My recent experience as a SOC director for a large enterprise has definitely upped my awareness of the need for a test and training environment where you can evaluate the impacts of changes to your SOC environment while also beginning to better understand the mission impacts of cyber attacks or the flow of different orchestrations. Many enterprises forgo the development and deployment of such an environment due to costs and resource constraints. Renting time on a cyber range, while providing some training benefit, can also be expensive, and it is difficult to achieve the fidelity of the mission impacts you may be trying to evaluate, especially for SCADA systems and ICS. Therefore I was quite intrigued when I ran across Scalable Network Technologies at a recent conference and watched their high fidelity model of cyber scenarios for ICS being demonstrated. I quickly engaged their marketing department and was generously rewarded with this in-depth interview with the CEO and Founder, Dr. Rajive Bagrodia. So read on to learn how tools from Scalable Network Technologies can help improve your active defenses, supplement your cyber training, and bolster your change testing – all through a live, virtual, constructive mod-sim platform.
Spotlight on Dr. Rajive Bagrodia
Read his bio below.
July 20, 2018
Chris Daly, Active Cyber: Today’s communications networks demand resilience to cyber attacks and to address changes in demand and conditions. How does Scalable Network Technologies help network planners and operators to better assess their networks’ security posture and to understand how their networks operate under different operational scenarios?
Dr. Rajive Bagrodia, CEO Scalable Network Technologies: Network planners and operators typically use testing and simulation methods to assess how their network will react under varying conditions and cyber threats. However, testing live assets is costly, resource-intensive and provides limited opportunities to investigate alternative scenarios. SCALABLE’s flagship simulation/emulation tool, EXata, includes high-fidelity models to represent network elements (protocols at all layers of the TCP/IP protocol stack, radios, RF propagation, applications, terrain, etc.) as well as models of cyber attacks (denial of service, jamming, signal intelligence, eavesdropping, virus and worm propagation, exploiting vulnerabilities to gain unauthorized access, etc.). EXata also includes models for defense mechanisms (such as firewalls) and for assessing the impact of cyber attacks on the victim’s system resources (memory and CPU). This extensive library of network and cyber models can be used to investigate the behavior of networks under different operational conditions and threats and assess the effectiveness of remedial actions by performing what-if analyses.
SCALABLE solutions provide operators and planners a way to determine how resilient their communications fabric is to cyber-attacks using live, virtual and constructive (LVC) network models. These LVC network models substantially reduce lifecycle costs of networks and networked applications through all the stages from design and development to test and planning, and provide a more robust deployment capability to ensure mission success.
Active Cyber: Creating a high fidelity network emulation capability sounds like a large effort. What types of capabilities does Scalable bring to such a model-based effort to automate the build process and how is fidelity in the model achieved?
Dr. Bagrodia: Simulation results are useful only if the simulation model accurately represents the characteristics of the target network. Our simulation products address this key requirement in a number of significant ways. First, the simulation kernels in SCALABLE products (QualNet, EXata, and NDT) are a derivative of the DARPA-funded GloMoSim program at UCLA. GloMoSim pioneered the use of parallel discrete-event simulation (PDES) and advanced parallel computing concepts to create a network simulator where high-fidelity models could be executed at much faster than real-time speeds. By leveraging PDES and low latency communications technology on multi-core processors, EXata can provide accurate wireless propagation models for challenging environments in relevant domains that include indoor, urban, rural, and even underwater communications. Second, for many protocol models, EXata uses the ‘shared code’ modeling approach, where programming modules from live protocol implementations are directly incorporated into the model, thus providing the highest fidelity models for the corresponding protocols. Third, the EXata kernel includes patented algorithms for fine-granularity time synchronization. These algorithms allow EXata to directly incorporate live hardware and software components in the LVC network models to add even more realism. For instance, a video streaming application can be directly incorporated in the EXata model to study the impact of various network dynamics that include mobility, competing traffic, traffic priority (e.g., Quality of Service), network configurations, etc., on video quality. Last, the various models in EXata undergo extensive V&V efforts using both internal R&D resources as well as independent, third-party model validations based on field test data.
To facilitate model development, EXata provides several capabilities to support the rapid development of accurate network and cyber threat models. These include:
• Extensive library of models of network elements. This includes high fidelity models of protocols at all layers of the protocol stack (application, transport, network, MAC and physical layers), RF propagation models (to calculate path loss, fading, and shadowing losses), terrain models, and mobility models. High fidelity models can be developed by incorporating actual code from protocol implementations.
• The EXata Cyber Model Library includes models for passive cyber attacks (Eavesdropping, SIGINT, Network Scanning, and Port Scanning), active cyber attacks (Jammer, Distributed Denial of Service, Virus and Worm Propagation), defense mechanisms (firewall, intrusion detection systems and anti-virus software), and OS resources impacted by attacks. This library also includes models for exploiting vulnerabilities to gain unauthorized access and perform malicious actions.
EXata provides several tools to aid accurate representation of real networks, including:
• Topology Converter – This tool imports a network topology specified in a Visio format and creates a simulation model of the network based on the topology.
• Packet Capture (PCAP) Traffic Mapper – This utility converts traffic captured from a real network into equivalent simulated application traffic which can be used in an EXata simulation to analyze network performance. This enables accurate representation of real network traffic in simulations.
• NetFlow Importer – This tool also creates simulation models of real network traffic, but instead of using information from captured packets, it uses traffic flow statistics advertised in NetFlow packets.
• Router Configuration Importer – This tool imports the actual configuration files used to configure physical routers from popular vendors like Cisco, and uses them to directly configure the corresponding routers in the simulation models.
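The PCAP Traffic Mapper and NetFlow Importer described above turn recorded traffic into simulated application traffic. The following is an added example written for this page, not SCALABLE's tool or any code from the interview. It shows the essential step such a mapper has to perform: parse a capture, group packets into 5-tuple flows, and extract the parameters a traffic generator can replay (packet count, mean packet size, mean inter-arrival time, flow duration). The capture is constructed in memory; every address, port and payload in it is invented, and the parser assumes a microsecond-resolution pcap carrying Ethernet/IPv4 frames without VLAN tags.

```python
"""Added example (editor's own code, not SCALABLE's PCAP Traffic Mapper):
reduce a packet capture to flow-level traffic parameters a simulator can replay.

The capture is constructed in memory: a pcap global header followed by
Ethernet/IPv4/TCP and Ethernet/IPv4/UDP records. Assumptions: link type 1
(Ethernet), IPv4 only, microsecond pcap timestamps, no VLAN tags.
"""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4  # microsecond-resolution pcap, little-endian


def _ipv4(src, dst, proto, payload):
    # Minimal 20-byte IPv4 header; checksum left at zero (not validated here).
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def _udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def _tcp(sport, dport, data):
    # 20-byte TCP header: data offset 5, flags PSH|ACK, window 8192.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


def _frame(ts_us, ip_packet):
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    pkt = eth + ip_packet
    rec = struct.pack("<IIII", ts_us // 1_000_000, ts_us % 1_000_000, len(pkt), len(pkt))
    return rec + pkt


def build_sample_pcap():
    """Constructed capture: a DNP3-style TCP/20000 poll every 2 s plus a UDP/514 burst."""
    frames = []
    for i in range(5):
        payload = _tcp(50000, 20000, b"\x05\x64" + b"\x00" * 14)   # invented poll
        frames.append((2_000_000 * i, _ipv4("10.0.0.5", "10.0.1.20", 6, payload)))
    for i in range(3):
        payload = _udp(40000, 514, b"log" * 20)                    # invented syslog
        frames.append((500_000 + 100_000 * i, _ipv4("10.0.0.9", "10.0.1.30", 17, payload)))
    frames.sort()  # pcap records are written in time order
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    return ghdr + b"".join(_frame(ts, ip) for ts, ip in frames)


def parse_pcap(data):
    """Yield (timestamp_seconds, ipv4_bytes) for each Ethernet/IPv4 record."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC_LE else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl]
        off += incl
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":
            yield sec + usec / 1e6, pkt[14:]


def flows_from_pcap(data):
    """Aggregate packets into 5-tuple flows and derive replayable traffic parameters."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "times": []})
    for ts, ip in parse_pcap(data):
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        if proto not in (6, 17):          # only TCP and UDP carry ports
            continue
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        f = flows[(src, dst, proto, sport, dport)]
        f["packets"] += 1
        f["bytes"] += len(ip)
        f["times"].append(ts)
    model = {}
    for key, f in flows.items():
        t = f["times"]
        gaps = [b - a for a, b in zip(t, t[1:])]
        model[key] = {
            "packets": f["packets"],
            "mean_packet_bytes": f["bytes"] / f["packets"],
            "mean_interarrival_s": sum(gaps) / len(gaps) if gaps else 0.0,
            "duration_s": t[-1] - t[0],
        }
    return model


if __name__ == "__main__":
    for key, params in flows_from_pcap(build_sample_pcap()).items():
        print(key, params)
```

`flows_from_pcap(open("capture.pcap", "rb").read())` works on a real file under the same assumptions. A NetFlow-style importer skips the packet parsing and starts from the exporter's per-flow counts and first/last timestamps, so it recovers the same packet and byte totals but has to approximate per-packet timing rather than measure it.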
Active Cyber: A network security area that is gaining attention involves the fusion of critical infrastructure networks with IT networks. How do SCALABLE’s modsim capabilities apply to this fusion point to help companies better understand the impact of cyber attacks on monitoring and control systems?
Dr. Bagrodia: Today, the entire critical infrastructure – from water systems to electrical power – is controlled by and through networks. These control systems include networked IP-addressable devices such as sensors, access control systems, and controllers. Cyber-attacks on ICS or SCADA systems can take routes through Internet connections, business or enterprise network connections, or connections to other networks.
SCALABLE’s EXata network emulation platform, along with its cyber library of simulated attacks and vulnerabilities, has been used effectively for many years by military organizations to analyze and test the resilience of mission-critical tactical battlefield networks. SCALABLE has applied this technology to critical infrastructure. We can integrate live operations control equipment and IT systems with virtual networks and system dynamics simulations from our partner OPAL-RT, to represent actual critical infrastructure environments at full scale. EXata emulates the control network. The emulation runs in real-time and models connections, computers, SCADA protocols, communication protocols, security protocols, firewalls and other defenses. The SCADA protocols we have run on the emulated network include C37.118, DNP3, Modbus, IEC 61850 and others. As these packets traverse the emulated network in EXata they are subject to cyber-attacks. OPAL-RT provides the system dynamics simulation and the physical (or simulated) RTU and controller. We have integrated electrical transmission simulation and control network simulation together. Together, the companies’ integrated tools allow customers to visualize their specific environments in a manageable laboratory setting and quickly evaluate a range of ‘what if’ scenarios to determine the impact of a cyber-attack.
Active Cyber: What third party partnerships do Scalable support and what are the focus areas of these partnerships? Is there an ecosystem of capabilities or community of shared models?
Dr. Bagrodia: SCALABLE uses an open architecture and APIs to easily interface with other tools so that our users can rapidly design the simulation scenario, execute the model and visualize/analyze the results. Our products also support multiple interoperability standards that have been developed for simulations: HLA, DIS, and sockets. We have also developed APIs to directly interface the network simulations with commercial and military applications that include video streaming, VOIP, and Mission Command among many others.
EXata and QualNet have been architected to interface with a variety of third party commercial and Government-owned CGF (Computer Generated Forces) and SAF (Semi-Automated Forces) products. These include VR-Forces from VT MAK, the OneSAF (One Semi-Automated Forces) solution from the US Army, and NGTS (Next Generation Threat Systems) from the US Navy. We also interface with other domain-specific simulators like the Satellite Toolkit (STK) from AGI and third party propagation modeling tools like RF Builder from the US Navy and TIREM from Alion Science. Recently, we have established a partnership with OPAL-RT to provide our customers with an advanced cyber resiliency solution for control systems and power grids.
We provide an extensible set of APIs to interface the statistics database with advanced data visualization and business intelligence tools like Tableau.
Active Cyber: Network simulation tools and associated models offer a very good opportunity for enabling live training environments. What types of training capabilities does Scalable offer to provide a rich training experience? What types of network environments does SCALABLE’s training tool emulate – e.g., Wi-Fi, IoT/low power, SDN, transport, other?
Dr. Bagrodia: As the complexity of cyber-attack and defense has grown, it has become essential to assess the impact of a cyber-attack on the informational and operational capabilities of the mission or enterprise. SCALABLE has developed the Network Defense Trainer (NDT) to provide a solution to train and prepare for attacks on networks. NDT integrates real and simulated cyber-attacks, wired and wireless virtual networks, live and virtual equipment and applications, and traditional training simulators into a full, instrumented, synthetic cyber warfare training environment. The system allows cyber warriors, network administrators and commanders to improve their awareness, reaction time and ability to take corrective action to work through a degraded cyber environment and complete an operation.
At the core of NDT is a real-time software emulation of wired and wireless networks including Wi-Fi, cellular, sensor networks, IPv6, routers, switches, tactical radios, and many more. The emulation reacts the same way as a real network, and can be subjected to real or simulated cyber-attacks including port and network scanning, routing misconfiguration, man in the middle, virus and worm propagation, vulnerability exploitation, eavesdropping, denial of service, jamming and others. Live traffic can be run through NDT’s network emulation and thus be subjected to cyber-attack.
The trainees can include everyone from commander to network administrators in the same exercise. Trainees can use their real applications and network defense tools on role player stations that are mapped to virtual nodes within NDT. The training is fast paced for operational speeds, and is centered on awareness, reaction time, correct action, workarounds and countermeasures, along with the ability to work through a degraded cyber environment at all levels to complete a mission. It logs all trainee actions and attack successes, then reinforces lessons learned with After Action Reviews that show trainees and observers what actually happened and why.
Active Cyber: Training environments are often one dimensional in that they typically focus on improving / measuring one or two technical skill sets. However, when it comes to decisions that may impact network resilience and availability at an enterprise level, people from the CIO to mission leads to technical specialists and to mid managers in between all have roles in making decisions or reacting to these events. How does Scalable provide a training environment that touches all these roles?
Dr. Bagrodia: NDT enables trainees at all levels from the CIO (or even CEO) down to technical specialists to participate at multiple role player stations, and work through normal chain-of-command channels, using the tools that they use in their live work environment, all in the same exercise. Chat and VoIP communications among team members, superiors, and subordinates are provided, and these can optionally be impacted by cyber-attacks. NDT is designed to integrate with other simulations and training systems, so that the operational effects of cyber-attacks on a mission (be it keeping an enterprise IT network operating, commanding a tactical military operation, or keeping a power grid stable) are faithfully represented. This can affect the overall commander’s situational awareness and decision-making. The integration of cyber-attacks with battlefield simulations or physical system simulations is a rather unique capability of NDT. Live operational systems can also be integrated, with their data or sensor feeds routed through our emulated network and subjected to cyber-attack while en route, so that the effects of the attacks can manifest themselves (safely) on live systems.
Active Cyber: One of the purposes of training is to exercise playbooks for response to incidents or events in the environment. What capabilities does Scalable provide to enable a robust training tool where playbooks can be tested / verified and lessons learned are explored? Is there a way to import playbooks for emulation and testing from security automation and orchestration tools into SCALABLE’s testing tool?
Dr. Bagrodia: NDT exercise preparation includes a facility to import lesson plans to enhance the trainees’ experience. These can be at the overall exercise level, with additional ones specified for the red and blue sides, and further broken down for teams within each side that will work together on specific objectives. NDT can automatically import network configurations from Visio diagrams or from SolarWinds. In addition, we have a utility to directly import router configuration files from various manufacturers and use these to automatically configure the SCALABLE router models. Actual traffic recorded from a live event can be played back through our emulated network (or even scaled up or down) during an exercise. During a training exercise, NDT gathers and records detailed, time-stamped statistics about every packet and every protocol layer, the launching and propagation of cyber-attacks, as well as every action by each of the trainees (screen shots, keystrokes, mouse clicks, and voice communications), which are all played back on a common timeline using NDT’s After Action Review to explore lessons learned.
Active Cyber: In most enterprises there are hundreds of network control points, security products and complex overlay networks that must be connected to orchestrate a comprehensive incident response. How do SCALABLE’s capabilities truly “scale” to represent such a distributed and diverse architecture from a model perspective?
Dr. Bagrodia: SCALABLE addresses scalability along the following three important dimensions: ease and speed of developing high-fidelity simulation models of large networks, speed of execution of these models, and ease of analysis of network behavior during simulation execution (using visualization) and post-simulation (by generating reports from the detailed statistics collected during simulation).
Model Development – Rapidly developing high-fidelity simulation models of real-world networks is facilitated by the following capabilities of EXata:
- Pre-developed Models. As described earlier, EXata comes with an extensive library of models of network elements (routers, switches, radios, cellular or Wi-Fi network models, tactical network models, applications, etc.), cyber attacks (such as jamming, DDoS, eavesdropping, and SIGINT or signals intelligence) and vulnerability exploitation attacks. Simulation models of large networks, which represent the characteristics of the target network at a high degree of fidelity, can be easily built by using these pre-configured models of network and cyber elements.
- Tools to Import Network Topologies and Traffic. The Topology Converter, PCAP Traffic Mapper, NetFlow Importer, and Router Configuration Importer greatly facilitate the task of creating network simulation models which accurately represent the layout and traffic characteristics of real-world networks.
- Graphical User Interface (GUI). EXata’s GUI provides an intuitive, easy-to-use means for creating network simulation models. The GUI also provides an easy way to develop custom models: the pre-configured models can be further refined (by modifying various protocol parameters, for example) and the custom models can be easily incorporated into the GUI for use in different network models.
Simulation Speed – The time that it takes to run a network simulation is important for a number of reasons. First, because of the variable nature of network traffic, to ensure confidence in simulation results, 10, 20 or more simulation runs may be needed for a single reliable data set. In particular, analysis of network resilience to cyber threats requires a large number of simulations. Hence, each simulation should complete in a short time. Second, for a network simulation model to interface with real applications and hardware in an LVC environment, it must run in ‘hard real-time’ (i.e., it should take at most one second of real time to produce one second of simulation data).
EXata can run high-fidelity, at-scale network simulations faster than real-time for purely constructive simulations and in hard real-time in an LVC environment. SCALABLE has demonstrated the ability to run high-fidelity models of wireless networks with thousands of radios on platforms with realistic mobility over terrain and operationally meaningful traffic in hard real-time. For purely constructive simulations, we can achieve faster than real-time speeds for simulations of networks consisting of tens of thousands of nodes.
Analysis – EXata provides tools for visualizing network operation during simulation and for performing detailed analysis after simulation.
- EXata’s 3D visualization tool dynamically displays key statistics to provide valuable insight into network operation. This includes, for instance, the impact of a cyber attack on the end-to-end or link level delay or throughput, or the end-to-end path used for a given traffic flow.
- EXata provides a high-performance database interface that records time-series and statistical data. The database can be configured to record statistics at different levels of granularity: from detailed statistics at the event level to summary statistics at the system level. The data is useful for generating pre-configured reports or for root cause analysis of anomalous network behavior.
Active Cyber: Cyber attacks are also very diverse in target scope, behavior, and impact. Can you describe how Scalable approaches the modeling of cyber attacks and vulnerabilities in the network?
Dr. Bagrodia: SCALABLE provides the Cyber library with EXata and NDT, which respectively address the areas of cyber test and cyber training. The cyber library has models of many real world cyber threats that affect enterprise networks, military networks, as well as SCADA systems. The attacks span the entire protocol stack from eavesdropping and jamming at the physical layer, to man-in-the-middle, message spoofing, and distributed denial of service (DDoS) in the network and transport layers, to viruses, worms, and vulnerability exploitation at the higher layers.
The active network attacks (DDoS, jammer, virus and worm propagation) are modeled with the same high level of fidelity as other protocols and applications in EXata such that subtle interactions between the specific attack and underlying protocol or application can be used to accurately mimic the effect of the attack on the target system. The virus model has been structured to exploit many virus-related vulnerabilities found in widely used databases like the MITRE Corporation’s Common Vulnerabilities and Exposures (CVE) database.
In addition to models of cyber attacks, the Cyber library also includes models of defense mechanisms, such as firewalls, Intrusion Detection Systems (IDS) and Anti-Virus Software (AVS). The firewall model examines each packet and allows or denies entry to the packet based on rules set at the firewall. These rules can be specified at the same level of detail as in firewalls used to protect real networks.
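The worm propagation and firewall models in the answer above are SCALABLE's. What follows is an added example written for this page, not their code and not part of the interview, showing the kind of what-if analysis the answer describes in a few dozen lines: a random-scanning worm over a constructed 1,024-host address space, run once with no filtering between subnets, once with a first-match ACL that blocks the exploited port into two protected subnets, and once with that same ACL in the wrong rule order. All addresses, the exploited port (TCP/445) and the vulnerable fraction are invented for the example, and the firewall is a stateless packet filter standing in for the product's firewall model.

```python
"""Added example (editor's own code, not SCALABLE's Cyber library): a discrete-time
model of a random-scanning worm spreading over an emulated address space, with a
first-match packet filter between subnets standing in for the firewall model.

Constructed assumptions: 4 subnets of 256 hosts at 10.0.{0..3}.0/24, the worm
exploits TCP/445 on a configurable fraction of vulnerable hosts, and only
traffic that crosses a subnet boundary passes through the firewall.
"""
import ipaddress
import random

WORM_PORT = 445                     # assumed exploited service port
SUBNETS = 4
HOSTS_PER_SUBNET = 256
BASE_IP = int(ipaddress.IPv4Address("10.0.0.0"))


def host_ip(index):
    """Host index -> IPv4 address (as an int) inside 10.0.0.0/22."""
    return BASE_IP + index


class Firewall:
    """Stateless first-match ACL over (src_net, dst_net, proto, dport, action) rules."""

    def __init__(self, rules, default="deny"):
        self.rules = []
        for src, dst, proto, dport, action in rules:
            s = ipaddress.ip_network(src)
            d = ipaddress.ip_network(dst)
            self.rules.append((int(s.network_address), int(s.netmask),
                               int(d.network_address), int(d.netmask),
                               proto, dport, action))
        self.default = default

    def allows(self, src, dst, proto, dport):
        for s_net, s_mask, d_net, d_mask, p, port, action in self.rules:
            if ((src & s_mask) == s_net and (dst & d_mask) == d_net
                    and p in (proto, "any") and port in (dport, "any")):
                return action == "allow"    # first matching rule decides
        return self.default == "allow"


def segmented_policy():
    """Deny the worm's port into the two protected subnets, allow everything else."""
    return Firewall([
        ("0.0.0.0/0", "10.0.2.0/23", "tcp", WORM_PORT, "deny"),
        ("0.0.0.0/0", "0.0.0.0/0", "any", "any", "allow"),
    ])


def misordered_policy():
    """Same two rules, wrong order: the broad allow shadows the deny entirely."""
    return Firewall([
        ("0.0.0.0/0", "0.0.0.0/0", "any", "any", "allow"),
        ("0.0.0.0/0", "10.0.2.0/23", "tcp", WORM_PORT, "deny"),
    ])


def simulate(firewall, vulnerable_fraction=0.5, scan_rate=3, ticks=60, seed=1):
    """Return the infected-host count after each tick (index 0 is the initial state)."""
    rng = random.Random(seed)
    n = SUBNETS * HOSTS_PER_SUBNET
    vulnerable = [rng.random() < vulnerable_fraction for _ in range(n)]
    infected = [False] * n
    infected[0] = True                          # patient zero in 10.0.0.0/24
    history = [1]
    for _ in range(ticks):
        newly_hit = []
        for src in range(n):
            if not infected[src]:
                continue
            for _ in range(scan_rate):          # uniform random scanning
                dst = rng.randrange(n)
                if infected[dst] or not vulnerable[dst]:
                    continue
                crosses = src // HOSTS_PER_SUBNET != dst // HOSTS_PER_SUBNET
                if crosses and firewall is not None and not firewall.allows(
                        host_ip(src), host_ip(dst), "tcp", WORM_PORT):
                    continue                    # dropped at the subnet boundary
                newly_hit.append(dst)
        for dst in newly_hit:                   # infections take effect next tick
            infected[dst] = True
        history.append(sum(infected))
    return history


def compare(**kwargs):
    """Final infected count per policy; same seed, so only the firewall differs."""
    policies = (("flat", None), ("segmented", segmented_policy()),
                ("misordered", misordered_policy()))
    return {name: simulate(fw, **kwargs)[-1] for name, fw in policies}


if __name__ == "__main__":
    print(compare())
```

The misordered policy ends with exactly the same infection count as running with no firewall at all, which is the check worth doing before trusting any imported rule set: in a first-match filter a broad allow placed above a specific deny shadows it completely, and an emulation surfaces that as spread across the protected subnets rather than as a configuration nit buried in a config file.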
Active Cyber: How does SCALABLE deliver its capabilities to the market? Are cloud options available?
Dr. Bagrodia: SCALABLE engages in contract development projects for major aerospace and defense contractors, the DoD, and mobile network operators. These projects typically involve extending or adapting one of our standard simulation products to meet specific requirements that solve particular problems. In addition, SCALABLE works with our network of global partners and integrators to bring our cutting-edge software solutions to the market. We collaborate with commercial enterprises, educational institutions and governmental organizations around the world who all depend on reliable, effective networks to deliver business-critical, mission-critical communications and information.
Thank you Dr. Bagrodia for sharing information about your products and insights into the mod-sim environments of today. I can truly appreciate the possible benefits to be gained from using Scalable Network Technologies’ products and services to improve security operations and active defenses. Please return again soon to give me and my audience an update on your tools and their associated use cases. I know that the growing complexities of cyber defenses will increasingly require a high fidelity modeling capability to enhance understanding and match defenses to the ever-growing sophistication of cyber attacks.
And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, securing the Internet of Things, or other security topics. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at ActiveCyber.
About Dr. Rajive Bagrodia
Dr. Rajive Bagrodia is the Founder and CEO of Scalable Network Technologies, Inc. and an Emeritus Professor of Computer Science at UCLA. Previously, Dr. Bagrodia served as a Professor of Computer Science at UCLA, where he led a research group in mobile computing and parallel and distributed programming that produced simulation systems such as Maisie, Parsec, and GloMoSim. His research was supported by large, multi-investigator grants from federal agencies including DARPA and NSF.
Dr. Bagrodia founded SCALABLE Network Technologies in the wake of significant innovations his research group achieved in the theory and practice of performance prediction for complex, large-scale computer and communication systems. Today, SCALABLE is recognized as a global leader in the development of advanced simulation technology and in its application to enhance cyber resilience of commercial and military systems.
Dr. Bagrodia received a Bachelor of Technology in Electrical Engineering from the Indian Institute of Technology, Bombay and a PhD degree in computer science from the University of Texas at Austin. He has published over 175 research papers in Computer Science journals and at international conferences on high performance computing, wireless networking, and parallel simulation.