Shulou(Shulou.com)06/01 Report--

This material comes from a project funded by the Department of Defense and operated by the Institute of Software Engineering at Carnegie Mellon University under the contract FA8721-05-C-0003, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the client, and the findings and conclusions or recommendations do not necessarily reflect the views of the U.S. Department of Defense.

No guarantee. Materials from Carnegie Mellon University and the School of Software Engineering are provided "as is". Carnegie Mellon University makes no warranties, express or implied, including, but not limited to, warranties of fitness or merchantability, proprietary or results resulting from the use of this material. Carnegie Mellon University does not guarantee any freedom resulting from infringement of patents, trademarks or editions.

[release statement]

This material has been approved for public release and unrestricted distribution. Please refer to copyright notices used and distributed by non-U.S. Governments.

Internal use: * allow reproduction of this material and prepare derivative works from this material for internal use, as long as all copies and derivative works contain copyright and "unsecured" notices.

External use: * this material can be completely reproduced without modification and distributed free of charge in written or electronic form without formal permission. Formal permission is required for any other external / or commercial use. To apply for a license, you should contact the School of Software Engineering through permission@sei.cmu.edu.

* these restrictions do not apply to United States government entities.

Catalogue

I Executive Summary. 2

II Summary... 2

III realism is the key to cyber war exercises. 3

IV R-EACTR framework. 4

4.1. Environment. 5

4.2. Opponent. 5

4.3. Communication. 6

4.4. Tactics. 6

4.5. The role. 7

V case study-Cyber Forge 11. 7

5.1. Environment. 7

5.2. Opponent. 9

5.3. Communication. 11

5.4. Tactics. 11

5.5. The role. 12

VI concluded that. 13

I Executive Summary

In order to enable a network security team to maintain the ability to respond to network and network security incidents, it must be practiced through practice. For a team considering participating in a cyber security competition, the preparatory members of the team have unique personal skills, and everyone refines and perfects their personal skills through repeated exercises. In this process, the pinnacle of practice is "melee"-all members of the team work together to achieve a single goal: to score more points than the other team. In the field of cyber security competition, the organizers of the competition will try their best to make the experience of the competition as real as possible. Its design and organization is exactly the same as the real game field, and the equipment used in the game is almost the same as the real game equipment, and the rules of the game are equivalent. In order to ensure that everyone abides by the rules, more referees are needed to strengthen supervision. Before a real game, the most important rehearsal is a melee. Without a melee competition, it is difficult for coaches to assess the strengths and weaknesses of cyber security teams. Similarly, without the melee of team members, it is difficult to understand how their roles are integrated as a whole and their strengths and cooperation with each other.

This is the way of thinking that military planners must adopt when planning online exercises for US military cyber teams. Military exercises have many purposes. For example, the tactics, skills and procedures of the security team exercise and evaluate. More importantly, team members build and improve trust relationships. In order to get the maximum benefit from these participation, the exercise must focus on realism.

In this report, we introduce a design framework for cyber warfare exercises called reality-Environment, opponents, Communications, tactics and roles (R-EACTR). This framework ensures that reality takes into account all aspects of the participant experience when designing team-based exercises. The author used this framework in about 30 live-fire cyber warfare exercises-repeatedly improving and recording the details that show the best realism. This framework is useful in the planning and design phases of the exercise build process. It forces dialogue among planners, engineers, training supervisors and participants. It also encourages a full understanding of what the exercise will be done and the details of how it will be carried out. These conversations gather detailed information about participation in the upcoming competition, which is essential for creating a useful experience for exercise participants.

I abstract

As the field of cyberspace extends to all aspects of military operations, military leaders are faced with the challenge of providing valuable training and exercises to more and more cyber units. In order for the training to be valuable, the training experience must be real. This report introduces a design framework for cyber warfare exercises called reality-Environment, opponents, Communications, tactics and roles (R-EACTR). The R-EACTR framework puts realism at the forefront of every cyber warfare design decision. The report also describes the challenges involved in creating a military cyber exercise, builds a realistic framework for all aspects of the exercise, and a case study of an exercise in which the framework has been successfully applied.

II realism is the key to Cyber Warfare exercises

John Laudicina, a contributor to Forbes magazine, predicts that 2017 will be the "year of cyber warfare"-due to increased vulnerabilities of the Internet of things, infrastructure rehearsals and changing global power politics [Laudicina,2016]. The nation-state is ready for cyber warfare. In December 2016, the attack on the South Korean Cyber Command was blamed on North Korea [BBC 2016]. These events also confirm the naivety of those who think that the Internet will stop. In fact, many experts believe that full-scale cyber warfare is almost inevitable. In order to deal with this reality, military leaders are actively preparing cyber warfare troops for cyber warfare.

How should our army be prepared? The CERT Network Security Talent Development (CWD) Board of the Software Engineering Institute (SEI) has trained a large number of U.S. government network professionals. In 2010, CWD researchers published a SEI technology report detailing our training methods for network security personnel [Hammerstein 2010]. The report describes three main stages of development: knowledge-building, skills-building and experience-building. Initially, CWD spent most of its time improving the first two phases: knowledge building and skills building. These two stages are mainly realized through a virtual training environment-providing customized network security course materials and hands-on laboratories. Since the release of the 2010 technical report, CERT researchers have been increasingly involved in the "experience-building" stage of this teaching method. Experience building is achieved through team-based online exercises. Since 2011, CERT researchers have delivered more than 125 cyber exercises to more than 8000 Defense Department (DoD) participants, representing all military departments, including reserves and guards.

According to Joint publication 1-02, exercises are defined as "military exercises that simulate wartime operations and involve the planning, preparation, and execution of military acts, with the main purpose of training and evaluating cyber warfare capabilities" [DTIC 2017]. Almost all military units participate in team-based exercises at least once a year to ensure that members are able to implement their assigned to-do list (METL). The network departments we support are conducting a variety of cyber exercises, ranging from large-scale exercises (such as Cyber Flag,Cyber Guard and Cyber Knight) over several weeks to small-scale exercises (such as Cyber Forge and Mercury Challenge) over several hours. In all these exercises, we either lead or directly assist the military in planning, building, delivering and reporting.

Over the past five years, we have paid close attention to the feedback generated from the exercise. The most frequent feedback is the desire for "realism". "the team wants to maximize realism in all conceivable ways." After conducting a large-scale exercise, the Action report pointed out that some of the tools available in the exercise environment are different from those used in practice. In a small-scale exercise, a member of the Network Protection Group (CPT) told us that the interaction between the team and external organizations was not truly simulated. In 2016, our cyber exercise design team was assigned to the U.S. Army Cyber Enterprise Technology Command (NETCOM) training and exercise department to collect survey data after each exercise. In the response to each survey, we learned more specific realistic details that could be designed in the exercise. There are a lot of benefits when we respond to learning each lesson and improving the real level in the exercise. Team leaders report that the value of such exercises has increased and participants have become more engaged.

When we design realism into the exercise, we must take into account a simple fact: as realism increases, so does the cost of the exercise. Therefore, we conduct a cost / benefit analysis of various realistic details to determine whether the investment should be maximized or minimized. The key is to find the point where we make concessions to keep the cost to a minimum, but to make the exercise real enough to achieve the desired training results.

General Stanley McChrystal (Stanley McChrystal) talks about SEAL training in his book team (Team of Teams): "A team that combines trust and goals will become stronger. Such teams can improvise operational responses to dynamic, real-time developments" (McChrystal,2015). The increase in realism will also lead to a more complex and dynamic environment. We have observed that in order to gain the upper hand in this growing real-world cyberwarfare exercise environment, teams have learned to operate as a whole and build trust with each other-rather than relying on individual skill sets. We compiled our observations and notes into a design framework called reality-Environment, opponents, Communications, tactics and roles (R-EACTR). We now apply R-EACTR to every cyber war exercise we design, develop, and deliver.

III R-EACTR framework

In our experience, all design decisions are consistent with the following five areas of training experience: environment, opponent, communications, tactics, and roles. From the participants' point of view, each aspect must be real enough to provide a satisfactory (and valuable) training experience. The omission of any aspect could undermine the authenticity of the whole exercise. For example, there may be a real opponent. However, if there is no real tactics, the value is limited in the action against the real opponent. In another example, the environment may be real, but without an actual communication mechanism, the sense of realism will be meaningless when reporting threat mitigation recommendations. We believe that a content that does not include the above five aspects will make the exercise impractical. The next five sections define the details of each of the above sections and identify the elements and sub-elements that cover a specific part as a whole.

Figure 1:R-EACTR framework

1.1. Environment

The "environment" section refers to the sum of the conditions, observations and access to information experienced by the participants. The first element is the physical space in which the team will train, including environmental and office space issues. The second element is the virtual space, which consists of the network, access, and system configuration with which the team will interact. The last point is psychological. This is usually the hardest to simulate, but you should try. We simulate the real psychological reaction by putting the team into familiar schedules, reporting agreements, and mental stress. The elements and sub-features of the environment segment are defined in Table 1.

Table 1: environment section

Essential factors

Sub-element

Physical space

Office space: tables and chairs, whiteboard, printer, telephone, etc.

Environment: close to familiar facilities, uniforms, restaurants, etc.

Virtual space

Network: architecture, infrastructure equipment, security applications

Access: console, remote Desktop Protocol (RDP), login

Configuration: version control, patches, Security Technology implementation Guide (STIG) level

Mental activity

Battle rhythm: schedule, battle peak, shift cycle, end daily

Mental stress: speed, complexity, evaluation, feedback from leaders, etc.

1.2. Opponent

The "opponent" part refers to the sum of hostile forces simulated throughout the exercise. The first element is threat, which is simulated by modeling a specific type of known opponent. The threat must be complex, and when added to the threat type, it is real. The second element of the opponent's part is resources. If the sub-elements of finance, manpower and technology are designed into an overall scenario, then the opponent is real. The elements and subelements of the means are defined in Table 2.

Table 2: opponent section

Essential factors

Sub-element

Threaten

Type: nation-state, * doctrine, criminal family, unknown, mixed

Complexity: difficulty level, interference, deception

Resources

Finance: purchasing power, bribery, hiring mercenaries

Community: internal threats, intelligence sources, social engineering

Technology: tools, systems, skills

1.3. Communication

The "communication" section refers to the sum of the mechanisms and methods that the team will use to communicate throughout the exercise. We usually divide this part into two parts: internal and external. When designing the communication segment, we are concerned with the communication that the replication team uses as closely as possible in practice. This section also includes modeling any communication that will move outside the team boundary to an external organization. We have found that enough attention should be paid to the way the team communicates externally, as this will enable the trainer to actually inject information (orders, reports, tasks, etc.) to drive the team's behavior. The elements and sub-elements of the communication section are shown in Table 3.

Table 3: communication section

Essential factors

Sub-element

Inside

Voice: Internet Protocol Voice (VoIP), teleconference, mobile phone, face to face.

E-mail, instant messaging, file sharing

External

Instructions: operational commands, temporary commands, Commander critical Information requirements (CCIRs)

Collaboration: events, threats, authorizations, requests for information (RFIs)

1.4. Tactics

The "tactics" section refers to the sum of tactics, techniques and procedures within the team. When designing the tactical part, there will be a lot of dialogue between the cyber warfare team and the exercise developer during the design phase. Although all teams use the same METL operation, they perform tasks in different ways. This fact makes it difficult for this code to model correctly. The first element of the tactical section is the individual, in which we consider specific skills, tools, and responsibilities. The second element of the tactical part is the collective, and we focus more attention on the process that can successfully achieve the mission's objectives. The elements and sub-elements of the tactical section are defined in Table 4.

Table 4: tactical section

Essential factors

Sub-element

Individual

Major: military professional expertise (MOS), certification, experience

Leaders: resource allocation, briefing, prioritization

Collective

Task: METL, Target, report

Process: team specific procedures, military directives, regulations, military decision process (MDMP)

1.5. Role

The "role" section refers to the sum of the roles that must be played in the exercise to provide a real mission. When designing the role section, we will write all possible interactions and ensure that each individual is available during the exercise. In designing this section, we use the red, white and blue elements that are common in almost all online exercises. The elements and sub-elements of the role segment are defined in Table 5.

Table 5: roles section

Essential factors

Sub-element

Blue team

Team: battle leader, host, network, simulation / simulation, logging, reporting

Support: computer network defense service provider (CNDSP), intelligence, and headquarters

White team

Control: injection traffic, timing, main scene event list (MSEL) controller

Evaluation: embedded observers, evaluators, inspectors

Red team

Opposition (OPFOR): military category, criminal category, political category, civilian category

OPFOR support: technology, finance, logistics

II case study-Cyber Forge 11

Since 2012, CWD's board of directors has been working with the training and exercise department of the Army Network Enterprise Technology Command to provide team-level exercises for various network units. A series of exercises are called "Cyber Forge". The Cyber Forge exercise series consists of unclassified, fictional group training activities designed to enable the cyber protection brigade to evaluate the performance of the cyber protection team. This exercise is driven by several training developers who are mission owners, computer network defense service providers (CNDSP), hostile forces ("Red Team"), game guides, and other necessary roles. This exercise is provided remotely through the CERT Private Network training Cloud (PCTC), an example of a simulation, training and training platform (STEP). In this case study, we describe a Cyber Forge exercise that was designed and delivered to the network protection team in September 2016. In the next five sections, a table summarizes the design details of each network segment of Cyber Forge 11.

2.1. Environment

With regard to the physical aspects of the environment, CPT can train in positions that the team is familiar with. Because CPT is in familiar facilities and normal environment, this greatly increases the authenticity of physical elements. With regard to the virtual elements of the environment, the virtual network of Cyber Forge 11 is a complex infrastructure that accurately deploys CPT to the Joint Base-connecting to the Network Enterprise Centre (NEC) and the Regional Network Centre (RCC). Provide team members with real tools and enterprise systems similar to those used in recent CPT operations. For the psychological factors of the environment, through the mandatory introduction of the owner of the simulation task to design a lifelike injection of mental pressure, resulting in the expected psychological reaction. This is due to the eagerness to provide as much in-depth technical information as possible on the defense network terrain. Table 6 details the most important sub-elements of the Cyber Forge 11 environment part design.

Table 6:Cyber Forge 11 partial environment design details

Essential factors

Sub-element

Cyber Forge details

Physics

Office space

Use local stations to access unclassified Internet Protocol routers (NIPR) and commercial Internet

Separate red / white / blue team room

Team laptop, printer, whiteboard, phone available

Readily available communication mechanism

Environment

Normal food and beverage choice, unified (UOD) one-day demand

Normal shipping, weekly PT requirements

Virtual

Virtual network

Analog Interconnection forwarding Operations Base (FOB), Network Enterprise Center (NEC), Regional Network Center (RCC) and Defense Information system Agency (DISA)

Simulated Internet and Multi-Hop Border Gateway Protocol (BGP) routing, Internet site, root server for Domain name Service (DNS)

Actual Internet-based HTTP and DNS network traffic generation against protection assets

Define and dynamically assign opponent / red team IP address and range

Virtual access

RDP or Secure Shell (SSH) access to all servers, devices, and network devices

Console access to all end-user workstations, servers, devices and network devices

Configuration

Windows Server 2008

Windows Sever 2008 Active Directory (AD) domain level

There are hundreds of real user accounts in Active Directory

Active Directory restricted group policy

Update Windows workstation and server operating systems and application patches

Windows 7 and Ubuntu Desktop user Workstation

Microsoft Office 2011 and Microsoft Outlook client mail

Simulate Windows 7 user login, email, MS Office activity

Windows 2008 IIS and Apache Linux web servers

Microsoft AD and Linux BIND DNS

HBSS/McAfee ePolicy Orchestrator

Cisco Router

Blue Coat Proxy Servers

Palo Alto Firewall and Real Firewall rules

Cisco SourceFire and Security Onion

Arcsight SIEM

Collection and Analysis of SiLK NetFlow Network Traffic

Forensics tools: SIFT, REMnux, and ADHD

ACAS/Nessus security scanner

ELK stack

Kali Linux

Mental activity

Battle rhythm

Daily STARTEX 0800, PAUSEX 1600, hotwash

The daily operation of the combat captain

Mental stress

Conduct a survey briefing to the simulation task owner on the second day (1500)

The task leader directs the task with the intention of causing stress

The combat commander instructs and expects to act quickly

Simulation of CNDSP technology and concrete interaction

On the 4th day, OPFOR is fast.

2.2. Opponent

With regard to the threat elements of the opponent part, we decided to introduce two potential opposing forces to CPT during Cyber Forge 11. One is a regional crime family, and the other is a regional belligerent nation-state. Opposing forces represent different types of threats with varying degrees of complexity, intentions and interests. For the resource elements of the rival part, we take into account the real interaction between the OPFOR and the supporting roles. This includes money laundering, intrigue and geopolitical posturing. CPT understands various scenario-based injections by receiving intelligence reports and interfacing with simulated external agencies. Table 7 provides the design details of the counterpart fine molecular elements for Cyber Forge 11.

Table 7:Cyber Forge 11 opponent subdivision design details

Essential factors

Sub-element

Cyber Forge details

Threaten

Types

Separatist forces seek independence with coordinated help from hostile countries in neighboring countries.

Transnational criminal organizations try to influence geopolitical events to achieve their own financial benefits and to increase their control over the region.

Both groups can coordinate with each other and are hostile nation-states at the same time.

Complexity

Separatists in hostile nation-states have enhanced the capacity of the Internet to declare their activities.

Criminal families are the most capable and have recently acquired mercenaries.

Criminal families are also known for additional crimes such as kidnapping and extortion.

Everyone can have multiple networks at the same time.

Everyone has the ability to gather operational intelligence on the Internet.

Resources

Finance

Transnational criminal organizations have received adequate funding as a result of a recently successful network targeting regional bank assets.

Community

Training: all members are technologically proficient and can speak English as a second language.

The main personnel are educated in western universities.

Several companies have established network call logos and well-known reputations in cyber warfare activities.

All of them have received advanced social engineering training.

Technical

Reconnaissance: Port and service enumeration

Spear website fishing: a variety of technologies

Browser development and utilization *

Malware injection that enables remote management, privilege escalation, and horizontal mobility

Once you have a foothold, you can establish a covert persistent connection.

Data filtering and information collection

Degradation of system integrity

Denial of Service / distributed denial of Service (DoS / DDoS) *

Advanced persistent threat (APT) level

2.3. Communication

For the internal elements of the communications section, we ensure that CPT members can take advantage of all their normal mechanisms: email, voice, and chat. Because CPT is paired together, members can communicate face to face. For the external factors of the communication part, all external institutions are actually connected to the CPT exercise system. Table 8 provides the design details of the communication segment sub-elements for Cyber Forge 11.

Table 8:Cyber Forge 11 communication section design details

Essential factors

Sub-element

Cyber Forge details

Inside

voice

Use direct face-to-face communication in the same room

Electron

Use email and online chat to simulate the Network Operations Center (NOC)

Use online chat within the team: all have dedicated channels / chat rooms (Spark Chat)

Use Windows files to share all files between teams

Use the Redmine Web application to submit the RFI and response to CNDSP

External

Instruction

Receive operation instructions and fragmentation instructions during the STARTEX and throughout the exercise

Collaboration

Chat online using email and simulated NOC / CNDSP / Task Manager and Cyber Fusion Center

Use the online chat tool to create a dedicated channel / room for the online chat of the Intel team, moderator and help desk to create a communication channel.

2.4. Tactics

For the individual elements of the tactical section, we checked the list of participants and made sure that each skill was used in some way, including leadership positions and intelligence analysts, when designing the exercise. For the collective elements of the tactical part, we select specific projects from the unit's METL, which will be applied and ensure that the OPORDER adopts these collective actions. Then we designed the interactions that would occur between the various organizations simulated during the exercise so that each collective task had a specific injection ready to trigger it. Table 9 provides details of the design of the tactical molecular components of Cyber Forge 11.

Table 9:Cyber Forge 11 Tactical Section Design details

Essential factors

Sub-element

Cyber Forge details

Individual

Profession

Review configurations and tool settings based on specific technical skills

Review security tool data for malicious activities

Report specific infrastructure findings to the team

Leader

Head of the team responsible for preparing the status report (SITREPS)

Priority actions given to members of the leading team

Collective

Task

Review all information provided and confirm that the certificate and network connection are successful

Validates the defense tasks of key terrain network assets

Deployment team customizes security tools and sensors

Determine the network / configuration baseline

Conduct current security risk assessment of infrastructure

Monitor, detect and respond to the activities of opponents

Proposed configuration mitigation recommendations to CNDSP

The activity of trapping any opponent

Directly engage in threatening activities with active opponents

Make daily network activity report (NAR)

Daily situation report generated (SITREP)

Process flow

Use internal team processes to identify threats and deliver them to combat officers

Use internal team processes for threat discovery and mitigation technology implementation

Submit the RFIs to the task owner and CNDSP through the internal team process

Train internal team processes around MDMP when new threats / reports / orders are received

2.5. Role

For the blue team elements in the role section, all team members work within their normally assigned roles and responsibilities. Support the Blue Army (the Blue Force). The role actors simulated "Network Fusion Center", "responsible Intelligence Unit", "Local Garrison CNDSP" and "owner of assigned tasks"). For the red team elements of the role part, the role players also simulate several antagonistic forces. For the white team elements of the role part, the exercise developer will consider all aspects of the exercise control in the white team. The assessment team is headed by a training sergeant (NCO) within the CPT. Table 10 provides details of the design of the fine molecular elements of the role segment of Cyber Forge 11.

Table 10:Cyber Forge 11 role breakdown design details

Essential factors

Sub-element

Cyber Forge details

Blue team

party

The combat captain is present and provides team leadership.

The network protection team is 21 members.

Support

The CNDSP / NOC role already exists and can answer questions and provide operational support through online chat and phone calls.

The Intel team role exists to help Intel "tippers" to help with the exercise. The Intel team also answered questions about Intel after Intel's "tippers" was provided to the team.

White team

Control

Identify and assign white team members to the roster role

STARTEX logistics coordination for all teams and components

Manage the Game clock of STARTEX / PAUSEX / ENDEX

Control the flow of MSEL

A brief introduction to STARTEX

Hotwash in ENDEX

Monitor the progress and status of the team and adjust MSEL according to strengths and weaknesses

Use the on-screen tracking tool to monitor end user activity / clicks

Manage the time of Intel information release

Manage the deployment time of the red team

Evaluation

The embedded observer is placed in the same room as the blue team participant.

Embedded observers provide real-time feedback and summary reports.

Red team

Opposition (OPFOR)

Deploy a custom RAT (remote management tool) APT

Create and use Slowloris DDoS botnet defense assets

Harpoon phishing using beacons based on malware and data theft

Use horizontal movement to * AD domain

Use SQL injection for data * and filtering

Through rogue CD*** malware

OPFOR support

Provides access to simulated sensitive information to regional Internet service providers.

Provide simulated leaked information about troop movements.

Provides simulated leaked information from regional bank assets.

III conclusion

In this report, we introduce the R-EACTR framework as a guide for designing and building sufficiently realistic military cyber warfare exercises. In our experience building and cyber warfare exercises, we find that the key factor to maximize value is realism. With a solid framework for creating a team of excellent network security talents, the team can become a network security elite through exercises.

Reference:

The web address shall take effect from the date of publication of this document.

[BBC 2016]

bbc. North Korea "attacks military cyber command in the south", BBC News. December 5, 2016. Http://www.bbc.com/news/world-asia-38219009

[DTIC 2017]

Defense Technology Information Center. Joint publication 1-02: dictionary of military and related terms. DTIC . March 2017. Http://www.dtic.mil/doctrine/new_pubs/dictionary.pdf

[Hammerstein 2010]

Hammerstein, Josh and May, Christopher. The method developed by CERT network security staff. CMU / SEI-2010-TR-045 . Carnegie Mellon University, Pittsburgh, Pennsylvania Institute of Software Engineering, 2010. Http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=9697

[Laudicina 2016]

Laudicina, John. 2017 will be the year of cyber war. Forbes magazine. December 16, 2016. Https://www.forbes.com/sites/paullaudicina/2016/12/16/2017-will-be-the-year-of-cyber- warfare / # 74c6c86a6bad

[McChrystal 2015]

McChrystal Stanley; Collins,Tantum; Silverman David; & Fussell,Chris. Teamwork: new rules for a complex world. Penguin, 2015. Https://mcchrystal-group.com/teamofteams/

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.