kevin Hamilton, a cybersecurity engineer who specializes in incident response and digital forensics—disciplines that involve identifying, investigating, containing, and remediating cyberattacks. “Our machines generate terabytes of data through regular activity. Our task is to find the needle in the haystack, that is, the extremely small subset of suspicious events that are relevant. If the Laboratory is threatened, my priority is to be an incident responder first and a cybersecurity engineer second.”

Sophisticated cyber breaches present a further challenge as adversaries can dwell in the network for months, making calculated decisions about when to risk detection by attempting to breach another system in the network. “Unlike Mission: Impossible, no single, critical device enables an adversary to rappel into a building and steal. In a hypothetical network break-in, we would still retain all the data related to our intellectual property on our machines, but an infiltrator would have seen and copied it,” says Myrick. To expand the reach of an attack, adversaries use lateral movements to spread through networks and identify the next weakest link. This tactic stresses the importance of detecting any intrusions as soon as possible.

Hunting Threats

Like many enterprises, Livermore often uses endpoint detection and response (EDR) as an initial line of defense. Endpoints refer to any individual component connected to a network, for instance, a user, a phone, a laptop, or a server. CSP configures its EDR tools to detect malicious or otherwise abnormal behavior at any endpoint, especially the presence of malware and the functions it may be executing. Facing the significant variety of endpoints that the Laboratory monitors, CSP has been instrumental in supporting interdepartmental collaboration on cybersecurity. 

As a file-centric methodology, EDR lacks the context of how endpoints are connected on a network. “We’re looking for the whole attack vector—not solely the fact that a file is present—based on matching its hash, an alphanumeric representation of a file’s contents obtained through a one-way mathematical operation. We need to know how the file got there and what specifically it is executing,” says cybersecurity analyst Katrina Herweg. CSP also employs several network-based intrusion detection systems (NIDS) to analyze data exchanges between endpoints without peering into their local files. Most traffic crossing the Laboratory’s enterprise network is benign and work-related; finding the needle in the haystack requires a comprehensive view of the network to single out anomalous processes associated with attack signatures.

Flow chart of cyber hunt process.
Lawrence Livermore and other nuclear security enterprise (NSE) sites collaborate through the Center of Excellence (COE) in Cyber Threat Intelligence (TI). The TI team evaluates trends in TI feeds and engages the hunt team to track down signatures of threats across the NSE (known as a “bounty”). Using endpoint detection and response (EDR), network-based intrusion detection systems (NIDS), and security information and event management (SIEM) platforms, the hunt team identifies and resolves these incidents, if present, and shares results with the TI team for further analysis.

Activity logs from EDR and NIDS are aggregated on a security information and event management (SIEM) platform through which cybersecurity analysts search activity histories, configure alerts, and run reports. Hamilton explains, “Suppose malware were downloaded following a Google search. Individual sensors don’t have full knowledge of where on the Internet the user navigated, what they downloaded, and what activity a malware file may be causing. SIEM allows us to correlate host events to the network and elucidate the entire chain of events.” 
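The two preceding passages describe, first, the EDR view (a file is present and its one-way hash matches a known-bad list) and, second, the SIEM view that correlates host and network events into a chain. The following Python example, written for this article and not drawn from CSP's tooling, shows both views over a handful of constructed EDR and NIDS events for one host: the hash check alone reports only that a bad file was written, while the correlation step rebuilds download, file write, execution, and the subsequent outbound connection. All hostnames, addresses, timestamps, and the sample payload are constructed placeholders.

```python
import hashlib
from datetime import datetime, timedelta


def sha256_hex(data: bytes) -> str:
    """One-way hash of file contents: the same bytes always yield the same digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample payload and a "known-bad" hash list derived from it (not a real binary).
SAMPLE_PAYLOAD = b"MZ\x90\x00 constructed sample payload, not a real executable"
KNOWN_BAD_HASHES = {sha256_hex(SAMPLE_PAYLOAD)}

# Constructed NIDS events (network flows) as a SIEM might normalise them.
NIDS_EVENTS = [
    {"ts": "2024-05-01T09:14:02", "host": "ws-1042", "kind": "http",
     "dst": "www.google.com", "uri": "/search?q=invoice+template"},
    {"ts": "2024-05-01T09:14:40", "host": "ws-1042", "kind": "http",
     "dst": "files.example-cdn.test", "uri": "/dl/invoice.exe"},
    {"ts": "2024-05-01T09:16:05", "host": "ws-1042", "kind": "tcp",
     "dst": "203.0.113.77", "uri": None},
]

# Constructed EDR events (host activity) from the same and one unrelated host.
EDR_EVENTS = [
    {"ts": "2024-05-01T09:14:43", "host": "ws-1042", "kind": "file_write",
     "path": "C:\\Users\\jdoe\\Downloads\\invoice.exe", "content": SAMPLE_PAYLOAD},
    {"ts": "2024-05-01T09:15:58", "host": "ws-1042", "kind": "process_start",
     "path": "C:\\Users\\jdoe\\Downloads\\invoice.exe", "content": None},
    {"ts": "2024-05-01T09:20:00", "host": "ws-2200", "kind": "process_start",
     "path": "C:\\Windows\\notepad.exe", "content": None},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def hash_hits(edr_events, known_bad):
    """EDR view alone: which written files match a known-bad hash. Says nothing about origin or execution."""
    return [e for e in edr_events
            if e["kind"] == "file_write" and sha256_hex(e["content"]) in known_bad]


def correlate(nids_events, edr_events, known_bad, window=timedelta(minutes=5)):
    """SIEM view: for each hash hit, rebuild the chain on the same host within a time window:
    download flow -> file write -> process start -> outbound connection."""
    zero = timedelta(0)
    chains = []
    for hit in hash_hits(edr_events, known_bad):
        host, t_write = hit["host"], parse_ts(hit["ts"])
        name = hit["path"].rsplit("\\", 1)[-1]
        # An HTTP flow shortly before the write whose URI ends in the written file name.
        download = next((n for n in nids_events
                         if n["host"] == host and n["kind"] == "http" and n["uri"]
                         and n["uri"].endswith("/" + name)
                         and zero <= (t_write - parse_ts(n["ts"])) <= window), None)
        # A process start of the same path shortly after the write.
        start = next((e for e in edr_events
                      if e["host"] == host and e["kind"] == "process_start"
                      and e["path"] == hit["path"]
                      and zero <= (parse_ts(e["ts"]) - t_write) <= window), None)
        # An outbound TCP flow shortly after execution (the network side of "what it is doing").
        beacon = None
        if start is not None:
            t_start = parse_ts(start["ts"])
            beacon = next((n for n in nids_events
                           if n["host"] == host and n["kind"] == "tcp"
                           and zero <= (parse_ts(n["ts"]) - t_start) <= window), None)
        chains.append({"host": host,
                       "sha256": sha256_hex(hit["content"]),
                       "download_from": download["dst"] if download else None,
                       "executed": start is not None,
                       "connects_to": beacon["dst"] if beacon else None})
    return chains


if __name__ == "__main__":
    print("EDR hash hits:", [h["path"] for h in hash_hits(EDR_EVENTS, KNOWN_BAD_HASHES)])
    for chain in correlate(NIDS_EVENTS, EDR_EVENTS, KNOWN_BAD_HASHES):
        print("SIEM chain:", chain)
```

The five-minute window and the file-name join are the simplifying assumptions here; a production SIEM would key on process and flow identifiers carried by the sensors rather than on names and timestamps alone.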

Using its array of cybersecurity tools, Livermore contributes to the Center of Excellence (COE) in Cyber Threat Intelligence, a collaborative effort Sandia National Laboratories leads to streamline cyber responses across the National Nuclear Security Administration (NNSA). Alongside other national laboratories and nuclear security enterprise (NSE) centers, Livermore takes part in coordinated cyberhunts, jointly poring over NSE-wide data to identify potential threats in real time and strengthen the muscle memory of NSE cyber responders. During cyberhunts, which occur every two weeks, threat intelligence teams provide logs thousands of lines long listing the types of files or activity for the hunt teams to pursue. The hunt teams take this “bounty,” execute searches, and report back their findings. 

“Cyberhunts are proactive. We attempt to seek out event signatures in the data even before any alarms have been raised,” says Hamilton. “COE members frequently see related cybersecurity events because our business is closely coupled. If we catch malicious activity, we can share that information with partners right away.” COE is implementing shared platforms to expedite cross-site searches. For instance, an analyst at Livermore could run a SIEM query that surveys NNSA-wide activity. “Shared platforms are a force multiplier. I can perform my duties at Livermore while maintaining visibility across NNSA sites—this way, we play to our individual strengths while covering each other’s back,” says Hamilton. 

Graphic of clouds with labels connected to boxes containing different icons and labels.
Lawrence Livermore is the first National Nuclear Security Administration (NNSA) laboratory to adopt cloud-based cybersecurity services to supplement its own operations. This transition allows round-the-clock monitoring and analysis by the Laboratory’s Security Operations Center with continuous NNSA oversight. 

Looking to the Cloud

Until recently, Livermore processed and managed all cybersecurity data in-house, as did all other NNSA institutions. But in 2020, Livermore became the first national security laboratory to incorporate cloud-based cybersecurity services. (See S&TR, March 2023, LivIT Meets the Demand.) Using cloud services reduces some of the load for CSP and provides the team with greater elasticity and coverage by partnering with the world’s largest information technology companies. Myrick explains the move resulted from assessing CSP headcount and increasing security demands. “We must strike a balance between building and buying as the cybersecurity field rapidly evolves. Too much focus on building tools might detract from our capacity for routine data analysis,” he says. However, the shift to cloud services for Livermore required a secure platform vetted by the General Services Administration’s Federal Risk and Authorization Management Program (FedRAMP).

A major advantage for cloud users is that existing products can be pieced together rather than built independently. Cloud analytics provide valuable insight into attack behaviors, and providers rapidly update signatures and detections in response to the latest intelligence feeds. Additionally, cloud services provide round-the-clock monitoring, supplementing coverage during business hours and providing after-hours detection services. “Since implementing cloud services, we have benefitted from critical activity detections and analysis that otherwise may have taken longer on our own,” says Herweg. 

Only services that meet stringent security requirements defined by FedRAMP are trusted to interact with Laboratory data. “The cloud is software and infrastructure that we ourselves do not own. We trust another entity to keep our data safe and stable,” says Herweg. Federal agencies must ensure the cloud-based products they plan to acquire from private vendors implement the appropriate security controls for each sensitivity level as defined by the National Institute of Standards and Technology. FedRAMP acts as a disinterested third party that can evaluate whether a product will perform as needed for a federal entity. 

Assurance is more necessary now that Livermore uses cloud services for EDR and identity protection, which covers additional cyberattack vectors. APTs may attempt to obtain employee credentials and pose as vetted individuals to access protected systems and information. CSP maintains logs of official usernames, their associations, and approved access. “If a user suddenly starts accessing systems they never have before, or their password is entered incorrectly dozens of times, these are signals that malware could be present or that a user’s identity has been compromised,” says Herweg. 
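The two signals Herweg names, a user reaching a system they have never accessed before and a password entered incorrectly many times, are straightforward to express as detection logic over authentication logs. The Python example below is added for this article and is not CSP's code: it builds a per-user baseline of systems from a constructed history of successful logins, then flags new-system access and repeated failures in a constructed batch of current log lines. The log format, user names, hosts, and the failure threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed syslog-like authentication records; the key=value layout is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) result=(?P<result>success|failure)$")

# Constructed history window: where each user normally logs in successfully.
HISTORY_LINES = [
    "2024-04-22T09:00:00 auth host=hr-db user=asmith result=success",
    "2024-04-23T09:05:00 auth host=hr-db user=asmith result=success",
    "2024-04-23T10:15:00 auth host=mail user=asmith result=success",
    "2024-04-22T08:30:00 auth host=mail user=bjones result=success",
    "2024-04-24T08:31:00 auth host=wiki user=bjones result=success",
]

# Constructed current batch: asmith reaches a build server for the first time,
# and bjones's account shows a burst of failed logins against hr-db.
TODAY_LINES = [
    "2024-05-02T08:01:10 auth host=hr-db user=asmith result=success",
    "2024-05-02T08:05:01 auth host=mail user=bjones result=success",
] + [
    f"2024-05-02T22:14:{i:02d} auth host=hr-db user=bjones result=failure" for i in range(12)
] + [
    "2024-05-02T22:20:31 auth host=build-srv user=asmith result=success",
    "2024-05-02T22:21:00 garbage line that should be ignored",
]


def parse(lines):
    """Return the well-formed records as dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(history_events):
    """Per-user set of hosts reached by successful logins in the history window."""
    baseline = defaultdict(set)
    for e in history_events:
        if e["result"] == "success":
            baseline[e["user"]].add(e["host"])
    return baseline


def detect(baseline, events, fail_threshold=10):
    """Emit (signal, user, host, ts) tuples for new-host access and repeated failures.
    Each (user, host) pair raises the failure signal once, when the threshold is crossed."""
    alerts = []
    failures = Counter()
    for e in events:
        key = (e["user"], e["host"])
        if e["result"] == "success":
            if e["host"] not in baseline.get(e["user"], set()):
                alerts.append(("new_host_access", e["user"], e["host"], e["ts"]))
        else:
            failures[key] += 1
            if failures[key] == fail_threshold:
                alerts.append(("repeated_failed_logins", e["user"], e["host"], e["ts"]))
    return alerts


def run(history_lines=HISTORY_LINES, today_lines=TODAY_LINES, fail_threshold=10):
    baseline = build_baseline(parse(history_lines))
    return detect(baseline, parse(today_lines), fail_threshold)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Either signal on its own is only a lead: a new-host login may be a legitimate project change, so in practice the alert is enriched with the approved-access records the article mentions before anyone is paged.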

Image of open email on a laptop screen.
Phishing emails appeal to victims’ sense of security by posing as trustworthy contacts in attempts to prompt interaction and information sharing. Tell-tale signs of phishing emails—such as urgent requests for information, suspicious attachments, and unverified domain names—are some of the signatures detected by CSP-POST, a new Livermore-developed email security tool which uses machine learning techniques to identify suspicious content for quarantine.

Adversaries most often attempt to steal employee credentials through phishing attacks in which deceptive emails capture information by providing a harmful internet link and sometimes prompting a user to log in to a seemingly legitimate website. Filtering out spam emails is standard cybersecurity practice—according to Myrick, nearly three-quarters of emails destined for Livermore employee mailboxes are found to be spam and are automatically disposed of. But, for the occasional email that evades detection, phishing attempts remain a low-effort and high-reward cyberattack strategy that exploits users’ sense of security. 

To further thwart phishing attempts, Livermore researcher and software engineer Jeff Fairbanks recently developed a new forensics tool, CSP-POST, to identify malicious emails. Operating entirely within the cloud, CSP-POST applies machine learning techniques to survey the tens of millions of emails crisscrossing the Laboratory’s network each month. The tool parses email text and attachments for semantic meaning and determines whether phishing, scam, or social engineering activities are present by using the natural language processing capabilities of large language models and open-source static analysis tools such as YARA (Yet Another Recursive Acronym). “Using CSP-POST, incident responses can search for all aspects of any email that comes into or out of the organization,” says Fairbanks. CSP-POST transforms emails and their attachments, embedded links, and sender–receiver information into searchable metadata ready for analysis by cybersecurity experts. 
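The signatures listed in the figure caption above (urgent requests, suspicious attachments, unverified domains) and the metadata CSP-POST extracts (sender and receiver information, embedded links, attachments) can be illustrated with a small indicator scorer. The Python example below is written for this article and is not CSP-POST or any part of it; it parses a raw RFC 822 message with the standard library and counts simple indicators instead of applying language models or YARA rules. The trusted-domain list, the keyword list, the risky-extension set, and both sample messages are constructed assumptions.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed trusted sender domains; "llnl.gov" is used only because it appears in the article.
TRUSTED_DOMAINS = {"llnl.gov"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|will be suspended|verify your)\b", re.I)
LINK_RE = re.compile(r"https?://([^/\s>\"']+)", re.I)
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".iso"}  # assumed list of attachment types to flag


def body_text(msg) -> str:
    """Concatenate the decoded text/plain parts of a message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode("utf-8", errors="replace"))
    return "\n".join(parts)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the list of indicators found and a score equal to their count."""
    msg = message_from_string(raw)
    indicators = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    org_names = {d.split(".")[0] for d in trusted}
    # Display name invokes a trusted organisation while the address domain is not trusted.
    if display and any(o in display.lower() for o in org_names) and sender_domain not in trusted:
        indicators.append("display_name_domain_mismatch")
    # Replies are steered to a domain different from the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != sender_domain:
        indicators.append("reply_to_mismatch")
    text = body_text(msg)
    if URGENCY.search(text):
        indicators.append("urgency_language")
    if any(host.lower() not in trusted for host in LINK_RE.findall(text)):
        indicators.append("link_to_unverified_domain")
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXT:
            indicators.append("risky_attachment")
            break
    return {"score": len(indicators), "indicators": indicators}


# Constructed sample messages (reserved .test domains, placeholder content).
PHISH = """\
From: "LLNL Payroll" <payroll@example-mail.test>
To: jdoe@llnl.gov
Reply-To: collect@another.test
Subject: Urgent: verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please verify your account immediately at http://login.example-mail.test/verify or it will be suspended.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"

dGVzdA==
--b1--
"""

BENIGN = """\
From: "A Smith" <asmith@llnl.gov>
To: jdoe@llnl.gov
Subject: Meeting notes
Content-Type: text/plain

Notes from this morning's meeting are on the shared drive. Thanks.
"""

if __name__ == "__main__":
    print(score_message(PHISH))
    print(score_message(BENIGN))
```

Each indicator here is a crude stand-in for what the article describes: the keyword list plays the role of the language model's reading of intent, and the extension check plays the role of YARA rules over attachment contents. The useful output is the indicator list, which becomes the searchable metadata an analyst pivots on.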

Cybersecurity activities are expected to become more sophisticated and consequential in the future and have become progressively important political priorities for U.S. leadership. “The last three presidential administrations each issued executive orders mandating federal organizations continue evolving and innovating cybersecurity measures. The requests become increasingly demanding each time, and the changes we are tasked with making grow more complex,” says Myrick. For example, following the APT-launched cyberattack on the American software company SolarWinds in 2020 and noting the months-long periods associated with similar intrusion events, a 2021 executive order mandated federal agencies increase the volume and retention of cybersecurity information logs. Myrick acknowledges the challenging velocity of change in the field but adds that Livermore’s expanding staff of cybersecurity analysts is increasingly educated and capable of addressing cyber threats.

—Elliot Jaffe

For further information contact Matthew Myrick (925) 422-0361 (myrick3 [at] llnl.gov).