Modelling and Analyzing Attack- Defense Scenarios for Cyber- Ranges

Abstract

Rome was not built in a day, but it was burnt to the ground in only six. Wood naturally catches fire, and without adequate engineering, fireproof houses and training for firefighters, destruction caused by fire is inevitable. In the 21st century, our modern world is built not on wood but on a digital infrastructure that was proposed in the 20th century with very little thought to security. This has resulted in a countless number of incidents in which that infrastructure has been compromised, from hospitals serving critically ill patients to gas pipelines providing necessary heating to people living in adverse climate conditions. The current state of affairs is unacceptable, and serious efforts are needed to design and build a secure digital world and train individuals to use and operate it securely. Engineers and scientists design road infrastructure with great safety measures, but traffic accidents still happen. Indeed, they remain one of the leading causes of death in the world, and most traffic accidents are caused by human error or negligence. Similarly, the digital infrastructure can be designed and deployed securely, but its overall security and safety depend upon the humans who are operating and using it. Therefore, there is a great need to train individuals to operate the digital infrastructure in a secure manner. Multiple efforts are being made to provide this training. These efforts include cybersecurity education and training based on different pedagogical methods involving classroom teaching, workshops, seminars, conferences and hands-on training. However, the effects of these efforts are not yet visible, as we experience ever-increasing damage caused by cyber-attacks. Traditionally, most cybersecurity awareness and training has been achieved through classrooms and workshops. Little focus has been on hands-on cybersecurity exercises. This is because designing and deploying infrastructure to deliver realistic hands-on exercises is a resource- intensive, complex and difficult task that requires considerable manual technical expertise. This makes the training very expensive and the process error-prone and difficult to standardize. In order to solve these issues, different researchers have tried to remove inefficiencies in cybersecurity exercises by automating different phases of the exercises with limited success. Some efforts yielded very specific testbed-related artifacts, which were only applicable to that specific testbed, while other efforts lacked the complexity required for realistic cybersecurity exercises. Moreover, there is a lack of consensus among the community on defining the training scenarios that can be used in such exercises. Therefore, standard specifications of scenarios that can be executed in a cybersecurity exercise environment are needed. In this work, I attempt to overcome and address these issues by enhancing efficiency, realism and standardization with a novel method of modeling and executing cybersecurity exercise scenarios in a cybersecurity exercise environment, or a cyber range. This is achieved through the development of a domain-specific language that is used to model and specify the technical requirements for cybersecurity exercises at an abstract level. The model of the exercise scenario is formalized and verified through logic programming, and then the technical requirements are translated into operational artifacts through an orchestrator. The operational artifacts contain an exercise infrastructure with vulnerabilities, traffic generators and attack/defense agents that can exploit or defend those vulnerabilities at an operational level in a cyber range. The proposed system goes beyond the state of the art by overcoming many inefficiencies in cybersecurity exercise scenario modeling and deployment, making their execution efficient, realistic and computationally repeatable. The proposed artifacts and solutions were tested in Norway’s national cybersecurity competitions, university classrooms and other cybersecurity exercises with positive results.