Simulation-Based Cyber Wargaming
Georgia Tech Cyber Lecture Series
Ambrose Kam (Cyber Fellow)
Lockheed Martin
Sept 27 2019
Copyright © 2019 Lockheed Martin Corporation
Unclassified, Distribution A
Contact Information
• Name: Ambrose Kam
• Company: Lockheed Martin
• Telephone: 609-326-5086
• Email: [email protected]
Ambrose Kam
• Over 25 yrs in Modeling & Simulation (M&S) and Operations Analysis (OA) with broad expertise in communications, networking, mission planning, renewable energy, radar, electronic warfare, cyber, etc.
• Pioneer in applying M&S and OA techniques on cyber risk analysis and cyber resiliency assessment
• MIT Fellow in Systems Design & Management since 2002
• 2017 Asian American Engineer of the Year (AAEOY) Award
• Published over 40 research papers on a variety of subjects; guest lecturer @ MIT, Georgia Tech; principal investigator on research projects with leading universities and military service academies (USAFA, USMA, USNA, NPS, etc.)
• MEng in Mechanical Engineering from Cornell; Double Master’s Degree from MIT (Systems Engineering & Management).
Why Wargaming?
DoD Reinvigorates Wargaming (Apr 5, 2016) Over the past year, at least four directives from the highest levels of the Department of Defense (DoD) and the services, including a February 2015 memo from Deputy Secretary of Defense Robert Work, called for more wargaming.
Source: https://www.govtechworks.com/the-return-of-wargaming-how-dod-aims-to-re-imagine-warfare/#gs.BejQRHo
(April 5, 2016) The Pentagon requested more than $55 million for wargaming for fiscal 2017, and more
than $525 million over the five-year Future Years Defense Program spending plan. … Cyber is of
particular concern. Cloaked in secrecy, cyberwarfare is difficult to incorporate into wargames. But not
including it jeopardizes the validity of games that attempt to simulate conflicts against opponents who
will certainly use cyberweapons against U.S. forces.
As cyber attacks become more sophisticated, modeling and testing strategies for both offensive
and defensive operations is essential for U.S. military planners.
Source: https://www.govtechworks.com/the-return-of-wargaming-how-dod-aims-to-re-imagine-warfare/#gs.BejQRHo
What is a Wargame?
Adapted from Ministry of Defense Wargaming Handbook, 2017, pg 10
A Wargame
• Is a: representation of an aspect of a real / fictitious conflict
• In accordance with: pre-defined rules, data and operational procedure
• To provide decision-making experience
• To provide decision-making information
• That is applicable to real-world situations
Wargaming Process
Problem Statement
Design Development
Testing
Rehearsal
Execution
Analysis/Archive
Lockheed Martin Image
Benefits
• Explore options and take risks without risking lives
• Cost effective way to practice command, exercise staff procedures
• Explore innovations in the art of war
• Discover new factors and questions not identified before
Cyber Wargaming in the Commercial Sector
Source: https://www2.deloitte.com/us/en/pages/risk/articles/cyber-risk-services-cyber-war-gaming.html
Source: https://home.kpmg/sg/en/home/services/cyber-confidence/cyber-education/cyber-war-gaming.html
Wargaming Challenges
• Repeatability
• Qualitative
• Adjudication
• Not Predictive
• Only as good as the participants
? (Insights)
Digitizing the Traditional Wargame
Lockheed Martin Image: https://www.lockheedmartin.com/en-us/news/features/2016/webt-navy-area-51.html
Operator-in-the-Loop
Real-Time
Simulation-Based
Adjudication
What is Cyber Attack Network Simulation (CANS)?
CANS models cyber events and their impacts to a system
Simulated Attackers Network
Simulated Target Network
The Cyber Attack Network Simulator (CANS) is a discrete event simulation that allows analysts to study the effect of various cyber events against a model of a planned or operational network system.
CANS Framework
Simulation Engine
Performance Metrics
CANS (Simulated) Network Model
• Network Configuration
• Sim Configuration
• CAPEC
• NVD
Cyber Attack Launchers (CAL)
Network Visualizers
CANS is a highly-scalable and extensible simulator
CANS Architecture
External Clients: Simulators/Visualizers (optional)
Cyber Wargaming: A Madden Football Analogy
Madden Football Video Game
Offensive Playbook
Defensive Playbook
“Offensive” Playbook
Offensive Playbook
Cyber Kill Chain
CAPEC
NVD
Leverages Govt & Industry Resources for Wide Spectrum of Attack Behaviors
| Threat Class | Description |
| --- | --- |
| Abuse of Functionality (AoF) | An attacker manipulates one or more functions of an application in order to perform an attack. This is a broad class of attacks wherein the attacker is able to alter the intended result or purpose of the functionality and thereby affect application behavior or information integrity. Outcomes can range from vandalism and reduction in service to the execution of arbitrary code on the target machine. |
| Alter System Components (ASC) | Attack Patterns within this category focus on alteration or manipulation of the components in a system in an attempt to achieve a desired negative technical impact. |
| Analyze Target (AT) | Attack Patterns within this category focus on the analysis of a target system, protocol, message, or application in order to overcome protections on the target or as a precursor to other attacks. Analysis can involve dissection of an application, analysis of message patterns, formal analysis of protocols, or other methods. The outcome of these attacks can be disclosure of sensitive information or disclosure of a security configuration that leads to further attacks targeted to discover weaknesses. |
| Deceptive Intervention (DI) | Attack Patterns within this category focus on malicious interactions with a target in an attempt to deceive the target and convince the target that it is interacting with some other principal and as such, take actions based on the level of trust that exists between the target and the other principal. These types of attacks assume that some piece of content or functionality is trusted by the target because of this association. Often identified by the term "spoofing", these types of attacks rely on the falsification of the content and/or identity in such a way that the target will incorrectly trust the legitimacy of the content. For example, an attacker may modify a financial transaction between two parties so that the participants remain unchanged but the amount of the transaction is increased. If the recipient cannot detect the change, they may incorrectly assume the modified message originated with the original sender. Attacks of this type may involve an adversary crafting the content from scratch or capturing and modifying legitimate content. |
| Deplete Resources (DR) | An attacker depletes a resource to the point that the target's functionality is affected. Virtually any resource necessary for the target's operation can be targeted in this attack. The result of a successful deplete resources attack is usually the degradation or denial of one or more services offered by the target. The more protected the resource and the greater the quantity of it that must be consumed, the more resources the attacker will need to have at their disposal. |
Sample CVEs Extracted from NIST National Vulnerability Database
Sample Attack Patterns Extracted from CAPEC
“Defensive” Playbook
Defensive Playbook
Cyber Survivability Attributes (CSA)
NIST SP 800-160 Vol2
NIST SP 800-53 R5
Examining Cyber Resiliency & Survivability through Realistic Wargaming
NIST 800-53 Controls
Cyber Resiliency Techniques
Adaptive Response
Analytic Monitoring
Deception
Diversity
Dynamic Positioning
Non-Persistence
Privilege Restrictions
Segmentation
Coordinated Protection
Contextual Awareness
Realignment
Redundancy
Substantiated Integrity
Unpredictability
NIST 800-160 Vol2
Cyber Survivability Attributes (CSA)
Cyber Wargame Designer
What is AFSIM?
• Advanced Framework for Simulation, Integration & Modeling
• Government Owned object-oriented C++ library
• Discrete Event Simulation
• Can run at, faster than, and slower than real time
• Can be Human-in-the-loop
The intent of AFSIM is not to provide all encompassing models, but rather to provide the framework for incorporating the necessary models*
*from AFRL
Modeling the Cyber “5D” Effects as Defined in JP3-12
Modeled Cyber Effect Examples

| Cyber Effects | 5D Effect | Type | Results |
| --- | --- | --- | --- |
| Comm Link Shutdown | Disruption / Denial | Denial of Service | Loss of ability to send/receive messages (e.g. target tracks, commands); launchers lose ability to receive engagement commands |
| Track Spoofing | Disruption / Deception | Manipulate track information | Add additional error to elevation data: reduce values by 1 km; blue missiles miss red targets |
| Track Spoofing | Deception / Disruption | Manipulate track information | Add additional error to lat & long data: reduce values by 0.02 degree; blue missiles miss |
| IFF Spoofing | Deception / Disruption | Manipulate track information | Change “Foe” to Friendly in track database; red targets won’t get engaged (fratricide firing doctrine) |
CANS Details on How Cyber Effects can be Achieved
CANS/AFSIM Software Architecture
Blue Team Red Team
AFSIM/Warlock
AFSIM Warlock Operator Interface
Courtesy of IST
Blue Cell Player
Distributed Operator Stations
CANS/AFSIM DIS
AFSIM (Warlock)
• Role of Warlock
• Provides an operator interface to play out the scenario
• Real-Time engagements and decision making support
• Task Assignment & Task Status Displays
• Custom panels to reflect operators’ roles
• Mimic SAM/Ship C2 Commander / TAO / EW officers
• Ability to “hook” a target and initiate kinetic or non-kinetic responses
• Tactical responses (kinetic): Launcher selection, weapon/target pairing
• Determine when and what the EW responses should be (non-kinetic)
Sample Scenario
• Unclassified scenario to illustrate this CANS/AFSIM (Warlock) CONOPS
• Multi-Player Operator-in-the-Loop (cyber only or multi-domain)
• Red vs Blue Wargaming Scenario
• White Cells are observers (might provide scenario injects)
• Operators to provide real-time responses
• Cyber attack vectors are derived from govt validated sources
  • Common Attack Pattern Enumeration and Classification (CAPEC) (unclassified)
Sample Scenario (Effects of Cyber)
Sample Metrics
[Chart: Blue Engagements and Red Engagements, Baseline Comms vs. Cyber Attack. Series: Sum of Weapon Fired; Sum of Weapon Hit and Target Kill; Sum of Weapon Hit and Target Damaged; Sum of Weapon Missed Target]
• In this example, a CANS player acting as a cyber attacker targeted and shut down communication on the IADS Commander
• This resulted in:
  • Blue destroying XX more Red Targets
  • Red destroying YY fewer Blue Assets
  • And Red launching fewer defensive weapons
Sample Metrics
[Chart: Blue Engagements and Red Engagements, Baseline (without RGPO) vs. With RGPO. Series: Sum of Weapon Fired; Sum of Weapon Hit and Target Kill; Sum of Weapon Hit and Target Damage; Sum of Weapon Missed Target. Annotations: Red Fired More; Red Missed More]
In this example, all four (4) blue bombers countered the Red IADS with EW countermeasures upon approach.
This resulted in:
  • Red firing more SAMs, expending inventory
  • Red missing more targets, wasting inventory
  • Blue bombers remaining in the engagement zone longer
Conclusion
• CANS/AFSIM Multi-Domain Wargaming Framework
  • Low Cost, Real-Time, Operator-in-the-Loop Wargaming Engine
  • Flexible scenario implementations to expose operational & capability gaps
  • Experiment with new Tactics, Techniques and Procedures (TTP)
  • Large variety of EW/Cyber exploits (offensive/defensive)
• Future Work
  • UCI messaging to bring in tactical systems
  • Mission planning tool integration
  • Artificial Intelligence, machine learning and battle management optimization
Questions?
[Diagram labels: CANS; DIS Interface (UDP Socket); External Simulators (e.g. SENSIS, AFSIM); Health and Status Messages; DIS Entity State PDUs or similar format]
Distributed Interactive Simulation (DIS) is an IEEE 1278 standard for simulation interoperability
AFSIM DIS Interface Sequence Diagram
DIS Input Stream, DIS PDU Factory, WSF DIS App
Receive PDU
Parse PDU Header
Process WSF DIS PDU
AFSIM Internal Simulation Data
Identify PDU Type
Create WSF DIS PDU Object as defined by PDU Type
Entity Object tagged by WSF DIS PDU
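The receive path named in this sequence (receive PDU, parse header, identify type, create object), as an added C++ example that is not AFSIM, WSF or CANS code: it reads the 12-byte IEEE 1278.1 PDU header from a UDP payload and builds an Entity State object only when the declared lengths agree with the datagram. All type and function names are hypothetical, and the sample datagram is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr std::size_t kHeaderLen = 12;        // IEEE 1278.1 PDU header size
constexpr std::size_t kEntityStateMin = 144;  // Entity State PDU with no articulation records
constexpr std::uint8_t kEntityStateType = 1;  // PDU Type 1 = Entity State

enum class Verdict { Ok, Truncated, BadLength, UnsupportedType, CountMismatch };

struct PduHeader {
    std::uint8_t version, exercise, type, family;
    std::uint32_t timestamp;
    std::uint16_t length;  // whole PDU in bytes, header included
};

struct EntityState {
    PduHeader header;
    std::uint16_t site, application, entity;  // Entity ID triple
    std::uint8_t force_id, articulation_count;
};

// DIS fields are big-endian on the wire.
static std::uint16_t be16(const std::uint8_t* p) {
    return static_cast<std::uint16_t>((p[0] << 8) | p[1]);
}
static std::uint32_t be32(const std::uint8_t* p) {
    return (std::uint32_t{be16(p)} << 16) | be16(p + 2);
}

// "Parse PDU Header": the length field comes from the sender, so it is
// checked against the bytes actually received before anything trusts it.
Verdict parse_header(const std::vector<std::uint8_t>& d, PduHeader& h) {
    if (d.size() < kHeaderLen) return Verdict::Truncated;
    h = PduHeader{d[0], d[1], d[2], d[3], be32(&d[4]), be16(&d[8])};
    if (h.length < kHeaderLen || h.length > d.size()) return Verdict::BadLength;
    return Verdict::Ok;
}

// "Identify PDU Type" and "Create PDU Object": only Entity State is built
// here; other types are reported as unsupported rather than guessed at.
Verdict make_entity_state(const std::vector<std::uint8_t>& d, EntityState& es) {
    PduHeader h{};
    Verdict v = parse_header(d, h);
    if (v != Verdict::Ok) return v;
    if (h.type != kEntityStateType) return Verdict::UnsupportedType;
    if (h.length < kEntityStateMin) return Verdict::BadLength;
    es = EntityState{h, be16(&d[12]), be16(&d[14]), be16(&d[16]), d[18], d[19]};
    // Each articulation record adds 16 bytes; the count must agree with the
    // length field before any later code indexes past the fixed part.
    if (h.length != kEntityStateMin + 16u * es.articulation_count)
        return Verdict::CountMismatch;
    return Verdict::Ok;
}

// Constructed sample datagram (not captured traffic): exercise 1, entity 1:2:3.
std::vector<std::uint8_t> sample_entity_state() {
    std::vector<std::uint8_t> d(kEntityStateMin, 0);
    d[0] = 6; d[1] = 1; d[2] = kEntityStateType; d[3] = 1;  // version 6, family 1
    d[8] = 0; d[9] = 144;                                   // length = 144
    d[13] = 1; d[15] = 2; d[17] = 3;                        // site / application / entity
    d[18] = 1;                                              // force id
    return d;
}
```
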