TRANSCRIPT
Slide 1: Simulation-Based Cyber Wargaming
Georgia Tech Cyber Lecture Series
Ambrose Kam (Cyber Fellow)
Lockheed Martin
Sept 27 2019
Copyright © 2019 Lockheed Martin Corporation
Unclassified, Distribution A
Slide 2: Contact Information
• Name: Ambrose Kam
• Company: Lockheed Martin
• Telephone: 609-326-5086
• Email: [email protected]
Slide 3: Ambrose Kam
• Over 25 yrs in Modeling & Simulation (M&S) and Operations Analysis (OA) with broad expertise in communications, networking, mission planning, renewable energy, radar, electronic warfare, cyber, etc.
• Pioneer in applying M&S and OA techniques on cyber risk analysis and cyber resiliency assessment
• MIT Fellow in Systems Design & Management since 2002
• 2017 Asian American Engineer of the Year (AAEOY) Award
• Published over 40 research papers on a variety of subjects; guest lecturer @ MIT, Georgia Tech; principal investigator on research projects with leading universities and military service academies (USAFA, USMA, USNA, NPS, etc.)
• MEng in Mechanical Engineering from Cornell; Double Master’s Degree from MIT (Systems Engineering & Management).
Slide 4: Why Wargaming?
"DoD Reinvigorates Wargaming" (Apr 5, 2016): "Over the past year, at least four directives from the highest levels of the Department of Defense (DoD) and the services, including a February 2015 memo from Deputy Secretary of Defense Robert Work, called for more wargaming."
(April 5, 2016) "The Pentagon requested more than $55 million for wargaming for fiscal 2017, and more than $525 million over the five-year Future Years Defense Program spending plan. … Cyber is of particular concern. Cloaked in secrecy, cyberwarfare is difficult to incorporate into wargames. But not including it jeopardizes the validity of games that attempt to simulate conflicts against opponents who will certainly use cyberweapons against U.S. forces."
As cyber attacks become more sophisticated, modeling and testing strategies for both offensive and defensive operations is essential for U.S. military planners.
Source: https://www.govtechworks.com/the-return-of-wargaming-how-dod-aims-to-re-imagine-warfare/#gs.BejQRHo
Slide 5: What is a Wargame?
A wargame is a representation of an aspect of a real or fictitious conflict, in accordance with pre-defined rules, data and operational procedure, to provide decision-making experience and decision-making information that is applicable to real-world situations.
Adapted from Ministry of Defense Wargaming Handbook, 2017, pg 10
Slide 6: Wargaming Process
Problem Statement → Design → Development → Testing → Rehearsal → Execution → Analysis/Archive
Lockheed Martin Image
Slide 7: Benefits
• Explore options and take risks without risking lives
• Cost effective way to practice command, exercise staff procedures
• Explore innovations in the art of war
• Discover new factors and questions not identified before
Slide 8: Cyber Wargaming in the Commercial Sector
Source: https://www2.deloitte.com/us/en/pages/risk/articles/cyber-risk-services-cyber-war-gaming.html
Source: https://home.kpmg/sg/en/home/services/cyber-confidence/cyber-education/cyber-war-gaming.html
Slide 9: Wargaming Challenges
• Repeatability
• Qualitative
• Adjudication
• Not Predictive
• Only as good as the participants
? (Insights)
Slide 10: Digitizing the Traditional Wargame
Source: https://www.lockheedmartin.com/en-us/news/features/2016/webt-navy-area-51.html
• Operator-in-the-Loop
• Real-Time
• Simulation-Based Adjudication
Slide 11: What is Cyber Attack Network Simulation (CANS)?
CANS models cyber events and their impacts to a system.
Figure: Simulated Attacker Network → Simulated Target Network
The Cyber Attack Network Simulator (CANS) is a discrete event simulation that allows analysts to study the effect of various cyber events against a model of a planned or operational network system.
CANS Framework: Simulation Engine; Performance Metrics
Slide 12: CANS Architecture
Figure: CANS (Simulated) Network Model
• Inputs: Network Configuration, Sim Configuration, CAPEC, NVD
• Cyber Attack Launchers (CAL)
• Network Visualizers
• External Clients: Simulators/Visualizers (optional)
CANS is a highly scalable and extensible simulator.
Slide 13: Cyber Wargaming: A Madden Football Analogy
Figure: Madden Football video game, with an Offensive Playbook and a Defensive Playbook
Slide 14: “Offensive” Playbook
Offensive Playbook: Cyber Kill Chain, CAPEC, NVD
Leverages Govt & Industry Resources for Wide Spectrum of Attack Behaviors

Sample Attack Patterns Extracted from CAPEC (Threat Class: Description)

Abuse of Functionality (AoF): An attacker manipulates one or more functions of an application in order to perform an attack. This is a broad class of attacks wherein the attacker is able to alter the intended result or purpose of the functionality and thereby affect application behavior or information integrity. Outcomes can range from vandalism and reduction in service to the execution of arbitrary code on the target machine.

Alter System Components (ASC): Attack patterns within this category focus on alteration or manipulation of the components in a system in an attempt to achieve a desired negative technical impact.

Analyze Target (AT): Attack patterns within this category focus on the analysis of a target system, protocol, message, or application in order to overcome protections on the target or as a precursor to other attacks. Analysis can involve dissection of an application, analysis of message patterns, formal analysis of protocols, or other methods. The outcome of these attacks can be disclosure of sensitive information or disclosure of a security configuration that leads to further attacks targeted to discover weaknesses.

Deceptive Intervention (DI): Attack patterns within this category focus on malicious interactions with a target in an attempt to deceive the target and convince the target that it is interacting with some other principal and, as such, take actions based on the level of trust that exists between the target and the other principal. These types of attacks assume that some piece of content or functionality is trusted by the target because of this association. Often identified by the term "spoofing", these types of attacks rely on the falsification of the content and/or identity in such a way that the target will incorrectly trust the legitimacy of the content. For example, an attacker may modify a financial transaction between two parties so that the participants remain unchanged but the amount of the transaction is increased. If the recipient cannot detect the change, they may incorrectly assume the modified message originated with the original sender. Attacks of this type may involve an adversary crafting the content from scratch or capturing and modifying legitimate content.

Deplete Resources (DR): An attacker depletes a resource to the point that the target's functionality is affected. Virtually any resource necessary for the target's operation can be targeted in this attack. The result of a successful deplete resources attack is usually the degradation or denial of one or more services offered by the target. The more protected the resource and the greater the quantity of it that must be consumed, the more resources the attacker will need to have at their disposal.

Sample CVEs Extracted from NIST National Vulnerability Database
Slide 15: “Defensive” Playbook
Defensive Playbook: Cyber Survivability Attributes (CSA), NIST SP 800-160 Vol 2, NIST SP 800-53 R5
Examining Cyber Resiliency & Survivability through Realistic Wargaming
Figure: NIST 800-53 controls mapped to the NIST 800-160 Vol 2 cyber resiliency techniques and the Cyber Survivability Attributes (CSA)
Cyber Resiliency Techniques:
• Adaptive Response
• Analytic Monitoring
• Deception
• Diversity
• Dynamic Positioning
• Non-Persistence
• Privilege Restrictions
• Segmentation
• Coordinated Protection
• Contextual Awareness
• Realignment
• Redundancy
• Substantiated Integrity
• Unpredictability
Slide 16: Cyber Wargame Designer
(Figure only; no text captured)
Slide 17: What is AFSIM?
• Advanced Framework for Simulation, Integration & Modeling
• Government Owned object-oriented C++ library
• Discrete Event Simulation
• Can run at, faster and slower than real time
• Can be Human-in-the-loop
"The intent of AFSIM is not to provide all encompassing models, but rather to provide the framework for incorporating the necessary models"*
*from AFRL
Slide 18: Modeling the Cyber “5D” Effects as Defined in JP 3-12
Slide 19: (Figure only; no text captured)
20
Modeled Cyber Effect ExamplesCyber Effects 5D Effect Type Results
Comm Link Shutdown
Disruption / Denial Denial of Service Loss Ability to send/receive messages (e.g. target tracks, commands); launchers loss ability to receive engagement commands
Track Spoofing Disruption / Deception Manipulate track information
Add addition error to elevation data: reduce values by 1km; blue missiles miss red targets
Track Spoofing Deception / Disruption Manipulate track information
Add addition error to lat & long data: reduce values by 0.02 degree; blue missiles miss
IFF Spoofing Deception / Disruption Manipulate track information
Change “Foe” to Friendly in track database; red targets won’t get engaged (fratricide firing doctrine)
CANS Details on How Cyber Effects can be Achieved
UnclassifiedDistribution A
Copyright © 2019 Lockheed Martin Corporation
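As an added illustration (not code from the talk or from CANS/AFSIM), the following Python model applies the four effects in the table above to the track a Blue C2 node perceives, adjudicates each engagement against ground truth, and tallies the fired/hit/missed counters used on the later metrics slides. The degrees-to-metres factor, the lethal radius and the two Red tracks are constructed assumptions.

```python
import math
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Track:
    # Constructed track record of the kind a simulated C2 node holds.
    track_id: int
    lat: float      # degrees
    lon: float      # degrees
    elev_m: float   # metres
    iff: str        # "Foe" or "Friendly"

M_PER_DEG = 111_000.0    # approx metres per degree of latitude (assumption)
LETHAL_RADIUS_M = 50.0   # hypothetical weapon lethal radius (assumption)

def apply_effect(track: Track, effect: str) -> Track:
    # Apply one modeled cyber effect to the track as Blue perceives it.
    if effect == "baseline":
        return track
    if effect == "elevation_spoof":   # reduce elevation data by 1 km
        return replace(track, elev_m=track.elev_m - 1000.0)
    if effect == "latlon_spoof":      # reduce lat & long data by 0.02 degree
        return replace(track, lat=track.lat - 0.02, lon=track.lon - 0.02)
    if effect == "iff_spoof":         # change "Foe" to "Friendly" in the track database
        return replace(track, iff="Friendly") if track.iff == "Foe" else track
    raise ValueError(f"unknown effect {effect}")

def adjudicate(truth: Track, perceived: Track) -> str:
    # Blue engages what it perceives; the weapon is scored against ground truth.
    if perceived.iff != "Foe":
        return "not_engaged"          # firing doctrine: never engage friendlies
    dlat = (perceived.lat - truth.lat) * M_PER_DEG
    dlon = (perceived.lon - truth.lon) * M_PER_DEG * math.cos(math.radians(truth.lat))
    dz = perceived.elev_m - truth.elev_m
    return "hit" if math.hypot(dlat, dlon, dz) <= LETHAL_RADIUS_M else "miss"

def engagement_metrics(truth_tracks, effect: str) -> dict:
    # Tally the per-run counters shown on the metrics slides.
    counts = {"fired": 0, "hit": 0, "missed": 0, "not_engaged": 0}
    for t in truth_tracks:
        outcome = adjudicate(t, apply_effect(t, effect))
        if outcome == "not_engaged":
            counts["not_engaged"] += 1
            continue
        counts["fired"] += 1
        counts["hit" if outcome == "hit" else "missed"] += 1
    return counts

# Constructed Red tracks for one run.
RED_TRACKS = [Track(1, 35.0, 45.0, 3000.0, "Foe"), Track(2, 35.1, 45.2, 5000.0, "Foe")]
```

Running `engagement_metrics(RED_TRACKS, e)` for each effect name reproduces the table's qualitative outcomes: baseline hits, both spoofs miss, IFF spoof yields no engagements.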
Slide 21: CANS/AFSIM Software Architecture
Figure: Blue Team and Red Team connected through AFSIM/Warlock
Slide 22: AFSIM Warlock Operator Interface
Figure: Blue Cell Player; Distributed Operator Stations; CANS/AFSIM DIS (Courtesy of IST)
Slide 23: AFSIM (Warlock)
• Role of Warlock
  • Provides an operator interface to play out the scenario
  • Real-time engagements and decision-making support
  • Task assignment & task status displays
  • Custom panels to reflect operators’ roles
  • Mimic SAM/Ship C2 Commander / TAO / EW officers
  • Ability to “hook” a target and initiate kinetic or non-kinetic responses
  • Tactical responses (kinetic): launcher selection, weapon/target pairing
  • Determine when and what the EW responses should be (non-kinetic)
Slide 24: Sample Scenario
• Unclassified scenario to illustrate this CANS/AFSIM (Warlock) CONOPS
• Multi-Player Operator-in-the-Loop (cyber only or multi-domain)
• Red vs Blue Wargaming Scenario
  • White Cells are observers (might provide scenario injects)
  • Operators to provide real-time responses
• Cyber attack vectors are derived from govt validated sources
  • Common Attack Pattern Enumeration and Classification (CAPEC) (unclassified)
Slide 25: Sample Scenario (Effects of Cyber)
(Figure only; no text captured)
Slide 26: Sample Metrics
Chart: Blue Engagements and Red Engagements, Baseline vs Comms Cyber Attack; series: Sum of Weapon Fired, Sum of Weapon Hit and Target Kill, Sum of Weapon Hit and Target Damaged, Sum of Weapon Missed Target
• In this example, a CANS player acting as a cyber attacker targeted and shut down communication on the IADS Commander
• This resulted in:
  • Blue destroying XX more Red targets
  • Red destroying YY fewer Blue assets
  • And Red launching fewer defensive weapons
Slide 27: Sample Metrics
Chart: Blue Engagements and Red Engagements, Baseline (without RGPO) vs With RGPO; series: Sum of Weapon Fired, Sum of Weapon Hit and Target Kill, Sum of Weapon Hit and Target Damage, Sum of Weapon Missed Target (annotations: Red Fired More; Red Missed More)
In this example, all four (4) blue bombers countered the Red IADS with EW countermeasures upon approach.
This resulted in:
• Red firing more SAMs, expending inventory
• Red missing more targets, wasting inventory
• Blue bombers remaining in the engagement zone longer
Slide 28: Conclusion
• CANS/AFSIM Multi-Domain Wargaming Framework
  • Low Cost, Real-Time, Operator-in-the-Loop Wargaming Engine
  • Flexible scenario implementations to expose operational & capability gaps
  • Experiment with new Tactics, Techniques and Procedures (TTP)
  • Large variety of EW/Cyber exploits (offensive/defensive)
• Future Work
  • UCI messaging to bring in tactical systems
  • Mission planning tool integration
  • Artificial Intelligence, machine learning and battle management optimization
Slide 29: Questions?
Slide 31: CANS DIS Interface
Figure: CANS ↔ DIS Interface (UDP Socket) ↔ External Simulators (e.g. SENSIS, AFSIM); traffic consists of Health and Status Messages and DIS Entity State PDUs or a similar format
Distributed Interactive Simulation (DIS) is an IEEE 1278 standard for simulation interoperability.
Slide 32: AFSIM DIS Interface Sequence Diagram
Participants: DIS Input Stream, DIS PDU Factory, WSF DIS App
Sequence: Receive PDU → Parse PDU Header → Identify PDU Type → Create WSF DIS PDU Object as defined by PDU Type → Process WSF DIS PDU → AFSIM Internal Simulation Data (Entity Object tagged by WSF DIS PDU)
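As an added example (not AFSIM or CANS code), the following Python sketches the "Parse PDU Header → Identify PDU Type → Create object by type" steps of the sequence diagram for the IEEE 1278.1 PDU header and the Entity State PDU the CANS interface slide mentions. The defensive point is the length check: a receiving simulator should reject a datagram whose declared PDU length disagrees with the bytes received before any body field is trusted. The sample PDU is constructed locally; field offsets follow the IEEE 1278.1 layout (12-byte header, 144-byte Entity State PDU without articulation parameters).

```python
import struct

# IEEE 1278.1 PDU header (12 bytes, network byte order): protocol version,
# exercise id, PDU type, protocol family, timestamp, length, padding.
PDU_HEADER = struct.Struct(">BBBBIHH")
ENTITY_STATE = 1                                  # PDU type code
PDU_NAMES = {1: "EntityState", 2: "Fire", 3: "Detonation"}
ES_BODY_MIN = 132                                 # Entity State body, no articulation params

def parse_pdu_header(datagram: bytes) -> dict:
    # "Parse PDU Header": decode the fixed header and refuse a datagram whose
    # declared length disagrees with what arrived, so a truncated or padded
    # PDU never reaches the factory.
    if len(datagram) < PDU_HEADER.size:
        raise ValueError("datagram shorter than PDU header")
    ver, ex, ptype, fam, ts, length, _pad = PDU_HEADER.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError(f"declared length {length} != received {len(datagram)}")
    return {"version": ver, "exercise_id": ex, "pdu_type": ptype,
            "family": fam, "timestamp": ts, "length": length}

def parse_entity_state(body: bytes) -> dict:
    # Decode the fields a C2 model needs: entity id, force id, ECEF location.
    if len(body) < ES_BODY_MIN:
        raise ValueError("Entity State body truncated")
    site, app, ent, force_id = struct.unpack_from(">HHHB", body, 0)
    x, y, z = struct.unpack_from(">ddd", body, 36)  # after type fields + velocity
    return {"type": "EntityState", "entity_id": (site, app, ent),
            "force_id": force_id, "location": (x, y, z)}

def pdu_factory(datagram: bytes) -> dict:
    # "Identify PDU Type" then "Create object as defined by PDU Type".
    hdr = parse_pdu_header(datagram)
    body = datagram[PDU_HEADER.size:]
    if hdr["pdu_type"] == ENTITY_STATE:
        return parse_entity_state(body)
    if hdr["pdu_type"] in PDU_NAMES:
        return {"type": PDU_NAMES[hdr["pdu_type"]], "body_len": len(body)}
    raise ValueError(f"unsupported PDU type {hdr['pdu_type']}")

def build_entity_state(site, app, ent, force_id, location, exercise_id=1) -> bytes:
    # Constructed sample Entity State PDU (144 bytes) for offline testing.
    body = struct.pack(">HHHBB", site, app, ent, force_id, 0)   # ids, force, 0 artic params
    body += bytes(16) + struct.pack(">fff", 0.0, 0.0, 0.0)      # entity types, velocity
    body += struct.pack(">ddd", *location)                      # location (ECEF, metres)
    body += bytes(ES_BODY_MIN - len(body))                      # orientation .. capabilities
    header = PDU_HEADER.pack(6, exercise_id, ENTITY_STATE, 1, 0,
                             PDU_HEADER.size + len(body), 0)
    return header + body
```

`pdu_factory(build_entity_state(1, 2, 3, 2, (1.0, 2.0, 3.0)))` returns the decoded entity; passing a truncated copy of the same datagram raises on the length check.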