Network Defense Trainer
NETWORK DEFENSE TRAINER OVERVIEW
The Network Defense Trainer (NDT) is a live-virtual-constructive (LVC) system for implementing sophisticated cyber range environments used to train all types of cyber warriors. Unlike most cyber ranges which use interconnected virtual machines running various operating systems and applications to replicate a live environment, our NDT system leverages a true virtual network model that accurately emulates a distributed network system. Both live and virtual hosts can be connected to the virtual network model, and the system can be federated with other training simulators to create powerful training solutions.
The key unique advantages of an NDT system are:
- Effectively represent mobile wireless equipment and applications (and the vulnerabilities they include) as they interoperate with wired backbone network infrastructure and fixed computing systems
- Accurately model the information transport fabric between servers and end-point systems in high fidelity to better demonstrate the effects of cyber-attacks
- Seamlessly integrate (federate) with other training systems such as air traffic control, flight training, and kinetic battlefield simulators
CYBER-ATTACKS AND "THE MISSION"
Training for any "mission", whether it is keeping a bank's website operational, running an airline operations center, or fielding a military exercise, must be as realistic as possible in order to avoid "negative training" – that is, learning behavior or procedures that are actually ineffective in the real environment. In cyber training, this translates to having the behavior of the systems under cyber-attack perform in a repeatable manner consistent with how they would in the real world.
Hardware-based or VM-based cyber ranges which replicate information systems are limited in scale, costly, and time-consuming to configure. These ranges have little or no capability to simulate wireless networks with their inherent vulnerabilities. They also do not integrate the impact of a cyber-attack into an overall mission which is essential for realistic mission rehearsal.
SCALABLE’s Network Defense Trainer addresses all of these shortcomings with a new, unique approach.
- Kinetic and non-kinetic in the same space
- Integrated LVC + cyber training
- Use real system and train to recognize cyber-attacks
- Work through degraded cyber environment
SCALABLE has invested 15 years in the development and evolution of its network emulation technology. Virtual network models run a full network communication protocol stack on every emulated node, and connect over simulated links that can be wired and wireless.
Running in real-time, actual packets pass from live equipment through the virtual network model and out to other live equipment. Live equipment and applications are subjected to cyber-attacks originating within the emulated network that connects them. The efficient, parallel-executing software can emulate networks of thousands of nodes on a single server.
Messages and data are exchanged between entities in a full Live-Virtual-Constructive (LVC) training environment where full missions (corporate, government, or military) under cyber-attack can be rehearsed.
The NDT system is software-based, is portable, and can integrate specific customer protocols (e.g. emerging DoD waveforms or SCADA communications).
Network Defense Trainer provides trainees with the opportunity to apply knowledge in realistic, stressful situations in a high fidelity synthetic environment. The system provides training for situational awareness and rapid correct responses, and will reinforce lessons learned with After Action Reviews that show trainees and observers what actually happened and why.
The system provides operational training in:
- Detecting when something is wrong
- Quickly assessing what is happening
- Containing the attack (cyber for cyber)
- Taking countermeasures (cyber for cyber)
- Modifying operations and assuring the mission (cyber for others)
The trainees can include everyone from commander or CEO to network administrators in the same training exercise, using real tools, and learning what to expect during a cyber-attack and how to react. The training is fast-paced to prepare for incidents at network speeds, and is centered on awareness, reaction time and correct action (at all levels), cyber defenses, workarounds, and if appropriate, countermeasures.
Trainees learn how to act individually and as part of a team. Teams learn to work together effectively as they attempt to thwart cyber-attacks.
The system includes models for:
NDT is configurable to incorporate live, virtual and constructive (LVC) elements into a full trainer with integrated cyber warfare effects. It is possible to integrate NDT with existing training systems to facilitate a rapid initial deployment. NDT provides the simulation of the network, equipment, and wired & wireless environment while running actual net-centric applications and cyber-attacks, and integrating with other LVC components.
A training system will typically consist of:
- NDT server
- One or multiple Management workstations providing Exercise Preparation, Exercise Control, Cyber Operating Picture, Performance Evaluation, and After Action Review functionality
- Red Force and Blue Force Role Player workstations
- Real (live) devices or equipment
- (Optional) gateway connections to conventional trainers or constructive simulations
The NDT server runs on a Linux host.
TECHNICAL DETAILS
A virtual network model emulates the network in software, and contains cyber warfare models that are used to attack or defend the network as well as the connected equipment and applications. Real devices, virtual machines, and role players connect and exchange data from live applications over the emulated network. The privacy, integrity, or availability of data can be compromised by cyber-attack, with resulting effects observed on the live equipment.
The server also maintains the various system databases of exercise objects, statistics and training metrics.
A suite of web services runs on the system, accessible via standard open APIs.
Management workstations can be any type of host that supports standard web browsers (such as Firefox, Chrome, Safari, IE, etc.). The various management functions include:
Exercise Preparation allows the creation, modification, or selection of Lesson Plans, mission scenarios, network configurations, cyber-attacks, device mapping, role and trainee assignments, and sides and teams.
Exercise Control is used to load and unload an exercise, control federation execution, freeze and unfreeze, launch cyber-attacks, take snapshots during the exercise and restore them (in case a trainee made an unrecoverable mistake), and communicate with trainees using chat and VoIP.
The Cyber Operating Picture gives an indication of the state of the network and devices, and can be used to launch cyber-attacks. An example is shown below.
Cyber Operating Picture Screen Sample
Performance Evaluation keeps track of trainees' progress. The launching of attacks is logged, and trainees' responses (views, keystrokes, clicks, and communication with others) are logged along with response times, to assist with scoring. It maintains databases of trainees and the exercises they have completed along with their scores.
After Action Review plays back any player's screenshots ("perceived truth") and actions on a timeline with attacks, other players' views, and the actual state of the network (the "ground truth"). An example screen shot is shown below.
After Action Review Screen Sample
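As an added illustration of the Performance Evaluation and After Action Review functions described above (example code written for this page, not SCALABLE's or NDT's own software, and assuming a constructed log layout rather than the product's real schema), the following Python merges an attack-launch log ("ground truth") with a trainee-action log ("perceived truth") into one playback timeline and scores each attack by time-to-detect, time-to-contain, and whether it was missed altogether:

```python
"""Added example (not SCALABLE's code): scoring trainee response times against
an attack log and building a merged After Action Review timeline."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class AttackEvent:
    attack_id: str
    name: str
    target: str          # emulated or live host the attack was launched against
    launched_at: datetime

@dataclass(frozen=True)
class TraineeAction:
    trainee: str
    at: datetime
    kind: str            # "view", "click", "chat", "block", "isolate"
    target: str          # host the action concerned
    detail: str

# Constructed sample logs (assumed format; not the product's own log schema).
ATTACK_LOG = [
    AttackEvent("A1", "dns-spoof", "srv-dns-01", datetime(2024, 5, 1, 9, 0, 0)),
    AttackEvent("A2", "link-flood", "rtr-edge-02", datetime(2024, 5, 1, 9, 4, 0)),
    AttackEvent("A3", "mitm", "wl-ap-03", datetime(2024, 5, 1, 9, 10, 0)),
]
ACTION_LOG = [
    TraineeAction("blue1", datetime(2024, 5, 1, 9, 0, 45), "view", "srv-dns-01", "opened resolver log"),
    TraineeAction("blue1", datetime(2024, 5, 1, 9, 1, 30), "chat", "srv-dns-01", "DNS answers look forged"),
    TraineeAction("blue2", datetime(2024, 5, 1, 9, 2, 10), "block", "srv-dns-01", "ACL drop rogue resolver"),
    TraineeAction("blue2", datetime(2024, 5, 1, 9, 5, 20), "view", "rtr-edge-02", "interface counters"),
    TraineeAction("blue1", datetime(2024, 5, 1, 9, 6, 0), "chat", "rtr-edge-02", "edge link saturated"),
    # no action ever touches wl-ap-03: the mitm attack goes unnoticed
]

DETECT_KINDS = {"chat"}               # first explicit report counts as detection
CONTAIN_KINDS = {"block", "isolate"}  # first defensive change counts as containment

@dataclass(frozen=True)
class ResponseScore:
    attack_id: str
    detected_after: Optional[timedelta]
    contained_after: Optional[timedelta]
    first_responder: Optional[str]

def score_attack(attack, actions, window=timedelta(minutes=15)):
    """Latency from launch to the first detection / containment action on the
    attacked host within `window`; None when the trainees never reacted."""
    relevant = sorted(
        (a for a in actions
         if a.target == attack.target
         and attack.launched_at <= a.at <= attack.launched_at + window),
        key=lambda a: a.at)
    det = next((a for a in relevant if a.kind in DETECT_KINDS), None)
    con = next((a for a in relevant if a.kind in CONTAIN_KINDS), None)
    return ResponseScore(
        attack.attack_id,
        det.at - attack.launched_at if det else None,
        con.at - attack.launched_at if con else None,
        det.trainee if det else None)

def score_exercise(attacks=ATTACK_LOG, actions=ACTION_LOG):
    return {a.attack_id: score_attack(a, actions) for a in attacks}

def missed_attacks(scores):
    """Attacks that drew no detection at all: the most important AAR finding."""
    return sorted(aid for aid, s in scores.items() if s.detected_after is None)

def aar_timeline(attacks=ATTACK_LOG, actions=ACTION_LOG):
    """Merge ground truth (attack launches) with perceived truth (trainee
    actions) into one time-ordered list suitable for playback."""
    rows = [(a.launched_at, "GROUND", f"{a.attack_id} {a.name} -> {a.target}") for a in attacks]
    rows += [(t.at, t.trainee, f"{t.kind} {t.target}: {t.detail}") for t in actions]
    rows.sort(key=lambda r: r[0])
    return [f"{ts:%H:%M:%S} [{src}] {text}" for ts, src, text in rows]

if __name__ == "__main__":
    for line in aar_timeline():
        print(line)
    scores = score_exercise()
    for aid, s in scores.items():
        print(aid, s)
    print("missed:", missed_attacks(scores))
```

The scoring deliberately keys on the attacked host rather than on the attack id, because trainees in an exercise never see the id; what the review shows is whether anyone noticed the affected system in time. The `window` bound keeps a reaction to a later attack on the same host from being credited to an earlier one.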
Role Player Workstations
Role players participate in the exercise at red/blue stations, with red players using real or simulated malware and exploitations to attack the virtual network and the connected live components. The blue role players try to accomplish their mission while monitoring and defending the network using their actual tools. The trainees are not limited to the Role Player stations. Trainees could also be at a live system such as a C2 station, or participating from another simulator.
Optional Gateway Connections
A gateway permits other training systems to participate in the cyber training exercise using HLA or DIS, if desired.
Constructive battlefield simulations can be integrated into the Network Defense Trainer, modeling the behavior of additional friendly and opposing entities. The constructive entities communicate with one another over the emulated network, with the success of these communications being subject to cyber-attack. Compromised communications affect the entities’ situational awareness and behavior, and therefore overall mission outcome.