As the world becomes more digitized, National Critical Information Infrastructure (CII) assets in critical sectors such as energy, banking, defence, telecom and transportation have become more vulnerable to cyber attacks, such as the use of ransomware to hold assets at risk or the disabling of CII in ways that threaten domestic public safety. In the future, the Internet of Things (IoT) will offer immense opportunities in many civil market domains, including electric power distribution, intelligent transportation, medical treatment, industrial control, and so on. IoT can also be useful in the military domain for surveillance, unmanned systems and logistics. However, IoT will also bring a large increase in vulnerabilities in defence and security.
In the recent past, the cyber-security industry has undergone a significant shift in acknowledging the importance of security training for users, transitioning from “users are the weak link of cyber-security” towards “users can be trained like muscles, hence improving a company’s overall security posture.”
The first line of defense against cyber threats and cyber crimes is to be aware and get ready, e.g., through cybersecurity training. Training can take two forms. The first is directed towards security professionals and aims at improving understanding of the latest threats and increasing skill levels in defending against and mitigating them. The second form aims at increasing cybersecurity awareness among non-security professionals and the general public, hence improving a company’s overall security posture. Conducting such training programs requires dedicated testbeds and infrastructures that help in realizing and executing the training scenarios and provide a playground for the trainees. A cyber range is an environment that aims at providing such testbeds.
Cyber ranges are interactive, simulated representations of an organization’s local network, system, tools, and applications that are connected to a simulated Internet level environment. They provide a safe, legal environment to gain hands-on cyber skills and a secure environment for product development and security posture testing. A cyber range may include actual hardware and software or may be a combination of actual and virtual components. Ranges may be interoperable with other cyber range environments. The Internet level piece of the range environment includes not only simulated traffic, but also replicates network services such as webpages, browsers, and email as needed by the customer.
A test-bed (TB) is defined as a configurable and extensible cyber range with simulated industrial processes. TBs enable the training of Operational Technology (OT) network personnel facing cyber-attacks to improve cyber-situational awareness.
As the military migrates to net-centric operations, military networks and key supporting critical infrastructures are now at significant risk from cyber intrusion. Future cyber warfare may involve attacks to disrupt military command and control (C2) and other networks. Cyber has become an operational domain of warfare, along with air, sea, and land. The vulnerabilities have expanded beyond network access points to vulnerabilities in software, datalinks, and even hardware. Therefore, militaries are developing secure network-centric capabilities by employing cyber ranges and testbeds to carry out realistic military exercises with realistic IT platforms, networks and systems for training related to network attack and defense scenarios, mimicking real-world scenarios in the lab so that they can train as they would fight.
They need to ensure that their mission-critical war-fighting infrastructure performs adequately in a time of war. This holds true for all pertinent elements of wartime architecture, from the radio-equipped soldier on the ground, to command and control elements, to various service elements, and the oftentimes extraordinarily complex networks in between. Testbeds also provide a facility to test and validate strategies, tactics, interoperability, functionality and performance of solutions for cyber warfare defense and offense.
National Cyber Range Complex
The National Cyber Range Complex was developed in 2011 and has been managed by Lockheed Martin under a $750 million contract it won in 2014. The range has grown greatly over recent years from a small initial number of test beds to an expected 32 in fiscal year 2022. Some of the training uses include vulnerability assessments, cyber mission force training, product and solutions evaluation and architecture evaluations. For this new contract, the Army went with a multiple-award approach and selected Lockheed as one of the 14.
In July 2021, the Army picked the winners of a $2.4 billion contract to support the National Cyber Range Complex with testing, planning and events. In essence, the complex is a model of the internet that is used to test cyber tools and simulate attacks and responses to attacks. The new contract is broken into two categories: one for event planning and design, and the second for event execution and operations. Each category has several subcategories.
Eight small businesses (designated with an asterisk) are among the other 13 newcomers: BAE Systems, Boeing, The MIL Corp., Scientific Research Corp., Ad Hoc Research LLC*, Axiologic Solutions LLC, Command Post Technologies*, DigiFlight*, Dignitas Technologies*, ISYS Technologies*, Sealing Technologies*, Sentar*, and X Technologies*.
The Joint Network Emulator (JNE) Program
The Joint Network Emulator (JNE) program is sponsored by the Joint Tactical Network Center (JTNC) (previously the JPEO JTRS) to provide a scalable Live-Virtual-Constructive (LVC) simulation-emulation environment to facilitate analysis, test and evaluation, mission planning, mission rehearsals and training for networks of both new JTRS and current radio equipment that can scale to thousands of nodes.
SCALABLE’s Joint Network Emulator (JNE) library, Powered by EXata, is a live-virtual-constructive (LVC) simulation platform for the development, test, and evaluation of battlefield communications networks, applications, and net-enabled systems. JNE uses EXata as the underlying network emulation software and leverages its efficient parallel discrete-event simulation kernel and system-in-the-loop interfaces. Using both a parallel discrete-event simulation kernel and system-in-the-loop interfaces, JNE can run accurate battlefield simulations.
To facilitate these simulations, clients can use live network hardware such as radios and routers, along with network software including network managers and monitoring software. In addition, users can implement various mission command applications such as video streaming and situation awareness applications. JNE was originally based on the Joint Tactical Radio System (JTRS), but it now allows for performance modeling and simulation of multi-domain tactical communications.
The platform focuses on simulating communications across all domains: land, sea, air, space, and cyber. To add to JNE’s existing capabilities, SCALABLE has also connected JNE with StealthNet, its expansive library of cyber attack and defense models. Using StealthNet in conjunction with JNE, you can accurately gauge the security and resiliency of battlefield networks as well as operational mission threads.
The JNE library is ideal for military planning, testing, and training operations. It enables the simulation of large-scale military communications networks under a wide variety of conditions. You can connect physical radios with multiple simulated radios through JNE, which gives users the ability to realistically simulate large tactical radio networks consisting of both physical and simulated components. Users can also develop, emulate, and run multiple simulated radio form models using the JNE library to test, plan, and train.
Current simulations supporting the Net-Centric Test battlespace do not accurately represent the impact of cyber threats and information operations. When cyber threats are considered, they are typically limited to a small number of isolated physical devices, write Maneesh Varshney from Scalable Network Technologies and others. To further limit consideration, insufficient attention is paid to cyber attacks launched on the basis of passive threats such as eavesdroppers, or of coordinated threats.
Further, the test technologies are typically limited to incorporation of threats that can be realized physically, which limits both the scale and sophistication of representing such attacks; a Live-Virtual-Constructive (LVC) paradigm for modeling of threats is missing. Lastly, for threats such as jamming, wormhole attacks, and large-scale Denial of Service attacks, use of physical threats is expensive, since specialized equipment and manpower are required to realize these threats. The net consequence of these deficiencies is to leave a major gap in the DoD test infrastructure with respect to our ability to realistically test the vulnerabilities and resiliency of Blue Force communication architectures to sophisticated cyber attacks, particularly in networks that include both current force and Future Force communication infrastructure.
StealthNet together with JNE thus provides a Live-Virtual-Constructive (LVC) framework for a real-time, hardware-in-the-loop capability for simulation of cyber threats to the entire net-centric infrastructure. It also provides the ability to assess the effectiveness of adversaries in disrupting Blue Force communications by measuring the impact of these attacks via key performance indicators, i.e., bandwidth, reliability, delay and quality of service metrics. The LVC technology can stimulate constructive and LVC networks with simulated cyber threats that span the entire protocol stack layers for testing and analysis of applications.
According to Rajive Bagrodia, CEO of SCALABLE, “Improved Live-Virtual-Constructive technology is essential for a dynamic, realistic and affordable cyber training environment. We have consistently been able to use our software solutions and capabilities to address the impact of a cyber threat. We are pleased to be part of the CyberTASE development team to provide simulation of cyber attacks and defense strategies for the test and training communities.”
The StealthNet Project
Derived from a research project with the U.S. Department of Defense, StealthNet is a GOTS library that works in conjunction with the Joint Network Emulator (JNE). StealthNet features models for a Live-Virtual-Constructive (LVC) framework for network simulation, test, and evaluation of operational network defenses against cyber attacks.
StealthNet is a Live-Virtual-Constructive (LVC) framework for test and evaluation of operational network defenses against cyber attacks. It has the following objectives:
- Accurately assess the readiness of systems in the Net-Centric Battlespace for Information Operations (IO)
- Provide an LVC framework for simulation and stimulation of operational net-centric systems under cyber attack
- Recreate the impact of IO within the simulation of the Net-Centric Battlespace by providing realistic cyber threat representations that include passive, active, and coordinated threats
- Assess ability to measure impact of cyber threat vectors (denial-of-service, virus, wormhole) on tactical network architectures and net-centric systems under test in the accomplishment of the mission
StealthNet provides a real-time, hardware-in-the-loop capability for simulation of cyber threats to the entire net-centric infrastructure. It also provides the ability to evaluate the effectiveness of the threats in disrupting Blue Force communications via key performance indicators, i.e. bandwidth, reliability, delay and quality of service metrics.
It enables an environment and methodology for testing blue systems against cyber attacks in order to discover and validate vulnerabilities and to assess mission impact. The StealthNet framework includes the simulated network architecture (tactical radios, network hardware and software), and interfaces from the simulated network to other LVC elements that include real network hardware (routers, firewalls, etc.), live intrusion detection or intrusion prevention systems (e.g. Snort), real C2 systems under test (e.g. situation awareness (SA) applications) and other virtual and constructive elements.
The benefit of the HVN approach is that real equipment can be connected to the virtual network, and real application traffic such as sensor feeds, voice communications, or video can be streamed through it. Thus the effects of the network state and its ability to route traffic to the intended destination along with delay and losses can not only be analyzed, but also be seen and heard in real-time. Third party network analysis, management and diagnostic tools, such as packet sniffers, SNMP managers may be used to concurrently study the purely simulated network and the physical network. By integrating real applications with the emulated cyber warfare communications effects models, it becomes possible to evaluate the impact of cyber attacks on operational systems and mission threads.
The second key component of the StealthNet framework is the Cyber Library of attack, defense and vulnerability models that can operate in LVC modes, and thus is able to simulate and stimulate the LVC networked system under test. This library contains models for accurate cyber threat simulation at all layers of the networking stack to include passive, active, coordinated and adaptive attacks. It features cyber threat models for adaptive and coordinated attacks, scalability to test attacks on large communication networks, and cyber test and analysis metrics to quantify the information and the operational impact of cyber offense and defense strategies. Within this LVC architecture cyber threat models are also included that are capable of launching various attacks against the network architecture, as well as simulated physical attacks to exploit vulnerabilities (e.g. Metasploit, Nmap).
StealthNet leverages Parallel Discrete Event Simulation (PDES) concepts to model large-scale coordinated cyber threats on networks with hundreds to thousands of wired and wireless components. The high-fidelity implementation of the cyber models ensures that the physical network-system under test can be stimulated with simulated cyber threats that span all protocol stack layers for real-time testing.
Example cyber attack and defense models available in StealthNet:
Denial of Service: DoS attacks overwhelm the resources (primarily memory or processing cycles) of a victim computer or network element so that it cannot service requests from other clients. The clients, therefore, are denied service from the victim computer or network. This is accomplished by sending a large volume of traffic. The DoS model in StealthNet supports three kinds of attacks:
- Basic attack, where the attacker(s) send large volumes of UDP traffic to the victim host or network. The UDP traffic consumes the network buffer memory as well as CPU resources.
- TCP SYN attack, where the attacker(s) send TCP SYN packets to the victim computer. Each TCP SYN packet opens a new TCP connection at the victim computer, thus consuming the transport layer buffer memory.
- IP Fragmentation attack, where the attacker(s) send partially fragmented IP packets to the victim computer. The victim computer buffers these fragmented packets and waits for remaining segments, thus consuming the network layer buffer memory.
Radio Jamming, or simply jamming, is transmission of radio signals at sufficiently high energy to cause disruption of communication for nearby radios. The signals transmitted by jammers interfere with other legitimate signals in the vicinity of the jammer, causing the signal-to-noise ratio of the latter signals to drop significantly, and resulting in corruption of those signals. Currently three strategies of frequency selection for jamming are supported:
- Wideband jamming: jam all transmissions in a given range of frequencies.
- Sweep jamming: the jammer divides the frequency range into contiguous chunks of frequency bands. The jammer jams one chunk at a time for a specified duration before moving to the next chunk.
- Custom jamming: model arbitrary frequency selection and hopping pattern for jamming.
Channel Scanning is an act of gathering information by intercepting and analyzing the signals. No attempt is made to decode the signal; only the characteristics of signals, such as frequency range, power of transmission, and RF signatures are determined. The Channel Scanning model provides a basic framework and API upon which advanced intelligence gathering algorithms may be developed.
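The TCP SYN model and the reliability indicator described above can be illustrated with a small discrete-event simulation of a listener's half-open connection queue. This is an added example, not StealthNet or JNE code; the backlog size, timeouts, arrival rates and all function names are constructed assumptions, and the code only models queue occupancy on a constructed event trace.

```python
import heapq

def simulate_syn_backlog(syn_events, backlog_size, half_open_timeout_ms, rtt_ms=50):
    """Replay (time_ms, kind) SYN arrivals against a fixed-size half-open queue.

    kind is "legit" (handshake completes after one RTT) or "spoofed"
    (never completes, so the slot is held until the half-open timer expires).
    Returns the reliability KPI seen by legitimate clients and the peak
    queue occupancy.
    """
    pending = []            # min-heap of times at which a slot is released
    accepted = dropped = peak = 0
    for t, kind in sorted(syn_events):
        # Release slots whose handshake finished or whose timer expired.
        while pending and pending[0] <= t:
            heapq.heappop(pending)
        if len(pending) >= backlog_size:
            if kind == "legit":
                dropped += 1        # legitimate client is denied service
            continue
        hold = rtt_ms if kind == "legit" else half_open_timeout_ms
        heapq.heappush(pending, t + hold)
        peak = max(peak, len(pending))
        if kind == "legit":
            accepted += 1
    total = accepted + dropped
    return {
        "legit_success_ratio": accepted / total if total else 1.0,
        "peak_half_open": peak,
    }

def build_trace(attack):
    """Constructed 10 s trace: 10 legitimate SYN/s, plus 200 spoofed SYN/s
    between t=2 s and t=8 s when attack is True."""
    legit = [(t, "legit") for t in range(0, 10_000, 100)]
    spoofed = [(t, "spoofed") for t in range(2_000, 8_000, 5)] if attack else []
    return legit + spoofed

def run_scenarios(backlog_size=128):
    """Baseline, under attack, and under attack with a shorter half-open timer."""
    return {
        "baseline": simulate_syn_backlog(build_trace(False), backlog_size, 3_000),
        "attack": simulate_syn_backlog(build_trace(True), backlog_size, 3_000),
        "short_timeout": simulate_syn_backlog(build_trace(True), backlog_size, 500),
    }

if __name__ == "__main__":
    for name, kpi in run_scenarios().items():
        print(f"{name:14s} {kpi}")
```

With the constructed parameters, the 3 s timer lets spoofed entries fill all 128 slots, while the 500 ms timer keeps steady-state occupancy below the backlog size, so legitimate handshakes still complete.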
On-premises vs. cloud-based cyber ranges
Cyber ranges — that is, virtual environments — are an ideal tool for testing and validating the cybersecurity posture of systems and software as well as for training cyber defenders with the latest knowledge on cybersecurity tactics. Ranges help defenders improve their cybersecurity skills with real-time practice on a safe version of their own critical IT systems. They help organizations select, integrate, and test new products and approaches without disrupting operations. For the past two years, I’ve been working on a cyber-range capability for increased cyber resiliency and decreased operational risk.
On-premises solutions are seen by many as a legacy approach to cybersecurity training. Part of this is due to the costs involved with keeping a system such as this running properly and delivering relevant training. The amount of time and effort that is required for such a testing environment to be effective is not trivial. This means that you will generally find that more than one person will spend a lot of time making sure that there are meaningful and effective cyber ranges available for staff.
The world is going to the cloud, and so can cyber ranges. The cloud provides a flexible, reconfigurable, and elastic computing infrastructure at affordable prices. Cloud-based ranges provide a safe, controlled, and isolated environment and can scale in size based on mission scenarios. You pay as you go based on the capacity you need.
Cloud-based solutions have become a popular way for companies to give their employees safe, secure and up-to-date cybersecurity training tools. Using a cloud-based solution also means that there is a better spread of different training scenarios to train on. They are updated more often and have more people working on them to produce fresh content. There is also less maintenance involved in the day-to-day running of these systems. Auto-allocation of resources like virtual machines and switches is done on the fly, making it much easier.
Cloud-based cyber ranges offer a highly accessible means to get hands-on experience with some of the most cutting-edge training techniques, the newest reports and methods for dealing with malware and much more. All that you need is an internet connection. Most cloud-based cyber ranges are accessible from within an internet browser, so no specialized software is needed. Simply log into the website with your credentials, find the cyber range that you are interested in and get started. Each of the different training modules can be accessed by simply clicking on them and following the on-screen instructions.