Attack Graph Simulation Approach to Cyber Defense Training

From MilcordWiki


Overview

RealContext is our cyber defense training solution based on an attack graph simulation. With the alarming escalation in the volume, sophistication, and destruction of network attacks, the training of professionals who design, operate, maintain, and protect the networks becomes increasingly urgent.

Need

With increasing levels of vulnerabilities, exploits, worms, viruses, and the increasing sophistication of the attacker profile, the training of security personnel is essential in the protection of DoD infrastructure and mission critical information assets. DIAP (Defense-wide Information Assurance Program) notes some of the implications of implementing 8570: the uncertain size (150,000) of the professional CNDO (Computer Network Defensive Operations), the costs of certification and testing, the quality of instructor knowledge and curriculum currency in training and education, the lack of training exercises, and the unknown effectiveness of training and education programs on user behavior and security posture.

Approach

Figure: Attack Graph Simulation Analysis
Figure: Intelligent Tutoring System

In the vulnerability assessment area, attack graphs provide a structured graphical model of the ways in which a system may be compromised. By using attack graph simulations that are based on the network topology and synchronized with a vulnerability dictionary, students will be able to understand the ways in which computer networks will be attacked, determine the likelihood and impact of these attacks, and decide what action to take where the risks are unacceptable.

RealContext - built on the Skybox Security attack graph simulation platform - captures attackers’ techniques and multi-stage decision processes to develop a vulnerability assessment picture for the student. Our approach displays the domain expert’s decisions both visually as attack maps and textually as reports to guide students towards achieving the same. Our research demonstrates the feasibility of an attack graph simulation approach to cyber defense training by developing student, teacher and curriculum models. The figures show the use of the attack graph simulation platform within the intelligent tutoring system shell:

What is the source of the highest risk attack on the Personnel Badge System?

  • a. Worm-Blaster
  • b. Compromised Notebook
  • c. Foreign Adversary
  • d. Tainted Desktop

Answer: B (Compromised Notebook)
Level: Medium
Keyword: Risk Analysis
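The kind of analysis behind the sample question above, as an added example that is not part of RealContext or the Skybox platform: it ranks the four threat sources by the risk they pose to the Personnel Badge System in a small attack graph. The topology, the per-step success probabilities, the impact value and the scoring rule (probability of the most likely path multiplied by impact) are all constructed assumptions, chosen so the ranking agrees with the stated answer.

```python
import heapq
import math

# Constructed sample model (not from RealContext or Skybox): each edge is one
# exploit step with an assumed probability that the step succeeds.
EDGES = {
    "Worm-Blaster":         [("DMZ Web Server", 0.30)],
    "Foreign Adversary":    [("DMZ Web Server", 0.20), ("VPN Gateway", 0.10)],
    "Compromised Notebook": [("Office LAN", 0.90)],
    "Tainted Desktop":      [("Office LAN", 0.60)],
    "DMZ Web Server":       [("App Server", 0.40)],
    "VPN Gateway":          [("Office LAN", 0.50)],
    "Office LAN":           [("App Server", 0.50), ("Personnel Badge System", 0.70)],
    "App Server":           [("Personnel Badge System", 0.60)],
}
SOURCES = ["Worm-Blaster", "Compromised Notebook", "Foreign Adversary", "Tainted Desktop"]
IMPACT = {"Personnel Badge System": 8}  # assumed business impact on a 0-10 scale


def most_likely_path(source, target):
    """Dijkstra over -log(p): the cheapest path is the most probable one."""
    best = {source: 0.0}
    heap = [(0.0, source, [source])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == target:
            return math.exp(-cost), path
        if cost > best.get(node, math.inf):
            continue  # stale heap entry, a better route was already found
        for nxt, p in EDGES.get(node, []):
            new_cost = cost - math.log(p)
            if new_cost < best.get(nxt, math.inf):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt, path + [nxt]))
    return 0.0, []  # target unreachable from this source


def rank_sources(target):
    """Return (risk, source, path) tuples, highest risk first."""
    rows = []
    for src in SOURCES:
        likelihood, path = most_likely_path(src, target)
        rows.append((round(likelihood * IMPACT[target], 3), src, path))
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    for risk, src, path in rank_sources("Personnel Badge System"):
        print(f"{risk:6.3f}  {src:22s} {' -> '.join(path)}")
```

In this constructed model the internal sources outrank the external ones because they reach the target in fewer exploit steps; lowering the assumed probability on the Office LAN to Personnel Badge System edge (for example, by segmenting that link) reduces the risk from both at once.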

Benefits

In contrast to synthetic simulation authoring environments, which generate shallow models, RealContext focuses on leveraging the COTS modeling and simulation tools that the students will use in an operational setting after training, thus coming closer to the vision of learning by doing with retention rates of about 80%. In addition, our application addresses a gap in security training courseware – information assurance security risk management.

Applications

Our product will serve Federal agencies that need to respond to the training compliance challenges of FISMA and DoD Directive 8570.1. Educational institutions serving the information assurance training market in the government and commercial sectors will be the early adopters of our technology. Another target segment would be the system integrators that provide training and assessment in the information assurance training market.
