Analyzing Mission Impacts of Cyber Actions (AMICA)

semanticscholar(2016)

Abstract
This paper describes AMICA (Analyzing Mission Impacts of Cyber Actions), an integrated approach for understanding mission impacts of cyber attacks. AMICA combines process modeling, discrete-event simulation, graph-based dependency modeling, and dynamic visualizations. This is a novel convergence of two lines of research: process modeling/simulation and attack graphs. AMICA captures process flows for mission tasks as well as cyber attacker and defender tactics, techniques, and procedures (TTPs). Vulnerability dependency graphs map network attack paths, and mission-dependency graphs define the hierarchy of high-to-low-level mission requirements mapped to cyber assets. Through simulation of the resulting integrated model, we quantify impacts in terms of mission-based measures, for various mission and threat scenarios. Dynamic visualization of simulation runs provides deeper understanding of cyber warfare dynamics, for situational awareness in the context of simulated conflicts. We demonstrate our approach through a prototype tool that combines operational and systems views for rapid analysis.

1.0 INTRODUCTION

In the U.S. Department of Defense (DoD) roadmap for cyber modeling & simulation (M&S), planning for integrated cyber and kinetic mission assurance is a key capability area [1]. The range of capabilities called out in the roadmap underscores the urgent need for rapid progress in this area, especially given the asymmetric nature of cyber conflict. Of particular importance is the integration of kinetic operations with the defensive cyber operations that support them. This requires effective communication of cyber situations (and their big-picture impacts) to decision makers. In addition, there are numerous potential applications of cyber M&S, along a spectrum of increased maturity and corresponding research challenges, as shown in Figure 1.

Understanding mission resilience to cyber warfare requires bringing together layers of information from numerous sources.
At the lower layers, network topology, firewall policies, intrusion detection systems, system configurations, vulnerabilities, etc., all play a part. We can combine these into a higher-level attack graph model that shows transitive paths of vulnerability. We also need to map cyber assets to mission requirements, and capture dependencies from low-level requirements to higher-level ones appropriate for decision making. Because mission requirements are highly dynamic, we need to capture time-dependent models of mission flow. Cyber attacks and defenses are similarly dynamic, and defenses generally vary depending on particular attack classes.

Approved for Public Release; Distribution Unlimited. Case Number 15-0725. STO-MP-AVT-211.

[Figure 1: Spectrum of cyber M&S applications and challenges. Panels: Analysis (Explore, Understand, What-Ifs); Training (Planning, Doctrine, Dynamic Interaction); Operations (Live Decisions, Courses of Action).]

We introduce an approach that addresses all these aspects of mission-oriented cyber resilience, through an integrated M&S environment. This approach is called Analyzing Mission Impacts of Cyber Actions (AMICA). AMICA supports exploration and experimentation of the mission impacts of cyber warfare. The goal is to develop a flexible, extensible, modular, multi-layer M&S system for quantitative assessment of operational impacts of cyber attacks on mission performance. AMICA is expected to increase our understanding of dependencies between operational missions, cyber TTPs, and computing infrastructure.

2.0 PREVIOUS WORK

There have been numerous information-centric military exercises with aspects of mission assurance and cyber warfare. In many exercises (e.g., Global Thunder [2] and Turbo Challenge [3]), cyber security is an important component, but not the primary exercise focus.
More cyber-focused exercises such as Cyber Flag [4] have integrated cyber activities with operational missions for training purposes. M&S has been applied in more traditional military spheres, e.g., for inferring enemy intent [5], entity-based battlefield simulations [6], and command decision support [7]. However, military mission planning has yet to leverage M&S and other formal methods as part of its standard practice, especially in the area of developing cyber defensive courses of action. In short, tools such as AMICA for assessing mission impact of cyber warfare are generally unavailable for operations-level support. The defense community is aggressively accelerating cyber defense forces [8], further motivating the need for more advanced capabilities in cyber course-of-action planning.

In the cyber domain, M&S capabilities are still relatively immature. Still, previous work can be leveraged for certain components of an integrated overall M&S approach. Systems such as Topological Vulnerability Analysis (TVA) [9][10], Network Security Planning Architecture (NetSPA) [11], and NRL's ACCEPT (A Configurable Cyber Event Prioritization Tool) [12] fuse network data (topology, firewall rules, asset inventories, vulnerability scans/databases, intrusion alerts, etc.) into graph-based models for mapping vulnerability paths and prioritizing events. Capabilities such as MITRE's Cyber Command System (CyCS) [13] and Cyber Mission Impact Assessment (CMIA) [14], and AFRL's Cyber Mission Assurance [15] capture mission and cyber dependencies.

Another key enabler for cyber M&S is standardization efforts. Making Security Measurable™ [16] is a collection of standardization activities within the cyber security community.
It includes Common Vulnerabilities and Exposures (CVE), Common Attack Pattern Enumeration and Classification (CAPEC), Cyber Observable Expression (CybOX), Structured Threat Information Expression (STIX), and many others. These standards cover different aspects of security data needed for building comprehensive and accurate models. To capture the flow of mission and cyber processes, we leverage the Object Management Group (OMG) Business Process Model Notation (BPMN) [17] standard. We employ the commercial tool iGrafx [18], which extends BPMN with behavioral modeling, critical-path analysis, discrete-event simulation, Monte Carlo analysis, and experiment design.

3.0 APPROACH

To explore the AMICA approach, we are conducting a pilot study and developing a proof-of-concept system. We seek a flexible, extensible, modular, and multi-layer M&S environment for quantitative assessment of operational impacts of cyber attacks on specific missions, as shown in Figure 2. Thus components can be interchanged, e.g., multiple missions on an infrastructure, to support analysis of different questions.

[Figure 2 labels: Infrastructure Models; Mission Models; Cyber Defender TTPs; Cyber Attacker TTPs]
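The abstract and introduction describe combining a vulnerability dependency graph (transitive attack paths) with a mission-dependency graph (requirements mapped to cyber assets) to quantify mission impact over time. The sketch below is an added example, not code from the paper or the AMICA prototype: host names, mission requirements, the AND/OR operators and the use of hop count as a stand-in for time-to-compromise are all assumptions, and it replaces the paper's discrete-event simulation with a simple time-stepped walk.

```python
from collections import deque

# Constructed sample data (hypothetical hosts and mission names, not from the paper).
# Vulnerability dependency graph: edge A -> B means a foothold on A enables an exploit on B.
ATTACK_EDGES = {
    "internet": ["web"],
    "web": ["app"],
    "app": ["db1", "planner"],
    "db1": [], "db2": [], "planner": [],
}
# Mission dependency graph: requirement -> (operator, children); leaves are cyber assets.
MISSION = {
    "mission": ("AND", ["plan_sorties", "track_targets"]),
    "plan_sorties": ("AND", ["planner"]),
    "track_targets": ("OR", ["db1", "db2"]),  # redundant databases
}

def compromise_times(edges, entry):
    """BFS over the attack graph: hop count stands in for time-to-compromise (assumption)."""
    times, queue = {entry: 0}, deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in times:
                times[nxt] = times[node] + 1
                queue.append(nxt)
    return times

def operational(node, down, mission=MISSION):
    """Evaluate a requirement bottom-up given the set of compromised assets."""
    if node not in mission:            # leaf: a cyber asset
        return node not in down
    op, children = mission[node]
    results = [operational(c, down, mission) for c in children]
    return all(results) if op == "AND" else any(results)

def mission_timeline(entry, horizon, edges=ATTACK_EDGES, mission=MISSION):
    """For each step t, list the requirements that are no longer satisfied."""
    times = compromise_times(edges, entry)
    timeline = []
    for t in range(horizon + 1):
        down = {n for n, hit in times.items() if hit <= t}
        timeline.append(sorted(r for r in mission if not operational(r, down, mission)))
    return timeline

if __name__ == "__main__":
    for t, failed in enumerate(mission_timeline("internet", 4)):
        print(t, failed)
```

In this constructed scenario the redundant database keeps `track_targets` available, so the mission fails only through the single-asset `plan_sorties` dependency, which is the kind of result a defender uses to decide where redundancy or patching matters most.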