Cyber Reactive Adversary Framework for Training

Sean Guarino¹, William Norsworthy¹, David Kelle¹, John Steigerwald¹, Timothy Ho¹, Dorsey Wilkin²

Interservice/Industry Training, Simulation, and Education Conference (I/ITSEC), Orlando, Florida (29 November 2023) 

Networks have become a critical background for military operations as adversaries and hackers become increasingly prolific and proficient at cyber warfare. Despite this, cyber training has remained focused on large-scale exercises that can be expensive and time-consuming, and ultimately too infrequent. A key element that drives this decision is the need for human experts to control adversary cyber Operations Forces (OPFOR). These experts can be difficult to obtain, and, when available, the goal is often to leverage their time to the greatest extent possible, driving these complex events. This paper describes ongoing work to develop an automated cyber adversary framework that enables the insertion of dynamic adversary behaviors into a live training environment, alongside tools for instructors and red cell operators to understand and customize the training experience provided by the automated adversary. Our solution combines: (1) an adaptive adversary framework that uses reactive behavior modeling to provide realistic, dynamic, and customized adversary behavior for meeting training objectives; (2) a cyber execution engine that integrates adversary agents with tools in the network environment, translating high-level adversary activities into appropriate low-level attack actions; and (3) an instruction support suite that provides tools for configuring, tracking, adjusting, and revising adversary behaviors to provide effective training. To enable rapid application across a wide range of adversaries, we have developed a behavioral template that can be adapted to include different types of attack tools, methods, and tactics. This paper details our application of this template and framework to model several advanced persistent threats identified in MITRE’s ATT&CK® (adversarial tactics, techniques, and common knowledge) framework. Future work will extend this framework to support a wider range of adversaries and integrate evolving training environments such as the DoD’s Persistent Cyber Training Environment (PCTE).

¹ Charles River Analytics
² PatchPlus Consulting

For More Information

To learn more or request a copy of a paper, contact Sean Guarino.

(Please include your name, address, organization, and the paper reference. Requests without this information will not be honored.)