4.1.1 Technical Scenarios and Critical Security Controls (CSCs)

Technical scenarios primarily deal with network anomalies. As a preventive example, the Australian Signal Directorate’s “Top 4” is popular for its reported ability to prevent 85% of cyberattacks (Defense). Similar to the ASD opposition force is the NIST 800‐53‐based CSCs.

A clear advantage to using operational scenarios, as shown in Table 4.3, is that the evaluations are in numbers (number of nefarious nodes, time to respond, etc.). Operational scenarios are more challenging with the story line needing to be developed for the specific threat of interest.

4.1.2 ARMOUR Operational Scenarios (Canada)

ARMOUR (DRDC (Canada) 2013a, b, 2014a, b) was a Canadian effort to develop an architecture‐based framework, leveraging cyber models, to build a test bed for training and technology evaluations. The ARMOUR framework performs operational scenarios using the same underlying technical architecture, changing the focus from measurable network goals to more human‐oriented evaluations (Table 4.4).

As shown in Table 4.4, ARMOUR scenarios are practical, mirroring actual network events that are easily duplicated on real or emulated networks. In addition, operational scenarios often involve a story line, usually from a real incident (Table 4.2), that is generalized to a training objective (Kick 2014). As shown in Figure 4.1, cyber events are developed with both the event goals and the estimated environment in mind.

Each of the Scenarios in Table 4.4 will require a structured process to determine how well the team did in defending their system. Figure 4.1 provides a standardized approach for conducting cyber events for security evaluation.

Figure 4.1 (Damodaran and Couretas 2015) provides an example exercise flow, often used with a scenario designed to emulate real‐world events; e.g. operational examples for ICSs shown in Table 4.2.

4.2.1 State Diagram Models/Scenarios of Cyberattacks

One approach (Leversage and Byres 2007) is to (i) decompose the network into its respective sections and (ii) use CIA language to describe the course of an attack (Figure 4.2).

Figure 4.2’s method provides an approach for answering strategic questions. For example, the likelihood of succeeding along one of the CIA paths, the time it takes, or any associated operational costs to improve threat path defense.

4.2.2 McCumber Model

While Figure 4.2 provides a path model for a cyberattack, it is a natural next step to ask for more detail concerning the underlying system and its security posture. The McCumber model, well known to information security researchers, is reviewed here for cyber M&S scenario development. In addition to describing cyber security processes, the McCumber model “protects” the confidentiality, integrity, and availability (CIA) of mission systems “during” data storage/processing/transmission, while “using” technology/people/procedure and policy (Figure 4.3). From an M&S perspective, the McCumber model provides a conceptual approach to explore the impact of cyber activity on technology (i.e. a physical system) as well as people (i.e. behavior). In modeling a particular cyber phenomenon, the model captures all the parameters that must be addressed within the M&S environment. For a technology, the effect must be adequately modeled to represent its storage and processing capability during a transmission as well as all activities taken to protect the data from cyber activities.

The functional aspects of the McCumber model dovetail with the more structured requirements of M&S, generally, and scenario development, more specifically. An extension to the McCumber model includes:

• Authentication: guaranty vis‐à‐vis the destination that the information’s origin/content is confirmed and certified as such. Each party to an exchange of information on both sides should be able to guarantee the identity of the other parties involved.
• Non‐repudiation: guaranty vis‐à‐vis the origin, that the information reached the destination intact and unaltered. It is a guaranty that the information has been delivered to the destination, preventing the recipient from later denying receiving it. Non‐repudiation protects against counterfeit information.

In addition to providing data provenance, the McCumber Cube provides a straightforward approach for looking at data, at rest or in transmission, to add a layer of technical detail to the IA CIA evaluation (Figure 4.2). Modeling both forms of data is of interest for scenario development.

4.2.3 Military Activity and Cyber Effects (MACE) Taxonomy

In addition to the McCumber model’s more detailed description of the cyber terrain, we further narrow the scope of our cyber scenario development efforts with the Military Activity and Cyber Effects (MACE) taxonomy (Bernier 2015), which consists of six main categories:

• Attack Types: covers the most significant types of cyber‐attacks.
• Levels of Access: describes the different levels of access to the targeted system or network required to launch a type of attack.
• Attack Vectors: includes the methods and tools used to infiltrate computers and install malicious software.
• Adversary Types: identifies the various types of cyber attackers.
• Cyber Effects: describes the effects that can be produced in the cyber environment by employing the various cyber‐attacks.
• Military Activities: includes the military effects that can be produced in the cyber environment.

In addition, the MACE taxonomy provides a means for cross‐referencing cyber effects with military activities to provide an overall impact estimate:

Leveraging MACE, we develop attack types, with the goal of looking at their corresponding information security effects (Figure 4.4).

From the M&S perspective, these six categories should be considered. In particular, the cyber effect combined with the military activity represents the impact a particular cyber threat may have on an operation. Table 4.5 captures the relationship between various cyber effects and military activities for consideration during scenario development.

While MACE provides an initial approach for providing a cyber/military effects description, the Cyber Operational Architecture Training System (COATS) leveraged actual range effects to inform cyber training simulation.

4.2.4 Cyber Operational Architecture Training System (COATS) Scenarios

COATS explores methods for using M&S to support training. The COATS program demonstrated several interoperability approaches for supporting M&S to include the exploring of extensions to data models to specifically model cyber effects. The objects of the COATS program are to:

• Enable synchronous execution of traditional training and cyber operations.
• Accurately model and simulate traditional training and cyber events/interactions.
• Draft interoperability guidelines for cyber‐traditional federation.
• Distribute realistic cyber effects to the entire staff.

4.2.4.1 Cyber M&S Operational View Architecture (OV‐1) (COATS Example)

For all the scenarios described, the operational architecture remains the same; the cyber range provides a safe environment to deploy a cyber operation. The key parameters representing the cyber operation are identified, captured, and represented in the model. The cyber effect is then transitioned from the cyber range, to a training environment, to emulate an actual cyberattack on an operator’s workstation. This general approach has proven effective for training operators in identifying and responding to cyber activities. Figure 4.5 depicts the generalized OV‐1.

As shown in Figure 4.5, a cyber range environment is used for mission operator training. We will next provide a few examples that leverage several scenarios from the COATS (Wells and Bryan 2015) project.

COATS was evaluated via Table 4.6’s four scenarios, which presented both cyber and mission effects. Both the full motion video degradation and the command and control examples dealt with packet loss (i.e. Integrity in the CIA triad) in simulating performance deterioration, from a transmission and process standpoint, respectively. In addition, the SYN Flood (i.e. denial of service attack) and data diddling examples (i.e. critical asset blue screen of death) were both processing phase attacks, requiring more refined information (i.e. McCumber Cube description) on the part of the attacker.

Scenario	Description
Computer Network Attack (CNA)	Live red CNA against virtual blue systems to demonstrate virtual host degradation effects on live operator workstations.
Node Attack	Constructive red kinetic attack on a constructive blue communications facility to demonstrate C2 disruption effects on live operator workstations.
Distributed Denial of Service	Live red CNA on virtual blue systems to demonstrate virtual full‐motion video degradation effects on live operator workstations.
Threat Network Degradation	Live blue CNA on virtual red networks to demonstrate constructive system degradation on constructive red systems.

One of the key takeaways of Table 4.6’s four scenarios is the applicability of the McCumber model to cyber M&S scenario development. The McCumber model provides clarity on what is being protected (e.g. CIA), when (transmission, storage, processing) and how (technology/people/procedure). Using this approach provides a clear language for how and why scenarios are constructed for cyber modeling and simulation, clarifying some of the uncertainty now found in applying cyber to standard training models.

Leveraging Table 4.5’s definitions, one example is of mapping the COATS (Wells and Bryan 2015; Morse et al. 2014a, b) vignettes to Table 4.7’s cyber effects; along with attack examples and McCumber Cube (Figure 4.3) descriptions of how the attack may occur.

Military activity	Cyber effect	Attack type	System performance effect	Using	During
Deny (degrade, disrupt, destory)	Interruption (Availability)	Full Motion Video (FMV) degradation	Latency, jitter, packet loss	Technology	Transmission
	Degradation (Availability)	Interrupt supply chain and/or force flow	ICS, Location fidelity	All	Transmission, Storage
	Interruption (Availability)	System Shutdown	Memory Utilization	Technology P&P	Processing
Manipulate	Modification (Integrity, Authenticity	Reduce Situational Awareness, interrupt/delay C2	Packet loss	Technology	Transmission

The Attack Types represent the cyber effect modeled in each scenario and the two columns, “Using” and “During” detail the systems (technology), people, and timing of the effect in the scenario. Cyber effects in Table 4.7’s first column are the four specific vignettes developed by the COATS program. While the MACE and McCumber approaches capture cyber effects and system operations in Table 4.7, accounting for CIA in standard IA terminology, constructive modeling will likely occur at a lower level of description.

1. 1 Name some common approaches for describing Figure 4.2’s attack path model. For example,
   1. A Bayesian approaches
   2. B Markov Modeling
   3. C Discrete Event System Specification (DEVS)
2. 2 How are CSCs used in M&S for cyber defense? (Figure 4.8)
3. 3 How do architectural constructs, subjects of M&S, form alternatives for strategic cyber decision making (Figure 4.8)?
4. 4 Why is the McCumber model a better choice for developing cyber security scenarios (e.g. compared to Bell‐LaPadula, Biba, Clark‐Wilson, etc.)?
5. 5 Who is the primary target customer for the MACE Taxonomy?
6. 6 What are the key differences between Threat Models and Attack Scenarios?
7. 7 Why is it important to differentiate between Cyber Effects and Military Activities in the MACE Taxonomy?
   1. A Are cyber effects always related to CIA?
8. 8x How can the MACE Taxonomy be used in the standard threat modeling approaches (e.g. DREAD, STRIDE, etc.)?