Building a Better 'Cyber Range'

21 Mar 2012

Virtual cyber ranges for cyber-warfare training can be found everywhere from government agencies to private industry. Increasingly, military and industry are joining forces to construct ever-more sophisticated training environments to enhance the ability of cyber warriors to battle real cyber attacks.

As part of our weekly focus on digital and strategic games in international relations and security, today we revisit an ISN Insights classic. Building on Jody Ray Bennett’s discussion yesterday of how virtual technologies – such as video games – are being used to prepare soldiers for real world battlefields, Peter Buxbaum reports on the use of sophisticated virtual environments – called cyber-ranges – to train ‘cyber-warriors’ for possible cyber-attacks.

Warfighters endure a battery of training and exercise experiences before being deployed to face an enemy. They are provided the opportunity to demonstrate and improve their combat skills, participate in exercises, and familiarize themselves with weapons, information and communications systems.

The same holds true for cyber warriors and network defenders. They require a digital environment in which to train, evaluate and develop offensive and defensive capabilities. They also wish to simulate attacks to assess information assurance capabilities and to measure incident response procedures.

'Cyber ranges' are the virtual environments that have been created for cyber-warfare training and exercises. These constructs provide tools for strengthening the security, stability and performance of vital government, military and intelligence cyber infrastructures. But scaling up these virtual environments to an appropriate level presents a challenge for the agencies and industry contractors that operate them.

"There are lots of similarities between kinetic and virtual ranges," Bob Geisler, a former director of information operations in the Office of the US Secretary of Defense, told ISN Insights. "In their simplest forms, ranges replicate operational environments in a controlled setting so you don't have to go into the wild. You don't have to worry about errant shots and hurting people. In a controlled environment you can replicate results and see how consistently either a defense [strategy] or a weapon performs." Geisler currently serves as director of cyber security at Science Applications International Corporation (SAIC), a FORTUNE 500 company.

Cyber ranges can be found within US military services and agencies, at other government units and at private industry installations. The US Joint Forces Command operates the Information Operations (IO) Range, a unit which appears to be gaining in importance. The Defense Advanced Research Projects Agency attempted to establish a National Cyber Range, which would have broadened the scope of the IO Range beyond the national security community to include civilian agencies, contractors and academia; according to some reports, that effort may be foundering because the US Congress has refused to fund it.

The point of exercising on a cyber range is to be able to report to commanders the probable degree of success of the cyber capabilities being tested. "On the defensive side, you want to run standard threats against the network and see if the defenses worked or not," said Geisler. "You have more latitude testing defenses on a range than on a live network. You have to be concerned about inadvertent spillover of a test on a live network. The range can serve as a schoolhouse as well as a certification capability for technology."

Exercising to scale

For organizations such as the US military, which operates large-scale and far-flung networks, one of the challenges is how to scale up a cyber range to emulate the operational environment. "A successful range should be able to connect and disconnect multiple participants depending on the operational scenario of the effect you want to experiment with," said Geisler. "The secret is how to link them all together."

Cyber range exercises must be performed at an enterprise scale and not in a small lab, agreed Hal Jones, technical director for cyber security solutions at BAE Systems. "It has become apparent that the only way to build these types of solutions is to test them in a large-scale environment," he said. "We do experiments on data with a 50,000-node network."

Mimicking the traffic associated with large live networks also presents challenges. "You need that type of traffic in order to be able to sniff out what vulnerabilities are out there," said Peter Mozloom, vice president for cyber solutions at Modus Operandi, a US-based software company that serves the defense and intelligence community.

Modus Operandi is working with the US Air Force on its Cyber Experimentation Environment (CEE). The New York state-based CEE uses a tool developed at the Massachusetts Institute of Technology, called LARIAT, to generate user traffic and network attacks and to provide an evaluation of intrusion detection technologies. The tool can emulate large-scale networks with tens of thousands of users.

"It is like war gaming," said Mozloom. "If you are mimicking an attack on an adversary's network, you determine the percentage of targets hit and the extent of collateral damage. You can determine if an offensive cyber weapon was appropriately stealthy or whether defenders could see it coming from a mile away."

Mozloom expects the CEE to be linked to the IO range by this summer. "This will enable us to run even bigger scenarios," he said.

On the network defense side, BAE is taking an approach that keeps the enterprise scale of the construct but also integrates human analysis, in an effort to provide real-time intelligence on the state of the network. The BAE approach is informed by a reaction to the dominant approach to network security, which Jones considers fundamentally flawed.

"The basic concept is that one can define how one will be attacked and write rules that prohibit that from happening," he said. "The problem is that defenses are effective against prior attacks, but once attackers understand the defenses it is relatively simple to craft an offense that will go around them."

BAE's approach instead focuses on a concept called real-time network forensics that allows analysts to observe network conditions and identify anomalies. "What is needed is to be able to extract from a network in real time any artifact that might be unusual," Jones explained. "If that ends up being a terabyte of information, the analysts need tools to massage that information and to present it as a set of plausible scenarios. The analysts can apply their own judgment to query the system and direct the analysis. This involves putting the analysts on the network and in the data."
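The contrast Jones draws, between rules that encode prior attacks and a review of whatever departs from the network's normal behaviour, can be shown on a handful of flow records. The following is an added example written for this article; it is not code from BAE Systems, SAIC or Modus Operandi, and the log lines, hosts, rule set and thresholds are all constructed for illustration. A small signature engine matches only patterns it already knows, while a baseline built from earlier "schoolhouse" traffic flags a flow that no rule covers; a triage step then merges both views per source so an analyst can direct further review.

```python
"""Signature rules versus baseline review over constructed flow logs.

Added example; not the code of any vendor named in the article. Every log
line, address, rule and threshold below is constructed for illustration.
"""
import statistics
from collections import defaultdict

# Constructed "normal" traffic used to build the baseline.
# One flow per line: time src dst dst_port bytes uri ("-" when not HTTP).
BASELINE_LOG = """\
09:00 10.0.0.5 10.0.1.10 443 1200 /index.html
09:01 10.0.0.5 10.0.1.10 443 1350 /reports/q1.pdf
09:02 10.0.0.7 10.0.1.10 443 900 /index.html
09:03 10.0.0.5 10.0.1.20 53 80 -
09:04 10.0.0.7 10.0.1.20 53 75 -
09:05 10.0.0.7 10.0.1.10 443 1100 /login
09:06 10.0.0.5 10.0.1.10 443 1280 /login
"""

# Constructed exercise traffic: 10:01 matches a known signature; 10:02 matches
# no rule at all but departs sharply from that host's baseline.
EXERCISE_LOG = """\
10:00 10.0.0.5 10.0.1.10 443 1250 /index.html
10:01 10.0.0.9 10.0.1.10 443 400 /files?name=../../etc/passwd
10:02 10.0.0.7 10.0.1.30 4444 2400000 -
10:03 10.0.0.7 10.0.1.10 443 1000 /login
"""

# Constructed indicator list (TEST-NET-3 address), standing in for a feed
# of previously observed hostile destinations.
KNOWN_BAD_HOSTS = {"203.0.113.9"}

# Rules that "define how one will be attacked": each encodes one prior pattern.
SIGNATURES = [
    ("path_traversal", lambda ev: "../" in ev["uri"]),
    ("known_bad_destination", lambda ev: ev["dst"] in KNOWN_BAD_HOSTS),
]


def parse_log(text):
    """Turn the whitespace-separated flow lines into dicts."""
    events = []
    for line in text.splitlines():
        t, src, dst, port, nbytes, uri = line.split()
        events.append({"time": t, "src": src, "dst": dst,
                       "port": int(port), "bytes": int(nbytes), "uri": uri})
    return events


def signature_hits(events):
    """Return (time, src, rule_name) for every event a rule recognises."""
    return [(ev["time"], ev["src"], name)
            for ev in events for name, rule in SIGNATURES if rule(ev)]


def build_baseline(events):
    """Per-source profile from normal traffic: ports used and transfer sizes."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for ev in events:
        ports[ev["src"]].add(ev["port"])
        sizes[ev["src"]].append(ev["bytes"])
    return {"ports": ports, "sizes": sizes}


def anomalies(baseline, events, k=3.0):
    """Flag artifacts that depart from the baseline, whether or not a rule exists.

    A source is flagged if it was never seen before, uses a port it never used
    in the baseline, or moves more than mean + k * stdev of its usual bytes.
    """
    findings = []
    for ev in events:
        src, reasons = ev["src"], []
        if src not in baseline["ports"]:
            reasons.append("source never seen in baseline")
        else:
            if ev["port"] not in baseline["ports"][src]:
                reasons.append(f"new destination port {ev['port']}")
            hist = baseline["sizes"][src]
            mean, sd = statistics.mean(hist), statistics.pstdev(hist) or 1.0
            if ev["bytes"] > mean + k * sd:
                reasons.append(f"transfer {ev['bytes']}B vs baseline mean {mean:.0f}B")
        if reasons:
            findings.append((ev["time"], src, reasons))
    return findings


def triage(baseline_events, exercise_events):
    """Merge rule hits and anomalies per source into scenarios for an analyst."""
    baseline = build_baseline(baseline_events)
    report = defaultdict(lambda: {"signatures": [], "anomalies": []})
    for _, src, name in signature_hits(exercise_events):
        report[src]["signatures"].append(name)
    for _, src, reasons in anomalies(baseline, exercise_events):
        report[src]["anomalies"].extend(reasons)
    return dict(report)


if __name__ == "__main__":
    for src, view in triage(parse_log(BASELINE_LOG), parse_log(EXERCISE_LOG)).items():
        print(src, view)
```

Run as written, the 10:02 flow from 10.0.0.7 appears in the report with no signature name attached, only baseline departures (a never-used port and a transfer orders of magnitude above the host's norm); the 10:00 and 10:03 flows produce nothing. That is the gap Jones describes: a rule set can only report what it was written for, while the baseline comparison hands the analyst an artifact to judge.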

The approach taken by BAE Systems is comparable to the techniques that the US intelligence community has deployed in the last 10-15 years in combating terrorism, according to Jones. "There are proven techniques that allow intelligence analysts to sift through massive amounts of data to come up with telltale signs of an attack," he said. "What we are doing is borrowing tools, techniques and procedures from the intelligence community."
