Cyber Reactive Adversary Framework for Training (CRAFT)
Given the growing threat of cyber warfare, training exercises in cybersecurity are becoming increasingly imperative. Unfortunately, large-scale exercises require too much time, money, and expertise to execute. As a result, training slips down in priority. An automated, adaptive, and dynamic training tool that can successfully mimic an adversary would reduce the cost of exercises and potentially increase their frequency.
Realistic, dynamic, and customized
An efficient, automated cyber-training tool must meet the following requirements:
- Deliver realistic adversary behaviors based on real-life exercises, not just simulations
- Easily integrate with existing training networks
- Enable instructors to assess and adjust agent behavior to meet shifting training objectives
Alternative approaches can craft an automated cyber-training tool, but they come with their own challenges. Baseline “smart scripting,” for example, is simple to use but is often too elementary in its approach. As a result, adversaries can easily figure out the scripted behaviors and circumvent them.
“Intelligent scripting is too simplistic and not very dynamic,” says Sean Guarino, Principal Scientist at Charles River Analytics. “They don’t react very well to the things the defender might do, so they’re easily detected.” On the other end of the spectrum, cognitive architectures can also deliver, but they are too complex and esoteric, leaving the crafting of a tool to only a few skilled professionals.
CRAFT treads the middle “Goldilocks” ground effectively by leaning on its in-house reactive behavior-modeling architecture, Hap. Hap agents proactively and dynamically collect information on behavior.
“CRAFT’s modeling architecture, Hap, uses active planning so, unlike static behavior-tree approaches, Hap dynamically reconfigures the behaviors it pursues based on what the defenders are doing. Being able to detect, react, and adapt in real time presents a more complex adversary.”
Principal Scientist and Principal Investigator on the CRAFT effort
The team is working on making CRAFT’s interface more accessible so it can be “easily adopted by those who need to work with it,” Guarino adds.
CRAFT’s big achievement during Phase I was the development of an agent that can execute a live attack exercise, instead of simulations, and dynamically change behaviors. Phase II is addressing a wide range of adversary behaviors and attacks, including those outlined in MITRE’s ATT&CK framework.
While CRAFT started out as a tool for the armed forces, it can find commercial applications in corporate and university training programs. “There are a lot of gaps in training in the commercial sector as well. Having a tool such as CRAFT delivers more frequent and effective training,” Guarino says. “It means our cyber defenders will be better prepared to detect and respond to attacks more quickly and to conduct better cyber forensics to understand what happened during an attack that already occurred.”
Cyber Shield 22 Main Planning Conference at Professional Education Center involves more than 500 National Guard Soldiers and Airmen throughout the nation along with interagency partners. (U.S. Army National Guard photo by Staff Sgt. Jeffrey D. Reno)
This material is based upon work supported by the Small Business Innovation Research (SBIR) Program through the U.S. Army Contracting Command (ACC) – Orlando under Contract No. W900KK-21-C-0010. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Small Business Innovation Research (SBIR) Program through the U.S. Army Contracting Command (ACC) – Orlando.