NETWORK DEFENCE TRAINER
Cyber attacks have been increasing significantly in both number and complexity, prompting the need for better training of cyber defense analysts. To conduct effective training for cyber situation awareness, it becomes essential to design realistic training scenarios.
SCALABLE developed Network Defense Trainer (NDT) to address the increasing number of attacks and their impact on networks. NDT integrates cyberspace operations and traditional kinetic warfare into fully instrumented, synthetic cyber warfare training environments. This allows cyber warriors, network administrators, and commanders and staff to train as they would fight, improving their awareness, reaction time and ability to take corrective action, so that they can work through degraded cyber environments and successfully complete missions.
Network Defense Trainer (NDT) is a live-virtual-constructive (LVC) simulator for training all types of cyber warriors. It can be implemented as a stand-alone system to deliver hands-on experience in the behavior of a wide range of cyber attacks.
NDT can also be integrated with computer generated forces (CGF) and semi-automated forces (SAF) tools to add realistic cyber warfare effects into kinetic mission planning and mission rehearsal exercises.
An NDT system leverages virtual network models which are configured to accurately emulate networks comprised of thousands of wired and wireless nodes. Live and virtual hosts can be connected to the virtual network models, and a system can be federated with other simulators to create powerful training solutions.
The key unique advantages of an NDT system are:
- Effectively represent mobile wireless equipment and applications (and the vulnerabilities they include) as they interoperate with wired backbone network infrastructure and fixed computing systems
- Accurately model the information transport fabric between servers and end-point systems in high fidelity to better demonstrate the effects of cyber-attacks
- Seamlessly integrate (federate) with other training systems such as air traffic control, flight training, and kinetic battlefield simulators
CYBER-ATTACKS AND “THE MISSION”
Cyber security training for any “mission”, whether it is keeping a bank’s website operational, running an airline operations center, or fielding a military exercise, must be as realistic as possible in order to avoid “negative training” – that is, learning behavior or procedures that are actually ineffective in the real environment. In cyber defense training, this translates to having the systems under cyber-attack behave in a repeatable manner consistent with how they would in the real world.
Hardware-based or VM-based cyber ranges which replicate information systems are limited in scale, costly, and time-consuming to configure. These ranges have little or no capability to simulate wireless networks with their inherent vulnerabilities. They also do not integrate the impact of a cyber-attack into an overall mission which is essential for realistic mission rehearsal.
SCALABLE’s Network Defense Trainer addresses all of these shortcomings with a new, unique approach to cyber defense. Our tools will enable your security team to develop a full cyber assessment of how prepared your organization is for cyber attacks.
Virtual network models run a full network communication protocol stack on every emulated node and connect over simulated links that can be wired and wireless.
Running in real-time, actual packets pass from live equipment through the virtual network model and out to other live equipment. Live equipment and applications are subjected to cyber-attacks originating within the emulated network that connects them. The efficient, parallel-executing software can emulate networks of thousands of nodes on a single server.
Messages and data are exchanged between entities in a full Live-Virtual-Constructive (LVC) training environment where full missions (corporate, government, or military) under cyber-attack can be rehearsed.
The NDT system is software-based, is portable, and can integrate specific customer protocols (e.g. emerging DoD waveforms or SCADA communications).
Our emulation environment gets as close to a real-world attack as possible, enabling organizations to strengthen their cyber defenses.
Network Defense Trainer provides trainees with the opportunity to apply knowledge in realistic, stressful situations in a high fidelity synthetic environment. The system provides cyber security training for situational awareness and rapid correct responses and will reinforce lessons learned with After Action Reviews that show trainees and observers what actually happened and why.
The system provides operational cyber attack training in:
- Detecting when something is wrong
- Quickly assessing what is happening
- Containing the attack (cyber for cyber)
- Taking countermeasures (cyber for cyber)
- Modifying operations and assuring the mission (cyber for others)
The trainees can include everyone from the commander or CEO to network administrators in the same training exercise, using real tools, and they learn what to expect during a cyber-attack and how to react. The training is fast-paced to prepare for incidents at network speeds and is centered on awareness, reaction time and correct action (at all levels), cyber defenses, workarounds, and, if appropriate, countermeasures.
Trainees learn how to act individually and as part of a team. Teams learn to work together effectively as they attempt to thwart cyber-attacks.
The system includes models for:
- Network security
- Port and network scanning
- Denial of Service
- Intrusion Detection System stimulation
- Signals Intelligence
- O/S resource models
- Vulnerability exploitation
- Virus attacks
- Worm and virus propagation
- Backdoors, rootkits
- Host models
- Security logs and audit trails
- Coordinated attacks
- Adaptive attacks
NDT is configurable to incorporate live, virtual and constructive (LVC) elements into a full trainer with integrated cyber warfare effects. It is possible to integrate NDT with existing training systems to facilitate a rapid initial deployment. NDT provides the simulation of the network, equipment, and wired and wireless environment while running actual net-centric applications and cyber-attacks, and integrating with other LVC components.
A training system will typically consist of:
- NDT server
- One or more management workstations providing Exercise Preparation, Exercise Control, Cyber Operating Picture, Performance Evaluation, and After Action Review functionality
- Red Force and Blue Force Role Player workstations
- Real (live) devices or equipment
- (Optional) gateway connections to conventional trainers or constructive simulations
A virtual network model emulates the network in software and contains cyber warfare models that are used to attack or defend the network as well as the connected equipment and applications. Real devices, virtual machines, and role players connect and exchange data from live applications over the emulated network. The privacy, integrity, or availability of data can be compromised by cyber-attack, with resulting effects observed on the live equipment.
The server also maintains the various system databases of exercise objects, statistics, and training metrics. A suite of web services runs on the system, accessible via standard open APIs.
Management workstations can be any type of host that supports a standard web browser (Firefox, Chrome, Safari, IE, etc.). The various management functions include:
Exercise Preparation allows the creation, modification, or selection of Lesson Plans, mission scenarios, network configurations, cyber-attacks, device mapping, role and trainee assignments, and sides and teams.
Exercise Control is used to load and unload an exercise, control federation execution, freeze and unfreeze, launch cyber-attacks, take snapshots during the exercise and restore them (in case a trainee made an unrecoverable mistake), and communicate with trainees using chat and VoIP.
The Cyber Operating Picture gives an indication of the state of the network and devices and can be used to launch cyber-attacks. An example is shown below.
Performance Evaluation keeps track of trainees’ progress. The launching of attacks is logged, and trainees’ responses (views, keystrokes, clicks, and communication with others) are logged along with response times, to assist with scoring. It maintains databases of trainees and the exercises they have completed along with their scores.
After Action Review plays back any player’s screenshots (“perceived truth”) and actions on a timeline with attacks, other players’ views, and the actual state of the network (the “ground truth”). An example screenshot is shown below.
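The Performance Evaluation and After Action Review functions described above rest on correlating three records: attack launches (ground truth from the exercise controller), trainee actions (perceived truth) and the emulated network's own state. The following is an added example, not part of this brochure or of the NDT product, that shows one way to merge such logs into a single playback timeline and to score time-to-first-response per attack; the record layout, the target-keyword matching rule and the scoring bands are assumptions made for the example, and the log entries are constructed.

```python
"""Added example: merging exercise logs into an AAR timeline and scoring responses.

Not NDT product code. Field names, the keyword-matching rule and the scoring
bands are assumptions for this illustration.
"""
from datetime import datetime
from typing import Optional

# Constructed sample logs (not captured from a real exercise).
# Ground truth: attacks launched by the exercise controller or red players.
ATTACK_LOG = [
    {"ts": "2024-01-10T09:00:00", "id": "atk-1", "target": "host-A", "desc": "port scan"},
    {"ts": "2024-01-10T09:05:00", "id": "atk-2", "target": "router-1", "desc": "denial of service flood"},
    {"ts": "2024-01-10T09:20:00", "id": "atk-3", "target": "host-B", "desc": "backdoor beacon"},
]
# Perceived truth: what blue trainees viewed, clicked and said.
TRAINEE_LOG = [
    {"ts": "2024-01-10T09:01:30", "player": "blue-1", "kind": "view", "detail": "opened IDS console"},
    {"ts": "2024-01-10T09:02:10", "player": "blue-1", "kind": "chat", "detail": "scan hitting host-A, investigating"},
    {"ts": "2024-01-10T09:08:00", "player": "blue-2", "kind": "click", "detail": "router-1 interface graph"},
    {"ts": "2024-01-10T09:09:30", "player": "blue-2", "kind": "chat", "detail": "rate-limiting traffic to router-1"},
]
# Ground truth: state reported by the emulated network itself.
NETWORK_STATE_LOG = [
    {"ts": "2024-01-10T09:05:02", "kind": "state", "detail": "router-1 link utilisation 100%"},
    {"ts": "2024-01-10T09:09:40", "kind": "state", "detail": "router-1 link utilisation 35%"},
]


def parse_ts(ts: str) -> datetime:
    """Timestamps are assumed to be ISO 8601 strings in a single time zone."""
    return datetime.fromisoformat(ts)


def build_timeline(*sources):
    """Merge (label, events) pairs into one time-ordered list for AAR playback.

    Each entry is (datetime, source_label, original_event), so a reviewer can
    step through attacks, trainee actions and network state side by side.
    """
    merged = []
    for label, events in sources:
        for ev in events:
            merged.append((parse_ts(ev["ts"]), label, ev))
    merged.sort(key=lambda item: item[0])
    return merged


def time_to_first_response(attack, trainee_events) -> Optional[float]:
    """Seconds from attack launch to the first trainee action naming the target.

    Assumed matching rule: a trainee event counts as a response if it occurs
    at or after the launch and its detail text mentions the attacked target.
    Returns None when no trainee ever referred to the target (a missed attack).
    """
    launched = parse_ts(attack["ts"])
    target = attack["target"].lower()
    candidates = [
        parse_ts(ev["ts"])
        for ev in trainee_events
        if parse_ts(ev["ts"]) >= launched and target in ev["detail"].lower()
    ]
    if not candidates:
        return None
    return (min(candidates) - launched).total_seconds()


def score_response(seconds: Optional[float]) -> int:
    """Assumed scoring bands: faster first response earns more points."""
    if seconds is None:
        return 0          # attack never noticed
    if seconds <= 120:
        return 3
    if seconds <= 300:
        return 2
    return 1


def evaluate(attacks, trainee_events):
    """Per-attack response time and score, keyed by attack id."""
    results = {}
    for attack in attacks:
        seconds = time_to_first_response(attack, trainee_events)
        results[attack["id"]] = {"seconds": seconds, "score": score_response(seconds)}
    return results


if __name__ == "__main__":
    for when, label, ev in build_timeline(
        ("attack", ATTACK_LOG), ("trainee", TRAINEE_LOG), ("network", NETWORK_STATE_LOG)
    ):
        print(f"{when.time()}  {label:8s} {ev.get('player', ''):7s} {ev.get('detail', ev.get('desc'))}")
    for attack_id, result in evaluate(ATTACK_LOG, TRAINEE_LOG).items():
        print(attack_id, result)
```

With the constructed logs, the first attack is answered after 130 seconds, the second after 180 seconds, and the third is never mentioned by any trainee, which is exactly the kind of missed event an After Action Review is meant to surface by placing the ground-truth launch next to the trainees' perceived truth on the same timeline.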
Role players participate in the exercise at friendly or adversary stations, using their own repertoire of real discovery, attack, monitoring, and defense tools. That is, the tools grouped under the thick arrow in Figure 3 can be launched from the role player stations. Adversary players can use real malware and exploits, as well as launch simulated attacks, against the emulated network and the connected live components. The friendly role players try to accomplish their mission while monitoring and defending the network using their actual tools. The trainees are not limited to the Role Player stations; they could also be at a live system such as a C2 station, or participating from another kinetic training simulator.
A gateway permits other training systems to participate in the cyber training exercise using HLA or DIS if desired.
Constructive battlefield simulations can be integrated into the Network Defense Trainer, modeling the behavior of additional friendly and opposing entities. The constructive entities communicate with one another over the emulated network, with the success of these communications being subject to cyber-attack. Compromised communications affect the entities’ situational awareness and behavior, and therefore overall mission outcome.
- Accurate modeling of the network produces high-fidelity responses to cyberspace operations including attacks to the network’s control plane or exploitation of wireless vulnerabilities.
- The ability to mix real equipment, virtual machines, and host models allows the incorporation of existing and future vulnerabilities and their effects on systems.
- Routing real traffic through the emulated network allows integration with deployed live and virtual training systems.
- Real exploitation tools can be used side by side with simulated cyber-attacks in a safe environment.
- Interfaces to constructive simulations allow messages between their entities to be subjected to cyber-attack, affecting entity behavior.
- The system integrates cyberspace and kinetic environments and allows training for the impact of cyberspace operations on overall missions.