Cyber Operations Battlefield Web Services (COBWebS)

Uploaded On 2020-06-24

Concept for a Tactical Cyber Warfare Effect Training Prototype. 2015 Fall SIW, Orlando. Henry Marshall, Science & Technology Manager, Army Research Laboratory (ARL) Human Research and Engineering Directorate (HRED).

Presentation Transcript

Slide1

Cyber Operations Battlefield Web Services (COBWebS) – Concept for a Tactical Cyber Warfare Effect Training Prototype

2015 Fall SIW, Orlando

Henry Marshall, Science & Technology Manager

Army Research Laboratory (ARL) Human Research and Engineering Directorate (HRED)

Simulation and Training Technology Center (STTC) Advanced Simulation Branch

Slide2

Agenda

Why Cyber Warfare Training?
Gap Analysis Participants
Cyber Warfare Terms
Introducing COBWebS: Cyber Operations Battlefield Web Service
COBWebS Overview
Design Drivers
Architecture Overview
Capability Overview
Example COBWebS Use Cases
Conclusion and Way Forward

Slide3

Why Cyber Warfare Training?

Test/Cyber Science and Technology Research Areas (Reference: PEO STRI Science and Technology Gaps for TSIS RFI – Dist. A – 6 May 2015)

S&T Focus Area: Threat Cyber Capabilities

Research Areas:
Enhance threat Computer Network Operations
Threat Computer Network Attack & Computer Network Defense
Remote mission command of multiple cyber platforms
Modeling & execution of cyber activities
Virtualization of threat networks
Threat cyber tools developed as Software as a Service (SaaS)

Slide4

Why Cyber Warfare Training? (cont’d)

National Simulation Center (NSC) Futures identified:
Big Data - Social Media, website into simulations
Network Architecture - Cyber Offense/Defense

The Department of Defense Cyber Strategy (April 2015)
One of the tasks outlined is to establish an enterprise-wide cyber modeling and simulation (M&S) capability

Director of National Intelligence named the cyber threat as the number one strategic threat to the U.S. from 2013-2015, placing it ahead of terrorism for the first time since the 11 September 2001 attacks.

Joint Publication (JP) 3-12R “Cyberspace Operations”, Army Field Manual (FM) 3-38 “Cyber Electromagnetic Activities (CEMA)”, Army FM 3-36 “Electronic Warfare”
Describe cyber operations and the importance of cyber warfare training

Slide5

Why Cyber Warfare Training?

The Army Combat Training Centers (CTCs) provide realistic, intensive training for soldiers and commanders of the units being trained. In the same measure of adding actors for realism, the emerging necessity for the modern and future battlefield to represent Cyber at CTCs caused the implementation of observer/coach/trainers to realistically implement the Cyber threat for rotating units.

The U.S. Army Cyber OPFOR has been responsible for emulating national level adversary attacks against U.S. Army Battle Command Systems at the CTCs since as early as 2011.

It is difficult to emulate large-scale cyber attacks without the resources of the modeling and simulation (M&S) community. The capability gaps identified at the CTC contribute to the drivers that lead to the development of a non-intrusive M&S capability to support the cyber domain for full spectrum warfighters training.

Challenge – Cyber Warfare is very Asymmetric and changing

Source: wikipedia.org and other open sources

Slide6

Gap Analysis Participants

Training and Doctrine Command (TRADOC)
TRADOC G-2 Intelligence Support Activity (TRISA)
Army Capabilities Integration Center (ARCIC)
Brigade Modernization Command (BMC)
Program Manager Constructive Simulation (PM ConSim)
PM Instrumentation, Targets, & Threat Simulators (ITTS)
Threat Systems Management Office (TSMO)
National Simulation Center
Johns Hopkins University
U.S. Army Signal Center of Excellence (SIGCOE) & Cyber COE
Army Combat Training Centers (CTCs)

Slide7

Cyber Warfare Terms

Cyberspace Operations (CO) are the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.

Computer Network Operations (CNO), in concert with Electronic Warfare (EW), are used primarily to disrupt, disable, degrade or deceive an enemy’s command and control, thereby crippling the enemy’s ability to make effective and timely decisions, while simultaneously protecting and preserving friendly command and control.

Military CNO or CO consists of two main types:

Computer Network Attacks (CNA), or Offensive Cyberspace Operations (OCO), include actions taken via computer networks to disrupt, deny, degrade, deceive, or destroy the information within computers and computer networks and/or the computers/networks themselves.

Computer Network Defense (CND), or Defensive Cyberspace Operations (DCO), include actions taken via computer networks to protect, monitor, analyze, detect and respond to network attacks, intrusions, disruptions or other unauthorized actions that would compromise or cripple defense information systems and networks.

Slide8

Cyber Warfare Terms (cont’d)

CNA can be further decomposed into the following types of attacks:

Denial of Service (DoS), or Distributed DoS (DDoS), is an attempt to make a targeted machine or network resource unavailable to its intended users. DoS is an attempt to disrupt, degrade, deny, or destroy the target computer or network’s ability to send or receive information.

Information Interception (II) is an attempt to intercept, or eavesdrop, on a targeted machine or network resource to gather information that may be used to the attacker’s advantage.

Information Forgery (IF) is an attempt to forge (i.e., fake) information sent on behalf of a known entity to a targeted machine or network resource in order to deceive the target’s C2 situational awareness (SA).

Information Delay (ID) is an attempt to intercept and delay the information sent/received by a targeted machine or network resource in order to deceive and obstruct the target’s C2 SA.

Typically, many of the CNA attack types are carried out concurrently or sequentially to result in the greatest damage to the targets, as illustrated later in the example use cases section.

Source: wikipedia.org and other open sources

Slide9

COBWebS

Cyber Operations Battlefield Web Service

COBWebS – a prototype to support Cyber Warfare Training

Definition
cob-web
1 a : the network spread by a spider
b : tangles of the silken threads of a spiderweb usually covered with accumulated dirt and dust
2 : something that entangles, obscures, or confuses

"Cobweb." Merriam-Webster.com. Merriam-Webster, n.d. Web. 27 May 2014. <http://www.merriam-webster.com/dictionary/cobweb>.

Slide10

COBWebS Design Drivers

Develop a loosely coupled software service that models the effects of cyber attacks on blue (friendly) mission command devices.

These cyber-attacks include:
Denial of Service (DoS)
Information Interception (II)
Information Forgery (IF)
Information Delay (ID)

Must support the ability to demonstrate asymmetric cyber attack effects on training simulations' mission command systems.

Show potential implementation strategy to add the Cyber Battlefield Operating System to current Live, Virtual and Constructive training simulations.

Support Information Assurance Requirements of Training Simulations.

Provide a foundational capability that can be used on a wide range of training use cases.

Slide11

COBWebS Design Drivers

Carefully select technologies used with the goal of picking the best components to build a training system architecture:

Leverage the Mission Command Adapter Web Service (MCA-WS) plug-in from the LVC Integrating Architecture (LVC-IA) program to simulate the effects of cyber attacks on mission command devices.

Utilize the Ozone Widget Framework (OWF) currently used in Command Web Command Post Computing Environment (CPCE) to provide users with a common map interface.

Slide12

COBWebS Architecture Overview

The Computer Network Attack Service provides the capability for “Spyders” to get into the COBWebS and attack inbound and outbound data to and from the mission command devices. The types of attack capabilities are:
Directed Denial of Service
Information Delay
Information Forgery
Information Interception

[Architecture diagram. Labels: Simulation Client; Mission Command Adapter Web Service; Config, Tools, Message and Client services (each shown with client-side and server-side endpoints); COBWebS CNA service; Command Web Test Driver Interface; Simple Object Access Protocol (SOAP); Simulation Network (DIS, HLA, etc.); Tactical Network (JVMF, TADILJ, USMTF, FDL, etc.); FBCB2, AFATDS, DCGS-A, AMDWS. Legend: <SERVICE NAME> c = Web service – client side; <SERVICE NAME> s = Web service – server side. Note: URNs are fictional.]

GAP CRITERIA CHECKLIST
Remote mission command of multiple cyber offensive and defensive platforms
Modeling and execution of offensive and defensive cyber activities providing force multiplier effects
Virtualization of offensive/threat and defensive networks
Offensive and defensive cyber tools developed as software services available in secure cloud environments

Slide13

COBWebS Capabilities

Provide the ability for trainers to incorporate cyber warfare elements into their exercises to meet training objectives
Train the trainees to recognize symptoms of cyber attacks
Develop contingencies, based on what has been compromised
Develop workarounds, response, recovery plans.
Alternative Courses of Action (COAs)

Help develop cyber doctrine based on detecting, responding to, and recovering from a cyber attack.

Provides an Information Assurance (IA) safe environment without corrupting the network infrastructure
Typical in cyber range exercises
Can be integrated with cyber test ranges

Software solution only – no special hardware required

Slide14

Example COBWebS Use Cases

Individual COBWebS CNA capabilities can be used in training use cases, or they can be combined to provide a more realistic scenario.

The following example combines different COBWebS CNA capabilities to simulate more realistic cyber-attacks.

This is an example “Man-in-the-Loop” use case of a Red cyber-attacker using the COBWebS II, DoS, ID, and IF services to deceive and disrupt Blue units’ SA while launching an ambush to destroy the Blue units.

1. Red cyber-attacker uses II to intercept, discover, and gain knowledge of the Blue entities' ground truth.
2. Red cyber-attacker uses DoS to deny Blue units’ C2 communication so their position reports and observation reports are blocked.
3. Red cyber-attacker uses ID to delay critical Blue C2 communication.
4. Red assault units move in and destroy the Blue units.
5. Red cyber-attacker uses IF to send fake C2 communication on behalf of Blue units as if everything is fine.
6. Once the Red assault units have moved out of the area, Red cyber-attacker stops the IF messages.

Slide15

Example COBWebS Use Cases (cont’d)

RED force uses COBWebS to discover, deceive, disrupt, and destroy BLUE force

[Figure, two map panels. Left: Ground Truth simulated by Constructive Simulation (annotation: BLUFOR killed). Right: Perceived Truth as seen on MC systems as a result of cyber attacks (annotations: Forged BLUFOR locations; Observation Reports (ObsRpts) sent by BLUFOR were denied thus not reflected).]

Note: Units and graphics are fictional
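The gap between ground truth and perceived truth shown on this slide can be reproduced in a toy model. This is an added example, not COBWebS code or part of the original presentation; `PosReport`, `EffectRelay` and every value are hypothetical, and the reports are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class PosReport:              # hypothetical, simplified position report
    sent: int                 # simulation time the report was sent (s)
    unit: str
    pos: tuple                # (x, y) grid cell, constructed values

class EffectRelay:
    """Hypothetical effect layer between the simulation and the MC display."""
    def __init__(self, dos=(), delay=None, forge=None):
        self.dos = set(dos)           # DoS: units whose reports are dropped
        self.delay = delay or {}      # ID: unit -> seconds added in transit
        self.forge = forge or {}      # IF: unit -> position shown instead
        self.intercepted = []         # II: passive copy of every report

    def relay(self, reports):
        """Return [(arrival_time, report)] as delivered to the display."""
        delivered = []
        for r in reports:
            self.intercepted.append(r)        # II never alters the traffic
            if r.unit in self.forge:          # IF takes precedence over DoS
                r = replace(r, pos=self.forge[r.unit])
            elif r.unit in self.dos:          # DoS: nothing arrives
                continue
            delivered.append((r.sent + self.delay.get(r.unit, 0), r))
        return sorted(delivered, key=lambda d: d[0])

def perceived_truth(delivered, now):
    """Latest (position, report age) per unit that has arrived by `now`."""
    picture = {}
    for arrival, r in delivered:
        if arrival <= now:
            picture[r.unit] = (r.pos, now - r.sent)
    return picture

# Constructed ground truth: three Blue units moving east, reporting every 10 s.
GROUND = [PosReport(t, u, (x + t // 10, y))
          for t in (0, 10, 20, 30)
          for u, (x, y) in {"A": (0, 0), "B": (5, 5), "C": (9, 1)}.items()]

def demo(now=30):
    relay = EffectRelay(dos={"A"}, delay={"B": 25}, forge={"C": (9, 1)})
    seen = perceived_truth(relay.relay(GROUND), now)
    truth = {r.unit: r.pos for r in GROUND if r.sent <= now}
    return truth, seen, len(relay.intercepted)
```

In `demo()`, unit A is missing from the display, B shows a 30-second-old position, and C appears stationary with a fresh report while ground truth has moved; these are the kinds of symptoms a trainee compares against other sources.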

Slide16

Conclusion and Way Forward

Cyberspace is a domain that lacks the necessary M&S tools to properly evaluate, experiment, and train the warfighter to recognize and utilize cyber operations as a part of the mission.

The initial phase of COBWebS allows training managers to incorporate CNA/OCO injection into their training exercises so that the trainees can recognize cyber-attacks and make decisions accordingly.

There are, however, other user-identified gaps and limitations that remain to be addressed, possibly in future COBWebS releases. These gaps include:
Simulate CNA effects on in-bound C2 communication, i.e., from MCS to simulation clients
Simulate CNA effects on C2 communication between live entities/C2 devices, i.e., live to live
Simulate proactive and reactive CND measures after the realization of being cyber-attacked.
Incorporate cyber data exchange models as they mature

We plan COBWebS to transition to a Program of Record, e.g., OneSAF

Slide17

Authors

Henry Marshall
Army Research Laboratory (ARL)
Human Research and Engineering Directorate (HRED)
Simulation and Training Technology Center (STTC)
Orlando, Florida

Robert Wells
Dynamic Animation Systems, Inc.
Orlando, Florida

Jeff Truong
Effective Applications Corporation
Orlando, Florida

Questions?

MAJ. Jerry R. Mize
Army Research Laboratory (ARL)
Human Research and Engineering Directorate (HRED)
Simulation and Training Technology Center (STTC)
Orlando, Florida

CPT. Michael Hooper
U.S. Army Cyber Command (ARCYBER)
Fort Meade, Maryland