
An Introduction to Cyber Modeling and Simulation
Description
This book provides an overview of cyber modeling and simulation (M&S) developments. Using scenarios, courses of action (COAs), and current M&S and simulation environments, the author presents the overall information assurance process, incorporating the people, policies, processes, and technologies currently available in the field, and ties the various threads that currently compose cyber M&S into a coherent view of what is measurable, simulative, and usable for evaluating systems for assured operation.
An Introduction to Cyber Modeling and Simulation gives the reader examples of tools and technologies currently available for performing cyber modeling and simulation. It examines how decision-making processes may benefit from M&S in cyber defense, looks at example emulators and simulators and their potential combination, and covers the corresponding verification and validation (V&V) processes, which give the operational community confidence that cyber models represent the real world. This book:
* Explores the role of cyber M&S in decision making
* Provides a method for contextualizing and understanding cyber risk
* Shows how concepts such as the Risk Management Framework (RMF) leverage multiple processes and policies into a coherent whole
* Evaluates standards for pure IT operations, "cyber for cyber," and operational/mission cyber evaluations--"cyber for others"
* Develops a method for estimating the vulnerability of a system (i.e., time to exploit) and an approach for mitigating risk via policy, training, and technology alternatives
* Uses a model-based approach
An Introduction to Cyber Modeling and Simulation is a must read for all technical professionals and students wishing to expand their knowledge of cyber M&S for future professional work.
Author
JERRY M. COURETAS, PHD, is Technology Lead for the Office of the Secretary of Defense's (OSD) Defense Modeling and Simulation Coordination Office (DM&SCO) with Booz Allen Hamilton in McLean, VA, USA. He is currently the Editor-in-Chief of The Journal of Defense Modeling and Simulation. Dr. Couretas is a Global Industrial Cyber Security Professional (GICSP), a Project Management Professional (PMP), and a Certified Enterprise Architect (FEAC Institute).
Contents
1 Brief Review of Cyber Incidents
  1.1 Cyber's Emergence as an Issue
  1.2 Estonia and Georgia - Militarization of Cyber
  1.3 Conclusions
2 Cyber Security - An Introduction to Assessment and Maturity Frameworks
  2.1 Assessment Frameworks
  2.2 NIST 800 Risk Framework
    2.2.1 Maturity Models
    2.2.2 Use Cases/Scenarios
  2.3 Cyber Insurance Approaches
    2.3.1 An Introduction to Loss Estimate and Rate Evaluation for Cyber
  2.4 Conclusions
  2.5 Future Work
  2.6 Questions
3 Introduction to Cyber Modeling and Simulation (M&S)
  3.1 One Approach to the Science of Cyber Security
  3.2 Cyber Mission System Development Framework
  3.3 Cyber Risk Bow-Tie: Likelihood to Consequence Model
  3.4 Semantic Network Model of Cyberattack
  3.5 Taxonomy of Cyber M&S
  3.6 Cyber Security as a Linear System - Model Example
  3.7 Conclusions
  3.8 Questions
4 Technical and Operational Scenarios
  4.1 Scenario Development
    4.1.1 Technical Scenarios and Critical Security Controls (CSCs)
    4.1.2 ARMOUR Operational Scenarios (Canada)
  4.2 Cyber System Description for M&S
    4.2.1 State Diagram Models/Scenarios of Cyberattacks
    4.2.2 McCumber Model
    4.2.3 Military Activity and Cyber Effects (MACE) Taxonomy
    4.2.4 Cyber Operational Architecture Training System (COATS) Scenarios
  4.3 Modeling and Simulation Hierarchy - Strategic Decision Making and Procurement Risk Evaluation
  4.4 Conclusions
  4.5 Questions
5 Cyber Standards for Modeling and Simulation
  5.1 Cyber Modeling and Simulation Standards Background
  5.2 An Introduction to Cyber Standards for Modeling and Simulation
    5.2.1 MITRE's Cyber Threat Information Standards
    5.2.2 Cyber Operational Architecture Training System
    5.2.3 Levels of Conceptual Interoperability
  5.3 Standards Overview - Cyber vs. Simulation
    5.3.1 Simulation Interoperability Standards Organization (SISO) Standards
    5.3.2 Cyber Standards
  5.4 Conclusions
  5.5 Questions
6 Cyber Course of Action (COA) Strategies
  6.1 Cyber Course of Action (COA) Background
    6.1.1 Effects-Based Cyber-COA Optimization Technology and Experiments (EBCOTE) Project
    6.1.2 Crown Jewels Analysis
    6.1.3 Cyber Mission Impact Assessment (CMIA) Tool
    6.1.4 Analyzing Mission Impacts of Cyber Actions
  6.2 Cyber Defense Measurables - Decision Support System (DSS) Evaluation Criteria
    6.2.1 Visual Analytics
    6.2.2 Managing Cyber Events
    6.2.3 DSS COA and VV&A
  6.3 Cyber Situational Awareness (SA)
    6.3.1 Active and Passive Situational Awareness for Cyber
    6.3.2 Cyber System Monitoring and Example Approaches
  6.4 Cyber COAs and Decision Types
  6.5 Conclusions
  6.6 Further Considerations
  6.7 Questions
7 Cyber Computer-Assisted Exercise (CAX) and Situational Awareness (SA) via Cyber M&S
  7.1 Training Type and Current Cyber Capabilities
  7.2 Situational Awareness (SA) Background and Measures
  7.3 Operational Cyber Domain and Training Considerations
  7.4 Cyber Combined Arms Exercise (CAX) Environment Architecture
    7.4.1 CAX Environment Architecture with Cyber Layer
    7.4.2 Cyber Injections into Traditional CAX - Leveraging Constructive Simulation
    7.4.3 Cyber CAX - Individual and Group Training
  7.5 Conclusions
  7.6 Future Work
  7.7 Questions
8 Cyber Model-Based Evaluation Background
  8.1 Emulators, Simulators, and Verification/Validation for Cyber System Description
  8.2 Modeling Background
    8.2.1 Cyber Simulators
    8.2.2 Cyber Emulators
    8.2.3 Emulator/Simulator Combinations for Cyber Systems
    8.2.4 Verification, Validation, and Accreditation (VV&A)
  8.3 Conclusions
  8.4 Questions
9 Cyber Modeling and Simulation and System Risk Analysis
  9.1 Background on Cyber System Risk Analysis
  9.2 Introduction to Using Modeling and Simulation for System Risk Analysis with Cyber Effects
  9.3 General Business Enterprise Description Model
    9.3.1 Translate Data to Knowledge
    9.3.2 Understand the Enterprise
    9.3.3 Sampling and Cyber Attack Rate Estimation
    9.3.4 Finding Unknown Knowns - Success in Finding Improvised Explosive Device Example
  9.4 Cyber Exploit Estimation
    9.4.1 Enterprise Failure Estimation due to Cyber Effects
  9.5 Countermeasures and Work Package Construction
  9.6 Conclusions and Future Work
  9.7 Questions
10 Cyber Modeling & Simulation (M&S) for Test and Evaluation (T&E)
  10.1 Background
  10.2 Cyber Range Interoperability Standards (CRIS)
  10.3 Cyber Range Event Process and Logical Range
  10.4 Live, Virtual, and Constructive (LVC) for Cyber
    10.4.1 Role of LVC in Capability Development
    10.4.2 Use of LVC Simulations in Cyber Range Events
  10.5 Applying the Logical Range Construct to System under Test (SUT) Interaction
  10.6 Conclusions
  10.7 Questions
11 Developing Model-Based Cyber Modeling and Simulation Frameworks
  11.1 Background
  11.2 Model-Based Systems Engineering (MBSE) and System of Systems Description (Data Centric)
  11.3 Knowledge-Based Systems Engineering (KBSE) for Cyber Simulation
    11.3.1 DHS and SysML Modeling for Buildings (CEPHEID VARIABLE)
    11.3.2 The Cyber Security Modeling Language (CySeMoL)
    11.3.3 Cyber Attack Modeling and Impact Assessment Component (CAMIAC)
  11.4 Architecture-Based Cyber System Optimization Framework
  11.5 Conclusions
  11.6 Questions
12 Appendix: Cyber M&S Supporting Data, Tools, and Techniques
  12.1 Cyber Modeling Considerations
    12.1.1 Factors to Consider for Cyber Modeling
    12.1.2 Lessons Learned from Physical Security
    12.1.3 Cyber Threat Data Providers
    12.1.4 Critical Security Controls (CSCs)
    12.1.5 Situational Awareness Measures
  12.2 Cyber Training Systems
    12.2.1 Scalable Network Defense Trainer (NDT)
    12.2.2 SELEX ES NetComm Simulation Environment (NCSE)
    12.2.3 Example Cyber Tool Companies
  12.3 Cyber-Related Patents and Applications
  12.4 Conclusions
Bibliography
Index
1 Brief Review of Cyber Incidents
When it comes to national security, I think this [i.e., cyber warfare] represents the battleground for the future. I've often said that I think the potential for the next Pearl Harbor could very well be a cyber-attack. If you have a cyber-attack that brings down our power grid system, brings down our financial systems, brings down our government systems, you could paralyze this country.[1]
Leon Panetta
The 1988 Morris Worm, designed to estimate the size of the Internet, took thousands of machines out of operation and led the Defense Advanced Research Projects Agency (DARPA) to fund the first Computer Emergency Response Team (CERT) at Carnegie Mellon University (CMU). As shown in Table 1.1, cyberattacks have continued since 1988, with effects that range from data collection to control of critical infrastructure.
Table 1.1 Select cyber incidents.

Year | Cyberattack | Objective | Effects
---- | ----------- | --------- | -------
1988 | Morris Worm | Understand the number of hosts connected to the Internet | Removed thousands of computers from operation
2003 | Slammer Worm | Denial of service | Disabled Ohio's Davis-Besse nuclear power plant safety monitoring system for nearly 5 h
2008 | Conficker | Implant malware on target machines | Control target machines
2010 | STUXNET | Take control of Siemens industrial control systems (ICS) | Destroyed centrifuges used for the Iranian nuclear program
2012 | Saudi Aramco (oil provider) business systems (aka Al Shamoon) | Wipe disks on Microsoft Windows-based systems | Destroyed ARAMCO business systems, causing financial losses through the inability to bill customers for oil shipments
2013 | South Korean banks | "DarkSeoul" virus used to deny service and destroy data | Destroyed hard drives of selected business systems
2013 | US banks | Distributed Denial of Service (DDoS) | Caused financial losses through banks' inability to serve customers
2013 | Rye Dam (NY) | Access control gates for opening and closing at will | Controlled dam gate system
2014 | Sony Pictures | Data breach | Downloaded a large amount of data and posted it on the Internet, 3 weeks before the release of a satirical film about North Korea
2015 | Office of Personnel Management (OPM) breach | Gain access to information on US Government personnel | Downloaded over 21 million US Government and contractor personnel files
2017 | Equifax breach | Gain access to consumer credit information | Downloaded credit history and private information on over 143 million consumers

Table 1.1 provides a mix of documented cyber incidents; only the Morris Worm is in question as to malevolent intent. Because cyberattacks involve multiple actors and actions, a conversation around "resilience" (e.g. the NIST Cybersecurity Framework) provides a means for communicating how the overall system will continue to perform in the face of adversity.
In addition, resilience frames the discussion of an organization's operational risk, in this case the risk due to cyber. More specifically, the resilience view provides a means to organize the challenges of measuring and quantifying the broad scope of an organization's cyberattack surface by:
- Recognizing that the autonomy and efficiencies that information systems provide are too valuable to forego, even though the underlying technologies pose a potential threat to business operations.
- Understanding that cyber "security" (i.e. the ability to provide an effective deterrent to cyberattacks) is not achievable for most organizations in the short term, so resilience is one way to develop organizational policies and processes around:
  - mitigation scenarios for general cyberattacks
  - comparing tacitly accepted cyber risk to business risks that we already transfer to other organizations (e.g. hurricanes, earthquakes, and other natural disasters transferred to insurance companies).
- Coordinating the challenges associated with an organization's people being a key source of cyber vulnerability.
Resilience, therefore, provides an overarching approach, with some elements already modeled, for bundling the exposure associated with cyber and moving the discussion to a more manageable set of risks, analogous to operational challenges already mitigated or transferred through an organization's policies and processes. In addition, cyber risk management requires analytical evaluation and testable scenarios that enable contingency planning for each organization. Cyber risk assessment is a growing area of interest and an inspiration for developing cyber modeling and simulation techniques.
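The retained-versus-transferred comparison above, in working code. This is an added illustration, not code or data from the book: a frequency-severity Monte Carlo that draws the number of successful attacks per year from a Poisson process, draws each event's loss from a lognormal distribution, and splits each loss between the organization and a hypothetical insurer under a per-event deductible and limit. The attack rate (2 events per year), median loss (200,000), spread (sigma = 1.0) and the policy terms are constructed assumptions chosen only to make the shape of the result visible. The closed-form expected annual loss of the same compound distribution is computed alongside as a convergence check on the simulation.

```python
"""Frequency-severity Monte Carlo for annual cyber loss, split between a
retained share and a share transferred to an insurer. Added illustration:
every parameter below is a constructed assumption, not a figure from the book."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    deductible: float  # loss the organization retains on each event
    limit: float       # maximum the insurer pays on any single event


def apply_policy(loss: float, policy: Policy) -> tuple[float, float]:
    """Split one event's loss into (retained, transferred)."""
    transferred = min(max(loss - policy.deductible, 0.0), policy.limit)
    return loss - transferred, transferred


def poisson(rng: random.Random, rate: float) -> int:
    """Number of events in one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def expected_annual_loss(rate: float, median_loss: float, sigma: float) -> float:
    """Closed form for the compound Poisson-lognormal mean: rate * E[loss]."""
    return rate * median_loss * math.exp(sigma ** 2 / 2)


def simulate(rate: float, median_loss: float, sigma: float, policy: Policy,
             years: int = 20_000, seed: int = 1) -> dict:
    """Simulate `years` independent years and summarise the loss distribution."""
    rng = random.Random(seed)
    total, retained, transferred = [], [], []
    for _ in range(years):
        r_year = t_year = 0.0
        for _ in range(poisson(rng, rate)):
            loss = rng.lognormvariate(math.log(median_loss), sigma)
            r, t = apply_policy(loss, policy)
            r_year += r
            t_year += t
        retained.append(r_year)
        transferred.append(t_year)
        total.append(r_year + t_year)
    p95 = int(0.95 * years)  # index of the 95th percentile after sorting
    return {
        "mean_total": sum(total) / years,
        "mean_retained": sum(retained) / years,
        "mean_transferred": sum(transferred) / years,
        "p95_total": sorted(total)[p95],
        "p95_retained": sorted(retained)[p95],
    }


if __name__ == "__main__":
    # Constructed scenario: ~2 successful attacks/year, median loss 200k, heavy tail.
    policy = Policy(deductible=100_000.0, limit=1_000_000.0)
    result = simulate(2.0, 200_000.0, 1.0, policy)
    print(f"analytic expected annual loss: {expected_annual_loss(2.0, 200_000.0, 1.0):,.0f}")
    for key, value in result.items():
        print(f"{key:>17}: {value:,.0f}")
```

The useful comparison is p95_retained against p95_total: the mean shows how much loss the policy moves off the balance sheet on average, while the 95th percentile shows how much of the tail it actually removes. Because the limit caps each event, a single catastrophic loss still lands mostly on the organization; that residual is the tacitly accepted risk the text refers to, and it is what a scenario-driven model has to make visible before a transfer decision is made.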
1.1 Cyber's Emergence as an Issue
The issue of cyber security, slow to be recognized during information technology's rapid development and spread into business enterprises over the last half century, now often gets the same level of news coverage as natural disasters or stock market anomalies. Yet while an Office of Personnel Management (OPM)[2] breach disclosing the private information of millions of US civil servants gets a few days of news, a new iPhone release creates weeks of chatter on social networks. Cyber insecurity is much less interesting to the general public than the Internet's entertainment and socialization prospects.
The same market growth in personal computing technologies, however, adds to the unforeseen security challenges that networked technologies bring. Increased connectivity, often leading to tighter coupling (both technical and social), challenges "open" information system architectures and their intended benefit. In addition, this increased connectivity provides, for the first time, an artificial domain, or space, through which nefarious actors can exercise potentially catastrophic effects. Cyber's ability to deny or manipulate entire regions of a state, at time constants much shorter than current management structures can handle, is a relatively recent realization. For example, by 2015, reports (Frankel et al. 2015; Maynard and Beecroft 2015) on the potentially catastrophic nature of a cyberattack had started to emerge. Along with the increasing importance of cyber as a physical threat, there is increased awareness via news coverage (Figure 1.1).
Figure 1.1 Organizations targeted by China.
Source: Mandiant (2014), Fireeye https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf.
In addition to Figure 1.1's profile of commercial cyber activity, military applications are expanding as well, with notable uses in Estonia and Georgia over the last decade.
1.2 Estonia and Georgia - Militarization of Cyber
For three weeks in 2007, the Republic of Estonia suffered a crippling cyberattack that left government, political, and economic facets of the country helpless (Yap 2009) (Figure 1.2).
Figure 1.2 Map of N. Europe with Estonia (Google Maps).
This scenario provides a template to examine the policy, training, and technology options of a cyber-attacked state. Estonia's policy options were limited for a number of reasons, including:
- difficulty of attribution
- lack of international standards
- current political environment
Ultimately, unless a cyberattack causes indisputable damage or loss of human life and can be traced back to a source with high certainty, it is unlikely that a state will respond conventionally in self-defense. Currently, there are no clear international laws[3] or rules of engagement that govern the rights of a sovereign state in the event of a cyberattack that causes neither deaths nor significant physical damage. The current approach is to take existing laws and treaties and interpret them to fit cyber domain activities.
However, unlike a conventional attack, many more factors blur the line in cyberspace. The sources of an attack are usually spread across different sovereign states, with limited physical evidence for attribution. Without a common, agreed-upon definition of what constitutes a cyberattack, how can nations defend themselves without risking their ethical, legal, and moral obligations? The fundamental dilemma a state faces is to balance its retaliatory options against the requisite legal justifications when it cannot be confident of the source of the attack.
While policy frameworks are still evolving to deal with cyber as a conflict domain, newly employed technologies provide unprecedented platforms for launching cyberattacks. For example, the main part of the assault on Estonia stopped suddenly roughly a month after it began, suggesting that a botnet had been leased for the attacks...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)