
Page 1

Simulation-Based Cyber Wargaming

Georgia Tech Cyber Lecture Series

Ambrose Kam (Cyber Fellow)

Lockheed Martin

Sept 27 2019

Copyright © 2019 Lockheed Martin Corporation

Unclassified. Distribution A

Page 2

Contact Information

• Name: Ambrose Kam

• Company: Lockheed Martin

• Telephone: 609-326-5086

• Email: [email protected]


Page 3

Ambrose Kam

• Over 25 yrs in Modeling & Simulation (M&S) and Operations Analysis (OA) with broad expertise in communications, networking, mission planning, renewable energy, radar, electronic warfare, cyber, etc.

• Pioneer in applying M&S and OA techniques to cyber risk analysis and cyber resiliency assessment

• MIT Fellow in Systems Design & Management since 2002

• 2017 Asian American Engineer of the Year (AAEOY) Award

• Published over 40 research papers on a variety of subjects; guest lecturer @ MIT, Georgia Tech; principal investigator on research projects with leading universities and military service academies (USAFA, USMA, USNA, NPS, etc.)

• MEng in Mechanical Engineering from Cornell; Double Master’s Degree from MIT (Systems Engineering & Management).


Page 4

Why Wargaming?

DoD Reinvigorates Wargaming (Apr 5, 2016): Over the past year, at least four directives from the highest levels of the Department of Defense (DoD) and the services, including a February 2015 memo from Deputy Secretary of Defense Robert Work, called for more wargaming.

(April 5, 2016) The Pentagon requested more than $55 million for wargaming for fiscal 2017, and more than $525 million over the five-year Future Years Defense Program spending plan. … Cyber is of particular concern. Cloaked in secrecy, cyberwarfare is difficult to incorporate into wargames. But not including it jeopardizes the validity of games that attempt to simulate conflicts against opponents who will certainly use cyberweapons against U.S. forces.

As cyber attacks become more sophisticated, modeling and testing strategies for both offensive and defensive operations is essential for U.S. military planners.

Source: https://www.govtechworks.com/the-return-of-wargaming-how-dod-aims-to-re-imagine-warfare/#gs.BejQRHo


Page 5

What is a Wargame?

Adapted from Ministry of Defence Wargaming Handbook, 2017, pg 10

A wargame is a representation of an aspect of a real or fictitious conflict, in accordance with pre-defined rules, data and operational procedure, to provide decision-making experience or decision-making information that is applicable to real-world situations.

Page 6

Wargaming Process

• Problem Statement

• Design

• Development

• Testing

• Rehearsal

• Execution

• Analysis/Archive

Lockheed Martin Image

Page 7

Benefits

• Explore options and take risks without risking lives

• Cost effective way to practice command, exercise staff procedures

• Explore innovations in the art of war

• Discover new factors and questions not identified before


Page 8

Cyber Wargaming in the Commercial Sector

Source: https://www2.deloitte.com/us/en/pages/risk/articles/cyber-risk-services-cyber-war-gaming.html

Source: https://home.kpmg/sg/en/home/services/cyber-confidence/cyber-education/cyber-war-gaming.html

Page 9

Wargaming Challenges

• Repeatability

• Qualitative

• Adjudication

• Not Predictive

• Only as good as the participants

? (Insights)

Page 10

Digitizing the Traditional Wargame

Lockheed Martin Image: https://www.lockheedmartin.com/en-us/news/features/2016/webt-navy-area-51.html

• Operator-in-the-Loop

• Real-Time

• Simulation-Based Adjudication

Page 11

What is Cyber Attack Network Simulation (CANS)?

CANS models cyber events and their impacts to a system

Simulated Attackers Network Simulated Target Network

The Cyber Attack Network Simulator (CANS) is a discrete event simulation that allows analysts to study the effect of various cyber events against a model of a planned or operational network system.

CANS Framework

Simulation Engine

Performance Metrics

Lockheed Martin Image

Page 12

CANS (Simulated) Network Model

• Network Configuration

• Sim Configuration

• CAPEC

• NVD

Cyber Attack Launchers (CAL)

Network Visualizers

CANS is a highly-scalable and extensible simulator

CANS Architecture

External Clients: Simulators/Visualizers (optional)

Lockheed Martin Image


Page 13

Cyber Wargaming: A Madden Football Analogy

Madden Football Video Game

Offensive Playbook

Defensive Playbook

Lockheed Martin Image


Page 14

“Offensive” Playbook

Offensive Playbook

Cyber Kill Chain

CAPEC / NVD

Leverages Govt & Industry Resources for Wide Spectrum of Attack Behaviors


Threat Class: Description

Abuse of Functionality (AoF): An attacker manipulates one or more functions of an application in order to perform an attack. This is a broad class of attacks wherein the attacker is able to alter the intended result or purpose of the functionality and thereby affect application behavior or information integrity. Outcomes can range from vandalism and reduction in service to the execution of arbitrary code on the target machine.

Alter System Components (ASC): Attack patterns within this category focus on alteration or manipulation of the components in a system in an attempt to achieve a desired negative technical impact.

Analyze Target (AT): Attack patterns within this category focus on the analysis of a target system, protocol, message, or application in order to overcome protections on the target or as a precursor to other attacks. Analysis can involve dissection of an application, analysis of message patterns, formal analysis of protocols, or other methods. The outcome of these attacks can be disclosure of sensitive information or disclosure of a security configuration that leads to further attacks targeted to discover weaknesses.

Deceptive Intervention (DI): Attack patterns within this category focus on malicious interactions with a target in an attempt to deceive the target and convince the target that it is interacting with some other principal and, as such, take actions based on the level of trust that exists between the target and the other principal. These types of attacks assume that some piece of content or functionality is trusted by the target because of this association. Often identified by the term "spoofing", these types of attacks rely on the falsification of the content and/or identity in such a way that the target will incorrectly trust the legitimacy of the content. For example, an attacker may modify a financial transaction between two parties so that the participants remain unchanged but the amount of the transaction is increased. If the recipient cannot detect the change, they may incorrectly assume the modified message originated with the original sender. Attacks of this type may involve an adversary crafting the content from scratch or capturing and modifying legitimate content.

Deplete Resources (DR): An attacker depletes a resource to the point that the target's functionality is affected. Virtually any resource necessary for the target's operation can be targeted in this attack. The result of a successful deplete resources attack is usually the degradation or denial of one or more services offered by the target. The more protected the resource and the greater the quantity of it that must be consumed, the more resources the attacker will need to have at their disposal.

Sample CVEs Extracted from NIST National Vulnerability Database

Sample Attack Patterns Extracted from CAPEC

Lockheed Martin Image

Page 15

“Defensive” Playbook

Defensive Playbook

Cyber Survivability Attributes (CSA)

NIST SP 800-160 Vol2

NIST SP 800-53 R5


Examining Cyber Resiliency & Survivability through Realistic Wargaming

NIST 800-53 Controls

Cyber Resiliency Techniques (NIST 800-160 Vol 2):

• Adaptive Response

• Analytic Monitoring

• Deception

• Diversity

• Dynamic Positioning

• Non-Persistence

• Privilege Restrictions

• Segmentation

• Coordinated Protection

• Contextual Awareness

• Realignment

• Redundancy

• Substantiated Integrity

• Unpredictability

Cyber Survivability Attributes (CSA)

Lockheed Martin Image

Page 16

Cyber Wargame Designer


Lockheed Martin Image

Page 17

What is AFSIM?

• Advanced Framework for Simulation, Integration & Modeling

• Government Owned object-oriented C++ library

• Discrete Event Simulation

• Can run at, faster than, or slower than real time

• Can be Human-in-the-loop

The intent of AFSIM is not to provide all-encompassing models, but rather to provide the framework for incorporating the necessary models*

*from AFRL


Page 18

Modeling the Cyber “5D” Effects as Defined in JP 3-12


Page 19

Page 20

Modeled Cyber Effect Examples

| Cyber Effect | 5D Effect Type | Results |
| --- | --- | --- |
| Comm Link Shutdown | Disruption / Denial | Denial of Service: loss of ability to send/receive messages (e.g. target tracks, commands); launchers lose the ability to receive engagement commands |
| Track Spoofing | Disruption / Deception | Manipulate track information: add additional error to elevation data (reduce values by 1 km); blue missiles miss red targets |
| Track Spoofing | Deception / Disruption | Manipulate track information: add additional error to lat & long data (reduce values by 0.02 degree); blue missiles miss |
| IFF Spoofing | Deception / Disruption | Manipulate track information: change “Foe” to “Friendly” in the track database; red targets won’t get engaged (fratricide firing doctrine) |

CANS Details on How Cyber Effects can be Achieved
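The effects in the table above can be reproduced in a small discrete-event model that tallies the same counts the later Sample Metrics slides report. This is an added example, not CANS or AFSIM code: the 1 km and 0.02 degree deltas and the Foe-to-Friendly change come from the table, while the Track fields, the assessment interval, link delay, flight time and the hit tolerances are assumptions.

```python
import heapq
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Track:
    track_id: int
    lat: float
    lon: float
    alt_km: float
    iff: str = "Foe"  # what the blue track database says about the contact

# The slide's track-manipulation effects, applied to the copy the commander sees.
def elevation_spoof(t: Track) -> Track:
    return replace(t, alt_km=t.alt_km - 1.0)  # reduce elevation by 1 km

def latlon_spoof(t: Track) -> Track:
    return replace(t, lat=t.lat - 0.02, lon=t.lon - 0.02)  # reduce lat & long by 0.02 deg

def iff_spoof(t: Track) -> Track:
    return replace(t, iff="Friendly")  # "Foe" becomes "Friendly" in the track database

def weapon_hits(truth: Track, aimpoint: Track) -> bool:
    # Assumed guidance tolerances: 100 m in altitude, 0.005 deg in lat/long.
    return (abs(truth.alt_km - aimpoint.alt_km) < 0.1
            and abs(truth.lat - aimpoint.lat) < 0.005
            and abs(truth.lon - aimpoint.lon) < 0.005)

def run(truth_tracks, spoof=None, comm_down_at=None,
        interval=10.0, link_delay=1.0, flight_time=5.0):
    """One engagement; returns the counts the Sample Metrics slides tally.
    spoof: effect applied to the track copy the commander sees (None = baseline).
    comm_down_at: sim time after which engagement commands no longer reach the
    launcher, i.e. the Comm Link Shutdown effect."""
    metrics = {"fired": 0, "hit": 0, "missed": 0, "not_engaged": 0}
    # Event queue entries: (time, seq, kind, (truth_track, seen_track)).
    events = [(i * interval, i, "assess", (t, None)) for i, t in enumerate(truth_tracks)]
    heapq.heapify(events)
    seq = len(events)  # unique tie-breaker so events never compare on payload
    while events:
        now, _, kind, (truth, seen) = heapq.heappop(events)
        seq += 1
        if kind == "assess":  # commander reads the (possibly spoofed) track database
            seen = spoof(truth) if spoof else truth
            if seen.iff != "Foe":  # firing doctrine: never engage a friendly track
                metrics["not_engaged"] += 1
                continue
            heapq.heappush(events, (now + link_delay, seq, "command", (truth, seen)))
        elif kind == "command":  # engagement command arrives at the launcher
            if comm_down_at is not None and now >= comm_down_at:
                metrics["not_engaged"] += 1  # link is down: command never received
                continue
            metrics["fired"] += 1
            heapq.heappush(events, (now + flight_time, seq, "impact", (truth, seen)))
        elif kind == "impact":  # weapon flew to the aimpoint taken from the seen track
            metrics["hit" if weapon_hits(truth, seen) else "missed"] += 1
    return metrics

# Constructed sample red tracks; the values are illustrative only.
RED_TRACKS = [Track(1, 35.10, 128.40, 8.0), Track(2, 35.30, 128.60, 9.5),
              Track(3, 35.55, 128.85, 7.2)]
```

run(RED_TRACKS) is the baseline; run(RED_TRACKS, comm_down_at=15.0) reproduces the first table row and the three spoof functions the other rows.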


Page 21

CANS/AFSIM Software Architecture

Blue Team | Red Team

AFSIM/Warlock

Lockheed Martin Image


Page 22

AFSIM Warlock Operator Interface

Courtesy of IST

Blue Cell Player

Distributed Operator Stations

Courtesy of IST

Lockheed Martin Image

CANS/AFSIM DIS


Page 23

AFSIM (Warlock)

• Role of Warlock

  • Provides an operator interface to play out the scenario

  • Real-Time engagements and decision-making support

  • Task Assignment & Task Status Displays

  • Custom panels to reflect operators’ roles

  • Mimic SAM/Ship C2 Commander / TAO / EW officers

• Ability to “hook” a target and initiate kinetic or non-kinetic responses

  • Tactical responses (kinetic): Launcher selection, weapon/target pairing

  • Determine when and what the EW responses should be (non-kinetic)

Lockheed Martin Image

Page 24

Sample Scenario

• Unclassified scenario to illustrate this CANS/AFSIM (Warlock) CONOPS

• Multi-Player Operator-in-the-Loop (cyber only or multi-domain)

• Red vs Blue Wargaming Scenario

  • White Cells are observers (might provide scenario injects)

  • Operators to provide real-time responses

• Cyber attack vectors are derived from govt validated sources

  • Common Attack Pattern Enumeration and Classification (CAPEC) (unclassified)

Page 25

Sample Scenario (Effects of Cyber)


Page 26

Sample Metrics

[Chart: Blue Engagements and Red Engagements, Baseline vs. Comms Cyber Attack. Series: Sum of Weapon Fired; Sum of Weapon Hit and Target Kill; Sum of Weapon Hit and Target Damaged; Sum of Weapon Missed Target]

• In this example, a CANS player acting as a cyber attacker targeted and shut down communication on the IADS Commander

• This resulted in:

  • Blue destroying XX more Red Targets

  • Red destroying YY fewer Blue Assets

  • Red launching fewer defensive weapons

Lockheed Martin Image

Page 27

Sample Metrics

[Chart: Blue Engagements and Red Engagements, Baseline (without RGPO) vs. with RGPO. Series: Sum of Weapon Fired; Sum of Weapon Hit and Target Kill; Sum of Weapon Hit and Target Damage; Sum of Weapon Missed Target]

In this example, all four (4) blue bombers countered the Red IADS with EW countermeasures upon approach.

This resulted in:

• Red firing more SAMs, expending inventory

• Red missing more targets, wasting inventory

• Blue bombers remaining in the engagement zone longer

Chart annotations: Red Fired More; Red Missed More

Page 28

Conclusion

• CANS/AFSIM Multi-Domain Wargaming Framework

  • Low Cost, Real-Time, Operator-in-the-Loop Wargaming Engine

  • Flexible scenario implementations to expose operational & capability gaps

  • Experiment with new Tactics, Techniques and Procedures (TTP)

  • Large variety of EW/Cyber exploits (offensive/defensive)

• Future Work

  • UCI messaging to bring in tactical systems

  • Mission planning tool integration

  • Artificial Intelligence, machine learning and battle management optimization

Page 29

Questions?


Page 30
Page 31


DIS Interface (UDP Socket)

CANS <-> External Simulators (e.g. SENSIS, AFSIM)

• Health and Status Messages

• DIS Entity State PDUs or similar format

Distributed Interactive Simulation (DIS) is an IEEE 1278 standard for simulation interoperability.

Lockheed Martin Image


Page 32

AFSIM DIS Interface Sequence Diagram

Participants: DIS Input Stream, DIS PDU Factory, WSF DIS App, AFSIM Internal Simulation Data

• Receive PDU (DIS Input Stream)

• Parse PDU Header

• Identify PDU Type

• Create WSF DIS PDU Object as defined by PDU Type (DIS PDU Factory)

• Process WSF DIS PDU (WSF DIS App)

• Entity Object tagged by WSF DIS PDU (AFSIM Internal Simulation Data)
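The receive, parse-header, identify-type and create-object steps of the sequence diagram, as an added example in Python rather than AFSIM's own C++ (the PduHeader, EntityStatePdu and pdu_factory names are assumptions; the header and Entity State field layout follow IEEE 1278.1). The length check in parse_header is the part that matters to a defender: the datagram arrives over a UDP socket, so the declared length is checked against what was actually received before any field is read.

```python
import struct
from dataclasses import dataclass

# IEEE 1278.1 PDU header: version, exercise id, PDU type, protocol family,
# timestamp, length, padding; 12 bytes in network (big-endian) byte order.
HEADER_FMT = ">BBBBIHH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12
ENTITY_STATE = 1                          # PDU type value for Entity State
ENTITY_STATE_LEN = 144                    # fixed part, no articulation parameters

@dataclass
class PduHeader:
    version: int
    exercise_id: int
    pdu_type: int
    family: int
    timestamp: int
    length: int

@dataclass
class EntityStatePdu:
    header: PduHeader
    site: int
    app: int
    entity: int
    force_id: int
    location: tuple  # geocentric x, y, z in metres

def parse_header(buf: bytes) -> PduHeader:
    """Parse PDU Header: the datagram is untrusted input, so the declared
    length is checked against the bytes that actually arrived."""
    if len(buf) < HEADER_LEN:
        raise ValueError("datagram shorter than a PDU header")
    ver, ex, ptype, fam, ts, length, _pad = struct.unpack_from(HEADER_FMT, buf, 0)
    if length < HEADER_LEN or length > len(buf):
        raise ValueError(f"declared length {length} inconsistent with {len(buf)} bytes")
    return PduHeader(ver, ex, ptype, fam, ts, length)

def parse_entity_state(hdr: PduHeader, buf: bytes) -> EntityStatePdu:
    """Create the object for PDU type 1; field offsets follow IEEE 1278.1."""
    if hdr.length < ENTITY_STATE_LEN:
        raise ValueError("Entity State PDU shorter than its fixed part")
    site, app, ent, force = struct.unpack_from(">HHHB", buf, HEADER_LEN)  # entity id, force id
    x, y, z = struct.unpack_from(">ddd", buf, 48)  # location: after entity types and velocity
    return EntityStatePdu(hdr, site, app, ent, force, (x, y, z))

# Identify PDU Type: the factory table maps a type value to its constructor.
PDU_FACTORY = {ENTITY_STATE: parse_entity_state}

def pdu_factory(buf: bytes):
    """Receive PDU -> Parse PDU Header -> Identify PDU Type -> Create PDU object.
    Returns None for a type this factory does not model."""
    hdr = parse_header(buf)
    builder = PDU_FACTORY.get(hdr.pdu_type)
    return builder(hdr, buf) if builder else None

def build_entity_state(site, app, entity, force_id, location, exercise_id=1):
    """Constructed sample Entity State PDU for testing; unused fields are zeroed."""
    body = struct.pack(">HHHB", site, app, entity, force_id) + b"\x00" * 29  # pad to offset 48
    body += struct.pack(">ddd", *location) + b"\x00" * (ENTITY_STATE_LEN - 72)
    header = struct.pack(HEADER_FMT, 6, exercise_id, ENTITY_STATE, 1, 0, ENTITY_STATE_LEN, 0)
    return header + body
```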

Lockheed Martin Image
