UNCLASSIFIED The Nation’s Premier Laboratory for Land Forces Cyber Operations Battlefield.

Presentation transcript:

UNCLASSIFIED The Nation’s Premier Laboratory for Land Forces
Cyber Operations Battlefield Web Services (COBWebS) – Concept for a Tactical Cyber Warfare Effect Training Prototype
2015 Fall SIW, Orlando
Henry Marshall, Science & Technology Manager
Army Research Laboratory (ARL) Human Research and Engineering Directorate (HRED) Simulation and Training Technology Center (STTC) Advanced Simulation Branch

Agenda
– Why Cyber Warfare Training?
– Gap Analysis Participants
– Cyber Warfare Terms
– Introducing COBWebS: Cyber Operations Battlefield Web Service
– COBWebS Overview
– Design Drivers
– Architecture Overview
– Capability Overview
– Example COBWebS Use Cases
– Conclusion and Way Forward

Why Cyber Warfare Training?
Test/Cyber Science and Technology Research Areas (Reference: PEO STRI Science and Technology Gaps for TSIS RFI – Dist. A – 6 May 2015)
S&T Focus Area: Threat Cyber Capabilities
Research Areas:
– Enhance threat Computer Network Operations
– Threat Computer Network Attack & Computer Network Defense
– Remote mission command of multiple cyber platforms
– Modeling & execution of cyber activities
– Virtualization of threat networks
– Threat cyber tools developed as Software as a Service (SaaS)

Why Cyber Warfare Training? (cont’d)
– National Simulation Center (NSC) Futures identified
  – Big Data - Social Media, website into simulations
  – Network Architecture - Cyber Offense/Defense
– The Department of Defense Cyber Strategy (April 2015)
  – One of the tasks outlined is to establish an enterprise-wide cyber modeling and simulation (M&S) capability
– Director of National Intelligence named the cyber threat as the number one strategic threat to the U.S. from , placing it ahead of terrorism for the first time since the 11 September 2001 attacks.
– Joint Publication (JP) 3-12R “Cyberspace Operations”, Army Field Manual (FM) 3-38 “Cyber Electromagnetic Activities (CEMA)”, Army FM 3-36 “Electronic Warfare”
  – Describe cyber operations and the importance of cyber warfare training

Why Cyber Warfare Training?
– The Army Combat Training Centers (CTCs) provide realistic, intensive training for soldiers and commanders of the units being trained.
– In the same measure of adding actors for realism, the emerging necessity for the modern and future battlefield to represent Cyber at CTCs caused the implementation of observer/coach/trainers to realistically implement the Cyber threat for rotating units.
– The U.S. Army Cyber OPFOR has been responsible for emulating national level adversary attacks against U.S. Army Battle Command Systems at the CTCs since as early as
– It is difficult to emulate large-scale cyber attacks without the resources of the modeling and simulation (M&S) community.
– The capability gaps identified at the CTC contribute to the drivers that lead to the development of a non-intrusive M&S capability to support the cyber domain for full spectrum warfighters training.
– Challenge – Cyber Warfare is very Asymmetric and changing
Source: wikipedia.org and other open sources

Gap Analysis Participants
– Training and Doctrine Command (TRADOC)
– TRADOC G-2 Intelligence Support Activity (TRISA)
– Army Capabilities Integration Center (ARCIC)
– Brigade Modernization Command (BMC)
– Program Manager Constructive Simulation (PM ConSim)
– PM Instrumentation, Targets, & Threat Simulators (ITTS)
– Threat Systems Management Office (TSMO)
– National Simulation Center
– Johns Hopkins University
– U.S. Army Signal Center of Excellence (SIGCOE) & Cyber COE
– Army Combat Training Centers (CTCs)

Cyber Warfare Terms
– Cyberspace Operations (CO) are the employment of cyberspace capabilities where the primary purpose is to achieve objectives in or through cyberspace.
– Computer Network Operations (CNO), in concert with Electronic Warfare (EW), are used primarily to disrupt, disable, degrade or deceive an enemy’s command and control, thereby crippling the enemy’s ability to make effective and timely decisions, while simultaneously protecting and preserving friendly command and control.
– Military CNO or CO consists of two main types:
  – Computer Network Attacks (CNA), or Offensive Cyberspace Operations (OCO), include actions taken via computer networks to disrupt, deny, degrade, deceive, or destroy the information within computers and computer networks and/or the computers/networks themselves.
  – Computer Network Defense (CND), or Defensive Cyberspace Operations (DCO), include actions taken via computer networks to protect, monitor, analyze, detect and respond to network attacks, intrusions, disruptions or other unauthorized actions that would compromise or cripple defense information systems and networks.

Cyber Warfare Terms (cont’d)
CNA can be further decomposed into the following types of attacks:
– Denial of Service (DoS), or Distributed DoS (DDoS), is an attempt to make a targeted machine or network resource unavailable to its intended users. DoS is an attempt to disrupt, degrade, deny, or destroy the target computer or network’s ability to send or receive information.
– Information Interception (II) is an attempt to intercept, or eavesdrop, on a targeted machine or network resource to gather information that may be used to the attacker’s advantage.
– Information Forgery (IF) is an attempt to forge (i.e., fake) information sent on behalf of a known entity to a targeted machine or network resource in order to deceive the target’s C2 situational awareness (SA).
– Information Delay (ID) is an attempt to intercept and delay the information sent/received by a targeted machine or network resource in order to deceive and obstruct the target’s C2 SA.
Typically, many of the CNA attack types are carried out concurrently or sequentially to cause the greatest damage to the targets, as illustrated later in the example use cases section.
Source: wikipedia.org and other open sources

COBWebS: Cyber Operations Battlefield Web Service – a prototype to support Cyber Warfare Training
COBWebS Definition
cob-web
1 a : the network spread by a spider b : tangles of the silken threads of a spiderweb usually covered with accumulated dirt and dust
2 : something that entangles, obscures, or confuses
"Cobweb." Merriam-Webster.com. Merriam-Webster, n.d. Web. 27 May

COBWebS Design Drivers
– Develop a loosely coupled software service that models the effects of cyber attacks on blue (friendly) mission command devices.
  – These cyber-attacks include: Denial of Service (DoS), Information Interception (II), Information Forgery (IF), Information Delay (ID)
– Must support the ability to demonstrate the effects of asymmetric cyber attacks on training simulations’ mission command systems.
– Show potential implementation strategy to add the Cyber Battlefield Operating System to current Live, Virtual and Constructive training simulations.
– Support Information Assurance Requirements of Training Simulations.
– Provide a foundational capability that can be used on a wide range of training use cases.

COBWebS Design Drivers
Carefully select technologies used with the goal of picking the best components to build a training system
Architecture:
– Leverage the Mission Command Adapter Web Service (MCA-WS) plug-in from the LVC Integrating Architecture (LVC-IA) program to simulate the effects of cyber attacks on mission command devices.
– Utilize the Ozone Widget Framework (OWF), currently used in Command Web Command Post Computing Environment (CPCE), to provide users with a common map interface.

COBWebS Architecture Overview
The Computer Network Attack Service provides the capability for “Spyders” to get into the COBWebS and attack inbound and outbound data to and from the mission command devices. The types of attack capabilities are:
– Directed Denial of Service
– Information Delay
– Information Forgery
– Information Interception
[Architecture diagram. Labels shown: Simulation Client; Simulation Network (DIS, HLA, etc.); Mission Command Adapter Web Service (Config, Tools, Message, Client); COBWebS CNA; Command Web; Test Driver Interface; Tactical Network (JVMF, TADILJ, USMTF, FDL, etc.); FBCB2; AFATDS; DCGS-A; AMDWS. Legend: Simple Object Access Protocol (SOAP); c = Web service – client side; s = Web service – server side. Note: URNs are fictional.]
GAP CRITERIA CHECKLIST
– Remote mission command of multiple cyber offensive and defensive platforms
– Modeling and execution of offensive and defensive cyber activities providing force multiplier effects
– Virtualization of offensive/threat and defensive networks
– Offensive and defensive cyber tools developed as software services available in secure cloud environments

COBWebS Capabilities
– Provide the ability for trainer to incorporate cyber warfare elements into their exercises to meet training objectives
  – Train the trainees to recognize symptoms of cyber attacks
  – Develop contingencies, based on what has been compromised
  – Develop workarounds, response, recovery plans. Alternative Courses of Action (COAs)
– Help develop cyber doctrine based on detecting, responding, and recovery to a cyber attack.
– Provides an Information Assurance (IA) safe environment without corrupting the network infrastructure
  – Typical in cyber range exercises
  – Can be integrated with cyber test ranges
– Software solution only – no special hardware required

Example COBWebS Use Cases
Individual COBWebS CNA capabilities can be used in training use cases, or they can be combined to provide a more realistic scenario. The following example combines different COBWebS CNA capabilities to simulate more realistic cyber-attacks.
This is an example “Man-in-the-Loop” use case of a Red cyber-attacker using the COBWebS’s II, DoS, ID, and IF services to deceive and disrupt Blue units’ SA while launching an ambush to destroy the Blue units.
1. Red cyber-attacker uses II to intercept, discover, and gain knowledge of the Blue entities’ ground truth.
2. Red cyber-attacker uses DoS to deny Blue units’ C2 communication so their position reports and observation reports are blocked.
3. Red cyber-attacker uses ID to delay critical Blue C2 communication.
4. Red assault units move in and destroy the Blue units.
5. Red cyber-attacker uses IF to send fake C2 communication on behalf of Blue units as if everything is fine.
6. Once the Red assault units have moved out of the area, Red cyber-attacker stops the IF messages.

Example COBWebS Use Cases (cont’d)
RED force uses COBWebS to discover, deceive, disrupt, and destroy BLUE force
[Figure labels:]
– Ground Truth simulated by Constructive Simulation
– Perceived Truth as seen on MC systems as a result of cyber attacks
– Forged BLUFOR locations
– Observation Reports (ObsRpts) sent by BLUFOR were denied thus not reflected
– BLUFOR killed
Note: Units and graphics are fictional
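An after-action check that compares ground truth with perceived truth and labels each discrepancy with the effect type from the Cyber Warfare Terms slide, as an added example that is not part of the presentation or of COBWebS. The report fields, unit names and the 10-second latency threshold are assumptions; Information Interception is left out because a passive copy leaves no trace in either stream.

```python
from collections import namedtuple

# Hypothetical report records (not a COBWebS or JVMF format).
Sent = namedtuple("Sent", "unit seq t pos")   # emitted by the simulation: ground truth
Seen = namedtuple("Seen", "unit seq t pos")   # shown on the mission command system

MAX_LATENCY_S = 10  # assumed exercise threshold for "delayed"

def classify(sent, seen, max_latency=MAX_LATENCY_S):
    """Return {(unit, seq): label} for each report that deviates from ground truth.

    DoS = sent but never displayed, ID = displayed later than max_latency,
    IF  = displayed with no matching ground-truth report or with altered content.
    """
    truth = {(s.unit, s.seq): s for s in sent}
    findings, delivered = {}, set()
    for r in seen:
        key = (r.unit, r.seq)
        src = truth.get(key)
        if src is None or src.pos != r.pos:
            findings[key] = "IF"
        elif r.t - src.t > max_latency:
            findings[key] = "ID"
        if src is not None:
            delivered.add(key)
    for key in truth:
        if key not in delivered:
            findings[key] = "DoS"
    return findings

def symptoms_by_unit(sent, seen, max_latency=MAX_LATENCY_S):
    """Group findings per unit so a trainer can see which units were affected and how."""
    per_unit = {}
    for (unit, _seq), label in classify(sent, seen, max_latency).items():
        per_unit.setdefault(unit, set()).add(label)
    return {unit: sorted(labels) for unit, labels in per_unit.items()}

# Constructed sample data: position reports every 30 s from three fictional units.
SENT = [
    Sent("BLUE-1", 1, 0, (10, 10)), Sent("BLUE-1", 2, 30, (11, 10)),
    Sent("BLUE-1", 3, 60, (12, 10)),
    Sent("BLUE-2", 1, 0, (20, 20)), Sent("BLUE-2", 2, 30, (20, 21)),
    Sent("BLUE-3", 1, 0, (30, 30)), Sent("BLUE-3", 2, 30, (31, 30)),
]
SEEN = [
    Seen("BLUE-1", 1, 1, (10, 10)),    # normal
    # BLUE-1 seq 2 never arrives
    Seen("BLUE-1", 3, 61, (10, 10)),   # arrives on time but with a stale position
    Seen("BLUE-2", 1, 2, (20, 20)),    # normal
    Seen("BLUE-2", 2, 75, (20, 21)),   # 45 s after it was sent
    Seen("BLUE-3", 1, 1, (30, 30)), Seen("BLUE-3", 2, 31, (31, 30)),
]

if __name__ == "__main__":
    for unit, labels in sorted(symptoms_by_unit(SENT, SEEN).items()):
        print(unit, labels)
```

Only the exercise controller can run this comparison, since trainees see the perceived stream alone; for them the visible symptoms are missing sequence numbers, stale timestamps and positions that stop changing.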

Conclusion and Way Forward
– Cyberspace is a domain that lacks the necessary M&S tools to properly evaluate, experiment, and train the warfighter to recognize and utilize cyber operations as a part of the mission
– The initial phase of COBWebS allows training managers to incorporate CNA/OCO injection into their training exercises so that the trainees can recognize cyber-attacks and make decisions accordingly
– There are, however, other user identified gaps and limitations that remain to be addressed, possibly in future COBWebS releases. These gaps include:
  – Simulate CNA effects on in-bound C2 communication, i.e., from MCS to simulation clients
  – Simulate CNA effects on C2 communication between live entities/C2 devices, i.e., live to live
  – Simulate proactive and reactive CND measures after the realization of being cyber-attacked.
  – Incorporate cyber data exchange models as they mature
– We plan COBWebS to transition to a Program of Record, e.g., OneSAF

Authors
– Henry Marshall, Army Research Laboratory (ARL) Human Research and Engineering Directorate (HRED) Simulation and Training Technology Center (STTC), Orlando, Florida
– Robert Wells, Dynamic Animation Systems, Inc., Orlando, Florida
– Jeff Truong, Effective Applications Corporation, Orlando, Florida
– MAJ. Jerry R. Mize, Army Research Laboratory (ARL) Human Research and Engineering Directorate (HRED) Simulation and Training Technology Center (STTC), Orlando, Florida
– CPT. Michael Hooper, U.S. Army Cyber Command (ARCYBER), Fort Meade, Maryland
Questions?