John Saunders –
Story about Indian Chief
On the faculty at the Information Resources Management College, National Defense University (students are LtCol, Col and General Officers). IRMC was the 1st college in the world under a university umbrella dedicated to the study of IT in all its aspects; now also UC Berkeley, Syracuse, and Penn State. Runs DoD's Information Warfare program: 1st grads in 1995, now integrated with the NWC and ICAF programs.
One of the National Security Agency's "Centers of Academic Excellence" in Information Assurance. Students receive the NSA-approved 4011 certificate.
Now setting up (about 50% complete) the "Silicon Curtain" Simulation Lab: a test bed for running and testing InfoSec simulations.
The Information Resources Management (IRM) College prepares leaders to direct the information component of national power by leveraging information and information technology for strategic advantage. Primary areas of concentration include business process reengineering, IRM law and policy, information technology, information security, management of acquisition processes 
IRMC courses are free to national security agencies, low cost to other Feds, and open on a limited basis to the private sector.
What is M&S – Some definitions to limit the scope of my talk
What simulations are out there (the primary focus), and how have they worked out? Will show you some of them.
Issues with simulation will arise as we review the experience of others in using them: cost, learning curves, level of detail.
General breakout of the types of simulations along tool lines: network modeling tools, management flight simulators, etc.
Brief discussion of modeling “standards”/ frameworks
Would certainly be thrilled to hear about any efforts within your organizations in this arena
Key word here is SYSTEM. Modeling is about understanding systems: how does this thing work, what are all the components, how do they fit together, what feedback mechanisms are in place.
Transportation centers (FAA, city subway systems), electrical utilities
NOCs w/ HP Openview, Tivoli, CA Unicenter
Models discussed here today are planning and learning models
Symbolic modeling may be something like predicate calculus [John ?? at University of Tulsa] or state space/Petri Net modeling [Moitra & Konda at Carnegie Mellon University], which utilizes a specific set of symbols to represent ideas about objects, time, sets, and ways to manipulate them.
Security models are typically not used for "optimization", although they can be. More often they are used for configuration, testing, and learning.
You are likely wondering – what the heck does an elephant have to do with this?
“The Blind Men and the Elephant” by American poet John Godfrey Saxe (1816-1887) based upon an Indian fable.
Tusk – like a spear  Side – like a wall   Trunk – like a snake   Leg – like a tree   Ear – like a fan   Tail – like a rope
So oft in theologic wars,
The disputants, I ween,
Rail on in utter ignorance
Of what each other mean,
And prate about an elephant
Not one of them has seen.
What the system looks like depends upon your perspective. Most often none have the full picture
Instant "reset" of computers, networks, etc to initial conditions
Compression of long term activity into short periods
Lower cost than utilizing real computers, networks, software, protocols, etc
Ease of scalability
Creation of scenarios too risky for "real world" testing
Levels of abstraction like the OSI model may be represented
Ease of re-configuration
Capability for building in an “automatic/scripted” Black or White Team
When to Model?     Actual object or process:
Is very complex - too difficult to observe
Doesn’t currently exist
Is too dangerous to observe
Takes too long to observe
Has a large number of variations, and
Economically and operationally feasible to do so
Focus here is on Audience: What types of simulations are applicable to what groups
Packet Wars: for System Admins
Sniffers + Network Design Tools: for System Designers
Canned Attack/Defend Scenarios: for New Users, IT Security Education
Management Flight Simulators: for Security Management
Role Playing: for General Management (people who think UNIX are castrated males in a harem)
Packet wars: greatest granularity, lowest organizational levels. Role playing: least granularity, highest org levels.
Characteristics/Benefits
Best way to go if available.
Uses real networks, real software, real exploits
Harmless
1st Service Academy Competition last April, including the awarding of a trophy. Judged by an expert team at NSA. Quote from Col/Dr Don Welsh, USMA: "The highest learning I have ever seen as an educator took place in this one week exercise."
SANS ID'net here in DC: Rules of Engagement
Activity         Points
Port Scan        1
Script Kiddie    5
Recent Exploits  10
Old Exploits     20
New Exploit      50
No denial of service or DDoS attacks. The defender may defend but must keep basic services up: web/mail/ftp/DNS. After an attack is successful, it cannot be repeated.
Drawbacks
Big $ to set up – hardware, software, labor
Reset after exercise may even include complete reload of OS, databases, etc
Good primarily for System Administrator level training only, with some managerial-level awareness
As a sideline, although not a simulation tool, simple network diagramming can certainly be a low-cost start to better understanding your system through a pictorial model. Use echo/ping to establish segments and equipment types.
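The sideline above, worked through as an added example that is not part of the talk: it assumes Linux-style traceroute output (ICMP echo based) rather than raw ping replies, parses it into hops, groups the hosts found into /24 segments, and emits a Graphviz graph you can draw with `dot -Tpng`. The three traces embedded below are constructed, as are the names `scanner` and `unknown-...` used for the probing host and for hops that timed out.

```python
"""Build a pictorial network model from traceroute output.
Added example, not from the talk. Assumes Linux-style traceroute text (ICMP
echo based); the traces below are constructed, not from a real network."""
import re
from collections import defaultdict

# Constructed traceroute output for three targets behind one gateway.
TRACES = """\
traceroute to 10.2.0.10 (10.2.0.10), 30 hops max
 1  10.0.0.1  0.412 ms  0.380 ms  0.377 ms
 2  10.1.0.1  1.203 ms  1.190 ms  1.188 ms
 3  10.2.0.10  2.015 ms  2.001 ms  1.998 ms
traceroute to 10.2.0.11 (10.2.0.11), 30 hops max
 1  10.0.0.1  0.398 ms  0.391 ms  0.388 ms
 2  10.1.0.1  1.177 ms  1.170 ms  1.169 ms
 3  10.2.0.11  2.101 ms  2.090 ms  2.088 ms
traceroute to 10.3.0.7 (10.3.0.7), 30 hops max
 1  10.0.0.1  0.401 ms  0.395 ms  0.390 ms
 2  * * *
 3  10.3.0.7  3.322 ms  3.310 ms  3.301 ms
"""

HEADER = re.compile(r"^traceroute to (\S+)")
HOP = re.compile(r"^\s*(\d+)\s+(\S+)")
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_traces(text, origin="scanner"):
    """Return the set of directed links (previous hop, hop) seen across all traces.

    A hop that timed out ('* * *') still sits between its neighbours, so it becomes
    a placeholder node named after the trace target and hop number (assumed naming)."""
    edges = set()
    prev, target = origin, None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            prev, target = origin, h.group(1)   # new trace starts again at the probing host
            continue
        m = HOP.match(line)
        if not m:
            continue
        hop, node = m.groups()
        if node == "*":
            node = f"unknown-{target}-hop{hop}"
        edges.add((prev, node))
        prev = node
    return edges


def segments(edges):
    """Group every IPv4 node by its /24: a cheap first cut at 'which segment is this on'."""
    seg = defaultdict(set)
    for link in edges:
        for node in link:
            if IPV4.fullmatch(node):
                seg[node.rsplit(".", 1)[0] + ".0/24"].add(node)
    return dict(seg)


def to_dot(edges):
    """Emit a Graphviz digraph so the map can be drawn with `dot -Tpng`."""
    lines = ["digraph network {"]
    for a, b in sorted(edges):
        lines.append(f'  "{a}" -> "{b}";')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    links = parse_traces(TRACES)
    print(to_dot(links))
    for cidr, hosts in sorted(segments(links).items()):
        print(cidr, sorted(hosts))
```

The timed-out hop is kept as a placeholder rather than dropped, otherwise the third trace would falsely show the gateway directly adjacent to 10.3.0.7; the /24 grouping is only a heuristic and should be corrected from the real subnet masks once known.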
Characteristics:
Utilize a sniffer to build a DB of packet streams,
Feed it into a design/modeling tool to observe loads, flows, statistics; such tools can usually interpret multiple protocols and equipment types
Benefits
Good for modeling Availability:
“What ifs” on host firewall loads, etc,
Loads on Authentication Servers,
Unusual Traffic Analysis
Visualization, compacting loads of traffic into a single visual
Drawbacks:
Fall short on modeling memory and software execution
Require massive storage and processing power to collect/store the data and then run the analysis
Expensive: design tools about $15,000, sniffers similar
http://www.sniffer.com/
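The sniffer-to-model pipeline above, reduced to its essentials as an added example (not from the talk or from any vendor tool): a sniffer's packet records are aggregated into flows, the per-second load on one server is computed, and one kind of "unusual traffic" is flagged. The capture is constructed; 10.0.0.1 on port 389 is assumed to be the authentication (LDAP) server, and the scan threshold of five distinct ports in one second is an arbitrary choice.

```python
"""Flow statistics and an 'unusual traffic' check over sniffer output.
Added example, not from the talk; the packet records are constructed."""
from collections import defaultdict

# Constructed capture, not real traffic: (time_s, src, dst, dst_port, proto, bytes).
# 10.0.0.1:389 stands in for an authentication (LDAP) server (assumption).
PACKETS = [
    (0.0, "10.0.0.5", "10.0.0.1", 389, "tcp", 600),
    (0.2, "10.0.0.6", "10.0.0.1", 389, "tcp", 600),
    (0.4, "10.0.0.7", "10.0.0.1", 389, "tcp", 600),
    (1.1, "10.0.0.5", "10.0.0.2", 80, "tcp", 1500),
    (1.3, "10.0.0.5", "10.0.0.2", 80, "tcp", 1500),
    (1.6, "10.0.0.8", "10.0.0.1", 389, "tcp", 600),
    # one host touching many ports on one target in half a second
    (2.0, "10.0.0.9", "10.0.0.2", 21, "tcp", 60),
    (2.1, "10.0.0.9", "10.0.0.2", 22, "tcp", 60),
    (2.2, "10.0.0.9", "10.0.0.2", 23, "tcp", 60),
    (2.3, "10.0.0.9", "10.0.0.2", 25, "tcp", 60),
    (2.4, "10.0.0.9", "10.0.0.2", 110, "tcp", 60),
    (2.5, "10.0.0.9", "10.0.0.2", 143, "tcp", 60),
]


def flows(packets):
    """Aggregate packets into flows: (src, dst, dst_port, proto) -> (packets, bytes)."""
    agg = defaultdict(lambda: [0, 0])
    for _, src, dst, port, proto, nbytes in packets:
        entry = agg[(src, dst, port, proto)]
        entry[0] += 1
        entry[1] += nbytes
    return {k: tuple(v) for k, v in agg.items()}


def load_per_second(packets, host):
    """Bytes delivered to `host` per one-second bin: the 'load on the auth server' view."""
    bins = defaultdict(int)
    for t, _, dst, _, _, nbytes in packets:
        if dst == host:
            bins[int(t)] += nbytes
    return dict(bins)


def peak_load(packets, host):
    """(second, bytes) of the busiest one-second bin for `host`, or (None, 0)."""
    bins = load_per_second(packets, host)
    if not bins:
        return (None, 0)
    second = max(bins, key=bins.get)
    return (second, bins[second])


def port_scanners(packets, window=1.0, threshold=5):
    """Flag (src, dst) pairs that hit >= `threshold` distinct dst ports within `window` seconds.

    A sliding window over each pair's time-ordered hits; the value is the largest
    number of distinct ports seen inside any one window."""
    by_pair = defaultdict(list)
    for t, src, dst, port, _, _ in packets:
        by_pair[(src, dst)].append((t, port))
    flagged = {}
    for pair, hits in by_pair.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= threshold:
            flagged[pair] = best
    return flagged


if __name__ == "__main__":
    for key, (n, b) in sorted(flows(PACKETS).items()):
        print(key, n, "pkts", b, "bytes")
    print("auth server peak:", peak_load(PACKETS, "10.0.0.1"))
    print("possible scanners:", port_scanners(PACKETS))
```

The same three functions are what a design tool computes at scale; the point of the sketch is that flow aggregation and binning throw away the packet payloads, which is why these tools say nothing about memory or software execution.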
Next area is Canned Attack/Defend
Characteristics
Canned rules,
Limited (but often numerous) scenarios, fixed decision tree execution paths
Often some random elements
High up-front building costs, using a multimedia package like Visual Basic or Macromedia Authorware. Rule of thumb (conservative): 300 man-hours for each hour of output
“I liked cyber protect because”:
- It felt real, programs got stale and needed updating. It exploited where I was weak
- Overall, this is an excellent product and one which I will take home to my network professionals and insist they give me a certificate.
- I found the CyberProtect exercise to be very instructional.  It did take me a while to get through the exercise but I was finally successful.  It was a good exercise and very informative.
- I found CyberProtect to be an excellent tool to test the knowledge of someone charged to protect an agency's infrastructure.  This is a tool that I will take back and provide to my team, and others within the department.
- When using the tool, one would quickly find out that if you did not at least cover your bases you were exposed and open to attacks.  This did not mean you had to purchase the high-end tools, but strategically placing low-end items where the network could handle it, and balancing between the middle to high ranges.  Upgrades could be applied if funds were available later on.
- Overall, hands-on allows the students to understand the process.  There were issues that were raised that provoked questions.....the whole purpose of the exercise.”
Demo of ISWGS
Types of Attacks
InfoChess
A few "specialized" rules are added to the usual game of Chess to simulate some of the characteristics of Information Operations such as 
"psychological operations,
military deception,
operations security,
electronic warfare, and
physical destruction,
mutually supported by intelligence, to deny information to, influence, degrade, or destroy adversary command and control capabilities."
It is played by many of the Information Warfare groups within the U.S. Military.
Characteristics
More Strategic in Nature – good for more “managerial” simulations, combining costs, and tools, people, and lifecycle issues like obsolescence
Quantitative and Qualitative Variables
Mix of apples & oranges, easily combine many seemingly disparate elements into one model
May include Multimedia
Benefits
Provides understanding of relationships, analysis of "nth order" effects
Ability to also change the model "on the fly"
good for working in groups to model the challenges
Analysis of long term effects
Capitalizes upon visual processing capability
Drawbacks
Requires basic understanding of the modeling symbolic representation system – system dynamics and/or discrete event simulation
Most people are not attuned to thinking systemically; requires convincing them that this approach has payoffs
Time and resource consuming to build the model
Rejection because the complexity is not understood: people prefer simplicity, the "right" answer
Switch over to ithink
Talk about sectors: point out elements, the dig-down capability, and the contrast to the "canned" approach
A very simplified model
Drag & Drop 2 Servers into the environment
The MFS involves many different variables and variable types.
A typical simulation would have more than 1000 variables.
Validation important but process of building the model is equally important – to overcome the blind men and elephant syndrome
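The "two servers dragged into the environment" model above, rewritten as a small system-dynamics program so the stock-and-flow idea is concrete. This is an added example, not the ithink model from the talk: three stocks (vulnerable, compromised, patched hosts), four flows, and one feedback loop in which each compromise eats admin hours that would otherwise have gone to patching. Every parameter (100 servers, 8 admin hours a day, half an hour per patch, four hours per rebuild, a 5% daily compromise rate, 2% of patched hosts regressing to vulnerable each day as new flaws are disclosed) is invented for illustration.

```python
"""Minimal system-dynamics model of a server estate under attack: stocks, flows
and a feedback loop between incident response and patching.
Added example in the spirit of the ithink model in the talk; all parameters are invented."""


def simulate(days=180, dt=1.0, servers=100.0, vulnerable0=80.0,
             admin_hours=8.0, hours_per_patch=0.5, hours_per_rebuild=4.0,
             attack_rate=0.05, new_vuln_rate=0.02):
    """Euler-integrate three stocks (vulnerable, compromised, patched) step by step.

    Flows per step:
      compromises = attack_rate * vulnerable        (attacker finds exposed hosts)
      rebuilds    = admin hours spent on compromised hosts, taken first
      patches     = admin hours left over, spent on vulnerable hosts
      regress     = new_vuln_rate * patched         (new disclosures / obsolescence)
    The feedback: every compromise consumes hours that would have gone to patching,
    which leaves more hosts vulnerable, which produces more compromises.
    Returns a list of (day, vulnerable, compromised, patched)."""
    v, c, p = vulnerable0, 0.0, servers - vulnerable0
    history = [(0, v, c, p)]
    for step in range(1, int(days / dt) + 1):
        compromises = attack_rate * v * dt
        hours = admin_hours * dt
        rebuilds = min(c, hours / hours_per_rebuild)          # incident response first
        hours -= rebuilds * hours_per_rebuild
        patches = min(v - compromises, hours / hours_per_patch)  # whatever time is left
        regress = new_vuln_rate * p * dt
        v += regress - compromises - patches
        c += compromises - rebuilds
        p += patches + rebuilds - regress                     # rebuilt hosts come back patched
        history.append((step * dt, v, c, p))
    return history


def final_compromised(**kwargs):
    """Compromised-host stock at the end of a run; handy for what-if comparisons."""
    return simulate(**kwargs)[-1][2]


if __name__ == "__main__":
    for hours in (8.0, 4.0):
        day, v, c, p = simulate(admin_hours=hours)[-1]
        print(f"{hours:.0f} admin h/day -> day {day:.0f}: "
              f"vulnerable {v:.1f}, compromised {c:.1f}, patched {p:.1f}")
```

Halving the admin hours does not halve the outcome: with this parameter set the 8-hour team eventually clears its backlog and patches faster than new flaws appear, while the 4-hour team settles into a steady state with a large standing population of compromised hosts. That non-linear, nth-order effect is exactly what the "canned" decision-tree products cannot show and what the model-building process is meant to surface.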
Many different possible uses for M&S in the IT Manager’s environment
Show film segment here
Perception management; industry vs. governmental roles.
Washington Post article 2 weeks ago on bioterrorism role playing.
Examples include
1. The Day After … in Cyberspace II [Anderson, 1997], a
2. Presidents Commission on Critical Infrastructure Protection (PCCIP) Strategic Simulation created by Booz, Allen, & Hamilton [Critical, 1997],
3. Winn Schwartau at the InfoWarCon Conference [InfoWarCon, 2001],
4. Cyber War at CSI 27 [Bliss, 2000], and
5. Dark Winter [Roberts, 2001]. Although Dark Winter is about BioTerrorism, it still conveys the type of strategic level decision-making and containment skills that would be necessary in a massive Cyber Terrorism event.
Typically, combinations of custom-built and high-end network design packages are used in role-playing scenarios.
JSIMS http://www.jsims.mil/
Deny Delay Deceive
Voice & Data
Utilizes a Run-Time Infrastructure (RTI)
CNA CND Component
Focus on tactical battlefield
JQUAD is the I.O. segment of JSIMS, run by CACI
JWARS Joint Warfare System
http://www.mitre.org/support/papers/tech_papers99_00/maxwell_jwars/index.shtml
C4ISR Component
NETWARS
http://www.disa.mil/D8/netwars/
Joint DISA & J-6 (C4I) project
Network simulation using OPNET
Network Warfare Simulation (NETWARS) is a communications modeling tool that enables the warfighter to credibly model tactical and operational communications demands with all the stresses that combat places on communications systems.
D-Wall is a deception mechanism that produces "deception" traffic on a network, similar to a honeypot
   http://all.net/journal/ntb/mathdeception/mathdeception.html
Cyber Command System is a centralized C2 system allowing command over the cyber security elements in a network; can recommend courses of action
  
Visual NRM is a static mapping tool which uses the Network Rating Methodology to
    http://chacs.nrl.navy.mil/projects/VisualNRM/
The value of formalized models, e.g. OSI, should be evident
Drivers in HLA – DOD components, war fighting
Drivers in Common Criteria – vendors, government, need for international level