Technology Today

2013 Issue 1

Cyber Analysis Modeling Evaluation for Operations (CAMEO) — Countering the Cyberthreat

Today’s cyberthreat is real, pervasive and potentially devastating to information networks and systems that are the core of defense and commercial infrastructures. All information systems are under the shadow of cyberattack, and the developers and users of these systems must evolve and apply cyber countermeasures and resiliency techniques that enable secure operation in this hostile environment to ensure mission survival.

Essential to the evolution, evaluation and application of cyber countermeasures and resiliency techniques is the ability to visualize the cyberthreat and analyze the prospective effectiveness of countermeasures during all phases of networked system development, deployment and use. Common cyberthreat analysis tools provide only a static examination of cyber vulnerabilities. This is similar to examining a wall for integrity against an outside force (e.g., are there any cracks or weaknesses?). A true understanding of the cyberthreat must consider the dynamic aspect of the cyberattack as it moves into and through an information system; just as gauging a wall’s defensive effectiveness must include a consideration of the dynamic forces applied from breaching attacks (e.g., wind, water, explosives or projectiles). The effectiveness of new defenses such as cyber maneuver, random reconstitution and other active defense mechanisms must be evaluated against the dynamic nature of today’s threats. Additionally, “what-if” scenarios and zero-day attacks covering many combinations of cyberattack need to be considered, including those as yet unobserved but viable future threats.

Figure 1. CAMEO is applied across all phases of the information systems development and deployment lifecycle.

Dynamic Cyber Modeling and Simulation Framework

Raytheon’s Cyber Analysis Modeling Evaluation for Operations (CAMEO) modeling and simulation toolkit addresses the need for a dynamic cyber modeling and simulation framework. This framework specifically supports “what-if” scenario simulation and analysis, enabling the selection and configuration of the most effective active defenses and attack-detection mechanisms during the planning and operations phases of an information system’s life cycle (Figure 1).

The CAMEO modeling and simulation analysis process is shown in Figure 2. It starts with ingestion of target network node data that may be scanned by a vulnerability scanning tool or be entered directly by the cyberanalyst. The CAMEO ingest service provides a single common interface for disparate authoritative sources of device, application, hardware, vulnerability and weakness data, and it automates the enrichment, correlation and verification of that data.

Figure 2. CAMEO enables dynamic simulation and analysis of network vulnerabilities.

Once the network and vulnerability data have been ingested, the network visualization component of the CAMEO toolset enables the analyst/user to visualize, manipulate and verify various aspects of the target network and to conduct operations on its component tree and interconnections.

Once the cyberanalyst verifies the network data model, the CAMEO discrete simulation (DSIM) begins. DSIM launches analyst-defined simulated threat attacks that seek to reach the final attack phase of exploitation (e.g., pilfer) on a target node in the modeled network. CAMEO-modeled defenses can then be applied independently or in combination against these attacks to ascertain optimal cyberdefense employment as illustrated in Figure 3. Also, analyst-defined-and-verified alternate network configurations can be substituted into DSIM to study parametric designs and operational alternatives being considered.

Figure 3. The highly flexible CAMEO discrete simulation can model single threats or multiple threats as well as evaluate any combination of defenses.

Parametric Evaluation

CAMEO provides several cyberattack metrics, including the number of threats visited on the target network, the number of threats defeated, the number of threats successful in reaching exploitation objectives and the lifetime of threats. These metrics enable the comparative evaluation of parametric alternatives for target network resiliency techniques, configuration, design and/or defense employment versus threat attack characteristics (e.g., number of simultaneous attacks, type and combination of attacks, timing of attacks), as shown in Figure 4. This figure illustrates the improvement gained as the interval between proactive defensive maneuvers decreases (faster proactive defenses). This increases the time cyberattacks spend in reconnaissance phases (footprint, scan and enumerate) and decreases the time available for pilfering (exfiltrating) data.

Figure 4. CAMEO Parametric results for multiple cyberattack scenarios show the escalation of a cyberthreat
over time if no preemptive defense is applied within a given time (interval), progressing from the gaining of a footprint within the network to ultimately establishing the capability to pilfer data.

Large-scale parametric evaluation is greatly enhanced by an analytic technique and adjunct feature to CAMEO called data farming. Data farming enables quick examination of pre-run simulation data across a wide range of parameters of interest for different design and operational sensitivity studies without having to rerun the simulation. The data farming process and the enabling CAMEO functionality culminates in the generation and assimilation of results from many different scenarios for the investigation of a large number of variables across a wide range of values and multiple time factors. This process generates a farm of data from which a harvest of meaningful anti-cyber design and employment strategies can be realized, including results that may lead to non-intuitive findings.

At various stages in the CAMEO data farming workflow, data can be post-processed to enable a narrowed grouping around the data of interest. This post-processing is based upon evaluation and visualization to expose metric inflection break points for applying optimal design and operational anti-cyber techniques. In Figure 4, one break point for the application of preemptive defenses appears between 24 hours and two days, where the latter interval is the last time the final pilfer stage of cyberattack appears. The result of this CAMEO analysis then forms the basis for a course of action to apply preemptive defenses every 24 hours in order to counter “pilfer” by the envisioned and simulated attack.

The CAMEO framework toolkit enables the cyber engineer and analyst to appraise a network concept design or existing system for cyber implications against single and multiple attack scenarios. The toolkit has a wide range of capabilities that can be used throughout network system design, development and deployment for the enhancement of network resilience and the application of cyber countermeasures.

Steve Martin and Suzanne Hassell
Contributors: Paul Beraud, Alen Cruz, Gangadhar Ganga,
Daniel Gomez, Travis Hester, David Hyde, Brian Mastropietro,
Frank Pietryka, Niraj Srivastava, Justin Toennies,
Pablo Vazquez and Gary Wright

Share This Story



Top of Page