=Paper= {{Paper |id=Vol-3057/paper1.pdf |storemode=property |title=Conducting Cyber Exercises Based on the Information Security Threat Model |pdfUrl=https://ceur-ws.org/Vol-3057/paper1.pdf |volume=Vol-3057 |authors=Aleksandr V. Dorofeev,Alexey S. Markov }} ==Conducting Cyber Exercises Based on the Information Security Threat Model== https://ceur-ws.org/Vol-3057/paper1.pdf
Conducting Cyber Exercises Based on the Information Security
Threat Model
Aleksandr V. Dorofeev¹ and Alexey S. Markov¹,²
¹ NPO Echelon, 24 2nd Electrozavodskaya ul., Moscow, 107023, Russia
² Bauman Moscow State Technical University, 5/1 2nd Baumanskaya ul., Moscow, 105005, Russia


Abstract
The purpose of this study is to demonstrate the use of Russian guidelines for computer threat assessment to organize information security exercises. The study deals with cyber exercises as a relevant class of online learning in information security. The authors analyzed the definitions and showed the specific features and classifications of cyber exercises. They reviewed the codes, regulations, and guidelines applicable to cyber exercises and described the systematics underlying cyber exercise scenarios. MITRE ATT&CK and the FSTEC guidelines on information security threat assessment are compared in brief. It is concluded that the Russian guidelines can be used to develop cyber exercise scenarios. We provide an example of a Russian CTF competition and present a CTF competition scenario compliant with the Russian guideline.

Keywords
Education, game-based learning, information security exercises, training, awareness, table-top exercise, cyber-defense exercises, drill, cyber range, cyber security polygon, ATT&CK

1. Introduction
    It is commonly believed that the basics of learning by simulating real crises (which can include targeted cyber-attacks) were laid down by John Dewey in 1938 [1, 2]. In the military field this approach, called exercises, was used much earlier: the saying of the great military leader Aleksandr Suvorov, "What is difficult in training will become easy in battle", stated in the regulation on military training of troops in 1794, is widely known.
    Currently, the applied capabilities for simulating real-life situations for training purposes have changed fundamentally with general computerization, the spread of online work, and the introduction of computer simulation packages for thematic environments (e.g. critical information infrastructure facilities), etc. The transfer of crisis simulation into the field of information security has given rise to a new discipline, namely cyber competitions and exercises. In creating and implementing cyber exercises, methodologists usually rely on information security systematics of American origin, in particular those developed by NIST and MITRE. In this publication, the authors give an example of cyber exercises based on the Russian FSTEC threat assessment procedure [3, 4].

2. Introduction to Definitions

   At present, the definitions of cyber exercises are still in their infancy and originate, naturally, from the military field. For example, MITRE [5] defines exercises as simulated military cyber operations (involving planning, preparation, and execution) aimed at training and evaluating an organization, with a focus on its information security program. NIST [6] notes that exercises should be a simulation of an emergency designed to test the IT plan, primarily the roles and responsibilities of personnel. The ITU interprets the goals of cyber exercises as improving the coordinated response to cyber incidents when dealing with cyber threats [7]. According to ISO 22398, exercises can be used to verify documents, train personnel, clarify and educate them on roles and responsibilities, improve coordination and communication, improve individual performance, etc. [8]. The term is elaborated in ECSO [9], which defines cyber exercises as a planned activity in which an organization simulates cyber-attacks, information security incidents, or other types of breaches to test the cyber capabilities of the organization, from the ability to detect a security incident to the ability to respond adequately and minimize any associated consequences (Fig. 1).

Proceedings of VI International Scientific and Practical Conference Distance Learning Technologies (DLT–2021), September 20-22, 2021, Yalta, Crimea
EMAIL: av@cnpo.ru (A. 1); a.markov@bmstu.ru (A. 2)
ORCID: 0000-0003-0111-7377 (A. 2)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org)




Figure 1: Cyber Exercises as an Interdisciplinary Activity

    Based on the descriptions of cyber security exercises [2, 10-13], cyber exercises should include the following specific activities:
        • Simulate an information security emergency;
        • Evaluate actual and real (rather than hypothetical) threats, vulnerabilities, and computer security attacks;
        • Use a comprehensive training program, including a game scenario that can evolve during the game;
        • Improve staff awareness, roles and responsibilities, coordination, and the ability to make decisions in abnormal situations.
    As for the last item, it should be noted that exercises require practicing decision-making based on the knowledge obtained [14], for example in any situation that is not described in the incident management and computer attack response manuals [15-19].
    It is well known that the personnel of cyber exercises are organized into several teams, usually the following: Red team (attackers), Blue team (defenders), Green team (administrators), White team (organizers), Yellow team (researchers), etc. (Fig. 2).




Figure 2: Cyber Teamwork

   The objectives and expectations of cyber exercises are determined by specific goals and capabilities, and may, for example, include the following:
       • Train technical personnel in the use of information security tools,
       • Increase cyber security awareness,
       • Practice the management of decision-making while responding to incidents,
       • Practice communication processes within the team of defenders,
       • Check the adequacy of the organization's incident response regulations, etc.
   A cyber range normally includes the following segments [9-20]:
       • Base segment: high-performance servers that can run dozens or hundreds of virtual servers simultaneously, as well as a virtualization system;
       • Virtual infrastructure for protection and attack: network equipment, servers, and workstations, information security tools;
       • Supporting infrastructure;
       • Scoring system (refereeing system).

3. Regulations and Guidelines
    Regulations provide answers to the following questions:
        • When are cyber exercises necessary?
        • How should they be conducted?
    As far as the first question is concerned, it should be pointed out that the staff of organizations must be trained, and information security audits are recommended (primarily a penetration test simulating real attacks). As is known, in most countries of the world these matters are regulated by the state. In Russia, information security audit requirements (including penetration tests) are explicitly defined by the security regulators for the banking sector (Bank of Russia standard) and critical information infrastructure (Orders of FSTEC of Russia). The necessity and frequency of personnel retraining and advanced training are determined by Resolutions of the Russian Government (Resolution of the Government of the RF No. 79, Resolution of the Government of the RF No. 171, Resolution of the Government of the RF No. 313) and specified in the recommendations and regulations of the information security regulators.
    Cyber exercise matters are most specifically described in the MITRE document [5]. They are also addressed in ISO 22398 on general IT exercises [8] and in French publications dealing with business continuity exercises [21].
    It should be noted that these documents imply a classification of cyber exercises in order to form tasks, expectations, teams, etc.




4. Classifications
   Based on the literature (e.g. [2, 20, 22]), the authors propose the following classification (Fig. 3):
      • Type of exercise and degree of abstraction (theoretical, real),
      • Level of publicity (closed, open),
      • Target (business continuity, CIA),
      • Target audience (management, administrators, users),
      • Type of scenario (CTF competition, multi-tasking, role-based),
      • Classes of attacks (techniques and tactics),
      • Scale (organization, industry, etc.).




Figure 3: Cyber Exercise Classification

   The above classification covers fundamental exercises, which may include the following [6, 23]:
   1. Discussion based:
         • Table Top (TTX),
         • Games,
         • Workshop,
         • Seminars;
   2. Operations based:
         • Checking management, control, and coordination,
         • Drill,
         • Full-field exercises;
   3. Mixed.
   In terms of scope and themes, most open exercises focus on critical information infrastructure
(CII) or cyber warfare [24, 25].
   Figure 4 shows statistics of European cyber exercises in the field of CII [2].




Figure 4: European CII Cyber Exercises

   Based on the publications of the National Cyber Range (created by Rostelecom as part of the Digital Economy of Russia program), large-scale CII security exercises have already been performed in the energy and banking industries, and exercises for the oil and gas, telecommunications, transport, and metallurgy industries have been announced (Fig. 5).




Figure 5: Russian CII Cyber Exercises

    Below is an example of a typical scenario for cyber exercises in an organization [26]:
        • Connecting the organization's employees to the community,
        • Phishing with remote administration software,
        • Planting a USB device with remote administration software,
        • Network attacks on externally accessible IT infrastructure,
        • Hidden transmission of data from the network using standard protocols, such as DNS,
        • Attempts to physically obtain confidential information from employees using social engineering techniques.
    Industry exercises could be organized to repel a particular kind of cyber-attack, such as APT Tonto and TA428 if the objective is to protect intellectual property, or the Cobalt and Carbanak hacker groups in the case of banking exercises. In this regard, it is convenient to use the attribute characteristics of APT attacks presented by MITRE to create a cyber exercise scenario.


   In this paper, the authors present a full-scale exercise integrated with qualification tests, Capture the Flag (CTF). It should be noted that the origins of such exercises date back to 1996 at the DEF CON conference.
   The characteristic features of CTF exercises are as follows:
        • Teams are offered a set of tasks on information system security testing, forensics, information search and analysis, password guessing and exploitation of combinations of vulnerabilities, cryptography, steganography, etc.;
        • The proof of successful completion of a task is a string of symbols (a flag). For example, a flag can be an administrator's password, the contents of a file accessible only by a certain user, a decrypted value, etc.;
        • Flags are recorded in a special refereeing system, which automatically calculates points for each team.
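To make the refereeing mechanism described above concrete, here is an added example; it is not code from the paper, from FSTEC, or from the Echeloned Defence competition. It is a minimal scoreboard in which flags are stored only as SHA-256 digests and compared in constant time, a team is credited for a task at most once, and every submission (accepted, wrong, repeated, or for an unknown task) is logged for the organizers without affecting the score. The task ids, point values and flag strings are constructed placeholders.

```python
"""Minimal CTF refereeing (scoring) system: constructed example.

Not code from the paper or from any competition platform. Task ids,
point values and flags below are constructed for illustration only.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Task:
    task_id: str
    points: int
    flag_digest: str  # SHA-256 hex digest; the plaintext flag is never stored


def make_task(task_id: str, points: int, flag: str) -> Task:
    """Register a task by hashing its flag once, when the scenario is built."""
    return Task(task_id, points, hashlib.sha256(flag.encode()).hexdigest())


@dataclass
class Scoreboard:
    tasks: dict[str, Task]
    solved: dict[str, set[str]] = field(default_factory=dict)      # team -> solved task ids
    log: list[tuple[str, str, str]] = field(default_factory=list)  # (team, task, verdict)

    def submit(self, team: str, task_id: str, flag: str) -> str:
        """Check one flag submission and return its verdict.

        Every submission is logged for the white team; only an accepted flag
        changes the score, and each task counts once per team.
        """
        task = self.tasks.get(task_id)
        digest = hashlib.sha256(flag.encode()).hexdigest()
        if task is None:
            verdict = "unknown-task"
        elif task_id in self.solved.get(team, set()):
            verdict = "already-solved"
        elif hmac.compare_digest(digest, task.flag_digest):  # constant-time comparison
            self.solved.setdefault(team, set()).add(task_id)
            verdict = "accepted"
        else:
            verdict = "wrong"
        self.log.append((team, task_id, verdict))
        return verdict

    def score(self, team: str) -> int:
        return sum(self.tasks[t].points for t in self.solved.get(team, set()))

    def ranking(self) -> list[tuple[str, int]]:
        """All teams that submitted anything, best score first, ties broken by name."""
        teams = {team for team, _, _ in self.log}
        return sorted(((t, self.score(t)) for t in teams), key=lambda r: (-r[1], r[0]))


def build_scoreboard() -> Scoreboard:
    """Constructed task set; the flags are placeholders, not real competition flags."""
    tasks = [
        make_task("forensics-1", 100, "ctf{constructed_flag_forensics}"),
        make_task("web-1", 200, "ctf{constructed_flag_web}"),
        make_task("crypto-1", 300, "ctf{constructed_flag_crypto}"),
    ]
    return Scoreboard({t.task_id: t for t in tasks})


if __name__ == "__main__":
    board = build_scoreboard()
    board.submit("alpha", "forensics-1", "ctf{constructed_flag_forensics}")
    board.submit("bravo", "crypto-1", "ctf{constructed_flag_crypto}")
    board.submit("alpha", "crypto-1", "ctf{guess}")
    for team, pts in board.ranking():
        print(f"{team}: {pts}")
```

Storing digests rather than flags means a leaked scoreboard database does not leak the flags, and `hmac.compare_digest` removes the timing side channel that a naive string comparison would give a team probing the checker.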
   These tasks, i.e. the scenario, are either generated by experts (based on the organizers' experience) or linked to computer attack systematics, which, according to the authors, include the following:
        • NIST Framework (company maturity and/or milestones),
        • Lockheed Martin Cyber Kill Chain (cyber-attack phases),
        • MITRE ATT&CK (adversary behaviour after compromise),
        • FSTEC of Russia: procedure for assessing threats to information security (list of threats).
   For example, [18] discusses in detail the formation of various kinds of cyber exercises in relation to the NIST Cybersecurity Framework. The highlight of that project is the consideration of the maturity of the companies involved in the exercises. The table developed in the said study is presented in Fig. 6.




Source: Aoyama et al. [18, Fig. 2]

Figure 6: Cyber Exercise on Preparedness

    Until recently, the most cited model in the literature was the 7-stage Cyber Kill Chain model. In this case, cyber exercises are organized around the phases of cyber operations [27-29]. For example, a similar systematization is shown in [30].
    Current studies related to scenario identification and demonstration focus on the use of behavioural attack methods (post-compromise activity is considered). In this case, the scenario is related to the MITRE ATT&CK taxonomy. This taxonomy currently includes 14 tactics (target stages) and 144 techniques (attack execution methods) [27, 31, 32].
    The authors propose a similar approach to developing a scenario based on the threat model adopted in Russia. The current threat assessment procedure of the Russian FSTEC includes 10 targeted attack stages used to develop scenarios for information security threats [3]:
        • T1. Information collection [33],
        • T2. Initial access,
        • T3. Introduction and execution of malware,
        • T4. Access securing,
        • T5. Malware management,
        • T6. Privilege increase,
        • T7. Activities hiding,
        • T8. Provision of access to related systems,
        • T9. Collection and withdrawal of information from the system,
        • T10. Unauthorized impact or access (target impact).
   There are 145 ways of implementing the specified target stages.
   In principle, it is not difficult to compare the above approach with ATT&CK systematics. Due to
the limited scope of publication, the authors compared only one target stage T4.

Table 1
Example comparison of the ATT&CK and FSTEC systematics for stage T4 (Access securing)

| FSTEC | MITRE ATT&CK |
|---|---|
| T4.1. Unauthorized creation of accounts | T1136, T1212 |
| T4.2. Using built-in OS remote access tools | T1133, T1021 |
| T4.3. Covertly installing and running OS remote access tools | T1133, T1021, T1219 |
| T4.4. Masking connected devices as legitimate devices | Close to T1036 |
| T4.5. Making appropriate entries in the auto-start components | T1542, T1053, T1547, T1037 |
| T4.6. Compromising device firmware | T1542.001, T1495 |
| T4.7. Backing up malicious code to hidden areas | none |

   The following is an example from the Russian cyber exercises.


5. Example of Using an Information Security Threat Model

    Regarding the Russian cyber exercises market, it can be argued that cyber exercises can already be offered as a service, e.g.:
    1. Cyber exercises as infrastructure. Here, the national cyber exercise ground could be given as an example.
    2. Cyber exercises as a platform. An example would be the Ampire boxed product developed by the Infotex group of companies.
    3. Cyber exercises as a product. This class covers the products of dozens of Russian companies that produce a wide range of data protection tools used in exercises, namely SIEM, IDS/IPS, VA tools, and firewalls.
    The latter class includes the CTF cyber exercise Echeloned Defence (Defence in Depth exercise), initiated by the Patriotic Youth Movement of Russia. The competition included three levels of participants: juniors, students, and undergraduate students. In 2019 there were 147 participants in 25 teams, and in 2020 the competition included more than 100 teams. The scenarios were created according to the threat model recommended by the FSTEC of Russia [3]. An example of a scenario for the above exercises is shown in the matrix (Fig. 7).




| T1. Information collection | T2. Initial access | T3. Introduction and execution of malware | T4. Access securing | T6. Privilege increase | T7. Activities hiding | T8. Provision of access to related systems | T10. Target impact |
|---|---|---|---|---|---|---|---|
| T1.1 | T2.3 | T3.1 | T4.1 | T6.1 | T7.1 | T8.1 | T1.1 |
| T1.4 | T2.4 | | T4.2 | T6.2 | T7.17 | T8.2 | T1.4 |
| T1.5 | | | | T6.3 | | | T1.5 |

Figure 7: CTF Cyber Exercise Scenarios within the FSTEC Methodology
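The following is an added example, not code from the paper or from FSTEC, of how a scenario matrix of the kind shown in Fig. 7 can be built and checked from the threat model: technique ids are validated against the ten stages T1–T10 listed above, grouped by stage, cross-referenced to ATT&CK for stage T4 using the correspondence from Table 1, and the stages a scenario leaves unexercised are reported. The stage names and the T4 mapping are taken from the paper; the ids in `FIG7_SCENARIO` are those printed in Fig. 7 (the paper gives no names for them, so none are assumed). Because the T10 column of Fig. 7 repeats the T1.x ids as printed, no stage-10 technique is included, so the coverage check reports stages 5, 9 and 10 as uncovered.

```python
"""Scenario matrix and ATT&CK cross-reference built from the FSTEC stages.

Constructed example, not code from the paper or from FSTEC. Stage names
follow the paper's list T1-T10; T4_TO_ATTACK reproduces Table 1 of the paper;
FIG7_SCENARIO holds the technique ids printed in Fig. 7.
"""
from __future__ import annotations

import re

# The ten targeted-attack stages of the FSTEC threat assessment procedure.
FSTEC_STAGES = {
    1: "Information collection",
    2: "Initial access",
    3: "Introduction and execution of malware",
    4: "Access securing",
    5: "Malware management",
    6: "Privilege increase",
    7: "Activities hiding",
    8: "Provision of access to related systems",
    9: "Collection and withdrawal of information from the system",
    10: "Unauthorized impact or access (target impact)",
}

# Table 1 of the paper: FSTEC stage T4 techniques -> MITRE ATT&CK technique ids.
T4_TO_ATTACK = {
    "T4.1": ["T1136", "T1212"],
    "T4.2": ["T1133", "T1021"],
    "T4.3": ["T1133", "T1021", "T1219"],
    "T4.4": ["T1036"],  # listed as "close to" T1036 in the paper
    "T4.5": ["T1542", "T1053", "T1547", "T1037"],
    "T4.6": ["T1542.001", "T1495"],
    "T4.7": [],  # no ATT&CK counterpart listed
}

# Accepts T1.n ... T10.n; any other stage number is rejected.
TECHNIQUE_ID = re.compile(r"^T(10|[1-9])\.(\d+)$")


def normalize(tid: str) -> str:
    """Map Cyrillic capital Te (U+0422), common in text extracted from Russian
    documents, to Latin T so that both spellings of an id compare equal."""
    return tid.replace("\u0422", "T")


def parse_technique(tid: str) -> tuple[int, int]:
    """Return (stage, technique number) or raise ValueError for a malformed id."""
    m = TECHNIQUE_ID.match(normalize(tid))
    if not m:
        raise ValueError(f"not an FSTEC technique id: {tid!r}")
    return int(m.group(1)), int(m.group(2))


def build_matrix(scenario: list[str]) -> dict[int, list[str]]:
    """Group technique ids by stage, in stage order, dropping duplicates (cf. Fig. 7)."""
    matrix: dict[int, list[str]] = {}
    for tid in scenario:
        stage, _ = parse_technique(tid)
        column = matrix.setdefault(stage, [])
        if normalize(tid) not in column:
            column.append(normalize(tid))
    return dict(sorted(matrix.items()))


def missing_stages(scenario: list[str]) -> list[int]:
    """Stages of the threat model that the scenario leaves unexercised."""
    covered = build_matrix(scenario)
    return [s for s in FSTEC_STAGES if s not in covered]


def attack_crossref(scenario: list[str]) -> dict[str, list[str]]:
    """ATT&CK ids for the scenario's T4 techniques, per Table 1 of the paper."""
    return {t: T4_TO_ATTACK[t] for t in build_matrix(scenario).get(4, []) if t in T4_TO_ATTACK}


def render(scenario: list[str]) -> str:
    """One line per stage: 'T<n>. <name>: <ids>'."""
    return "\n".join(
        f"T{stage}. {FSTEC_STAGES[stage]}: {', '.join(techs)}"
        for stage, techs in build_matrix(scenario).items()
    )


# Technique ids as printed in Fig. 7 of the paper (stage 10 omitted, see lead-in).
FIG7_SCENARIO = [
    "T1.1", "T1.4", "T1.5", "T2.3", "T2.4", "T3.1", "T4.1", "T4.2",
    "T6.1", "T6.2", "T6.3", "T7.1", "T7.17", "T8.1", "T8.2",
]

if __name__ == "__main__":
    print(render(FIG7_SCENARIO))
    print("uncovered stages:", missing_stages(FIG7_SCENARIO))
    print("T4 -> ATT&CK:", attack_crossref(FIG7_SCENARIO))
```

The coverage report is the check a scenario designer wants before the exercise: a CTF that never exercises T5 (malware management) or T9 (collection and withdrawal of information) will not test the blue team's detection of command-and-control or exfiltration, whatever the other columns contain.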



6. Conclusion

   This overview allows some brief conclusions to be drawn.
   1. Cyber exercises are a relevant form of incident-based training. An important feature of cyber exercises is their full alignment with online learning, which became usual during the pandemic. At the same time, CTF competitions are currently the most popular form in universities.
   2. It is widely recognised that cyber exercise scenarios are currently built on evolving attack systematics, most notably ATT&CK. However, this paper shows that scenarios can also be created based on threat models, including the Russian procedure.
   3. It may be argued that a market for cyber exercises has developed globally and in Russia, including cyber exercises as a service (cyber exercises as infrastructure, cyber exercises as a platform, and cyber exercises as a product). There is a wide range of proprietary (paid) and open source products for conducting or organizing exercises. Many companies producing security products (SIEM, IDS/IPS, VA, FW) offer free software for universities.

7. References
[1] J. Dewey. Education and Experience. Kappa Delta Pi, 1938. 91 p.
[2] E.G. Díez, D.F. Pereira, M. A. L. Merino, H. R. Suárez and D.B. Juan. Cyber Exercises Taxonomy, Spanish National Institute for Cyber-security, 2015, 56 p.
[3] Methodology for assessing threats to information security. Methodological document. FSTEC of Russia, 2021. 87 p. (In Russ.)
[4] S. V. Solovev, Y. K. Yazov. Information support of the activity for technical protection of information. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2021. N 1 (41). P. 69-79. DOI: 10.21681/2311-3456-2021-1-69-79. (In Russ.)
[5] J. Kick. Cyber Exercise Playbook. MP140714. Wiesbaden, Germany. MITRE, 2014. 50 p.
[6] T. Grance, T. Nolan, K. Burke, R. Dudley, G. White and T. Good. NIST SP 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, 2006. 97 p.
[7] ITU-D Study on Potential Development Trends in the CIS Region 2022-2025 - Cybersecurity. RPM-CIS21/INF/5-R. ITU WTDC, 2021. Version 1.0. 52 p. (In Russ.)
[8] ISO 22398:2013. Societal security – Guidelines for exercises and testing, 40 p.
[9] Understanding Cyber Ranges: From Hype to Reality. WG5 PAPER. SWG 5.1. I Cyber Range Environments and Technical Exercises. European Cyber Security Organisation, 2020. 31 p.
[10] G. Angafor, I. Yevseyeva, Y. He. Game-based learning: A review of tabletop exercises for cybersecurity incident response training. Security and Privacy vol 3 No 6, 1-19 (2020). DOI: 10.1002/spy2.126.




[11] A. A. Petrenko, S. A. Petrenko. Cyber Exercises: Methodological Recommendations of ENISA. Voprosy kiberbezopasnosti [Cybersecurity issues]. 2015. No 3 (11). P. 2-14. (In Russ.)
[12] M. I. Avilov. Role network monitoring system in the technical cyber defense exercise. Proceedings of Saint Petersburg Electrotechnical University. 2019. N 2. P. 43-47. (In Russ.)
[13] L. A. Wahsheh and B. Mekonnen, "Practical Cyber Security Training Exercises," 2019 International Conference on Computational Science and Computational Intelligence (CSCI), 2019, pp. 48-53, DOI: 10.1109/CSCI49370.2019.00015.
[14] J. Rasmussen. Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models. IEEE Transactions on Systems, Man, and Cybernetics, vol. SMC-13, no. 3, pp. 257-266, May-June 1983. DOI: 10.1109/TSMC.1983.6313160.
[15] A. V. Olifirov, K. A. Makoveichuk, P. Y. Zhytnyy, T. N. Filimonenkova, and S. A. Petrenko, Models of Processes for Governance of Enterprise IT and Personnel Training for Digital Economy, 2018 XVII Russian Scientific and Practical Conference on Planning and Teaching Engineering Staff for the Industrial and Economic Complex of the Region (PTES), 2018, pp. 216-219, DOI: 10.1109/PTES.2018.8604166.
[16] M. Karjalainen, T. Kokkonen and S. Puuska, "Pedagogical Aspects of Cyber Security Exercises," 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2019, pp. 103-108. DOI: 10.1109/EuroSPW.2019.00018.
[17] R. Petersen, D. Santos, M. C. Smith, K. A. Wetzel, G. Witte. Workforce Framework for Cybersecurity (NICE Framework). NIST Special Publication 800-181, Rev. 1. NIST, 2020, 27 p. DOI: 10.6028/NIST.SP.800-181r1
[18] T. Aoyama, T. Nakano, I. Koshijima, Y. Hashimoto, and K. Watanabe. On the Complexity of Cybersecurity Exercises Proportional to Preparedness. Journal of Disaster Research, 2017, Vol.12 No.5, pp. 1081-1090. DOI: 10.20965/jdr.2017.p1081
[19] V.N. Taran. Quality Criteria for Professional Training of Personnel in IT Industry. Proceedings of 2018 17th Russian Scientific and Practical Conference on Planning and Teaching Engineering Staff for the Industrial and Economic Complex of the Region, PTES 2018, 2019, pp. 47–50, art. no. 8604267. DOI: 10.1109/PTES.2018.8604267.
[20] M.M. Yamin, B. Katt, V. Gkioulos, Cyber ranges and security testbeds: Scenarios, functions, tools and architecture, Computers & Security, Volume 88, 2020, 101636, DOI: 10.1016/j.cose.2019.101636.
[21] Organizing a cyber crisis management exercise, ed. G. Poupard and V. Vallée. CCA, 2021, 128 p.
[22] E. Seker and H. H. Ozbenli, "The Concept of Cyber Defence Exercises (CDX): Planning, Execution, Evaluation," 2018 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), 2018, pp. 1-9, DOI: 10.1109/CyberSecPODS.2018.8560673.
[23] Homeland Security Exercise and Evaluation Program, FEMA, 2020, 6 p.
[24] E. Sitnikova, E. Foo, R.B. Vaughn. The power of hands-on exercises in SCADA cybersecurity education. Inform. Assurance Secure. Educ. Train. 2013. 406, pp. 83-94. DOI: 10.1007/978-3-642-39377-8_9.
[25] M. Granåsen and C. Andersson. Measuring team effectiveness in cyber-defense exercises: a cross-disciplinary case study, Cognition, Technology & Work, 2016, vol. 18, no. 1, pp. 121-143. DOI: 10.1007/s10111-015-0350-2.
[26] A.V. Dorofeev, A.S. Markov, Y.V. Rautkin. Ethical Hacking Training. CEUR Workshop Proceedings, 2019, Vol-2522, pp. 47-56.
[27] R. Kwon, T. Ashley, J. Castleberry, P. Mckenzie, and S. N. Gupta Gourisetti, "Cyber Threat Dictionary Using MITRE ATT&CK Matrix and NIST Cybersecurity Framework Mapping," 2020 Resilience Week (RWS), 2020, pp. 106-112. DOI: 10.1109/RWS50334.2020.9241271.
[28] J. Straub. Modeling Attack, Defense and Threat Trees and the Cyber Kill Chain, ATT&CK and STRIDE Frameworks as Blackboard Architecture Networks, 2020 IEEE International Conference on Smart Cloud (SmartCloud), 2020, pp. 148-153. DOI: 10.1109/SmartCloud49737.2020.00035.




[29] S. Cho et al., "Cyber Kill Chain based Threat Taxonomy and its Application on Cyber Common Operational Picture," 2018 International Conference on Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), 2018, pp. 1-8. DOI: 10.1109/CyberSA.2018.8551383.
[30] V. Mokhor, V. Tsurkan, V. Pokrovska. Analysis of Cyber Exercises Approaches. CEUR Workshop Proceedings. 2021, Vol. 2859. P. 61-70.
[31] A. P. Golushko and V. G. Zhukov. Application of Advanced Persistent Threat Actors' Techniques for Evaluating Defensive Countermeasures, 2020 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus). 2020, pp. 312-317. DOI: 10.1109/EIConRus49466.2020.9039315.
[32] R. Al-Shaer, J. M. Spring and E. Christou, "Learning the Associations of MITRE ATT&CK Adversarial Techniques," 2020 IEEE Conference on Communications and Network Security (CNS), 2020, pp. 1-9. DOI: 10.1109/CNS48642.2020.9162207.
[33] A. Dorofeev, A. Markov, V. Tsirlov. Social media in identifying threats to ensure safe life in a modern city. Communications in Computer and Information Science. 2016, N 674, pp. 441-449. DOI: 10.1007/978-3-319-49700-6_44.



