One of the challenges in developing engineering approaches for current cyber systems is the availability of principles‐based building blocks, derived from empirical understanding, to be used as models. Table 12.1 gives examples of current accepted knowledge, well known in physical security, and potentially applicable to cyber, along with sources of both empirical understanding and developing ideas in the cyber domain.
Table 12.1 Cyber M&S knowledge categories and examples.
Knowledge category | Example |
Accepted knowledge | Net Working Time (NWT) (i.e. time to “crack” a safe) |
Accepted knowledge | Psychological limits for Situational Awareness (SA) |
Accepted knowledge | Critical Security Controls (CSCs) |
Current empirical understanding | Threat data |
Current empirical understanding | Market‐proven tools currently providing value for cyber operators and professionals |
Developing ideas | Published patents |
Developing ideas | Patent applications |
Developing ideas | Journal and conference publications |
Table 12.1’s knowledge categories, initial taxonomic building blocks for cyber M&S, require additional system context, including cyber modeling considerations, for designing secure cyber systems.
Cyber modeling leverages accepted knowledge from both physical security and computer‐based system evaluations. For example, popular technology platforms, their availability, and required levels of expertise should be accounted for in the context of evaluating a cyber system. Evaluating technology via physical security analogs (e.g. Net Working Time (NWT) to access a safe) provides an opportunity for the modeler to validate candidate cyber models. This is especially useful if open‐source cyber threat data complements model evaluation. While well‐known critical security controls (CSCs) codify best practices for cybersecurity, developing evaluation approaches use situational awareness (SA) measures that are especially useful if the system/model is designed to automate a human task currently performed in a cyber environment (e.g. to detect or remediate threats).
Factors that influence how a system is modeled are provided in Table 12.2 (Velez and Morana 2015).
Table 12.2 Factors affecting time requirements for threat modeling.
Factor | Description | Example |
Number of use cases | The number of actions that an application can perform as a result of a client request, scheduled job, or Application Programming Interface (API) | Actions that include buying items online, paying bills, exchanging content between entities, or managing accounts |
Popularity of technology | The notoriety of a platform or software technology will provide attackers with the ability to have a sophisticated level of understanding on how to better exploit the software or platform | Any distributed servers, both open source and commercial |
Availability of technology | The rarity of technology will affect probability levels of malicious users obtaining a copy of similar technologies to study its vulnerabilities for exploitation | Legacy software or proprietary software |
Accessibility to technology | Cost of technology is not only a deterrent for legitimate, law‐abiding companies, but also for those organizations that subsidize cybercrimes | Proprietary developed systems, kernels, or software |
Level of expertise | Given that exploit scenarios move beyond the theoretical in application threat modeling, the appropriate level of expertise is needed to exploit vulnerabilities and take advantage of attack vectors. Depending on the level of expertise, a threat modeler or team of security professionals may have varying levels of time constraints in trying to exploit a given vulnerability. This is very common and would require the security expert to be well versed in multiple talents to exploit vulnerable systems (Cho et al. 2016; Ben‐Asher et al. 2015; Jones et al. 2015) | Experience with rare software/platforms |
Table 12.2 spans the considerations for cyber threat modeling. While computer‐based systems present attack surfaces that require combinatoric description, known practices in physical security use simple time estimates to abstract on access complexities (e.g. time to “crack” a safe).
Determining the burglary rating of a safe is a similar problem to determining the security rating of a network. Both involve a malicious threat agent attempting to compromise the system and take action resulting in loss. Safes in the United States are assigned a burglary and fire rating based on well‐defined Underwriters Laboratory (UL) testing methodologies such as UL Standard 687. A few selected UL safe burglary ratings are given in Table 12.3.
Table 12.3 Selected Underwriters Laboratory (UL) safe burglary ratings.
UL rating | Net Working Time (NWT) (minutes) | Testing interpretation |
TL‐15 | 15 | Tool Resistant (face only) |
TL‐30 | 30 | Tool Resistant (face only) |
TRTL‐15X6 | 15 | Torch & Tool Resistant (six sides) |
TRTL‐30X6 | 30 | Torch & Tool Resistant (six sides) |
TXTL‐60 | 60 | Torch & Tool Resistant |
The rating system is based around the concept of “Net Working Time” (NWT), the UL expression for the time that is spent attempting to break into the safe by testers using specified sets of tools such as diamond grinding tools and high‐speed carbide tip drills. Thus, TL‐15 means that the safe has been tested for NWT of 15 minutes using high‐speed drills, saws, and other sophisticated penetrating equipment. The tool sets are also categorized into levels – TRTL‐30 indicates that the safe has been tested for a NWT of 30 minutes, but with an extended range of tools such as torches. Assumptions about the processes include:
The UL rating does not attempt to promise that the safe is secure from all possible attack strategies – it is entirely possible that a design flaw might be uncovered that would allow an attacker to break into a given safe in seconds. However, from a statistical point of view, it is reasonable to assume that as a group, TL‐30 safes are more secure than TL‐15 safes. This ability to efficiently estimate a comparative security level for a given system is the core objective of looking at Mean Time to Exploit (MTTE) (Chapter 9).
Learning from the safe rating methodology, MTTE for rating a network makes the following assumptions:
Complementing the UL analog for cyber system access estimation is the cyber threat data providers’ tactical and strategic outlook for current trends in system attack practices.
Ponemon, Verizon, and Symantec are some of the most famous open‐source cyber threat reports (Table 12.4).
Table 12.4 Open‐source cyber threat reports – organizations and missions.
Name | Mission |
Ponemon | Ponemon Institute conducts independent research on privacy, data protection, and information security policy. Our goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions, and potential threats that will affect the collection, management, and safeguarding of personal and confidential information about individuals and organizations. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise. |
Verizon | The 2016 report continues our investigation into nine common threat patterns and how they are evolving from last year’s report. The 2016 Data Breach Investigations Report (DBIR) addresses several topics for the very first time: (i) What effect does mobile malware have on data security and (ii) How can you better estimate the financial impact of a data breach? |
Symantec | The Internet Security Threat Report provides an overview and analysis of the year in global threat activity. The report is based on data from the Symantec Global Intelligence Network, which Symantec's analysts use to identify, analyze, and provide commentary on emerging trends in the dynamic threat landscape. |
Each of Table 12.4’s threat data reports provides practical insights into current cyber operations. This includes informing the application of CSCs as a preventive measure for network security.
CSCs (Table 12.5) are the product of multiple man‐years of time and effort. Designed to be prioritized, based on their level of effective security, CSCs provide an easy reference for cybersecurity professionals, from beginning to advanced. An additional note about CSCs is that they are designed to be automated, being a first step in machine‐based course of action (COA) reaction to cyber threats.
Table 12.5 Critical Security Controls (CSCs).
Critical Security Controls (CSCs) | Description |
1 | Inventory of authorized and unauthorized devices |
2 | Inventory of authorized and unauthorized software |
3 | Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers |
4 | Continuous vulnerability assessment and remediation |
5 | Controlled use of administrative privileges |
6 | Maintenance, monitoring, and analysis of audit logs |
7 | E‐mail and web browser protections |
8 | Malware defenses |
9 | Limitation and control of network ports |
10 | Data recovery capability |
11 | Secure configurations for network devices |
12 | Boundary defense |
13 | Data protection |
14 | Controlled access based on the need to know |
15 | Wireless access control |
16 | Account monitoring and control |
17 | Security skills assessment and appropriate training to fill gaps |
18 | Application software security |
19 | Incident response and management |
20 | Penetration tests and red team exercises |
Some of Table 12.5’s automated responses include patching, port closure, and packet screening (e.g. to find encrypted data transmission in an exfiltration). Similar to Table 12.5’s controls are those of the Australian Signals Directorate (Table 12.6), estimated to provide 85% of the network security requirements.
Table 12.6 Australian Signals Directorate computer network defense controls.
Australian Signals Directorate (ASD) Control Name | Description |
Application Whitelisting (1) | Whitelisting – when implemented correctly – makes it harder for an adversary to compromise an organization’s computer system. Application whitelisting is a technical measure that only allows authorized applications to run on a system. This helps prevent malicious software and unauthorized applications from running. |
Patching Systems (2,3) | A software patch is a small piece of software designed to fix problems or update a computer program. Patching an organization’s system encompasses both the second and third mitigation strategies. It is important to patch both your operating system and applications within a two‐day timeframe for serious vulnerabilities. Once a vulnerability in an operating system or application is made public, you can expect malware to be developed by adversaries within 48 h. In some cases, malware has been developed to take advantage of a publicly disclosed vulnerability within eight hours. There is often a perception that by patching a system without rigorous testing, something is likely to break on the system. In the majority of cases, patching will not affect the function of an organization’s computer system. Balancing the risk between taking weeks to test patches and patching serious vulnerabilities within a two‐day timeframe can be the difference between a compromised and a protected system. |
Restricting Administrative Privileges (4) | When an adversary targets a system, they will primarily look for user accounts with administrative privileges. Administrators are targeted because they have a high level of access to an organization’s computer network. If an adversary gains access to a user account with administrative privileges, they can access any data the administrator can access – which generally means everything. Minimizing administrative privileges makes it more difficult for the adversary to spread or hide their existence on a system. Administrative privileges should be tightly controlled. It is important that only staff and contractors that need administrative privileges have them. In these cases, separate accounts with administrative privileges should be created that do not have access to the Internet. This reduces the likelihood of malware infecting the administrator as they should not be web browsing or checking emails while using their privileged account. |
As shown in Tables 12.5 and 12.6, security controls provide a cross‐institutional memory that can help security researchers approach key challenges to creating cyber agents that include (i) modeling the complex and continually evolving processes of cyber operations and (ii) leveraging the tools and data standards that enable cognitive agents to interoperate with networks invisibly to the user; distilling models of cyber offensive and defensive behavior based on observation and elaboration of human expertise.
Cyber M&S benefits from a long line of SA research, much of it used to develop aircraft training programs, and currently available for cybersecurity training development (Table 12.7).
Table 12.7 Methods of measuring situational awareness.
Situational awareness measure | Objective |
Situational Awareness Global Assessment Technique (SAGAT) | SAGAT is a global tool developed to assess Situation Awareness (SA) across all of its elements based on a comprehensive assessment of operator SA requirements (Endsley 1995) that includes a three‐layer model: |
Human Potential Explorer (HUPEX) | Culture‐independent PC tool for measuring SA under stress |
WOMBAT | The WOMBAT Situational Awareness and Stress Tolerance Test is a modern psychological assessment tool for selecting complex‐system operators such as pilots, air traffic controllers, ship and train operators, 9‐1‐1 dispatchers, and nuclear‐plant operators; in fact anyone in charge of complex operations involving multiple concurrent inputs and response alternatives. |
Situational Awareness Rating Technique (SART) (Taylor et al. 2000) | SART uses the following 10 dimensions to measure operator SA:
SART is administered post‐trial and involves the participant rating each dimension on a seven‐point rating scale (1 = Low, 7 = High) in order to gain a subjective measure of SA. |
Table 12.7’s methods for evaluating SA are used in conjunction with training systems, providing the simulated cyber terrain for rehearsing known and hypothesized scenarios.
One driver of interest in cyber M&S is military applications, where uses of cyber are also increasing, with notable uses in Estonia and Georgia over the last decade. While there is work currently being done to characterize cyber systems and their threats, the objective here (Table 12.8) is to look at trainers/simulators for cyber phenomena.
Table 12.8 Cyber trainer examples (defense emphasis).
Supplier | Offering | System description |
APMG International | Cyber Defense Capability Assessment Tool | This tool links security, IT risk management, and business resilience areas for assessing and enhancing cyber capability of organizations. A software‐based framework, the Cyber Defense Capability Assessment Tool models cyber capabilities of an enterprise. |
Antycip/Scalable | Network Defense Trainer | Representation of a cyberattack in mission rehearsal scenarios enabling users to identify the main impact(s) on a scenario; uses Exata to emulate the wireless network. |
Belden | TOFINO SCADA Security Simulator | Tofino SCADA Security Simulator was a complete SCADA system sold as a portable platform (discontinued) |
Boeing | CRIAB/Cyber‐Range‐In‐A‐Box | Cyber Range‐In‐A‐Box (CRIAB) is a compact system used to support the development, test, experimentation, and training of cyber tools and techniques. CRIAB creates security solutions by allowing modeling and simulation of complex missions and advanced threats. CRIAB is Boeing's hardware and software solution for efficient network emulation, virtualization, and integration for training, platform validation, rehearsals, and evaluations. CRIAB is the leading virtual cyber range solution supporting the development and test of tools and techniques, and the training of today's cybersecurity workforce. |
Circadence (gaming/training) | Offer an immersive, AI‐powered, patent‐pending, proprietary cybersecurity training platform | |
Camber | CENTS/SLAM‐R/O&T | The Camber product is the result of a US Air Force initiative that started in 2003 and resulted in what is now called the Air Force Simulator Training and Exercises (SIMTEX) program. CENTS provides the baseline for the HOTSIM (Hands On Training SIMulator) for training individuals and CYNTRS (Cyber Security Network Training Simulator) for training network teams. Components in these simulators are SLAM‐R (Sentinel‐legion‐Autobuild‐Myrmidon‐Reconstitution) and the RGI (Range Global Internet). |
Cybersponse | Cyber responder training; initial critical asset evaluation for security strategy development. | |
Diatteam | Hynesim (HYbrid NEtwork SIMulator) | The product centers on a scenario development tool that provides the means to quickly design the environment under test using graphical editors, leveraging an extensible set of libraries that provide the basic blocks of a network. It contains readymade images of different Windows and Linux OSs and allows new ones to be created with various patch levels and their vulnerabilities. Images also exist for mainstream Cisco routers, along with generic images for switches. Once the topology is defined, attributes can be added that control the network in terms of speed, ports being opened, etc. |
Elbit | Cybershield NCDS Training System | The system features an advanced training management system, where the training manager defines, builds, deploys, and runs the training methodology and scenario for each training session. The trainees’ activities are tracked and recorded – along with all logs from the network components and security information events – to be fully analyzed during a debriefing and after action review (AAR). |
Metova CyberCENTS | Range, attack traffic generation, and training. | |
Naval Postgraduate School | Malicious Activity Simulation Tool (MAST) | Support the conduct of network administrator security training on the very network that the administrator is supposed to manage. A key element of MAST (Littlejohn and Makhlouf 2013) is to use malware mimics to simulate malware behavior. Malware mimics look and behave like real malware except for the damage that real malware causes. |
CyberCIEGE | CyberCIEGE enhances information assurance and cybersecurity education and training through the use of computer gaming | |
SANS | Cyber City | NetWars CyberCity is designed to teach warriors and infosec pros that cyber action can have significant kinetic impact in the physical world. CyberCity is a 1:87 scale miniaturized physical city that features SCADA‐controlled electrical power distribution, as well as water, transit, hospital, bank, retail, and residential infrastructures. CyberCity engages participants to defend the city's components from terrorist cyberattacks, as well as to utilize offensive tactics to retake or maintain control of critical assets. |
Scalable Networks | Network Defence Trainer | The Network Defence Trainer (NDTrainer) is a live‐virtual‐constructive (LVC) system for implementing cyber‐range environments used to train cyber warriors. The NDTrainer system leverages a virtual network model that simulates communication networks. Both live and virtual hosts can be connected to the virtual network model, and the system can be federated with other training simulators to create training solutions. |
Selex ES | NCSE | Communications‐focused representation of a cyberattack, enabling users to identify where the main impact(s) on a scenario might be |
Tele‐communications Systems (TCS) | TCS’ Art of Exploitation® (AoE™) Portfolio provides that protection with hands‐on training and services from trusted and credentialed professionals. |
As shown in Table 12.8, multiple training simulations exist for cyber. Industrial control systems (ICSs) (Carr 2014), just one example of an enterprise attack surface, include multiple elements (Javate 2014) for possible use of M&S to train and protect. These tools provide an important contextual view for evaluating a team or individual’s SA.
This is one of the few tools identified to date that provides a representation of the impact of an event in cyberspace on both the informational and operational capabilities of a mission. It creates linkages between the cyber training environment and the classical domain training exercises. It is service oriented and Computer Generated Forces (CGF)‐agnostic adding cyber effects to traditional training effects, thereby training operators to work round a cyberattack and complete their mission objectives. The tool is interoperable with other simulations via HLA to create an emulated software virtual network running in real time.
The NDT cyber tools and ranges provide an engine for representing a cyberattack, and this engine uses the network protocols and standards appropriate to these tools. A DIS/HLA gateway provides an interface to training simulators and simulations, allowing the NDT to deliver a representation of cyber traffic to the federation running the training simulation, which uses the standards appropriate to its own level.
This tool allows users to model and simulate operational network assets. By implementing a “System‐in‐the‐Loop” capability users can establish a “Live‐Constructive” connection and allow real hardware or applications and the simulation environment to interact as a common operational picture. It incorporates communications effects with the rest of the simulation to generate an enhanced awareness of the impact a cyberattack might have on the scenario. It can be integrated with “most common CGFs” and using HLA can be federated into a synthetic environment to allow decision makers to understand how a cyberattack might alter the interactions of entities within the scenario.
The NCSE environment is designed to be integrated with virtual training tools to provide cyber personnel with training on communications assets. This allows them to analyze the scalability, survivability, availability, and reliability of the networks. In turn, this leads to an improved SA by enabling users to identify where the main impact of a cyberattack might be noticed and to make appropriate provision. At the network level, the provision could be to ensure a robust configuration that includes an appropriate level of deliberate redundancy. For non‐cyber operators, this could be to ensure they are trained to operate in reversionary modes should certain equipment become unavailable.
Both the Scalable NDT and SELEX’ NCSE are training platforms to improve the SA of the respective cyber and mission operators. These training platforms are usually targeted toward training mission operators to know when to call the cyber professionals, who maintain specialized tools.
While it is a challenge to monitor the almost daily evolution of cyber offerings, Table 12.9 provides a sample of cyber‐specific companies.
Table 12.9 Sample commercial training companies and offerings.
Company | Description |
Bivio Networks | The platform deployed for the exercise is part of the Bivio FlowIntelligence application suite that combines the Suricata Engine from OISF, an Open Source Next Generation Intrusion Detection and Prevention Engine, with Symantec Cyber Security: DeepSight™ Intelligence data feeds and the Proofpoint ET Pro Ruleset. |
CyVision | CAULDRON leverages Topological Vulnerability Analysis (TVA) approach. TVA monitors the state of network assets, maintains models of network vulnerabilities and residual risk, and combines these to produce models that convey the impact of individual and combined vulnerabilities on the overall security posture. The core element of this tool is an attack graph showing all possible ways an attacker can penetrate the network. |
GNS3 | Network software emulator for combining real and emulated devices. |
Lumeta | IPSonar used for mapping enterprise‐level networks. |
Neo Technology | Open source graph database – capability for attack graph enumeration. |
Rivera Group | EAGLE6 works by automatically building an enterprise model through logs and code repositories. |
Virginia Tech Hume Center | The Hume Center leads Virginia Tech's research, education, and outreach programs focused on the challenges of cybersecurity and autonomy in the context of national and homeland security. Education programs provide mentorship, internships, scholarships, and seek to address key challenges in qualified US citizens entering federal service. Current research initiatives include cyber–physical system security, orchestrated missions, and the convergence of cyber warfare and electronic warfare. |
Table 12.9’s offerings span from foundational research (e.g. Virginia Tech) to specialized tools for assessing (e.g. Lumeta IPSonar), evaluating (e.g. GNS3), and performing strategy evaluation (e.g. CAULDRON) on a network of interest. While Table 12.9’s offerings are already on the market, with a developing user community, looking at recent patents and patent applications provides a view of what to expect, in terms of capabilities, over the next few years.
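The attack-graph idea described for CAULDRON in Table 12.9 can be combined with the NWT-style time rating of Table 12.3. The following is an added example, not code from the book or from any listed product. The topology, the placeholder vulnerability ids, and the minute estimates are constructed, and taking the fastest path's total time as the network rating is an illustrative assumption rather than the MTTE definition.

```python
# Added example: toy topological vulnerability analysis. All data is constructed.

# Constructed reachability: source host -> [(destination host, service)].
REACHABLE = {
    "internet": [("web", "http"), ("vpn", "ssh")],
    "web": [("app", "rpc")],
    "app": [("db", "sql")],
    "vpn": [("db", "sql")],
}

# Constructed inventory: (host, service) -> (placeholder id, assumed minutes to exploit).
VULNS = {
    ("web", "http"): ("VULN-A", 30),
    ("app", "rpc"): ("VULN-B", 15),
    ("db", "sql"): ("VULN-C", 60),
    ("vpn", "ssh"): ("VULN-D", 240),
}


def build_attack_graph(reachable, vulns, patched=frozenset()):
    """Edge src -> dst exists when src can reach a service on dst that
    still carries an unpatched vulnerability."""
    graph = {}
    for src, targets in reachable.items():
        for dst, service in targets:
            vuln = vulns.get((dst, service))
            if vuln and vuln[0] not in patched:
                graph.setdefault(src, []).append((dst, vuln[0], vuln[1]))
    return graph


def enumerate_paths(graph, start, goal):
    """Enumerate every loop-free path from start to goal, fastest first.
    Returns [(total_minutes, [vuln ids in order]), ...]. Exhaustive
    enumeration grows exponentially, so this suits small models only."""
    found = []

    def walk(node, visited, steps, minutes):
        if node == goal:
            found.append((minutes, steps))
            return
        for dst, vuln_id, cost in graph.get(node, []):
            if dst not in visited:
                walk(dst, visited | {dst}, steps + [vuln_id], minutes + cost)

    walk(start, {start}, [], 0)
    return sorted(found)


def rating(reachable, vulns, start, goal, patched=frozenset()):
    """NWT-style rating (assumption): minutes along the fastest remaining
    path, or None when no path to the goal is left."""
    graph = build_attack_graph(reachable, vulns, patched)
    paths = enumerate_paths(graph, start, goal)
    return paths[0][0] if paths else None


def rank_patches(reachable, vulns, start, goal):
    """Rating obtained by patching each vulnerability on its own, which
    shows the residual risk left after every single remediation."""
    ids = sorted({vuln_id for vuln_id, _ in vulns.values()})
    return {
        vuln_id: rating(reachable, vulns, start, goal, frozenset({vuln_id}))
        for vuln_id in ids
    }


if __name__ == "__main__":
    graph = build_attack_graph(REACHABLE, VULNS)
    for minutes, steps in enumerate_paths(graph, "internet", "db"):
        print(f"{minutes:4d} min via {' -> '.join(steps)}")
    print("baseline rating:", rating(REACHABLE, VULNS, "internet", "db"))
    for vuln_id, value in rank_patches(REACHABLE, VULNS, "internet", "db").items():
        print(f"patch {vuln_id}: rating becomes {value}")
```

In this constructed model, patching the vulnerability shared by both paths removes every route to the database, while patching one on the slower path leaves the rating unchanged.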
Granted patents (Table 12.10) provide a view as to what the US Patent and Trademark Office has determined to be a novel contribution to cybersecurity.
Table 12.10 Granted patents.
While Table 12.10 shows what is currently protected, in terms of cybersecurity, Table 12.11’s innovations are more recent, due to their being applications currently under consideration.
Table 12.11 Patent applications.
Table 12.11’s look at patent applications is constantly evolving, with new applications coming in daily for cyber innovations.
Table 12.10 and Table 12.11’s recent patents and applications provide a glimpse of the innovative activity currently being applied to cyber. M&S, a necessary underpinning for these new inventions, is growing as well. From the time (Table 12.3) or lessons learned (Table 12.5) abstractions that we take from physical security and information assurance, respectively, to the evolving threat data (Table 12.4), the current cyber environment (Table 12.2) provides multiple opportunities for M&S to contribute.