Attack Graph Simulation Approach to Cyber Defense Training
From MilcordWiki
Overview
With the alarming escalation in the volume and sophistication of network attacks, the training of professionals who design, operate, maintain, and protect the networks becomes increasingly urgent. RealContext is our cyber defense training solution based on an attack graph simulation. Attack graphs depict ways in which an adversary can exploit vulnerabilities to break into a system.
Need
With the increasing sophistication of the attacker profile, the training of security personnel is essential to the protection of DoD infrastructure and mission-critical information assets. DIAP (Defense-wide Information Assurance Program) notes that the issues associated with combating this challenge include the uncertain size (150,000) of the professional CNDO (Computer Network Defensive Operations) staff, the costs of certification and testing, the quality of instructor knowledge and the currency of curricula in training and education, the lack of training exercises, and the unknown effectiveness of training and education programs on user behavior and security posture.
Approach
In the vulnerability assessment area, attack graphs provide a structured graphical model of the ways in which a system can be compromised. By using network-topology-based attack graph simulations that are synced with a vulnerability dictionary, students are able to understand the ways in which computer networks can be compromised, determine the likelihood and impact of these attacks, and decide what action to take where the risks are unacceptable.
RealContext - built on the Skybox Security attack graph simulation platform - captures attackers’ techniques and multi-stage decision processes to develop a vulnerability assessment picture for the student. Our approach displays the domain expert’s decisions both visually as attack maps and textually as reports to guide students towards achieving the same. Our research demonstrates the feasibility of an attack graph simulation approach to cyber defense training by developing student, teacher, and curriculum models. The figures show the use of the attack graph simulation platform within the intelligent tutoring system shell:
What is the source of the highest risk attack on the Personnel Badge System?
- a. Worm-Blaster
- b. Compromised Notebook
- c. Foreign Adversary
- d. Tainted Desktop
Answer: B (Compromised Notebook). Level: Medium. Keyword: Risk Analysis.
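As an added example (not code from RealContext or the Skybox platform), the following Python sketch shows the risk analysis the Approach section describes: hosts carry vulnerabilities looked up in a small vulnerability dictionary, topology edges define reachability, and each attack source is ranked by the likelihood of its most probable path to the target asset multiplied by that asset's impact. All host names, vulnerability ids, probabilities and impact values are constructed placeholders, not the scenario behind the quiz question above.

```python
# Constructed vulnerability dictionary: id -> probability an exploit attempt succeeds.
VULN_DICT = {"VULN-A": 0.8, "VULN-B": 0.5, "VULN-C": 0.3}

# Constructed host inventory: host -> vulnerabilities exposed on it.
HOST_VULNS = {"web": ["VULN-A"], "file": ["VULN-B"], "badge": ["VULN-C"]}

# Constructed topology: which hosts each node may reach (firewall-permitted flows).
REACH = {
    "internet": ["web"],
    "partner_net": ["file", "badge"],
    "web": ["file"],
    "file": ["badge"],
}

# Constructed impact (loss) if the asset is compromised.
IMPACT = {"badge": 100}


def step_probability(host):
    # Chance of compromising a host given reachability: 1 - prod(1 - p) over its vulns.
    p_fail = 1.0
    for vuln in HOST_VULNS.get(host, []):
        p_fail *= 1.0 - VULN_DICT[vuln]
    return 1.0 - p_fail


def attack_paths(source, target):
    # Depth-first enumeration of simple paths; each path carries its success probability.
    paths = []

    def dfs(node, path, prob):
        if node == target:
            paths.append((path, prob))
            return
        for nxt in REACH.get(node, []):
            if nxt not in path:  # simple paths only: never revisit a host
                dfs(nxt, path + [nxt], prob * step_probability(nxt))

    dfs(source, [source], 1.0)
    return paths


def risk_by_source(target, sources):
    # Risk per source = probability of its most likely path * asset impact, highest first.
    ranking = {}
    for src in sources:
        best = max((p for _, p in attack_paths(src, target)), default=0.0)
        ranking[src] = round(best * IMPACT[target], 2)
    return dict(sorted(ranking.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    print(risk_by_source("badge", ["internet", "partner_net"]))
```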
Benefits
In contrast to synthetic simulation authoring environments, which generate shallow models, RealContext focuses on leveraging the COTS modeling and simulation tools that the students will use in an operational setting after training, thus coming closer to the vision of learning by doing with retention rates of about 80%. In addition, our application addresses a gap in security training courseware – information assurance security risk management.
Applications
Our product serves Federal agencies that need to respond to the training compliance challenges of FISMA and DoD Directive 8570.1.
References
- Caglayan, A., Thompson, P., and Bratus, S. A Graph Attack Simulation Approach to Vulnerability Management. IATAC IAnewsletter, Vol. 6, No. 4, Spring 2004.
- Caglayan, A., Hewlett, R., Taylor, H., and Lyle, M. (2006) A Real Context Simulation Approach to Cyber Defense Training. Technical Report, DTIC AD Number ADB324372, Milcord LLC, Waltham, MA, Jan. 2006.