Cyber adversary modeling and simulation
The rapid increase in the number of connected devices in US military networks has vastly expanded the possible cyberattack surface. As modern cyber adversaries become more proficient and sophisticated, these network systems are increasingly vulnerable to cyberattacks. Private businesses regularly fall victim to cyberattacks as well, which inflict devastating damage on the economy. In 2013, 7% of US organizations lost $1 million or more due to cybercrime, and 19% of entities had claimed losses between $50,000 and $1 million. Domestically, it is estimated that cyberattacks cost $300 billion per year, and cost $445 billion worldwide (Bremmer, 2015). Despite significant investment in addressing cyber threats, current defense efforts are largely reactive, addressing attacks after they occur instead of proactively identifying the most likely or dangerous threats. The current processes for detecting new cyberattacks and deploying defenses against them are entirely manual and require high levels of expertise. These reactive, manual approaches result in defensive failures as adversaries continue to evolve and launch new, decisive attacks that circumvent these approaches. Augmenting our cyber defenses with tools that predict the most likely attacks can alleviate the manual analytic burden on cyber specialists and facilitate proactive reduction of the cyberattack surface, ultimately increasing the resilience of our network infrastructure.
The Charles River Analytics Solution
Charles River Analytics created CyMod™, a cyber modeling and reactive agent framework that provides a tool for integrating intelligent cyber adversaries into simulation environments. CyMod enables cyber defenders to quickly and easily perform cyber wargaming to predict likely attack vectors and prepare proactive defenses against these attacks. Users can analyze sensor data provided from their network monitoring devices, such as Snort, and use this data to tailor their simulations to fit the threats they are encountering. CyMod uses systemic functional grammars (SFGs), which enable the parsing and interpretation of network and threat information. These grammars include rich models that can be executed in a simulation environment. The models capture detailed information about cyber adversaries, attacks, defenses, and other relevant contextual information about the world and simulation state.
Through use of the Hap engine, a reactive agent framework for realistic behavior generation, our CyMod platform enables rapid integration of these cyber models into commercially available off-the-shelf (COTS) simulators (e.g., ns-3, NeSSi2, OMNeT++) to facilitate prediction and wargaming in a realistic network environment. CyMod models a variety of different cyber domains, such as malware, embedded system vulnerabilities, unmanned aerial vehicle attacks, reconnaissance attacks, and defensive responses.
Specific capabilities within the CyMod toolkit:
- Flexible models of cyber adversaries for use in simulation and adversary understanding, including adversary goals, motivations, skill levels, and attacks they can execute.
- Flexible attack modeling and generation, leveraging generalizations encoded as SFGs to capture attack details at a variety of levels to model cyberattacks at high or low fidelity. The effects of cyberattacks on systems and processes outside the cyber domain can also be modeled.
- Parsing and understanding complex cyber data, including data from Snort and other IDSs, to enable better adversary and attack modeling and more accurate wargaming based on the exact attacks and scenarios encountered.
- An SFG editing and authoring tool that provides an in-depth graphical view of existing grammars and the ability to edit key features of the grammar.
- An intelligent agent framework for simulation integration and interaction that can respond to changes in the simulation environment and realistically and intelligently model the pursuit of goals by adversaries.
CyMod will greatly benefit the U.S. government and companies, enabling defenders to stay ahead of cyber adversaries and proactively defend their networks, rather than reacting after attacks happen. Through simulated wargaming with accurate adversary models, users can assess their vulnerabilities and evaluate the effectiveness of different defensive actions. Proactive defense through simulated environments provides a low-cost solution to cyberattacks and mitigates the costly damage recovery that results from successful attacks.