Concept for a Tactical Cyber Warfare Effect Training Prototype, 2015 Fall SIW, Orlando. Henry Marshall, Science & Technology Manager, Army Research Laboratory (ARL) Human Research and Engineering Directorate (HRED). ID: 785865
Slide 1: Cyber Operations Battlefield Web Services (COBWebS) – Concept for a Tactical Cyber Warfare Effect Training Prototype
2015 Fall SIW, Orlando
Henry Marshall, Science & Technology Manager
Army Research Laboratory (ARL) Human Research and Engineering Directorate (HRED)
Simulation and Training Technology Center (STTC) Advanced Simulation Branch
Slide 2: Agenda
Why Cyber Warfare Training?
Gap Analysis Participants
Cyber Warfare Terms
Introducing COBWebS: Cyber Operations Battlefield Web Service
  COBWebS Overview
  Design Drivers
  Architecture Overview
  Capability Overview
Example COBWebS Use Cases
Conclusion and Way Forward
Slide 3: Why Cyber Warfare Training?
Test/Cyber Science and Technology Research Areas (Reference: PEO STRI Science and Technology Gaps for TSIS RFI – Dist. A – 6 May 2015)
S&T Focus Area: Threat Cyber Capabilities
Research Areas:
  Enhance threat Computer Network Operations
  Threat Computer Network Attack & Computer Network Defense
  Remote mission command of multiple cyber platforms
  Modeling & execution of cyber activities
  Virtualization of threat networks
  Threat cyber tools developed as Software as a Service (SaaS)
Slide 4: Why Cyber Warfare Training? (cont’d)
National Simulation Center (NSC) Futures identified:
  Big Data – Social Media, website into simulations
  Network Architecture – Cyber Offense/Defense
The Department of Defense Cyber Strategy (April 2015): one of the tasks outlined is to establish an enterprise-wide cyber modeling and simulation (M&S) capability.
The Director of National Intelligence named the cyber threat as the number one strategic threat to the U.S. from 2013-2015, placing it ahead of terrorism for the first time since the 11 September 2001 attacks.
Joint Publication (JP) 3-12R “Cyberspace Operations”, Army Field Manual (FM) 3-38 “Cyber Electromagnetic Activities (CEMA)”, and Army FM 3-36 “Electronic Warfare” describe cyber operations and the importance of cyber warfare training.
Slide 5: Why Cyber Warfare Training?
The Army Combat Training Centers (CTCs) provide realistic, intensive training for soldiers and commanders of the units being trained. Just as actors are added for realism, the emerging need for the modern and future battlefield to represent Cyber at the CTCs led to observer/coach/trainers being used to realistically present the Cyber threat to rotating units. The U.S. Army Cyber OPFOR has been responsible for emulating national-level adversary attacks against U.S. Army Battle Command Systems at the CTCs since as early as 2011.
It is difficult to emulate large-scale cyber attacks without the resources of the modeling and simulation (M&S) community. The capability gaps identified at the CTCs are among the drivers that led to the development of a non-intrusive M&S capability supporting the cyber domain for full-spectrum warfighter training.
Challenge – Cyber Warfare is very asymmetric and constantly changing.
Source: wikipedia.org and other open sources
Slide 6: Gap Analysis Participants
Training and Doctrine Command (TRADOC)
TRADOC G-2 Intelligence Support Activity (TRISA)
Army Capabilities Integration Center (ARCIC)
Brigade Modernization Command (BMC)
Program Manager Constructive Simulation (PM ConSim)
PM Instrumentation, Targets, & Threat Simulators (ITTS)
Threat Systems Management Office (TSMO)
National Simulation Center
Johns Hopkins University
U.S. Army Signal Center of Excellence (SIGCOE) & Cyber COE
Army Combat Training Centers (CTCs)
Slide 7: Cyber Warfare Terms
Cyberspace Operations (CO) are the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.
Computer Network Operations (CNO), in concert with Electronic Warfare (EW), are used primarily to disrupt, disable, degrade or deceive an enemy’s command and control, thereby crippling the enemy’s ability to make effective and timely decisions, while simultaneously protecting and preserving friendly command and control.
Military CNO or CO consists of two main types:
  Computer Network Attacks (CNA), or Offensive Cyberspace Operations (OCO), include actions taken via computer networks to disrupt, deny, degrade, deceive, or destroy the information within computers and computer networks and/or the computers/networks themselves.
  Computer Network Defense (CND), or Defensive Cyberspace Operations (DCO), include actions taken via computer networks to protect, monitor, analyze, detect and respond to network attacks, intrusions, disruptions or other unauthorized actions that would compromise or cripple defense information systems and networks.
Slide 8: Cyber Warfare Terms (cont’d)
CNA can be further decomposed into the following types of attacks:
  Denial of Service (DoS), or Distributed DoS (DDoS), is an attempt to make a targeted machine or network resource unavailable to its intended users. DoS is an attempt to disrupt, degrade, deny, or destroy the target computer or network’s ability to send or receive information.
  Information Interception (II) is an attempt to intercept, or eavesdrop on, a targeted machine or network resource to gather information that may be used to the attacker’s advantage.
  Information Forgery (IF) is an attempt to forge (i.e., fake) information sent on behalf of a known entity to a targeted machine or network resource in order to deceive the target’s C2 situational awareness (SA).
  Information Delay (ID) is an attempt to intercept and delay the information sent/received by a targeted machine or network resource in order to deceive and obstruct the target’s C2 SA.
Typically, many of the CNA attack types are carried out concurrently or sequentially to cause the greatest damage to the targets, as illustrated later in the example use cases section.
Source: wikipedia.org and other open sources
Slide 9: COBWebS
Cyber Operations Battlefield Web Service (COBWebS)
Definition – cob-web:
  1 a: the network spread by a spider
    b: tangles of the silken threads of a spiderweb usually covered with accumulated dirt and dust
  2: something that entangles, obscures, or confuses
  "Cobweb." Merriam-Webster.com. Merriam-Webster, n.d. Web. 27 May 2014. <http://www.merriam-webster.com/dictionary/cobweb>.
COBWebS – a prototype to support Cyber Warfare Training
Slide 10: COBWebS Design Drivers
Develop a loosely coupled software service that models the effects of cyber attacks on blue (friendly) mission command devices. These cyber-attacks include:
  Denial of Service (DoS)
  Information Interception (II)
  Information Forgery (IF)
  Information Delay (ID)
Must support the ability to demonstrate the effects of asymmetric cyber attacks on the mission command systems of training simulations.
Show a potential implementation strategy to add the Cyber Battlefield Operating System to current Live, Virtual and Constructive training simulations.
Support the Information Assurance requirements of training simulations.
Provide a foundational capability that can be used on a wide range of training use cases.
Slide 11: COBWebS Design Drivers
Carefully select the technologies used, with the goal of picking the best components to build a training system architecture:
  Leverage the Mission Command Adapter Web Service (MCA-WS) plug-in from the LVC Integrating Architecture (LVC-IA) program to simulate the effects of cyber attacks on mission command devices.
  Utilize the Ozone Widget Framework (OWF), currently used in Command Web / Command Post Computing Environment (CPCE), to provide users with a common map interface.
Slide 12: COBWebS Architecture Overview
The Computer Network Attack Service provides the capability for “Spyders” to get into the COBWebS and attack inbound and outbound data to and from the mission command devices. The types of attack capabilities are:
  Directed Denial of Service
  Information Delay
  Information Forgery
  Information Interception
[Architecture diagram. Components shown: a Simulation Client on the Simulation Network (DIS, HLA, etc.); mission command devices (FBCB2, AFATDS, DCGS-A, AMDWS) on the Tactical Network (JVMF, TADILJ, USMTF, FDL, etc.); the Mission Command Adapter Web Service with its Config, Tools, Message and Client web services, each with a client side (c) and a server side (s); the COBWebS CNA service (server side), which attacks the data flowing between the simulation and the mission command devices; and a Command Web Test Driver Interface. Web services communicate via Simple Object Access Protocol (SOAP). Legend: <SERVICE NAME> c = web service, client side; <SERVICE NAME> s = web service, server side. Note: URNs are fictional.]
GAP CRITERIA CHECKLIST
  Remote mission command of multiple cyber offensive and defensive platforms
  Modeling and execution of offensive and defensive cyber activities providing force multiplier effects
  Virtualization of offensive/threat and defensive networks
  Offensive and defensive cyber tools developed as software services available in secure cloud environments
Slide 13: COBWebS Capabilities
Provide the ability for trainers to incorporate cyber warfare elements into their exercises to meet training objectives:
  Train the trainees to recognize symptoms of cyber attacks
  Develop contingencies, based on what has been compromised
  Develop workarounds, response, and recovery plans
  Alternative Courses of Action (COAs)
Help develop cyber doctrine based on detecting, responding to, and recovering from a cyber attack.
Provides an Information Assurance (IA) safe environment without corrupting the network infrastructure
  Typical in cyber range exercises
  Can be integrated with cyber test ranges
Software solution only – no special hardware required
Slide 14: Example COBWebS Use Cases
Individual COBWebS CNA capabilities can be used in training use cases on their own, or they can be combined to provide a more realistic scenario. The following example combines different COBWebS CNA capabilities to simulate more realistic cyber-attacks.
This is an example “Man-in-the-Loop” use case of a Red cyber-attacker using COBWebS’s II, DoS, ID, and IF services to deceive and disrupt the Blue units’ SA while launching an ambush to destroy the Blue units.
1. Red cyber-attacker uses II to intercept, discover, and gain knowledge of the Blue entities’ ground truth.
2. Red cyber-attacker uses DoS to deny the Blue units’ C2 communication so that their position reports and observation reports are blocked.
3. Red cyber-attacker uses ID to delay critical Blue C2 communication.
4. Red assault units move in and destroy the Blue units.
5. Red cyber-attacker uses IF to send fake C2 communication on behalf of the Blue units, as if everything is fine.
6. Once the Red assault units have moved out of the area, the Red cyber-attacker stops the IF messages.
Slide 15: Example COBWebS Use Cases (cont’d)
RED force uses COBWebS to discover, deceive, disrupt, and destroy BLUE force
[Figure: two map panels. Left: Ground Truth simulated by Constructive Simulation. Right: Perceived Truth as seen on MC systems as a result of cyber attacks, with callouts "Forged BLUFOR locations", "Observation Reports (ObsRpts) sent by BLUFOR were denied thus not reflected", and "BLUFOR killed". Note: Units and graphics are fictional.]
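As an added illustration, not code from the COBWebS project, the toy model below applies the four CNA effect types from the use case on slides 14 and 15 (II, DoS, ID, IF) to a constructed stream of Blue position and observation reports and shows how the "perceived truth" on a mission command device diverges from simulated ground truth. The message kinds, unit names, positions and the EffectsService class are all constructed for the example and are a simplification of the COBWebS CNA service.

```python
# Added example, not COBWebS project code: a toy effects service that sits
# between simulation ground truth and a mission command (MC) device and applies
# the four CNA effect types (II, DoS, ID, IF) described in the use case.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Msg:
    kind: str    # constructed message kinds: "PosRpt" or "ObsRpt"
    unit: str    # reporting Blue unit (constructed identifiers)
    pos: tuple   # reported grid position (constructed)
    t: int       # simulation tick at which the report was sent


@dataclass
class EffectsService:
    """Trainer-configured cyber effects applied to outbound Blue C2 traffic."""
    intercept: bool = False                       # II: Red copies every report
    deny: set = field(default_factory=set)        # DoS: message kinds dropped
    delay: int = 0                                # ID: ticks added to delivery
    forge: dict = field(default_factory=dict)     # IF: unit -> fake position
    red_log: list = field(default_factory=list)   # what II revealed to Red

    def apply(self, msg: Msg):
        """Return the message as the MC device receives it, or None if denied."""
        if self.intercept:                        # II happens before other effects
            self.red_log.append((msg.unit, msg.pos))
        if msg.kind in self.deny:                 # DoS: the report never arrives
            return None
        pos = self.forge.get(msg.unit, msg.pos)   # IF: substitute a fake location
        return Msg(msg.kind, msg.unit, pos, msg.t + self.delay)  # ID: late arrival


def perceived_truth(ground_truth, svc: EffectsService):
    """Latest report per (unit, kind) as seen on the MC device after effects."""
    view = {}
    for m in sorted(ground_truth, key=lambda m: m.t):
        d = svc.apply(m)
        if d is not None:
            view[(d.unit, d.kind)] = (d.pos, d.t)
    return view


if __name__ == "__main__":
    gt = [Msg("PosRpt", "A1", (10, 20), 0), Msg("ObsRpt", "A1", (30, 40), 1),
          Msg("PosRpt", "B2", (50, 60), 2)]          # constructed ground truth
    red = EffectsService(intercept=True, deny={"ObsRpt"}, delay=3,
                         forge={"A1": (99, 99)})      # steps 1, 2, 3 and 5 combined
    print("ground truth:", perceived_truth(gt, EffectsService()))
    print("perceived   :", perceived_truth(gt, red))
    print("Red learned :", red.red_log)
```

The denied ObsRpt vanishing from the perceived view, the forged A1 location and the three-tick lag correspond to the "ObsRpts denied", "Forged BLUFOR locations" and delay callouts of the figure.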
Slide 16: Conclusion and Way Forward
Cyberspace is a domain that lacks the necessary M&S tools to properly evaluate, experiment, and train the warfighter to recognize and utilize cyber operations as a part of the mission.
The initial phase of COBWebS allows training managers to incorporate CNA/OCO injection into their training exercises so that the trainees can recognize cyber-attacks and make decisions accordingly.
There are, however, other user-identified gaps and limitations that remain to be addressed, possibly in future COBWebS releases. These gaps include:
  Simulate CNA effects on in-bound C2 communication, i.e., from MCS to simulation clients
  Simulate CNA effects on C2 communication between live entities/C2 devices, i.e., live to live
  Simulate proactive and reactive CND measures after the realization of being cyber-attacked
  Incorporate cyber data exchange models as they mature
We plan for COBWebS to transition to a Program of Record, e.g., OneSAF.
Slide 17: Authors
Henry Marshall
Army Research Laboratory (ARL), Human Research and Engineering Directorate (HRED), Simulation and Training Technology Center (STTC), Orlando, Florida
Robert Wells
Dynamic Animation Systems, Inc., Orlando, Florida
Jeff Truong
Effective Applications Corporation, Orlando, Florida
Questions?
MAJ. Jerry R. Mize
Army Research Laboratory (ARL), Human Research and Engineering Directorate (HRED), Simulation and Training Technology Center (STTC), Orlando, Florida
CPT. Michael Hooper
U.S. Army Cyber Command (ARCYBER), Fort Meade, Maryland