87 research outputs found

    DEFINING, MEASURING, AND ANALYZING DEFENSIBILITY IN THE DEFENSIVE CYBER OPERATIONS CONTEXT

    When talking about cyber systems, both researchers and decision makers have used the term "defensibility" widely, but there is no universal definition for it and no method to observe and measure it. This study examines how defensibility can be defined in a defensive cyber operations context, what critical factors constitute it, and how those factors could be measured. This is done by first examining doctrine and research to create a framework of meaning for defensibility. Second, the study proposes seven fundamental capabilities that a defender needs to be able to perform in defensive cyber operations and a set of system attributes that affect those capabilities. Finally, a set of measures for those attributes is proposed to allow defensibility to be observed and measured. The results of this study are a definition of defensibility for the defensive cyber operations context, a list of system attributes that constitute its defensibility, and a set of associated measurements for these attributes. Using these, it is possible to analyze the defensibility of a system to indicate what restrictions a defender might have when conducting operations in the system and the areas where the system needs to improve. This work is the first step in building defensibility into a useful tool that highlights the needs of a defensive actor who conducts dynamic defensive operations in a system, versus the needs of an actor who implements static measures to increase cyber security. Löjtnant, Swedish Navy. Approved for public release. Distribution is unlimited.

    Examining the Roles of Army Reserve Component Forces in Military Cyberspace Operations

    Cyberspace operations have become pervasive in the United States, and they enable many aspects of modern life for the average citizen, such as entertainment, communication, education, transportation, banking, and voting. The continuing development of the U.S. Army and Department of Defense (DoD) Reserve component cyberspace units can leverage the capabilities and experience of industry and academia to help protect critical information infrastructure and enhance national security. What opportunities and challenges surround the integration of these forces into a still-evolving joint cyberspace force? https://press.armywarcollege.edu/monographs/1383/thumbnail.jp

    AUTOMATED CYBER OPERATIONS MISSION DATA REPLAY

    The Persistent Cyber Training Environment (PCTE) has been developed as the joint force solution to provide a single training environment for cyberspace operations. PCTE offers a closed network for Joint Cyberspace Operations Forces, which provides a range of training solutions from individual sustainment training to mission rehearsal and post-operation analysis. Currently, PCTE does not have the ability to replay previously executed training scenarios or external scenarios. Replaying cyber mission data on a digital twin virtual network within PCTE would support operator training as well as enable development and testing of new strategies for offensive and defensive cyberspace operations. A necessary first step in developing such a tool is to acquire network specifications for a target network, or to extract network specifications from a cyber mission data set. This research developed a program design and proof-of-concept tool, Automated Cyber Operations Mission Data Replay (ACOMDR), to extract a portion of the network specifications necessary to instantiate a digital twin network within PCTE from cyber mission data. From this research, we were able to identify key areas for future work to increase the fidelity of the network specification and replay cyber events within PCTE. Captain, United States Marine Corps. Approved for public release. Distribution is unlimited.

    Implications of Service Cyberspace Component Commands for Army Cyberspace Operations

    The first 7 years of U.S. Cyber Command operations are paved with milestones that mark the steady operationalization of modern cyberspace as the newest domain of military conflict as well as a realm of international power. The creation of the Cyber Mission Force and Joint Force Headquarters-Cyber are significant steps toward improving the timeliness and effectiveness of cyberspace operations that directly support combatant commands and the whole-of-government responses to cyberspace threats. It focuses on the central question: “What is the context in which different military services approach cyberspace component operations internally as well as with the Department of Defense?” https://press.armywarcollege.edu/monographs/1381/thumbnail.jp

    The Army Role in Achieving Deterrence in Cyberspace

    In 2015, the Department of Defense (DoD) released the DoD Cyber Strategy which explicitly calls for a comprehensive strategy to provide credible deterrence in cyberspace against threats from key state and nonstate actors. To be effective, such activities must be coordinated with ongoing deterrence efforts in the physical realm, especially those of near-peers impacting critical global regions such as China in the Asia-Pacific region and Russia in Europe. It is important for the U.S. Army to identify and plan for any unique roles that they may provide to these endeavors. This study explores the evolving concept of deterrence in cyberspace in three major areas:
    • First, the monograph addresses the question: What is the current U.S. deterrence posture for cyberspace? The discussion includes an assessment of relevant current national and DoD policies and concepts as well as an examination of key issues for cyber deterrence found in professional literature.
    • Second, it examines the question: What are the Army’s roles in cyberspace deterrence? This section provides background information on how Army cyber forces operate and examines the potential contributions of these forces to the deterrence efforts in cyberspace as well as in the broader context of strategic deterrence. The section also addresses how the priority of these contributions may change with escalating levels of conflict.
    • Third, the monograph provides recommendations for changing or adapting the DoD and Army responsibilities to better define and implement the evolving concepts and actions supporting deterrence in the dynamic domain of cyberspace.
    https://press.armywarcollege.edu/monographs/1379/thumbnail.jp

    Cyber Threat Reports 18 Nov - 12 Dec 2016

    Army Cyber Institute Cyber Threat Report. Tech Trends: Stories and Highlights. Hackers hunting Hackers. 48% of organizations have suffered ransomware attacks. ATM skimming hit NY hospitals. Mirai botnet attacks thousands of home routers. A new way to anonymize data might actually work

    Gamification as a neuroergonomic approach to improving interpersonal situational awareness in cyber defense

    In cyber threat situations, the establishment of a shared situational awareness as a basis for cyber defense decision-making results from adequate communication of a Recognized Cyber Picture (RCP). RCPs consist of actively selected information and have the goal of accurately presenting the severity and potential consequences of the situation. RCPs must be communicated between individuals, but also between organizations, and often from technical to non-/less technical personnel. The communication of RCPs is subject to many challenges that may affect the transfer of critical information between individuals. There are currently no common best practices for training communication for shared situational awareness among cyber defense personnel. The Orient, Locate, Bridge (OLB) model is a pedagogic tool to improve communication between individuals during a cyber threat situation. According to the model, an individual must apply meta-cognitive awareness (O), perspective taking (L), and communication skills (B) to successfully communicate the RCP. Gamification (applying game elements to non-game contexts) has shown promise as an approach to learning. We propose a novel OLB-based Gamification design to improve dyadic communication for shared situational awareness among (technical and non-technical) individuals during a cyber threat situation. The design includes the Gamification elements of narrative, scoring, feedback, and judgment of self. The proposed concept contributes to the educational development of cyber operators from both military and civilian organizations responsible for defending and securing digital infrastructure. This is achieved by combining the elements of a novel communication model with Gamification in a context in urgent need for educational input.

    TESTING DECEPTION WITH A COMMERCIAL TOOL SIMULATING CYBERSPACE

    Deception methods have been applied to the traditional domains of war (air, land, sea, and space). In the newest domain of cyber, deception can be studied to see how it can be best used. Cyberspace operations are an essential warfighting domain within the Department of Defense (DOD). Many training exercises and courses have been developed to aid leadership with planning and to execute cyberspace effects that support operations. However, only a few simulations train cyber operators about how to respond to cyberspace threats. This work tested a commercial product from Soar Technologies (Soar Tech) that simulates conflict in cyberspace. The Cyberspace Course of Action Tool (CCAT) is a decision-support tool that evaluates defensive deception in a wargame simulating a local-area network being attacked. Results showed that defensive deception methods of decoys and bait could be effective in cyberspace. This could help military cyber defenses since their digital infrastructure is threatened daily with cyberattacks. Marine Forces Cyberspace Command. Chief Petty Officer, United States Navy. Chief Petty Officer, United States Navy. Approved for public release. Distribution is unlimited.

    Ten Years In: Implementing Strategic Approaches to Cyberspace

    This book represents a look beyond theories and analogies to examine the challenges of strategy implementation. In the essays that follow, practitioners who are building cyberspace forces at-scale join scholars who study power and force in this new domain to collectively offer a unique perspective on the evolution and future of cyber strategy and operations. https://digital-commons.usnwc.edu/usnwc-newport-papers/1044/thumbnail.jp

    AN AUTOMATED POST-EXPLOITATION MODEL FOR OFFENSIVE CYBERSPACE OPERATIONS

    The Department of Defense (DOD) uses vulnerability assessment tools to identify necessary patches for its many cyber systems to mitigate cyberspace threats and exploitation. If an organization misses a patch, or a patch cannot be applied in a timely manner, for instance, to minimize network downtime, then measuring and identifying the impact of such unmitigated vulnerabilities is offloaded to red teaming or penetration testing services. Most of these services concentrate on initial exploitation, which stops short of realizing the larger security impact of post-exploitation actions and are a scarce resource that cannot be applied to all systems in the DOD. This gap in post-exploitation services results in an increased susceptibility to offensive cyberspace operations (OCO). This thesis expands upon the automated initial exploitation model of the Cyber Automated Red Team Tool (CARTT), initially developed at the Naval Postgraduate School, by developing and implementing automated post-exploitation for OCO. Implementing post-exploitation automation reduces the workload on red teams and penetration testers by providing necessary insight into the impact of exploited vulnerabilities. Patching these weaknesses will result in increased availability, confidentiality, and integrity of DOD cyberspace systems. Outstanding Thesis. Lieutenant, United States Navy. Approved for public release. Distribution is unlimited.