M. Goh,Siddhant Shrivastava,A. Mathur,Francisco Furtado

DOI: https://doi.org/10.23919/CyCon55549.2022.9811000

2022-05-31

Abstract:This paper explores the objectives, tactics, and strategies for identifying, planning, conducting, and evaluating an international cyber-physical exercise (CPX). The goal of a CPX is to improve defense capabilities for defending national critical infrastructure via global coordination. Lessons about CPX have been derived from a series of annual cyber-physical defense exercises conducted since 2015, referred to as Critical Infrastructure Security Showdowns (CISS). The cyber range of a CISS consists of a realistic and operational enterprise network coupled to water treatment and distribution plants in the form of physical testbeds and digital twins. These systems simulate and integrate information technology (IT) and operational technology (OT) scenarios that are ubiquitous in modern-day critical infrastructure controlled by industrial control systems (ICS). Participants from the red, blue, green, and white teams are assigned specific roles to attack, defend, visualize, and manage the plant, respectively. Each of these roles is evaluated via a specific set of metrics by a panel of judges and automated systems. The scoring criteria incentivize the red teams to design and launch novel attacks to contribute to and improve the cybersecurity community’s knowledge base regarding offense and defense. The lessons distilled from these positive-sum games are analyzed and shared in the form of post-event reports.From 2015 to 2021, CISS has constantly evolved to mimic contemporary cyber-physical security scenarios in the real world. These evolutions have forced the CISS organizing team to adapt and design novel infrastructure to support the changing needs of the event and its stakeholders, from tooling, logistics, and network infrastructure to scoring criteria and cross-disciplinary collaboration.The cited reports on techniques, tactics, and procedures will be valuable to stakeholders from the military, industry, government, and academia.

Environmental Science,Engineering,Computer Science

Magdalena Glas,Gerhard Messmann,Günther Pernul

DOI: https://doi.org/10.1016/j.cose.2024.103965

IF: 5.105

2024-06-27

Computers & Security

Abstract:The global shortage of cybersecurity professionals poses a daunting challenge for organizations seeking to protect their assets and data. To counteract this workforce shortage, cyber range exercises (CRXs) can equip individuals with the necessary knowledge and skills to become security professionals. However, the complexity of CRXs tends to overwhelm trainees with little prior cybersecurity experience, resulting in ineffective learning experiences. To address this issue, we take an interdisciplinary approach, leveraging established models on learning and motivation for cybersecurity. In this pursuit, we propose a literature-based framework of six design principles that aim to facilitate CRX designers in creating more effective CRXs. To illustrate the framework's utility, we introduce a CRX for incident response built upon these principles. To evaluate the effectiveness of this principle-driven CRX design, we conducted a user study with N=89 participants. The results of this study showed that the design provided an engaging learning experience that enabled participants to effectively acquire incident response knowledge and skills.

computer science, information systems

Yongjoo Shin,Hyukjin Kwon,Jaeyeong Jeong,Dongkyoo Shin

DOI: https://doi.org/10.3390/electronics13193867

IF: 2.9

2024-09-30

Electronics

Abstract:As cyberattacks become increasingly sophisticated with advancements in information and communication technology, the impact of cyberspace threats is growing in both civilian and defense sectors. The utilization of cyber capabilities in operations is on the rise, prompting major nations to continuously enhance their cyber capabilities. This study aims to establish a systematic approach to cyber operations training and propose a framework for the development of cyber training. A hybrid cyber training system is designed as a plan for temporal and spatial integration to simultaneously combine simulation-based training with real-world target training. To develop this concept, a literature review was conducted, expert consultations were held, and data were collected and analyzed through visits to relevant organizations and units. Additionally, the fundamental components of cyber training were examined from environmental, scenario-based, and operational perspectives, leading to the presentation of a development direction for effective cyber training. This study is anticipated to enhance response capabilities to evolving cyber threats and attacks, improve cyber operational proficiency, and secure cyber power to achieve dominance in cyberspace.

engineering, electrical & electronic,computer science, information systems,physics, applied

Matthew Ricks

2024-01-01

Abstract:While a natural disaster or related threat may impact an organisation at some point, it is more likely (even inevitable) that it will be the victim of a cyber attack. The solution to being better prepared for these imminent attacks is to undertake more lightweight and frequent incident response (IR) exercises to help build capabilities and community through a tighter, recurring cycle of planning, conducting and assessing. To boost the facilitation of IR exercises, organisations must leverage the established relationships between business continuity management (BCM) or resilience staff (both of which are familiar with business continuity and disaster recovery exercises), and their information security office. As BCM will ultimately be involved in response and recovery after a cyber attack, it is intuitively more effective to collaborate with BCM in advance. Indeed, it has been substantiated that BCM engagement improves incident response time and reduces incident response costs. This paper concludes that involving BCM or resilience departments in IR exercises contributes to more effective responses to actual incidents.

Elochukwu Ukwandu,Mohamed Amine Ben Farah,Hanan Hindy,David Brosset,Dimitris Kavallieros,Robert Atkinson,Christos Tachtatzis,Miroslav Bures,Ivan Andonovic,Xavier Bellekens

DOI: https://doi.org/10.3390/s20247148

IF: 3.9

2020-12-13

Sensors

Abstract:Cyber situational awareness has been proven to be of value in forming a comprehensive understanding of threats and vulnerabilities within organisations, as the degree of exposure is governed by the prevailing levels of cyber-hygiene and established processes. A more accurate assessment of the security provision informs on the most vulnerable environments that necessitate more diligent management. The rapid proliferation in the automation of cyber-attacks is reducing the gap between information and operational technologies and the need to review the current levels of robustness against new sophisticated cyber-attacks, trends, technologies and mitigation countermeasures has become pressing. A deeper characterisation is also the basis with which to predict future vulnerabilities in turn guiding the most appropriate deployment technologies. Thus, refreshing established practices and the scope of the training to support the decision making of users and operators. The foundation of the training provision is the use of Cyber-Ranges (CRs) and Test-Beds (TBs), platforms/tools that help inculcate a deeper understanding of the evolution of an attack and the methodology to deploy the most impactful countermeasures to arrest breaches. In this paper, an evaluation of documented CRs and TBs platforms is evaluated. CRs and TBs are segmented by type, technology, threat scenarios, applications and the scope of attainable training. To enrich the analysis of documented CRs and TBs research and cap the study, a taxonomy is developed to provide a broader comprehension of the future of CRs and TBs. The taxonomy elaborates on the CRs/TBs dimensions, as well as, highlighting a diminishing differentiation between application areas.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Nabin Chowdhury,Vasileios Gkioulos

DOI: https://doi.org/10.1007/s10207-023-00704-z

2023-06-03

International Journal of Information Security

Abstract:Current enterprises' needs for skilled cyber-security (CS) professionals have prompted the development of diverse CS training programs and offerings. It has been noted that even though enterprise staff is now more aware of security threats, the number of successful attacks against companies has all but decreased over the years. Several criticisms were raised against current CS training offerings, which often made them inadequate, or unable to change participants' behavior and security attitude. One of the main factors CS training programs are often not very effective is the lack of engagement or motivation of participants. This is often the result of training not being tailored to the needs or preferences of participants. In our previous work, we tackled this issue by developing a personalized learning theory-based model for developing CS training frameworks. In this work, we utilize the model to develop two CS training exercises: two game-based scenarios using the CS training video game Cyber CIEGE and one table-top team exercise. The exercises are later tested by involving a group of 12 students from the Norwegian Institute of Science and Technology (NTNU) Information Security master's degree program. According to the results of the experiment and the feedback from the students, students felt more engaged during the exercises due to having been participants in their development process. This has in turn motivated them to continue using the training tools independently in their spare time. Further research is recommended to establish whether the training development model is adequate for different target groups, as well as better performing than other models when developing full-fledged training programs.

computer science, information systems, theory & methods, software engineering

Saif Al-Dean Qawasmeh,Ali Abdullah S. AlQahtani,Muhammad Khurram Khan

2024-01-21

Abstract:In the dynamic realm of cybersecurity, awareness training is crucial for strengthening defenses against cyber threats. This survey examines a spectrum of cybersecurity awareness training methods, analyzing traditional, technology-based, and innovative strategies. It evaluates the principles, efficacy, and constraints of each method, presenting a comparative analysis that highlights their pros and cons. The study also investigates emerging trends like artificial intelligence and extended reality, discussing their prospective influence on the future of cybersecurity training. Additionally, it addresses implementation challenges and proposes solutions, drawing on insights from real-world case studies. The goal is to bolster the understanding of cybersecurity awareness training's current landscape, offering valuable perspectives for both practitioners and scholars.

Cryptography and Security

Jillian Valente,Mark Reith

DOI: https://doi.org/10.34190/eccws.23.1.2332

2024-06-21

Abstract:Cyber competition and conflict remain an enduring concern for the Department of Defense (DoD). Positive control of cyberspace is crucial across the vast diversity of military operations and supporting activities. People play an important role in cyber prevention, detection, and remediation, but they receive relatively little training outside of the annual Cyber Awareness Challenge. While this gamified training is a reasonable baseline, it primarily addresses cybersecurity from the office worker's perspective. Other career fields within the DoD may benefit from specialized training in cybersecurity, in particular the civil engineering (CE) community supporting critical infrastructure protection. This paper surveys a range of contemporary cyber serious games and assesses each for potential inclusion into CE training. Furthermore, it suggests game elements and characteristics that are likely to benefit the CE community.

Álvaro Luis Martínez,Jorge Maestre Vidal,Victor A. Villagrá González

DOI: https://doi.org/10.48550/arXiv.2111.07005

2021-11-13

Abstract:Since the cyberspace consolidated as fifth warfare dimension, the different actors of the defense sector began an arms race toward achieving cyber superiority, on which research, academic and industrial stakeholders contribute from a dual vision, mostly linked to a large and heterogeneous heritage of developments and adoption of civilian cybersecurity capabilities. In this context, augmenting the conscious of the context and warfare environment, risks and impacts of cyber threats on kinetic actuations became a critical rule-changer that military decision-makers are considering. A major challenge on acquiring mission-centric Cyber Situational Awareness (CSA) is the dynamic inference and assessment of the vertical propagations from situations that occurred at the mission supportive Information and Communications Technologies (ICT), up to their relevance at military tactical, operational and strategical views. In order to contribute on acquiring CSA, this paper addresses a major gap in the cyber defence state-of-the-art: the dynamic identification of Key Cyber Terrains (KCT) on a mission-centric context. Accordingly, the proposed KCT identification approach explores the dependency degrees among tasks and assets defined by commanders as part of the assessment criteria. These are correlated with the discoveries on the operational network and the asset vulnerabilities identified thorough the supported mission development. The proposal is presented as a reference model that reveals key aspects for mission-centric KCT analysis and supports its enforcement and further enforcement by including an illustrative application case.

Cryptography and Security

Jan Vykopal,Pavel Čeleda,Valdemar Švábenský,Martin Hofbauer,Martin Horák

DOI: https://doi.org/10.1145/3649217.3653642

2024-04-16

Abstract:Tabletop exercises are used to train personnel in the efficient mitigation and resolution of incidents. They are applied in practice to support the preparedness of organizations and to highlight inefficient processes. Since tabletop exercises train competencies required in the workplace, they have been introduced into computing courses at universities as an innovation, especially within cybersecurity curricula. To help computing educators adopt this innovative method, we survey academic publications that deal with tabletop exercises. From 140 papers we identified and examined, we selected 14 papers for a detailed review. The results show that the existing research deals predominantly with exercises that follow a linear format and exercises that do not systematically collect data about trainees' learning. Computing education researchers can investigate novel approaches to instruction and assessment in the context of tabletop exercises to maximize the impact of this teaching method. Due to the relatively low number of published papers, the potential for future research is immense. Our review provides researchers, tool developers, and educators with an orientation in the area, a synthesis of trends, and implications for further work.

Computers and Society

Yu Zheng,Zheng Li,Xiaolong Xu,Qingzhan Zhao

DOI: https://doi.org/10.1016/j.dcan.2021.07.006

IF: 6.348

2021-07-01

Digital Communications and Networks

Abstract:Driven by the rapid development of the Internet of Things, cloud computing and other emerging technologies, the connotation of cyber space is constantly expanding and becoming the fifth dimension of human activities. However, security problems in cyber space are becoming serious, and traditional defense measures (e.g., firewall, intrusion detection systems and security audit) often fall into a passive situation of being prone to attacks and difficult to take effect when responding to new types of network attacks with higher and higher degree of coordination and intelligence. By constructing and implementing the diverse strategy of dynamic transformation, the configuration characteristics of systems are constantly changing and the probability of vulnerability exposure is increasing. Therefore, the difficulty and cost of attack are increasing, which provides new ideas for reversing the asymmetric situation of defense and attack in cyber space. Nonetheless, there are few related works that systematically introduce dynamic defense mechanisms for cyber security. The related concepts and development strategies of dynamic defense are rarely analyzed and summarized. To bridge this gap, we conduct a comprehensive and concrete survey of recent research efforts on dynamic defense in cyber security. Specifically, we firstly introduce basic concepts and define dynamic defense in cyber security. Next, we review the architectures, enabling techniques and methods for moving target defense and mimic defense. This is followed with taxonomically summarizing the implementation and evaluation of dynamic defense. Finally, we discuss some open challenges and opportunities on dynamic defense in cyber security.

Allan Cook,Helge Janicke,Richard Smith,Leandros Maglaras

DOI: https://doi.org/10.1016/j.cose.2017.07.009

2017-09-01

Abstract:The threat to Industrial Control Systems (ICS) from cyber attacks is widely acknowledged by governments and literature. Operators of ICS are looking to address these threats in an effective and cost-sensitive manner that does not expose their operations to additional risks through invasive testing. Whilst existing standards and guidelines offer comprehensive advice for reviewing the security of ICS infrastructure, resource and time limitations can lead to incomplete assessments or undesirably long countermeasure implementation schedules.In this paper we consider the problem of undertaking efficient cyber security risk assessments and implementing mitigations in large, established ICS operations for which a full security review cannot be implemented on a constrained timescale. The contribution is the Industrial Control System Cyber Defence Triage Process (ICS-CDTP). ICS-CDTP determines areas of priority where the impact of attacks is greatest, and where initial investment reduces the organisation's overall exposure swiftly. ICS-CDTP is designed to be a precursor to a wider, holistic review across the operation following established security management approaches. ICS-CDTP is a novel combination of the Diamond Model of Intrusion Analysis, the Mandiant Attack Lifecycle, and the CARVER Matrix, allowing for an effective triage of attack vectors and likely targets for a capable antagonist. ICS-CDTP identifies and focuses on key ICS processes and their exposure to cyber threats with the view to maintain critical operations. The article defines ICS-CDTP and exemplifies its application using a fictitious water treatment facility, and explains its evaluation as part of a large-scale serious game exercise.

computer science, information systems

Jason E. Ellis,Travis W. Parker,Joachim Vandekerckhove,Brian J. Murphy,Sidney Smith,Alexander Kott,Michael J. Weisman

DOI: https://doi.org/10.1109/MILCOM55135.2022.10017529

2023-02-16

Abstract:The vulnerability of cyber-physical systems to cyber attack is well known, and the requirement to build cyber resilience into these systems has been firmly established. The key challenge this paper addresses is that maturing this discipline requires the development of techniques, tools, and processes for objectively, rigorously, and quantitatively measuring the attributes of cyber resilience. Researchers and program managers need to be able to determine if the implementation of a resilience solution actually increases the resilience of the system. In previous work, a table top exercise was conducted using a notional heavy vehicle on a fictitious military mission while under a cyber attack. While this exercise provided some useful data, more and higher fidelity data is required to refine the measurement methodology. This paper details the efforts made to construct a cost-effective experimentation infrastructure to provide such data. It also presents a case study using some of the data generated by the infrastructure.

Cryptography and Security

Ekzhin Ear,Jose L. C. Remy,Shouhuai Xu

DOI: https://doi.org/10.1109/CSR57506.2023.10224940

2023-07-10

Abstract:Cyber ranges mimic real-world cyber environments and are in high demand. Before building their own cyber ranges, organizations need to deeply understand what construction supplies are available to them. A fundamental supply is the cyber range architecture, which prompts an important research question: Which cyber range architecture is most appropriate for an organization's requirements? To answer this question, we propose an innovative framework to specify cyber range requirements, characterize cyber range architectures (based on our analysis of 45 cyber range architectures), and match cyber range architectures to cyber range requirements.

Cryptography and Security

E. J. M. Colbert,D. T. Sullivan,A Kott

DOI: https://doi.org/10.48550/arXiv.1708.07424

2017-08-24

Cryptography and Security

Abstract:This paper presents general strategies for cyber war gaming of Cyber-Physical Systems (CPSs) that are used for cyber security research at the U.S. Army Research Laboratory (ARL). Since Supervisory Control and Data Acquisition (SCADA) and other CPSs are operational systems, it is difficult or impossible to perform security experiments on actual systems. The authors describe how table-top strategy sessions and realistic, live CPS war games are conducted at ARL. They also discuss how the recorded actions of the war game activity can be used to test and validate cyber-defence models, such as game-theoretic security models.

Mona Lange,Alexander Kott,Noam Ben-Asher,Wim Mees,Nazife Baykal,Cristian-Mihai Vidu,Matteo Merialdo,Marek Malowidzki,Bhopinder Madahar

DOI: https://doi.org/10.48550/arXiv.1703.03306

2017-03-09

Cryptography and Security

Abstract:The North Atlantic Treaty Organization (NATO) Exploratory Team meeting, "Model-Driven Paradigms for Integrated Approaches to Cyber Defense," was organized by the NATO Science and Technology Organization's (STO) Information Systems and Technology (IST) panel and conducted its meetings and electronic exchanges during 2016. This report describes the proceedings and outcomes of the team's efforts. Many of the defensive activities in the fields of cyber warfare and information assurance rely on essentially ad hoc techniques. The cyber community recognizes that comprehensive, systematic, principle-based modeling and simulation are more likely to produce long-term, lasting, reusable approaches to defensive cyber operations. A model-driven paradigm is predicated on creation and validation of mechanisms of modeling the organization whose mission is subject to assessment, the mission (or missions) itself, and the cyber-vulnerable systems that support the mission. This by any definition is a complex socio-technical system (of systems), and the level of detail of this class of problems ranges from the level of host and network events to the systems' functions up to the function of the enterprise. Solving this class of problems is of medium to high difficulty and can draw in part on advances in Systems Engineering (SE). Such model-based approaches and analysis could be used to explore multiple alternative mitigation and work-around strategies and to select the optimal course of mitigating actions. Furthermore, the model-driven paradigm applied to cyber operations is likely to benefit traditional disciplines of cyber defense such as security, vulnerability analysis, intrusion prevention, intrusion detection, analysis, forensics, attribution, and recovery.

Baptiste Prebot,Yinuo Du,Cleotilde Gonzalez

2023-04-04

Abstract:Given the increase in cybercrime, cybersecurity analysts (i.e. Defenders) are in high demand. Defenders must monitor an organization's network to evaluate threats and potential breaches into the network. Adversary simulation is commonly used to test defenders' performance against known threats to organizations. However, it is unclear how effective this training process is in preparing defenders for this highly demanding job. In this paper, we demonstrate how to use adversarial algorithms to investigate defenders' learning of defense strategies, using interactive cyber defense games. Our Interactive Defense Game (IDG) represents a cyber defense scenario that requires constant monitoring of incoming network alerts and allows a defender to analyze, remove, and restore services based on the events observed in a network. The participants in our study faced one of two types of simulated adversaries. A Beeline adversary is a fast, targeted, and informed attacker; and a Meander adversary is a slow attacker that wanders the network until it finds the right target to exploit. Our results suggest that although human defenders have more difficulty to stop the Beeline adversary initially, they were able to learn to stop this adversary by taking advantage of their attack strategy. Participants who played against the Beeline adversary learned to anticipate the adversary and take more proactive actions, while decreasing their reactive actions. These findings have implications for understanding how to help cybersecurity analysts speed up their training.

Cryptography and Security,Human-Computer Interaction

Benjamin Shreeve,Joseph Gardiner,Joseph Hallett,David Humphries,Awais Rashid

2023-06-21

Abstract:Cyber incident response is critical to business continuity -- we describe a new exercise that challenges professionals to play the role of Chief Information Security Officer (CISO) for a major financial organisation. Teams must decide how organisational team and budget resources should be deployed across Enterprise Architecture (EA) upgrades and cyber incidents. Every choice made has an impact -- some prevent whilst others may trigger new or continue current attacks. We explain how the underlying platform supports these interactions through a reactionary event mechanism that introduces events based on the current attack surface of the organisation. We explore how our platform manages to introduce randomness on top of triggered events to ensure that the exercise is not deterministic and better matches incidents in the real world. We conclude by describing next steps for the exercise and how we plan to use it in the future to better understand risk decision making.

Cryptography and Security

Pantaleone Nespoli,Mariano Albaladejo-González,José Antonio Pastor Valera,José A. Ruipérez-Valiente,Joaquin Garcia-Alfaro,Félix Gómez Mármol

2024-02-20

Abstract:It is undeniable that we are witnessing an unprecedented digital revolution. However, recent years have been characterized by the explosion of cyberattacks, making cybercrime one of the most profitable businesses on the planet. That is why training in cybersecurity is increasingly essential to protect the assets of cyberspace. One of the most vital tools to train cybersecurity competencies is the Cyber Range, a virtualized environment that simulates realistic networks. The paper at hand introduces SCORPION, a fully functional and virtualized Cyber Range, which manages the authoring and automated deployment of scenarios. In addition, SCORPION includes several elements to improve student motivation, such as a gamification system with medals, points, or rankings, among other elements. Such a gamification system includes an adaptive learning module that is able to adapt the cyberexercise based on the users' performance. Moreover, SCORPION leverages learning analytics that collects and processes telemetric and biometric user data, including heart rate through a smartwatch, which is available through a dashboard for instructors. Finally, we developed a case study where SCORPION obtained 82.10% in usability and 4.57 out of 5 in usefulness from the viewpoint of a student and an instructor. The positive evaluation results are promising, indicating that SCORPION can become an effective, motivating, and advanced cybersecurity training tool to help fill current gaps in this context.

Cryptography and Security,Computers and Society

Sanyam Vyas,John Hannay,Andrew Bolton,Professor Pete Burnap

2023-03-09

Abstract:Within recent times, cybercriminals have curated a variety of organised and resolute cyber attacks within a range of cyber systems, leading to consequential ramifications to private and governmental institutions. Current security-based automation and orchestrations focus on automating fixed purpose and hard-coded solutions, which are easily surpassed by modern-day cyber attacks. Research within Automated Cyber Defence will allow the development and enabling intelligence response by autonomously defending networked systems through sequential decision-making agents. This article comprehensively elaborates the developments within Automated Cyber Defence through a requirement analysis divided into two sub-areas, namely, automated defence and attack agents and Autonomous Cyber Operation (ACO) Gyms. The requirement analysis allows the comparison of automated agents and highlights the importance of ACO Gyms for their continual development. The requirement analysis is also used to critique ACO Gyms with an overall aim to develop them for deploying automated agents within real-world networked systems. Relevant future challenges were addressed from the overall analysis to accelerate development within the area of Automated Cyber Defence.

Cryptography and Security,Artificial Intelligence