=Paper=
{{Paper
|id=Vol-2859/paper6
|storemode=property
|title=Analysis of Cyber Exercises Approaches
|pdfUrl=https://ceur-ws.org/Vol-2859/paper6.pdf
|volume=Vol-2859
|authors=Volodymyr Mokhor,Vasyl Tsurkan,Valeriia Pokrovska
|dblpUrl=https://dblp.org/rec/conf/its2/MokhorTP20
}}
==Analysis of Cyber Exercises Approaches==
https://ceur-ws.org/Vol-2859/paper6.pdf
61
Analysis of cyber exercises approaches
© Volodymyr Mokhor1[0000-0001-5419-9332], © Vasyl Tsurkan2[0000-0003-1352-042X]
and © Valeriia Pokrovska2[0000-0002-1318-5521]
1 Pukhov institute for modeling in energy engineering of National academy of sciences of
Ukraine, Kyiv, Ukraine
2 Institute of special communication and information protection National technical University
of Ukraine “Igor Sikorsky Kyiv Polytechnic Institute”, Kyiv, Ukraine
v.mokhor@gmail.com, v.v.tsurkan@gmail.com, Hilariyap@gmail.com
Abstract. Raising awareness of the organization’s employees comes down to
cyber exercise. They can target both an individual employee and specialists in
general. This is implemented mainly in four stages of organization of the cyber
exercises. In the first stage, the purpose, scenarios, evaluating system of results
for their execution are defined, and scenario-modeling environment is estab-
lished. It is tested for compliance with the purpose of cyber exercises within the
second stage. In the third stage, cybersecurity scenarios are being developed. The
results of the execution are evaluated in the fourth stage. This is due to the rele-
vance of the analysis of approaches to the organization of cyber exercises. In
solving this problem, it was established that there was no uniform interpretation
of this concept. First, such ambiguity of interpretations is associated with the di-
rection of cyber exercises. Therefore, approaches to their organization are fo-
cused on obtaining theoretical knowledge, practical skills, and cybersecurity
skills. Primarily, an incident detection and prevention approach is common. An-
other common approach is assessment of cybersecurity through penetration test-
ing. The application of these approaches can be generalized and organized as a
game.
Keywords: cybersecurity, scenario, incident, cyber exercises, cyber exercises
approaches.
1 Introduction
An important element of promoting and maintaining cybersecurity in an organization
is knowledge and awareness of existing threats types and real attacks on critical infra-
structure. [1]. Cyber exercises are organized through awareness-raising programs for
cybersecurity organizations. [2]. It mainly comes down to training in an interactive
form and is characterized by orientation both for the individual employee and for spe-
cialists as a whole.
There are four stages in the organization of cyber exercises [1-3]. In the first stage,
goals, scenarios, evaluating system of results for their execution, and the scenario-mod-
eling environment are established. The environment is being tested for compliance with
Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons
License Attribution 4.0 International (CC BY 4.0).
�62
the goals of cyber exercises in the second stage. In the third stage, established cyberse-
curity scenarios are being worked out, while the results of their execution are evaluated
at the fourth stage [3]. Depending on the purpose of cyber exercises and the training
level of organization employees, it can be organized using different approaches.
2 Cyber exercises approaches
Now there is no unified interpretation of the “cyber exercises”, concept for example:
“cyber training”, “cyber range”. Sometimes “cyberlearning” term is used, particularly,
when organizing remote cyber exercises. It is focused primarily on obtaining theoretical
knowledge. Unlike “cyberlearning”, a characteristic feature of “cyber training” and
“cyber range” is the focus on obtaining of practical cybersecurity skills [1-4].
Such terms as “cybersecurity exercises”, “cyber defense exercises” are often used
as interchangeable, and describe cyber exercises as processes for preparing, evaluating,
practicing, and improving the effectiveness of the organization to ensure cybersecurity
[4]. They cover large-scale computer modeling activities, as well as tabletop exercises,
for example, prepared possible scenarios card.
In military terms “drills” and “exercises” sometimes refer to similar activities, es-
pecially when it comes to training sessions [4]. The term “drills” is used to describe
systematic training in the use of techniques or tools by performing exercises repeatedly.
The repetitive, systematic nature of tasks as "drills" distinguishes them from other types
of exercises.
A typical approach to organizing cyber exercises is characterized by the acquisition
of skills and abilities to respond to cybersecurity incidents. First, they focus on both
their detection and prevention of manifestation in future activities [4]. In addition, it is
possible to focus on assessing cybersecurity through penetration testing. This is the
basis of an approach to identifying information vulnerabilities in cyberspace [5], in-
cluding the use of social engineering [6]. At the same time, the use of a game approach
to organizing cyber exercises is common. Within its framework, two teams are distin-
guished – attackers and “victims” [2].
2.1 Defense Oriented Approach
The specificity of each of the known approaches to organizing cyber exercises is deter-
mined by their purpose and focus, and depends on the training level (qualifications) of
the organization’s specialists. Among them, an approach that focuses on responding to
cyber incidents and reducing the consequences of their manifestations stands out.
Therefore, cyber exercises are carried out to practice protection methods that can be
used in responding to cybersecurity incidents. Defense Oriented Approach for cyber
exercises is one of the most promising approaches to cybersecurity [1, 7].
Raising the awareness of the organization’s employees is achieved through various
forms of cyber exercise, in particular, progressive, specialized and individual. This al-
lows participants to test their knowledge, ability, and cybersecurity skills. Among the
common forms of cyber-training, the following ones stand out [7]:
� 63
1. Tabletop exercises – this is a scenario-based discussion that validates proactive
countermeasures against simulated cyber incidents. For example: Elevation of Privilege
(EoP), EoP card game helps to study possible threats to software and computer systems,
Cyber Atlantic exercises conducted by ENISA, Cyber 9/12 Challenge tabletop activity
to developing national security policy recommendations for cyber incident scenario.
These exercises validate cybersecurity plans to identify vulnerabilities and determine
how to handle them.
2. Simulation exercises – these are practical training sessions in which cyber inci-
dents are simulated. For example: Cyber Coalition, Cyber Europe exercises conducted
by ENISA. Practical activities allow participants to see the effects of cyberattacks in a
controlled environment.
3. Full scale Exercises – these are challenging exercises that are designed to pro-
vide practical skills in real time. For example: Locked Shields and Baltic Shields exer-
cises. This type of simulation is realistic, it allows you to check cybersecurity plans,
security policies [8]. Their main purpose is to analyze and test methods of countering
cyberattacks.
The Defense Oriented Approach is more about system administration and digital
forensics. Participants of cyber exercise who seek to defend themselves against cyber
incidents and their consequences should be aware that defense activities are a continu-
ous process that can be represented by a sequence of such actions [ 7]:
1. Creation of a security policy – Involves the use of various tools to eliminate
vulnerabilities. Encryption methods can be used to hide the transmitted data through
channels exposed to dangerous influences. Systems with known security vulnerabilities
should be kept up to date by the remediation of them. Ensuring physical security pro-
vides for reliable storage of equipment.
2. Security status monitoring – Plays a critical role in determining how effectively
security policy requirements are met. This is achieved by using, for example, intrusion
detection and prevention systems. They can be considered as an effective solution for
monitoring unwanted traffic.
3. Testing of security measures is seen as the only way to convince the imple-
mented means to maintain the security policy. The purpose of security measures testing
is to identify all possible loopholes and weaknesses of the software system, which might
result in a loss of important information.
4. Improving security assurance – achieved by considering vulnerability reports
and security advisories that help keep abreast of new potential attacks. Monitoring, test-
ing, and identifying vulnerabilities is critical to refining and tuning security policies.
Such actions are considered as the basis for the presentation “Security Wheel” (see,
for example [7], Fig. 1). They should be used to ensure the security of information
assets, to track them by stages of the life cycle. Due to this, it is possible to timely detect
attacks and, most importantly, reduce their occurrence and, as a result, improve security
configuration.
In the Defense Oriented Approach, there are at least three ways to organize exercises
for cyber exercises participants [8]:
1. Obtaining requirements and services that must be provided and / or developing
their own measures, means to meet them.
�64
2. Obtaining the default settings for certain systems, programs, or services that
must be provided and configured to meet security requirements.
3. Access to the installed and configured systems, programs, services whose secu-
rity must be ensured. In this approach, the attacker can be seen as an instructor or an
external party.
Fig. 1. “Security Wheel”.
An example of using Defense Oriented Approach is Blue Teaming exercise. It is
designed to train the team, which must ensure the security of pre-configured and secure
infrastructure. Red Team real or automated (in the form of scenarios), prepares a train-
ing scenario in accordance with the set goal.
Obtaining theoretical knowledge and skills of cyber defense (cyber defence exer-
cises, CDX) are among examples of cyber exercises. The main focus is on cybersecurity
defense tasks. In particular, conducting forensic investigations and practicing security
configuration skills, such as networking.
The Cyber Europe exercises focus on simulating manifestations of large-scale secu-
rity incidents that could lead to a cyber crisis. The training offers opportunities for dig-
ital forensic analysis (e.g. of incidents or malware), as well as solving complex business
continuity situations and overcoming cybercrises.
2.2 Offense Oriented Approach
Computer systems can be compromised in various ways, and countering complex and
persistent attacks consists of understanding the sequence of possible malicious actions
and thinking of the attacker. Exercises within the Offense Oriented Approach, namely
Red Teaming, support the development of security measures and tools given the com-
plexity of attacks. That is why this approach to organizing cyber exercises is focused
on practicing proactive cyber security mechanisms. Such exercises usually simulate the
protection of critical infrastructure from cyber security incidents [7, 9].
� 65
Most of the exercises in this approach to organizing cyber exercises involve oper-
ating servers and performing penetration tests on target systems. Starting with target
system recognition, vulnerability detection and assessment, cyber security participants
check security violations, try to use them to achieve the goal of conducting a scenario
to access the target system [6, 9]. Maintaining access to the system and introducing
hidden command and control systems ensures the effectiveness of cyber exercises.
Testing security plan, measures, and procedures implemented by simulating attacker
behavior can improve security.
Participants in cyber exercises should master the offensive model of behavior to
ensure cybersecurity. It helps to better understand how to defend against cybersecurity
incidents. At the same time, there is a need for a deep understanding of how to conduct
attacks in order to know how to mitigate them and minimize possible losses. Therefore,
the Offense Oriented Approach encourages participants to view the exercises as attack-
ers (intruders). They will have to conduct attacks to accomplish various tasks. Simulat-
ing real attacks is reduced to performing a sequence of steps, namely (see, e.g. [9], Fig.
2):
1. Reconnaissance.
2. Weaponization (takes into account the received information during reconnais-
sance, creation of malicious software).
3. Delivery (detection of vulnerabilities for the threats implementation).
4. Exploitation (realization of threats due to identified vulnerabilities).
5. Privilege escalation (exploiting a bug, to gain elevated access to resources).
6. Lateral movement (when an attacker moves from a compromised device to oth-
ers on this network).
7. Command and control.
8. Exfiltrate and complete (data extraction, placement backdoors).
Fig. 2. Red Team Actions
In Offense Oriented Approach, a system that is preconfigured for known vulnerabil-
ities can be affected. At the same time, most of them do not necessarily have to be
guided by someone during the attack.
Using Red Teaming as a cybersecurity training exercise can be an effective way to
gain the decision-making skills and abilities needed to detect and counter cybersecurity
incidents. Red Teaming exercises may involve the use of a set of available methods and
tools, or may develop a response to unforeseen situations. Offense Oriented Approach
to organize cyber exercise is extremely useful for testing infrastructure and systems,
identifying security vulnerabilities, and configuration errors when learning to counter
�66
cyberattacks. During cyber exercises, it is important to understand the possible conse-
quences. The closest thing to cyberattack training is the format of so-called “ethical
hacking”, which may also be called pentesting and Red Teaming.
Examples of the “offensive” type international cyber exercises are Locked Shields,
Cyber Coalition, Baltic Cyber Shield. These cyber trainings are focused on improving
technical skills for response, cyber investigations, proactive response to cyber incidents
in order to protect critical infrastructure.
2.3 War Game Approach
The approach chosen for cyber exercises should depend on their intended purpose. As
a rule, they are designed to provide theoretical knowledge and practical skills to security
administrators. This is realized through the use of the Defense Oriented Approach.
Whereas penetration testing exercises are based on Offense Oriented Approach. How-
ever, a mixed approach, namely the War Game Approach, is advisable for a compre-
hensive cyber exercise.
The Mixed Approach combines the Defense Oriented Approach with the Offense
Oriented Approach. Thus, its complexity is achieved when performing exercises with
cyber defense. In this case, the participants of the cyber exercise are divided into two
teams. The first plays the role of a defender (“victim”). The second reflects the role of
attackers (intruders).
An example of cyber exercise that combines offensive and defensive approaches is
the CTF competition (Capture the flag) [10]. These training exercises give participants
the opportunity to feel the role of an attacker or a defender. They can test their abilities
in solving cybersecurity problems. They provide for the detection of vulnerabilities,
exploit implementation, data protection, forensics. Fulfillment of tasks is evaluated by
the gain in the form of “flags”. In particular, a file with a unique string of special char-
acters [11]. Checking the “flags” in the system allows setting grades depending on the
complexity of the tasks.
There are two main formats of CTF [11]:
1. Task-based (Jeopardy) – training is reduced to solving as many problems as pos-
sible in different areas (digital forensics, web application, cryptography, mobile Secu-
rity)
2. Attack-defense – training is reduced to the protection of, for example, the net-
work, server, confidential information and maintaining the functionality of intended
services at the same time as the implementation of attacks aimed at violating services
is carried out by the enemy team.
Participants in cyber exercises are involved in scenarios, and the team of attackers
uses real tools of operation and penetration to attack the virtual network. The defense
team monitors the state of the network and network equipment and protects the net-
work, they can also practice counterattacks against the red team. A group of people,
known as the white team, create the training environment and control the cyber training.
They establish a set of rules for interaction between the red and blue teams and some-
times act as instructors to give tips to exercise participants in cyber training.
� 67
2.4 Cyber exercise tools
The use of tools in organizing cyber exercise is mostly reduced to such options:
1. Simulation tools – tools that allow you to conduct practical training sessions, for
example [10]: online platform, cyber training range. They simulate cyber incidents, the
response to which is expected in real time.
2. Tabletop tools – toolboxes that are allowed to conduct cyber exercise based on
discussion, for example [12]: cards with the exercise scenario, quiz. Participants gather
and discuss their role in an emergency (cybersecurity incident) and possible response
options.
Both types of cyber exercise tools have their advantages and disadvantages. Full-
scale modeling may involve the use of virtual network environments that allow exercise
participants to monitor the manifestations of cybersecurity incidents. However, this re-
quires a lot of resources and detailed planning. At the same time, tabletop tools should
use a small period of time, taking into account the need for concentration. Because they
are focused on discussions and therefore the sense of urgency and realism in modeling
is lost.
If special skills are not required to prepare for the use of tabletop tools, then the use
of simulation tools is due to the presence of theoretical knowledge and skills in setting
them up. However, despite this, it is now common to simulate real-world situations
using appropriate hardware and software. Developing realistic and scalable scenarios
becomes important for effective cyber exercises. An example of such cyber exercise
tools is [10]:
1. Hardware cyber range, although realistic, but large-scale, expensive and time-
consuming to set up. Due to its cost, the number of exercise participants who can be
trained in any of the scenarios of cyber threats is limited. In addition, it limits the total
number of cyber exercise participants over a set period of time. We should also mention
the wired cyber range, which is characterized by the complexity of modeling wireless
tactical networks with their inherent vulnerabilities.
2. Virtual cyber range is considered as a simulation environment that provides real-
time hardware and software for the implementation of cyber threats to the network in-
frastructure [2]. It is closely integrated with physical equipment, programs, network
monitoring tools, intrusion detection and prevention systems and structural modeling
“battlefield”. This provides cybersecurity skills and countermeasures against cyberat-
tacks (see, e.g. [13], Fig. 3). Simulation is about presenting a real system with an analog
that is easier to manage, providing the same functionality, without reference to a spe-
cific location and equipment.
�68
Fig. 3. General cyber range model
The general cyber range model of a cyber exercise site is defined by the following
components [2, 13]:
1. Orchestration Layer – layer that uses input data from RLMS. It is designed to
orchestrate cybersecurity tools. At the same time, it integrates the technology and ser-
vice components of the cyber range.
2. Underlying Infrastructure – level of infrastructure, which determines the realism
and accuracy of the cyber range. In addition, ways of generating traffic and modeling
attacks are used.
3. Virtualization Layer – layer, which is defined as a firewall between the target
and underlying infrastructures. Whereas the target infrastructure is considered relative
to the feasibility of attacks.
4. Target Infrastructure – a simulated environment in which cyber exercise partic-
ipants training. Based on the purpose of their organization, scenarios will be generated
to create the target infrastructure at the orchestration level. A scenario may contain
configuration-specific information, including IP address ranges, routing information,
server stacks, and software.
The approaches to organizing cyber exercises are analyzed in Table 1, taking into
account the peculiarities of their use and the relevant tools (see Table 1).
� 69
Table 1. Analysis of cyber exercises approaches
S. Formulation of Features Tools
No the approach of using the approach
1. Defense Oriented Focuses on countering manifestations of cards with the ex-
Approach cybersecurity incidents and preventing their ercise scenario,
consequences. Acquires cybersecurity quiz, virtual cyber
skills and abilities. Pre-prepared scenarios range
are used.
2. Offense Oriented Proactive cybersecurity measures are prac- virtual cyber
Approach ticed. Counter-attack skills are obtained to range, online plat-
counteract the feasibility of cyber incidents. form
Pre-prepared scenarios are used.
3. War Game Combined Defense Oriented Approach virtual cyber
Approach with Offense Oriented Approach. Assumes range, online plat-
division of participants into teams (e.g., form
“victim”, ttacker, mentor). There are no
pre-prepared scenarios.
Conclusion
Thus, the organization of cyber exercises is accompanied by the use of various con-
cepts. Each of them determines their specificity, taking into account the orientation of
both the individual employee and the specialists as a whole. Such features determine
the choice of approaches to the organization of cyber exercises. In particular, they can
focus on individual cybersecurity tasks, for example, on incident response (“Cyber de-
fense”), cybersecurity assessment (“Compensation Testing”), or reduction of the num-
ber of solutions to the game (“War game”).
References
1. Seker, E., Ozbenli, H.: The Concept of Cyber Defence Exercises (CDX): Planning, Execu-
tion, Evaluation. In: 2018 International Conference on Cyber Security and Protection of
Digital Services (Cyber Security). pp. 1-9, IEEE, Glasgow, Scotland, UK, (2018)
https://doi.org/10.1109/CyberSecPODS.2018.8560673, last accessed 2020/18/11.
2. Yamin, M., Katt, B., Gkioulos, V.: Cyber Ranges and Security Testbeds: Scenarios, Func-
tions, Tools and Architecture. Computers & Security, vol. 88 (2020), https://doi.org/
10.1016/j.cose.2019.101636, last accessed 2020/11/10.
3. Kick, J.: Cyber exercise playbook. The MITRE Corporation, Wiesbaden, Germany (2014).
4. Vykopal, J., Vizvary, M., Oslejsek, R., Celeda, P., Tovarnak, D.: Lessons learned from com-
plex hands-on defence exercises in a cyber range, In: IEEE Frontiers in Education Confer-
ence (FIE). pp. 1-8. IEEE, Indianapolis, IN, USA, https://doi.org/10.1109/FIE.2017.8190713,
last accessed 2020/11/10.
5. Matania, E., Yoffe, L., Goldstein, T.: Structuring the national cyber defence: in evolution
towards a Central Cyber Authority. Journal of Cyber Policy, vol. 2, no. 1, 16-25 (2017),
https://doi.org/10.1080/23738871.2017.1299193, last accessed 2020/11/10.
�70
6. Mokhor, V. V., Tsurkan, O. V., Tsurkan, V. V., Herasymov, R. P.: Information Security
Assessment of Computer Systems by Socio-engineering Approach. In: Proc. XVII Interna-
tional Scientific and Practical Conference Information Technologies and Security: selected
papers. Vol. 2067. Aachen, Germany: CEUR WS, 2017. pp. 92-98, http://ceur-ws.org/Vol-
2067/paper13.pdf.
7. Patriciu, V. V., Furtuna, A. C.: Guide for designing cyber security exercises. In: Proceedings
of the 8th WSEAS International Conference on E-Activities and Information Security and
Privacy, pp. 172–177. World Scientific and Engineering Academy and Society, WSEAS
(2009).
8. Knüpfer, M., Bierwirth, T., Stiemert, L., Schopp, M., Seeber, S., Pöhn, D., Hillmann, P.:
Cyber Taxi: A Taxonomy of Interactive Cyber Training and Education Systems. Model-
driven Simulation and Training Environments for Cybersecurity, vol. 12512, 3-21 (2020),
https://doi.org/10.1007/978-3-030-62433-0_1, last accessed 2021/16/01.
9. López de Jiménez R.: Pentesting on web applications using ethical – hacking. In: IEEE 36th
Central American and Panama Convention (CONCAPAN XXXVI), pp. 1-6. IEEE, San Jose,
Costa Rica, https://doi.org/10.1109/CONCAPAN.2016.7942364, last accessed 2020/11/10.
10. Dewar, Robert, S.: Cybersecurity and Cyberdefense Exercises, CSS Cyber Defense Reports,
Center for Security Studies (CSS), ETH Zurich, (2018), https://doi.org/10.3929/ethz-b-
000314593, last accessed 2020/18/11.
11. Cowan, C., Arnold, S., Beattie, S., Wright, C., Viega, J.: Defcon Capture the Flag: Defend-
ing Vulnerable Code from Intense Attack. In: Proceedings DARPA Information Survivabil-
ity Conference and Exposition. vol. 1, pp. 120-129, Washington, DC, USA, https://doi.org/
10.1109/DISCEX.2003.1194878, last accessed 2020/12/18.
12. Angafor, G., Yevseyeva, I., He, Y.: Game‐based learning: A review of tabletop exercises
for cybersecurity incident response training. Security and Privacy 3(6), 117-131 (2020),
https://doi.org/10.1002/spy2.126, last accessed 2020/23/12.
13. National Initiative for Cybersecurity Education (NICE). The Cyber Range: A Guide. Guid-
ance Document for the Use Cases, Features, and Types of Cyber Ranges in Cybersecurity
Education, Certification and Training, https://cutt.ly/8kipFaN, last accessed 2020/23/12.
�