defender's approach in cyber security exercises · situational awareness, requirements...

Post on 19-Jul-2020


Requirement specification for cyber security situational awareness
Defender's approach in cyber security exercises

Jarno Lötjönen
Master's thesis
December 2017

School of Technology
Master's Degree Programme in Information Technology, Cyber Security

Description

Author(s): Lötjönen, Jarno
Type of publication: Master's thesis
Date: 2.12.2017
Language of publication: English
Number of pages: 75
Permission for web publication: x
Title of publication: Requirement specification for cyber security situational awareness. Defender's approach in cyber security exercises
Degree programme: Master's Degree Programme in Information Technology, Cyber Security
Supervisor(s): Kokkonen, Tero; Karjalainen, Mika
Assigned by: JAMK University of Applied Sciences, JYVSECTEC; Kokkonen, Tero

Abstract

Digitalization of the world is rapid and poses new threats to developed societies. Cyber security exercises held in JAMK University of Applied Sciences provide significant learning opportunities to individuals and organizations in the realistic global cyber environment RGCE. The exercises are technical-functional by nature, and this means that the situational awareness of individuals and teams is critical in order to fulfill the learning objectives. Good situational awareness means that decision makers have correct information to make decisions.

This thesis studied situational awareness in the context of a cyber security exercise from the perspective of the defending blue team. Defending teams observe, report and mitigate cyber events that are happening in the cyber environment assigned to them. There are many different types of cyber-attacks happening that the team should be able to detect.

The research questions for this thesis stated that the objective of the thesis is to find the requirements needed for a situational awareness system and make a proposal for a novel construction for a blue team situational awareness system. Additionally, there is a need to do more research in the field of situational awareness, and part of this thesis was to identify where new research is needed.

As a main result, 56 requirements have been identified and a proposal for a novel system construction is made. Additionally, new research topics in the areas of individual and organizational situational awareness have been identified.

Keywords/tags (subjects): Cyber security, Cyber exercise, Situational awareness, Requirement specification

Description (Finnish description page, Kuvailulehti)

Author(s): Lötjönen, Jarno
Type of publication: Master's thesis (ylempi AMK)
Date: 2.12.2017
Language of publication: English
Number of pages: 75
Permission for web publication granted: x
Title of work: Requirement specification for cyber security situational awareness. Defender's approach in cyber security exercises
Degree programme: Master's Degree Programme in Information Technology, Cyber Security
Supervisor(s): Kokkonen, Tero; Karjalainen, Mika
Assigned by: JAMK University of Applied Sciences, JYVSECTEC; Kokkonen, Tero

Abstract

The digitalization of the world is rapid and poses new threats to developed societies. The cyber security exercises held at the Institute of Information Technology of JAMK University of Applied Sciences offer significant learning opportunities to individuals and groups in the realistic global cyber environment RGCE. The exercises are technical-functional by nature, which means that the situational awareness of the individual and the group is critical for achieving the learning objectives. Good situational awareness enables decision making based on correct information.

The thesis studied situational awareness in the framework of a cyber security exercise from the perspective of the defending team. Defending teams observe, report and counter cyber phenomena that occur in the cyber environment assigned to them. The team must be able to detect many different kinds of cyber attacks.

The research questions of the thesis set as the objectives of the work finding the requirements for a requirement specification and defining a new construction proposal for a defending team situational awareness system. In addition, there is a need for further research in the field of situational awareness, and identifying new research topics was part of the work.

As the main results, 56 requirements were found and a system construction was created based on them. In addition, new research topics in the area of individual and organizational situational awareness have been identified.

Keywords (subjects): Cyber security, Cyber security exercise, situational awareness, situation understanding, requirement specification

Contents

Glossary ............................................................................ 7
1 Introduction ...................................................................... 8
2 Research .......................................................................... 10
2.1 Research objectives ............................................................ 10
2.2 Research methodology ........................................................... 10
2.3 Research questions ............................................................. 13
3 Requirements specification ....................................................... 14
3.1 Fundamentals of requirement specification in software engineering ............. 14
3.2 Requirement handling in software development ................................... 15
3.3 Specification in software development .......................................... 17
3.4 Requirement categorization ..................................................... 17
4 Cyber security exercises and the infrastructure in JAMK .......................... 20
4.1 Overview of core exercise types ................................................ 20
4.2 Table top exercise ............................................................. 20
4.3 Hybrid exercise ................................................................ 21
4.4 Full live exercise ............................................................. 21
4.5 Exercise team definitions ...................................................... 22
4.6 Cyber range .................................................................... 25
4.7 Realistic Global Cyber Environment (RGCE) cyber range .......................... 26
5 Situational awareness ............................................................ 28
5.1 Theoretical background ......................................................... 28
5.2 Different levels of situational awareness ...................................... 29
5.3 Situational awareness for teams ................................................ 32
5.4 Cyber security situational awareness ........................................... 34
5.5 Situational awareness information consumers and provider systems .............. 37
6 Cyber security situational awareness system approaches .......................... 39
7 Requirements for blue team SA system ............................................. 41
7.1 Blue team SA in cyber security exercise ........................................ 41
7.2 Usage requirements ............................................................. 43
7.3 Blue team user requirements .................................................... 46
7.4 White team requirements ........................................................ 51
7.5 Interconnectivity requirements ................................................. 52
7.6 Data processing requirements ................................................... 54
8 System construction .............................................................. 57
8.1 User interface ................................................................. 58
8.2 Data input and select .......................................................... 59
8.3 Data API ....................................................................... 59
8.4 Data aggregation ............................................................... 60
8.5 Database ....................................................................... 60
9 Research results ................................................................. 61
10 Conclusions ..................................................................... 63
References ......................................................................... 66
Appendices ......................................................................... 69

Figures

Figure 1 Elements of Constructive Research (Kasanen et al. 1993, 247) ............. 11
Figure 2 Agile process (Sommerville 2011, 63) ...................................... 16
Figure 3 Plan-Based Development (Sommerville 2011, 63) ............................. 17
Figure 4 The levels of situational awareness (Endsley 1995, 35) .................... 29
Figure 5 The framework model (Endsley 1995, 35) .................................... 31
Figure 6 Team situational awareness (Endsley 1995, 39) ............................. 33
Figure 7 Cyber Security information consumers and providers ........................ 38
Figure 8 Systems contributing information to the situational awareness ............ 42
Figure 9 Proposed blue team situation awareness system construction ............... 58

Tables

Table 1 Content of a requirement ................................................... 18
Table 2 Requirements for a SA System ............................................... 69

Glossary

JYVSECTEC   Jyväskylä Security Technology
SWEBOK      Software Engineering Body of Knowledge
RGCE        Realistic Global Cyber Environment
DFIR        Digital Forensic and Incident Response
SA          Situational Awareness
RT          Red Team
WT          White Team
BT          Blue Team
GT          Green Team
CERT        Computer emergency response team
CSIRT       Computer security incident response team
IR          Incident Response
MISP        Malware Information Sharing Platform
CAIS        Cyber Attack Information System
OOG         out-of-game
IG          in-game
OSINT       Open Source Intelligence
HUMINT      Human Intelligence

1 Introduction

The world has gone digital. In developed information societies, such as Finland, this is a fact so profound that without functioning data networks and computer systems the well-being of humans and even the security of the nation is at risk.

In this complex world where the boundaries of the digitalized infrastructure and the physical realm are blurred, the interconnected environment of physical and electrical systems is often described as the cyber domain. The cyber domain is defined in the Finnish cyber security strategy as a domain of information technology infrastructures processing data. (Secretariat of the Security Committee 2013, 12)

In today's world where the cyber domain is an integral part of people's lives, the need for training against different types of cyber related threats is ever growing. JAMK University of Applied Sciences has arranged a vast number of different types of cyber trainings. The training against threats should take place in a controlled environment because there is a need for realistic simulated attacks, and the risks of breaking laws or harming outsiders by making mistakes in the open internet are, simply put, too big and real. Also, not many organizations are willing to take the risk of harming their production environment or continuity of business.

For this purpose, the cyber security exercises are held in closed cyber ranges isolated from the internet; however, they mimic the services and structures of the real internet. Nevertheless, it makes no difference if one is training in simulations or struggling with real cyber security incidents in one's production systems; the need for accurate situational awareness is always paramount.

Situational awareness can mean a variety of things to different people. People also have many types of comprehensions about situational awareness. Therefore, there is a need to define what it means in the context of this thesis.

Many times, to be able to resolve a cyber security incident there is a need to know what happened, where it happened, when it happened, why it happened and to whom it happened. There are several systems sold and advertised as situational awareness systems. These vary from infrastructure monitoring systems to log management systems and even to ticketing platforms. These systems are crucial tools for information gathering for incident handling; however, the problem is that when complex decisions need to be made for solving cyber security incidents, most of the information is processed in human heads.

There is a clear need for a system that gathers pieces of information so that the incident handler can make rational decisions faster and focus on the relevant tasks. In many cyber security exercises, the situation gets hectic and any system that helps in prioritization would be useful for the defending team.

The theoretical background for this thesis is based on research on cyber security situational awareness, requirements management and cyber security exercises.

The outcome of this thesis can be used as a high-level requirement specification for a cyber security situational awareness system for the defender in cyber security exercises. It should be possible to design and develop a demonstration system that visualizes and helps in understanding what the current overall cyber security status and situation of incident handling is for a defending team.

This thesis is assigned by JYVSECTEC (Jyväskylä Security Technology). JYVSECTEC is an independent cyber security research, training and development center within JAMK University of Applied Sciences, the Institute of Information Technology. JYVSECTEC arranges cyber exercises of various types and sizes, and the purpose of this thesis is to advance the research of SA (Situational Awareness) in cyber exercises. (JYVSECTEC 2017)

2 Research

2.1 Research objectives

In this thesis, the situational awareness of a cyber security exercise team is studied. Situational awareness in an exercise covers the aspect of reporting team actions in the course of an exercise. This means that the team reports and understands the actions they make in the exercise along with the more obvious technical findings. The thesis explains why there is a need for a new situational awareness system construction.

The objective of this thesis is to create a requirement specification document for a cyber security situational awareness system. The designed situational awareness system described here could be used in cyber security exercises by a team responsible for defending technical cyber environments against various types of cyber security threats. Hence the definition, a defender's approach, in the subtitle of the thesis.

There is a vast number of systems and platforms available marketed as situational awareness systems on the market today. Because almost any type of visualization or log management software enhances the awareness of the situation in computer system environments, the use of situational awareness terminology in marketing is valid. The complexity of situational awareness illustrates why there are many ways to use the term. The definition and context related to this thesis are explained.

Systems or platforms specifically designed with cyber security exercise usage in mind are non-existent, or at least none were available at the time of writing this thesis. Therefore, the need for this research is justified.

2.2 Research methodology

Gordana (2010) stated that constructive methodology is a suitable research method to be used in software engineering theses. Not all relevant first hand knowledge is usually presented when referring to more fundamental approaches such as the empirical method, grounded theory etc. Therefore, a method of constructive approach is needed. Gordana also characterizes the constructive method and its relation to the more fundamental research methodologies. (Gordana 2010, 1)

Gordana (2001, 1) also refers to what Lazaro and Marcos (2005) stated, that in the field of computing, engineering research differs greatly from traditional scientific approaches, as engineering focuses on how a thing is created and how it works instead of metaphysical issues. (Lazaro & Marcos 2005, 3)

The constructive research method should aim at solving practical problems via a process of selecting a problem, obtaining knowledge about the area and designing a solution. When there are existing theories and practical problems, the gap shows potential for a contribution to constructive research. (Lehtiranta et al. 2015, 1)

Constructive research can be considered as a type of applied study, as the production of new knowledge is characteristic to it. This aspect suits well a thesis done for a university of applied sciences. (Kasanen et al. 1995, 252)

Kasanen et al. (1993, 247) introduced a model with four elements that should be included in constructive research. These are shown in Figure 1 with the construction in the center as the final solution.

Figure 1 Elements of Constructive Research (Kasanen et al. 1993, 247)

Practical relevance to this thesis comes from the need that JYVSECTEC (JYVSECTEC 2017) has found out in a few years of running cyber exercises. Blue teams often report that they had difficulties in understanding the situation and don't remember the actions they made. There is a real world need for a new situation awareness system to be used in cyber exercises, with features that are not found in the market. Many different systems are used separately in exercises to accomplish the tasks covered by this thesis.

Practical functioning is the problematic issue in this kind of approach and is stated to be so also by Kasanen et al. (1993, 246) in their research. The main problem lies in understanding the fact that the actual functioning of a problem-solving construction can often be found only after the construction is actually implemented. This is not even in the scope of this thesis, so this research method fails in this area.

Theoretical connection to research comes from literature regarding situational awareness and cyber security exercise research. Reflecting these with the author's several years of practical experience from many different exercises, it is easy to understand that theoretical literature is not focusing on the dilemma of blue team situational awareness.

According to a study consisting of 102 scientific articles by Franke and Brynielsson (2014), theoretical research of cyber situational awareness is focusing more towards data analytics, data fusion and answering cyber threats by technical means. (Franke & Brynielsson 2014, 26-27)

When cyber exercises are studied, the research and literature found is focusing on covering different aspects that need to be taken into account when designing and conducting exercises but doesn't really focus on team performance in exercises.

This thesis contributes to theoretical research by examining team situational awareness and identifying the need for a novel construction and the requirements to develop such a construction.

2.3 Research questions

Because of the massive amount of data in complex ICT environments, and because many different computer systems for displaying and analyzing information are available as situational awareness systems but fail to address the needs of a cyber exercise, research for a novel system design should be performed. The research should show that requirements and a construction for a system with said needs can be found.

Another problem lies in the vast variety of answers to the question of what situational awareness is. When specified into the more detailed area of cyber security situational awareness, there are basically as many answers as there are people answering. If any definitions or new research topics for blue team situational awareness in a cyber security exercise can be found, they should be stated and some new research information should be presented.

New research and solutions in the field of situational awareness are a product of the JYVSECTEC project, and there is also the need to find out aspects of situational awareness that might need further research.

The questions that are the drivers for this thesis can be summarized as:

• What are the requirements for a defending team situational awareness system?

• What kind of framework construction can be proposed?

• What research is there for situational awareness in cyber exercises?

Any additional findings should be reported and at the minimum be listed in the conclusion to be proposed as future research possibilities.

3 Requirements specification

3.1 Fundamentals of requirement specification in software engineering

In this chapter, some key elements of a software project's requirement specifications are studied to gain a good understanding of how and why this process is fundamental when developing software products.

According to the well respected source literature SWEBOK (Software Engineering Body of Knowledge), a software requirement is stated as a property that should solve a real-world problem. (Bourque & Fairley 2014, 33-34)

Software requirement management means the analysis and validation of requirements throughout the lifecycle of a product. Projects are critically vulnerable if requirement management is not done effectively. (Bourque & Fairley 2014, 32)

SWEBOK (2014, 34) also gives an example that a solution may aim at automation of a task or at supporting a business process; however, since these function in a complex manner, the requirements are also typically complex combinations from various people from multiple levels of an organization. (Bourque & Fairley 34)

When later in this thesis situational awareness is defined, it is quite obvious that without a quite strict and limited first approach to requirement specification work, there would be such a vast amount of complexity that it would become an overwhelming task to start. Hence, only key requirements at a somewhat abstract level would be feasible.

When defining the requirement work for a software project, there should be a clear understanding about the proposed requirement handling model.

3.2 Requirement handling in software development

It is not really a relevant part of this thesis to define requirement handling; however, it helps in limiting the scope and aids with understanding why it might seem that some interesting elements are not taken into account when requirements are chosen.

As the organization that assigned this thesis is a university and not a software company, it is quite common to experiment and try new methods. The ultimate goal might not be commercial software to be sold, but the aim is to study possible approaches to a certain dilemma.

Therefore, too strict guidelines might actually limit the possibilities. In this type of work the more agile, fast and flexible methods tend to work the best. If the idea had been a software project that experiments and evolves into actual code, it would have been possible to use the agile development method.

The agile approach illustrated in Figure 2 considers design and implementation as central activities. It incorporates other activities, such as elicitation of requirements and testing of implementation, into design and implementation, according to Sommerville in the Software Engineering book. (Sommerville 2011, 62)

Figure 2 Agile process (Sommerville 2011, 63)

As this thesis aims more at being a study and defining a new idea in the field of situational awareness rather than creating an actual software product, the agile development process was not the best suitable option. It must be stated that requirements for such an agile project can be found as requested.

When it comes to requirement handling in this project, the author has used the plan-based development specification process, as this seemed well suited for this work.

As stated by Sommerville (2011, 62-63), in the plan-driven approach that is illustrated in Figure 3 the iteration occurs within the activities themselves. Each function iterates into formal documents that are passed between different process stages. Therefore, requirement engineering takes place first, and the refinement of this phase leads to the actual requirement specification. The work done for this thesis can be considered as a requirement engineering phase, and at the same time this thesis can be considered as the actual requirement specification. Though it must be stated that there are more thesis related research issues written than would be necessary in a commercial project.

Figure 3 Plan-Based Development (Sommerville 2011, 63)

This plan-based model is suitable for this type of thesis work. It helps in defining the scope of the thesis more strictly than the agile method; however, at the same time it offers the possibility to leave out the design and implementation part, which is not in the scope of the thesis.

3.3 Specification in software development

The reasoning behind software specification work lies in the realization that this process clarifies the understanding and helps with defining what parts the designed system requires. It also identifies the constraints of the system operations.

Sommerville also states the obvious understanding that the requirements process is not simply carried out in a strict sequence of actions. The requirement analysis needs to continue throughout the definition and specification phases as new requirements come to light as the work continues. (Sommerville 2011, 38)

Keeping this in mind, there is a point in time where it is mandatory for the author to freeze the process of adding new requirements into this thesis. It is obvious that there will be a great number of new ideas that come up during the requirement specification work, which leads to possible future development opportunities.

3.4 Requirement categorization

In order to be able to manage requirements, some form of categorization and requirement format needs to be defined.

According to the requirement management guide of the Finnish Defense Forces, every requirement must have an individual identification that can be multi-layered. If a requirement contains multiple issues, they should be divided into sub-requirements. Also, there is a rule that identifications must be unique and the ID must not be duplicated. (Kosola 2013, 7-8)

Table 1 presents a model that the author has developed for a single requirement that is suited for generating the system construction of this thesis. Requirements have some key attributes that are defined.

Table 1 Content of a requirement

CATEGORY              | INFORMATION                            | ADDITIONAL REMARKS
----------------------|----------------------------------------|------------------------------------------------------------
REQ ID NUM            | Ex. 1.1.1                              | Depending on the category, numbering might change
REQ NAME              | Name of the requirement                | Needs to be such that its functionality is understood from the name
DESC                  | Description                            | More detailed description of the requirement
REQ IMPORTANCE        | Importance                             | Importance value: Mandatory, Important, Necessary
ACTION                | Action type                            | What should be done when this requirement is met
TYPE OF ACTION        | Textual or numerical information etc.  | There could also be more abstract actions than value inputs
RELATION TO OTHER REQ | REQ ID NUM                             | ID of a requirement which has a relation or clarification

The name of the requirement is to aid the reader of this document to quickly understand the meaning of the requirement.

According to Kosola (2013, 14), the description of a requirement is a free textual field that describes the requirement in more elaborate detail. This doesn't mean, however, that any random free text wording is therefore a requirement. A requirement needs to define precision and not be too abstract.

The requirements in this thesis have true relevance to the problem, which is why there are no requirements to be left out, but their importance should be taken into consideration. The importance level of a requirement is also derived from Kosola and is decided to be three-leveled with mandatory, important and necessary. (Kosola 2013, 15)

Mandatory requirements are such that they shall be implemented in the system and cannot be overlooked or left out from implementation. Important requirements should be implemented but are not vital to the usage of the system. Necessary requirements are such that can be left out but are valuable and should be implemented.

Other information fields in the requirement model are more or less additional attributes and have been selected by the author in order to help understand the construction that is formed based on the requirements.
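The requirement model of Table 1 together with Kosola's rules (unique, multi-layered IDs; sub-requirements under a parent; three importance levels) can be checked mechanically. The following is an added example, not code from the thesis or from JYVSECTEC: the field names, the parent/child reading of dotted IDs, the list form of RELATION TO OTHER REQ and the sample requirements are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The three importance levels the thesis takes from Kosola (2013, 15).
IMPORTANCE_LEVELS = ("Mandatory", "Important", "Necessary")


@dataclass
class Requirement:
    """One requirement with the fields of Table 1 (attribute names are my own)."""
    req_id: str                  # REQ ID NUM, multi-layered, e.g. "1.1.1"
    name: str                    # REQ NAME
    desc: str                    # DESC
    importance: str              # REQ IMPORTANCE
    action: str = ""             # ACTION
    type_of_action: str = ""     # TYPE OF ACTION
    related: List[str] = field(default_factory=list)  # RELATION TO OTHER REQ


def parent_id(req_id: str) -> Optional[str]:
    """'1.2.3' -> '1.2'; a top-level id such as '1' has no parent."""
    head, sep, _ = req_id.rpartition(".")
    return head if sep else None


def validate(reqs: List[Requirement]) -> List[str]:
    """Return a list of problems; an empty list means the set is consistent."""
    problems: List[str] = []
    seen: Dict[str, Requirement] = {}
    for r in reqs:
        # Kosola's rule: identifications must be unique, never duplicated.
        if r.req_id in seen:
            problems.append(f"{r.req_id}: duplicate REQ ID NUM")
            continue
        if not all(part.isdigit() for part in r.req_id.split(".")):
            problems.append(f"{r.req_id}: ID must be dotted numeric layers")
        seen[r.req_id] = r
    for r in seen.values():
        if r.importance not in IMPORTANCE_LEVELS:
            problems.append(f"{r.req_id}: unknown importance {r.importance!r}")
        if not r.name.strip() or not r.desc.strip():
            problems.append(f"{r.req_id}: name and description must not be empty")
        # A sub-requirement (1.1.1) must hang under an existing parent (1.1).
        p = parent_id(r.req_id)
        if p is not None and p not in seen:
            problems.append(f"{r.req_id}: parent requirement {p} is missing")
        # RELATION TO OTHER REQ must point at an existing id other than itself.
        for rel in r.related:
            if rel == r.req_id:
                problems.append(f"{r.req_id}: relation to itself")
            elif rel not in seen:
                problems.append(f"{r.req_id}: relation target {rel} does not exist")
    return problems


def by_importance(reqs: List[Requirement]) -> Dict[str, List[str]]:
    """Group requirement ids by importance level (unknown levels get their own key)."""
    groups: Dict[str, List[str]] = {level: [] for level in IMPORTANCE_LEVELS}
    for r in reqs:
        groups.setdefault(r.importance, []).append(r.req_id)
    return groups


# Constructed sample requirements; these are illustrations, not the thesis' Table 2.
SAMPLE = [
    Requirement("1", "Event timeline", "Chronological view of exercise events", "Mandatory"),
    Requirement("1.1", "Team action log", "Each blue team action with a timestamp",
                "Mandatory", "Store", "Textual"),
    Requirement("1.1.1", "Action author", "Team member who performed the action",
                "Important", "Store", "Textual", ["1.1"]),
    Requirement("2", "White team inject view", "Injects visible to exercise control",
                "Necessary", related=["1.1"]),
]

# Same set plus two defective entries that the validator should flag.
BROKEN = SAMPLE + [
    Requirement("1.1", "Duplicate id", "Collides with the action log", "Mandatory"),
    Requirement("3.1", "Orphan", "No parent 3, bad level, dangling relation",
                "Critical", related=["9"]),
]

if __name__ == "__main__":
    print("SAMPLE problems:", validate(SAMPLE))
    for problem in validate(BROKEN):
        print("BROKEN:", problem)
```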

20

4 CybersecurityexercisesandtheinfrastructureinJAMK

4.1 Overviewofcoreexercisetypes

Inthischapter,somekeyexercisetypesarecovered.Thereisavastnumberofdiffer-

entkindsofexercisesthatcouldbeusedwhenlearningaboutcybersecuritythreats

andaboutthewaysofhandlingdifferentkindofincidents.

Whenlookingforinformationabouthowtoconductsuchanexercise,abookfrom

MITREcomesupasanindustrybaselineforexercisebuilding.Also,theroughcatego-

rizationofdifferentexercisetypescanbefoundinthecyberexerciseplaybookpub-

lishedbytheMITREorganization.ItstatesthecoretypestobeTableTop,Hybrid

(scriptedinjectswithrealprobes/scans)andfulllive(realandscripted).(Kick2014,8)

InJAMKJYVSECTEC,thecyberexercisesarecategorizedaccordingtothebusiness

model.MITREcategoriesarealsovalidforJAMKbusinesscasesandtheywillbere-

flectedonwhenbrieflygoingthrough.Theyhavebeennamedsothattheywillbe

moreelaboratetocustomers.

InJYVSECTECcyberrange,RGCEandsolutionswhitepaper,themainexercisetypes

offeredarenamedasDigitalForensicsandIncidentResponse(DFIR)exercise,Indus-

trysectorexerciseandtailoredcyberexercise.(Vatanenetal.2017,13-15)

JAMKexercisesarereflectedontheirMITREcounterpartswhendefiningtheexer-

cisesviatheMITREcategorization.

4.2 Tabletopexercise

Tabletopexercisehasscriptedeventsandisoftenthefirsttypeofexercise.Table

topexercisesdonottaketoolongtimetoplanandneedlimitedresources.Thisisa

commonexercisetypethatiswellsuitedforplayingthescenariosforthedecision-

makinglevelattendees.Theplannersandplayersusuallysitatsametable,andthe

injectsarehypothetical,pre-coordinatedandwrittendown.Thisexerciseisoften

21

usedtobuildrelationshipsshareinformationbetweendifferentorganizations.They

shouldnotbetoobigandshouldofferaroomfordiscussions.(Kick2014,9)

AtJAMKJYVSECTEC,tabletopexercisesareusuallynothosted.Thefocusandthe

businessmodelisaimedmoreattechnicalandoperationallevels.However,insome

occasions,atabletopapproachhasbeenselectedinunisonwithtechnical-opera-

tionalexercisewithcompanyexecutives,whichhasbeenareallygoodwayofinte-

gratingtwodifferenttypesofexercises.

4.3 Hybridexercise

Hybridexercisesincludescriptedinjectsandrealprobesorscans,whichincreasethe

realismandtrainingopportunities.Thereshouldbearedteamthatgeneratesreal

eventsagainstpre-determinedtargets.Coordinationandplanningtakeslongeras

trainingalsosimulatesbusinessprocesses.Thistypeofexercisecouldbeconsidered

asa“walking”asthereisapre-determinedcourseofactions.(Kick2014,10)

InJAMKexercise,thedigitalforensicandincidentresponsecouldbeconsideredasa

variantofthisMITREhybridexercisedefinition.InDFIRexercise,thescriptedevents

arerealandconductedbyredteam(RT)members.Theexerciseitselfisnotliveac-

tionbutmoreofawalkthroughoftheoccurredincidentandhelpsinraisingaware-

nessofthemodernattackvectorsandtactics.Atthesametime,thetrainedorgani-

zationisabletounderstandtheprocessofincidentresponseandfamiliarizethem-

selveswiththeforensicartifactsofcybersecurityincidents.

4.4 Fullliveexercise

Fullliveexercisesarebasedonrealevents.Theyincreasetherealismandgivetrain-

ingaudienceagreatopportunitytoenhancetheircapabilitiestocounteractifand

whenrealworldincidentsoccur.Thereisliveredteamingongoing,andalthoughtar-

getsandproceduresaremostlyscripted,thereisroomforliveRTactionstobetaken

whentheopportunityopens.Fullliveexercisessimulatesimilarconflictionsaswould

occurinrealworldnetworks.(Kick2014,10)

22

Therealisminafullliveexerciseisthedeterminingsuccessfactor,whichraisesthe

needforplannerstounderstandthethreats,threatactors,theirobjectives,theirtac-

ticsandprocedures(TTPs).(Kick2014,11)

CyberexercisesheldbyJYVSECTECaremostlyliveexercisevariants.Theyareheldin

realisticready-madecomplexindustryorganizationsorinfullycustomizedand

scopedcustomerorganizationsrunningintheRealisticGlobalCyberEnvironment

(RGCE)cyberrangedevelopedjustforthispurposeinmind.

JAMKexercisesarealwaysheldinanisolatedcyberrangeenvironment;however,

MITREalsopointsoutthatinsomeoccasionscyberexercisescanbeheldinliveenvi-

ronmentsifallnecessaryprecautionsandrisksaretakenintoaccount.JAMKbelieves

thatatotallyisolatedenvironmentissafer,moreeconomicalandmakesitpossible

todoinjectsthatwouldnotbefeasibleinproductionenvironments.

4.5 Exerciseteamdefinitions

Inacybersecurityexercise,thereisacommonpatternofdefiningteamsbycolour.

Themostcrucialteamsforliveexercisesarewhite,redandblue.Othercolourscan

beused;however,thesearemusthaveteams.Thebasicfunctionsforteamsareas

follows:whiteisplan/exercisecontrol,redteamisattacker/adversaryandblueisde-

fendingteam.Thegreenteamisthemostcrucialteambecausetheyareresponsible

foralltechnicalissuesandtheadministrationofcyberrangeandpossiblyfacilitate

someinjectsalsowhenredteamisunabletodosoaccordingtolimitationsininfra-

structure.

Definitionsvaryformanythingsrelatingtocyber;however,quiteoftenwhenglossa-

riesarewrittenordefinitionsforterminologyareaddressed,namelyintheNorth

AmericanliteratureadocumentnamedCSNNI4009(CommitteeonNationalSecurity

Systems2010.)bythecommitteeonNationalSecuritySystemscomesup.Another

goodsourcefordefinitionsisCRISCyberRangeLexiconVersion1.0(Damodaran

2015.).

23

White team

Quite often the white team is mentioned in the context of some sort of competition. According to the Committee on National Security Systems (2010, 81), the white team is responsible for acting as a referee in an engagement between a red team and a blue team. In an exercise, the white team acts as the judges, enforces the rules of the exercise, observes the exercise, resolves any problems that may arise, handles all requests for information or questions, and ensures that the exercise runs smoothly. The white team also has the responsibility for deriving lessons learned, conducting the post-engagement assessment, and promulgating results. (Committee on National Security Systems 2010, 81)

JAMK does not host competitions, so the parts of the definition that concern competition-specific issues are left out on purpose in JAMK JYVSECTEC exercises held in RGCE. In JAMK JYVSECTEC, white team is used to mean the planning team and also the ExCon (exercise control) of the actual exercise. Also, the post-exercise actions such as reporting are white team responsibilities.

A better suited definition for JAMK is found in Damodaran (2015, 20), where the team is the administrative management and monitoring team that does the assessment of events and teams.

Red team

The red team in JAMK is a team of specialists working mainly for the JYVSECTEC business unit. The red team attacks the organizations built inside the RGCE cyber range in an exercise. Only on some rare occasions may personnel from an organization other than JAMK be a part of the red team. Emerging commercial offerings that use red teaming in real-world penetration testing might give different definitions to red teaming than is described here; however, in JAMK the limitation is made to use the red team only in the RGCE.


Red team is a group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The red team's objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and what works for the defenders (i.e., the blue team) in an operational environment. (Committee on National Security Systems 2010, 59)

Blue team

As this thesis focuses on the blue team, the definition of a blue team is crucial. In most exercises, the blue team is the team that actually is the training audience, and all activities focus on aiding this team to understand and learn the cyber events. The blue team has to be able to understand what the status of their environment is, and all intrusion detection and prevention systems should be built in such a way that red team attacks can be seen and mitigated either by the team itself or with the help of the green team.

Blue team is responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically, the Blue Team and its supporters must defend against simulated attacks in a representative operational context with the help of a neutral group controlling the simulation or exercise (i.e., the White Team). (Committee on National Security Systems 2010, 7)

The key focus in the technical exercise part should be on defending an enterprise's use of information systems. To be able to learn as much as possible, the exercises in JYVSECTEC focus heavily on detecting, gathering, reporting and sharing actionable indicators of compromise. The feasible approach is not to block the IP range of a complete country but to figure out the actual attack vectors, what the attacker is doing, where the attacker comes from, how the attacker maneuvers inside the corporate networks and what the main goal of the attacker is.


This approach already gives some useful requirements for the blue team SA system. The team needs to know and understand the situation from multiple angles, and beyond the common and traditional perspective of technical preventative systems, to be successful in the cyber defense exercise. This understanding should be implemented in the incident handling approach in live environments as well. Often the attacker TTP is not regarded as highly important because business continuity is the main focus; however, understanding the attacker's motives and tactics might help in the long run to mitigate the risks more comprehensively, and learning this is one of the key elements in JYVSECTEC exercises.

Green team

The green team in JAMK is the team responsible for designing, building and maintaining the RGCE cyber range. This means everything from range core services to organizational networks and out-of-game infrastructures such as learning facility networks and the workstations used for connecting into the range.

Green team is a group of operators responsible for the exercise infrastructure. They configure all virtual computers, networks and complex monitoring infrastructure. The Green team also monitors the health of the sandbox and fixes crashes and infrastructure issues if needed. (Celeda et al. 2015, 6)

The green team also generates some part of the injects designed by the white team and the red team. The red team and the green team must work closely together in a white-box manner for the environments to be exploitable in certain areas. It is not feasible or cost-effective, and it might actually be a limiting factor for the success of the exercise, if the red team does not know the infrastructure completely. The red team is not the audience being trained.

4.6 Cyber range

Range is a concept that is familiar to many organizations; however, it is associated with many different things. There are a number of cyber ranges nowadays in Europe; yet, quite often they tend to be a part of a military or other governmental security organization. Not much information is public and reference material is quite hard to find.

MITRE states that a cyber range is a controlled electronic computing environment with systems, networks, services, and users generally isolated from the live network. A range has a defined baseline of physical or virtual instances configured for a scenario. However, MITRE states that a range may have the drawback of creating unrealistic or artificial settings. (Kick 2014, 11)

According to a study by the Australian Department of Defence based on publicly available, non-classified information, there are more than 30 known cyber ranges and test beds of the emulation or simulation type that could be used for cyber exercises. (Davis and Magrath 2013, 24-25)

The JYVSECTEC RGCE cyber range built in JAMK is one of the most advanced and comprehensive cyber ranges in Europe. With its realistic internet structures, realistic systems, realistic services and realistic user traffic at the core of the development work, this approach makes JAMK JYVSECTEC's cyber range unique in many ways.

Another academic cyber range example is KYPO (Cyber Exercise & Research Platform), developed and operated by CSIRT-MU, the security team of Masaryk University. KYPO aims to provide a virtualized environment for performing complex cyber-attacks against simulated critical infrastructure. (Celeda et al. 2015, 1)

4.7 Realistic Global Cyber Environment (RGCE) cyber range

The foundation for realism in the RGCE cyber range is made with functions that mimic the real-world internet structure. RGCE is a totally isolated environment controlled by JAMK staff. It features a real-world public IP structure with tier 1-3 operators and fully functional BGP routing. It also has realistic name structures and PKI infrastructures, to name a few core services. (Vatanen et al. 2017, 3)


Realistic user traffic simulation is a key element in technical cyber exercises, and for this purpose JAMK has developed a hierarchical tree-like network traffic simulation botnet. The traffic generated by this botnet can be scattered throughout the RGCE internet IP address space. With the aid of this botnet, it is possible to send numerous different types of traffic, and it is up to the botnet operator whether it is malicious or legitimate user traffic. (Kokkonen 2016, 23)

JYVSECTEC's cyber range also has many different comprehensive industry-specific organization environments representing certain fields of business, their services, and technical environments including the actual business service systems. These currently include a financial organization, an internet service provider, a road tunnel provider and an electricity company. These environments are not just ICT-specific systems but holistic environments down to physical industrial control devices. (Vatanen et al. 2017, 6)


5 Situational awareness

5.1 Theoretical background

When searching for the concept of situational awareness, one finds that perhaps the most referenced theoretical model for the fundamentals is the one made by Endsley in 1995. Endsley states that, based on a descriptive view of decision making, situational awareness is a predominant concern in system design. (Endsley 1995, 32)

Endsley's groundbreaking work in the situational awareness area laid the foundations by drawing on a field where correct knowledge of the real-time situation had been used for decision making for a long time. This was aviation. Even though decisions had been made by these principles in the aviation field, it was Endsley who defined them in the academic world. (Endsley 1995, 32-33)

It was soon understood that actually all critical and real-time decision-making processes were somehow related to this situational awareness issue. This made it clear that other areas and fields of expertise adopted situational awareness into their studies.

Cyber security is not something that has been here long as a term or as a complete business. In the last few years, the whole cyber security industry, and the understanding that digitalization forces all aspects of a modern society into taking cyber security as a fundamental part, also drive the need to develop and define situational awareness in the cyber security realm.

Cyber security situational awareness involves technical and cognitive aspects that contribute to understanding what needs to be done in order to enhance understanding of the cyber environment. (Franke & Brynielsson 2014, 20)


5.2 Different levels of situational awareness

Endsley defines three primary level components of situational awareness (Figure 4) that have a hierarchical structure. These are defined as the individual's perception of observed elements, comprehension of the current situation and the ability to project the future status of things. (Endsley 1995, 36)

Figure 4 The levels of situational awareness (Endsley 1995, 35)

The perception of elements in the current situation, level 1 in Endsley's model, simply means that an individual perceives the status, attributes and dynamics of relevant elements in order to achieve situational awareness. In cyber security, these could mean, for example, alerts in defensive systems such as firewalls or IDS/IPS systems. These types of attributes should be accurate data so that decision-making is based on facts. (Endsley 1995, 36-37)

Level 2 is the comprehension of the current situation. This is a synthesis of the elements at level 1. The elements themselves usually do not make for a holistic understanding, but a collection of data helps the decision maker in forming patterns. In the cyber security context, it could mean that if a single computer is affected with malware, it could be that one person is generating a risk by accident or on purpose. But if, at rapid speed, multiple computers start to alert on a similar issue, there might be an outbreak of malware, or some pattern matching has started to alert as a false positive. In CSIRT thinking, there is not really much difference in the reaction; however, as a situational awareness issue these two are completely different scenarios driven by the level 1 elements. (Endsley 1995, 37)
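The level 1 to level 2 step described above, as an added example that is not from the thesis: the raw alerts are the perceived elements, and the comprehension is the per-signature pattern (one host, a pattern still forming, a burst that fired everywhere at once and should be checked as a possible false positive, an actively spreading outbreak, or scattered hits). The thresholds, the assessment names and the sample alert lines are constructed assumptions for the demonstration.

```python
"""Level 1 -> Level 2 SA over security alerts (added example, not from the thesis)."""
from collections import defaultdict
from datetime import datetime

# Assumed thresholds for the demonstration
PATTERN_HOSTS = 3      # distinct hosts before alerts on one signature count as a pattern
SPREAD_WINDOW_S = 900  # a pattern forming inside 15 min is treated as actively spreading
BURST_S = 10           # a pattern inside 10 s looks like a signature update, not propagation

# Constructed sample alerts (not real data): "ISO timestamp  host  signature"
SAMPLE_ALERTS = """
2017-11-20T09:00:05 ws-014 Trojan.Generic
2017-11-20T09:00:40 ws-021 Trojan.Generic
2017-11-20T09:01:10 ws-033 Trojan.Generic
2017-11-20T09:01:55 ws-007 Trojan.Generic
2017-11-20T09:02:30 ws-019 Trojan.Generic
2017-11-20T09:30:00 ws-002 Exploit.Office
2017-11-20T10:00:00 ws-050 PUA.Toolbar
2017-11-20T10:00:01 srv-01 PUA.Toolbar
2017-11-20T10:00:02 srv-02 PUA.Toolbar
2017-11-20T10:00:02 ws-011 PUA.Toolbar
2017-11-20T08:00:00 ws-005 Adware.Bar
2017-11-20T13:00:00 ws-060 Adware.Bar
2017-11-20T16:00:00 ws-061 Adware.Bar
2017-11-20T12:00:00 ws-030 Exploit.PDF
2017-11-20T12:03:00 ws-031 Exploit.PDF
"""


def parse_alerts(text):
    """Level 1: the perceived elements, one (time, host, signature) tuple per alert line."""
    alerts = []
    for line in text.strip().splitlines():
        ts, host, sig = line.split()
        alerts.append((datetime.fromisoformat(ts), host, sig))
    return alerts


def comprehend(alerts):
    """Level 2: synthesize per-signature patterns from the level-1 alerts.

    Returns {signature: {"hosts": n, "spread_s": seconds, "kind": assessment}}.
    """
    by_sig = defaultdict(list)
    for ts, host, sig in sorted(alerts):
        by_sig[sig].append((ts, host))
    result = {}
    for sig, events in by_sig.items():
        hosts = {h for _, h in events}
        spread = (events[-1][0] - events[0][0]).total_seconds()
        if len(hosts) == 1:
            kind = "single-host"                  # one user, by accident or on purpose
        elif len(hosts) < PATTERN_HOSTS:
            kind = "few-hosts-watch"              # not yet a pattern, keep watching
        elif spread <= BURST_S:
            kind = "burst-check-false-positive"   # everything fired at once: verify the signature
        elif spread <= SPREAD_WINDOW_S:
            kind = "spreading-outbreak"           # new hosts keep joining within minutes
        else:
            kind = "scattered"                    # same signature, but hours apart
        result[sig] = {"hosts": len(hosts), "spread_s": spread, "kind": kind}
    return result


def triage_order(assessment):
    """Order signatures so the decision maker sees the most urgent pattern first (assumed ranking)."""
    urgency = {"spreading-outbreak": 0, "burst-check-false-positive": 1,
               "few-hosts-watch": 2, "scattered": 3, "single-host": 4}
    return sorted(assessment, key=lambda s: (urgency[assessment[s]["kind"]], -assessment[s]["hosts"]))


if __name__ == "__main__":
    a = comprehend(parse_alerts(SAMPLE_ALERTS))
    for sig in triage_order(a):
        print(f"{sig:16} {a[sig]['kind']:28} hosts={a[sig]['hosts']} spread={a[sig]['spread_s']:.0f}s")
```

The reaction in CSIRT terms may be the same for the burst and the outbreak, as the text says, but the two assessments send the team down different paths: the burst calls for checking what changed in the detection rule set, while the spreading pattern calls for containment, which is exactly why the comprehension step keeps them apart.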

The projection of future status is the ability that forms the highest level of situational awareness. It is achieved through knowledge of the status and dynamics of the elements and comprehension of the situation from level 1 and level 2 situational awareness. In a cyber incident manager role, for example, a senior tends to figure out the urgency and criticality faster than a person just starting in this type of role. This leads to a more precise projection of future status, which is level 3 SA. (Endsley 1995, 37)

Therefore, it is quite obvious that SA is based on far more than simply perceiving information. It includes comprehending the meaning of information, comparing it to goals and providing projections of the future state of the environment. This is crucial for the decision-making process, as stated by Endsley. (Endsley 1995, 37)

By defining these three levels in a more detailed manner, as illustrated in Figure 5, Endsley (1995, 35) demonstrates how a person's different levels of understanding the situation work as a foundation for decision making that ultimately leads to actions.


Figure 5 The framework model (Endsley 1995, 35)

Endsley's framework model shows the loop where the decisions formed by situational awareness lead to the performance of actions. In the detailed model, the decision point needs input from individual factors including such issues as objectives, expectations, long-term memory and automaticity. (Endsley 1995, 35)

One should note from the model that the actions alter the state of the environment, and by this mechanism they actually change the perception of elements, the comprehension of the situation and the projection of the future. This loop alters the individual's situational awareness constantly. In cyber security incidents, the actions to block hostile traffic or the mitigation of a vulnerability in workstations will alter the visibility of elements in security systems that act as input for level 1 situational awareness.

If one understands the complexity of modern corporate networks and systems and at the same time has an understanding of the amount of data flows and network traffic that is generated even in small-scale environments, the situational awareness of the problem starts to form.

This is the reason why so many automation systems and security controls are marketed today as situational awareness tools. They actually can be understood as SA systems because they aid in perception, comprehension, projection of the future and in performing actions. They, however, do this in only one or a few of these aspects, and because of the complexity no silver bullet solutions exist. Some huge systems try to tackle this and offer an umbrella system of sorts, but because the issue is so complex they tend to eat all possible resources and yet fall short.

In the context of a cyber security exercise, the decision-making process tends to be fast. In JAMK exercises, the perception of elements part is a well-thought-out issue and the cyber incident can be found out from the systems. When there are plenty of actions going on, there is clearly a need for a solution that somehow helps in making a more holistic comprehension of the current situation possible.

This thesis tries to state a requirement set for such a system, which could then be developed or scrapped. These types of systems are not found at the moment; however, the need is rapidly growing also outside the training context. In many de-briefings after an exercise it has been stated that it would be helpful to have such a system not only in exercises but also in security work in companies.

5.3 Situational awareness for teams

The types of exercises are defined later; however, this thesis aims at helping a team to form situational awareness in a cyber security exercise in order to perform good actions based on decisions made with valid information.

As was shown earlier, each person forms their own situational awareness, as it is an individual process. It must then be obvious that when gathering SA in a team, the final SA is actually a mixed combination from multiple persons.

Most often team members have their own specific sets of information sources, such as defensive systems for cyber incidents that they know better than someone else, and therefore it is common that the individual SA elements overlap. It is also a fact that a person categorizes their own issues as more critical, because they form their individual SA based on their own understanding of the situation.


Team situational awareness is shown in Figure 6. Some overlaps between each team member's SA requirements are bound to happen. This subset of information constitutes much of the team coordination. According to Endsley, this coordination may occur as verbal communication, as a duplication of information or by some other means. The overall team SA can be conceived as the degree to which all team members possess the SA for their responsibilities. (Endsley 1995, 39)

Figure 6 Team situational awareness (Endsley 1995, 39)

When thinking how crucial this situational awareness is for a team's success and learning possibilities in a cyber exercise, it is understandable what Endsley (1995, 39-40) is saying. There is evidence that a person's manner of characterizing a situation will determine the decision process for solving problems. Other evidence states that even the way the problem is presented affects decisions. On the other hand, the relationship between SA and performance is not direct but can be predicted. In general, it is understood that with inaccurate or incomplete situational awareness, the decisions will lead to poor performance. There are studies that state, on the other hand, that if team members understand that their SA is lacking, they tend to perform better than those who think they have all the needed elements. (Endsley 1995, 39-40)

Situational awareness is a key element, and the more time-critical the problems are, the more crucial correct and well-shared information is. In cyber security incidents, the data is moving so fast that humans are unable to process it. Also, the systems are so complex that humans cannot look at all things all the time. This is why automation and situational awareness systems are needed.

5.4 Cyber security situational awareness

Even though in most cases the basic ideas for situational awareness in cyber security derive from the works of Endsley (1995), the modern implementations made for cyber security have many outcomes.

Hence, it is often said in talks that there are as many different understandings about what situational awareness means in the cyber security context as there are talkers and listeners.

Cyber security situational awareness can be taken as a subset of situational awareness. It is the part of overall situational awareness that can be gathered with technical systems and cognitive understanding from the cyber environment. (Franke & Brynielsson 2014, 26-2

There are, however, some studies made and definitions stated that may help in defining and scoping the boundaries of understanding cyber security situational awareness in a more detailed manner.

Barford et al. (2010, 3-4) have defined interesting categorization aspects that differ from the traditional Endsley model and actually make the somewhat theoretical model more defined and perhaps easier to understand in normal day-to-day actions. This categorization has seven major points:

1. Be aware of the current situation. This aspect can also be called situation perception. Situation perception includes both situation recognition and identification.

2. Be aware of the impact of the attack. This aspect can also be called impact assessment.

3. Be aware of how situations evolve. Situation tracking is a major component of this aspect.

4. Be aware of actor (adversary) behavior.

5. Be aware of why and how the current situation is caused.

6. Be aware of the quality (and trustworthiness) of the collected situation awareness information items and the knowledge-intelligence-decisions derived from these information items.

7. Assess plausible futures of the current situation.

These can be easily adopted to fit the cyber security context, and even though the fundamentals have the same ideology as Endsley's model, the more precise mentions of the actual impact of an attack and the references made to the threat actor or adversary clearly make this categorization highly suitable when talking about cyber security situational awareness.

This, of course, is not the only way to define the situational awareness issue, and by looking at another categorization that goes to an even more detailed and technical level, one starts to understand that there is clearly a need to be somewhat specific and precise in deciding what cyber security situational awareness means in this thesis.

One such interesting framework can be found in the NIST cybersecurity framework paper done by Tri-County Electric Cooperative, Inc. It studied situational awareness for critical infrastructure and key resources (CIKR) and stated that there are five major points (NIST 2013, 2):


1. Accurate awareness of a utility's cyber security network and the CIKR that is a part of that network.

2. Complete understanding of the utility's cyber security operations and the individual CIKR that contributes to the overall process of the utility's system.

3. Proper assessment of the current operations occurring within the utility's cyber security network and the ability to assess potential breakdowns, weak areas or vulnerabilities that can be exploited to maximum effect in crippling a utility's system.

4. Monitoring of unusual events or occurrences within the cyber security network.

5. Flexibility to approach possible threats and mitigate them before they can be successful.

Based on these, it is safe to state that when thinking of the situational awareness system requirements for the blue team in cyber exercises, there is a need to address the human factor as a decision maker. On the other hand, one must try to keep in mind not only the actual awareness of what is thought to be the norm but also how to gather information about the adversaries. At the core, and as a foundation for all activities, one must also understand the core nature of cyber security events, that is, the detailed technical aspect of things.

There is plenty of talk about how cyber security is much more than just the hacker and technology issues. This is of course a fact in itself; however, it should be remembered that the very reason why cyber security is such a big thing is that detailed technical security flaws are at the heart of cyber.


The amount of data to be processed even in small systems and networks is so vast that technical solutions are also a key to solving a big part of the situational awareness dilemma, so that the non-technical decision-making process of humans is feasible.

5.5 Situational awareness information consumers and provider systems

As written in the previous paragraphs, it is clear that cyber security and its situational awareness is much more than just a technical issue, which leads straight to the conclusion that all aspects are impossible to understand deeply by single individuals.

The conclusion then must be that there is a vast number of roles and responsibilities related to situational awareness decision-making. The need for information by many different persons is clear. One could argue correctly that, whether one realizes it or not, everyone related to either system management, cyber security, or operational or strategic level decision making will automatically form their own personal cyber security situational awareness understanding according to the information they see and hear. The theoretical background was explained earlier in this thesis according to the Endsley framework in chapter 5.2 and refined by the Barford and NIST definitions in chapter 5.4.

At least some of the key information consumers that have been identified by the author during a professional career of over 10 years in systems management and the cyber security field are illustrated in Figure 7.


Figure 7 Cyber Security information consumers and providers

By making this kind of visualization, it is easier to understand the core elements providing information and displaying it when defining the requirements.

One could argue correctly that because there is not one clear and precise definition and understanding of this issue, this way of thinking is just one possible outcome and does not cover all aspects.

This is understood, and this thesis only tries to cover the fundamental aspects related to cyber security exercises held at JAMK University of Applied Sciences. This, however, is not a limiting factor and there are no reasons why this specification could not also address this situational awareness system dilemma for CERTs and CSIRTs, as a possible approach for future studies and trials.


6 Cyber security situational awareness system approaches

There are some cyber security specific situational awareness proposals to be found in scientific research papers. The main ideological difference between the system specified in this thesis and what can be found is that the published proposals are designed to tackle some technical aspects or are driven by the need to aid CERT functions.

In a cyber exercise, there are many similarities to a real organization's threat management and incident response processes, and the blue teams use these processes when taking part in exercises. However, the exercise framework sets its own needs for the situational awareness systems and makes the actual work somewhat different. In exercises, there is a need to report events to game management, which is a specific requirement for the system that this thesis is researching.

Also, information sharing with other partners might not always be a feasible task in an exercise. Often the live threat intelligence feed from the internet, outside partners or other teams might not be a part of the exercise at all. There are some exercises where information sharing is a fundamental part, and for these occasions generic tools such as MISP (Malware Information Sharing Platform) can be implemented for this task. In CERT work this is a core requirement, but in an exercise keeping situational awareness of team actions and the communication to game control is much more important.

The CAIS (Cyber Attack Information System) project proposed a concept for a system architecture to be used in Austria for national cyber situational awareness. This concept is a typical example of situational awareness system development where the collaboration and threat sharing from multiple organizations to a national CERT is the driver. This type of system architecture is not suitable for exercise needs; however, it can provide useful insight into situational awareness systems and be used as requirement-giving research. (Skopik et al. 2012, 4)

Another usual research approach to situational awareness is to use automation and a technical sensor approach. This type of approach is suitable when data fusion is used. There are not many commercial systems at this time that use this approach; however, a novel architecture design for such a system was proposed by Kokkonen (2016, 298-299). That research can be thought of as the baseline research for this thesis. That kind of approach could solve some aspects; however, it does not cover the CERT function or cyber exercise control functions. It was used as a requirement source.


7 Requirements for blue team SA system

When analyzing the blue team definitions, situational awareness systems and exercise types defined earlier, it is obvious that depending on the exercise type, the blue team consists of multiple types of personnel. This means that requirements for situational awareness can be found by analyzing multiple operational functions.

The main idea in a cyber exercise is to be able to learn from the injects. The learning objectives do not say that learning to use some new and novel system is the main focus of the exercise. This fact alone sets some requirements. The SA system needs to be intuitive and easy to use.

Another learning objective is to understand and find out the attacker tactics, techniques and procedures (TTP) from security controls and try to understand the whole attack scenario. Therefore, there is a fine line where too much automation starts to hinder this learning objective.

This system is aimed at helping the team form their SA about the actions in the exercise, not at doing the work for them by utilizing data fusion, robotics, automation etc. The objective is to understand what the team is doing and how they figure out what is relevant and what is not. At the same time, they actually report the team status to the game management without having to think too much about reporting as a separate function.

This system will also help in analyzing after the exercise what the team did, and when and how. This helps JYVSECTEC personnel in writing better after-action reports to the exercise organizations.

7.1 Blue team SA in cyber security exercise

Because everyone in the team needs to understand the situation, and therefore form their SA, they are considered as information users. The IR (Incident Response) function is obvious; however, in most exercises there is also operational administrator personnel who contribute to mitigation and observation functions. On some occasions, the teams might also include business manager and communication manager roles. Other roles are usually played by the white team and are not users of this blue team SA system. Those roles use the SA system from the exercise control perspective.

Regarding requirements, these roles and the supporting systems needed by them are considered as information consumers or information providers. Examining those leads to the identification of many technical systems and some obvious relations they have.

The author has formed a rough layout in Figure 8 with some of the key elements that contribute as an information source to the situational awareness and should therefore be considered as sources for requirements.

Figure 8 Systems contributing information to the situational awareness.

Requirements are briefly stated in this section, and a more comprehensive table of the requirements is attached in Appendix 1. The requirements, together with the construction proposal, are the main results of this thesis.


7.2 Usage requirements

The UI (user interface) requirements section covers the requirements that are not specific to any system users but are necessary when defining some general points of this system. These requirements focus on ease of use and other general aspects. The actual design and graphical aspects are not defined because they are irrelevant at this stage and are part of the design and implementation phases.

The information that blue teams need to form in a cyber exercise can be categorized in many ways; yet, in JAMK exercises the main information classes are defined by JYVSECTEC as:

1. Observation: This is a single event about almost anything; however, the exercise audience should report mainly exercise-related shortcomings, development ideas and other feedback.

2. Issue: This is an event relating to a flaw, error or missing information about OOG (out-of-game) or IG (in-game) matters that is handled by the GT (green team).

3. Incident: These are reported and managed events in the game that the blue team has seen and decides to investigate further; all events should lead to actions and ultimately contain actionable data, or they are understood as observations. Cyber incidents also include in-game OSINT (Open Source Intelligence), HUMINT (Human Intelligence), social media etc. related incidents.

The reporting of information should be fast, quick, intuitive and easy. Most of the systems marketed as SA systems are complex and yet they lack fundamental elements such as timeline functions, or are not intuitive and flexible in information modification.

Requirement 1.1 Multiple information types

The system shall be able to handle the different main information types needed in different exercise functions.

Requirement 1.1.1 Information type Observation

The system shall be able to handle the observation type of information.

Requirement 1.1.2 Information type Issue

The system shall be able to handle the issue type of information.

Requirement 1.1.3 Information type Incident

The system shall be able to handle the incident type of information.

Requirement 1.2 Simplicity of usage

The system shall be easy to use, as too complex user interfaces can push exercise participants to opt out.

Requirement 1.2.1 Information input field maximum

There should be a maximum of eight fields the user needs to input in order to push any of the information types into the SA system. This requirement is important but may change according to learnings from the design, implementation and test phases. It must be emphasized strongly that any additions above six might be counterproductive.

Requirement 1.2.2 No separate login credentials

The system shall not have separate login credentials. This is crucial because the more systems exercise participants have to sign into, the more of them are left unused.


Requirement 1.2.3 Single sign-on with exercise credentials

Login shall be implemented automatically as a single sign-on function into the SA system at the same time as an exercise participant logs into a cyber range machine.

Requirement 1.2.4 Automated opening of the SA system

The user shall be logged in automatically to the SA system. This process will make it obvious to the exercise participants that this system is critical, and that the usage of such a system is an integral part of the exercise.

Requirement 1.2.5 Input form according to information type

The human input system shall change the information fields automatically according to the user's selection of information type.

Requirement 1.2.6 IG-OOG hybrid structure

There shall be only one interface for information input. The information can be used from the in-game or out-of-game perspective according to whether the information user is a part of the blue team or some other team, respectively.

Requirement 1.2.7 Limited amount of graphics

The user interfaces should not be too graphical in nature. A simple input field application with limited information is preferred. Limited graphics means that it is easily adopted and does not distract users from the tasks of the exercise.

Requirement 1.2.8 Dynamic view

The user shall be able to select the parts to be visible. The system users need to form individual SA, so the view into the SA system needs to be individually customizable.


Requirement 1.2.9 Automatic event change indicator

The system shall change the visual marking in the system when an event is changed in some way. This requirement is related to Requirement 5.2.3 Automatic relation. The user needs to see some kind of marking if automation is adding relations that the user did not know about. This way even events marked as ready or done might actually be valuable in some later phase of the exercise as new information arises.

7.3 Blue team user requirements

The blue team can be considered as a form of CSIRT team and therefore to have certain requirements for an SA system from this role. Requirements for CSIRT SA have to be taken into account. Not many of those can be easily adapted to suit the exercise needs, as they focus heavily on normal day-to-day CSIRT operations and often relate to bigger phenomena than a single organization. Some requirements can still be derived from material concerning CSIRT SA.

According to Ruefle (2014, 5), a CSIRT needs to understand where weaknesses occur and when malicious actors are taking advantage of these weaknesses. They also propose that any new tool for situational awareness should not only focus on current attacks but should also strive to collect lessons learned and after-the-fact analysis.

This way of reasoning is also crucial for better understanding in the JAMK cyber exercise what has happened and how to mitigate it. The main goal is to find out the root cause so that it can help in mitigating the attacks effectively. Another key point in blue team actions is to gather actionable IOCs (Indicators of Compromise) that can be delivered to other teams or to the white team.

The majority of needs are focused on the incident event class. Issues and observations are mainly such that the information is not changing during the exercise. They are snapshots in time when inputted. Incidents are, however, handled by many, and usually the information is growing and changing, and relationships to other incidents are added during investigations.


Regarding incidents, Cichonski, Millar, Grance & Scarfone (2012, 31) have identified many pieces of information that incident handlers should gather. Of these, the ones applicable to the JAMK exercise context are: status of the incident, summary, indicators, and related incidents.

Requirement 2.1 Title of incident

Users of the system shall be able to assign a free-text title to an incident so that it is easily identifiable. This should not be too long, as there is a description field for the actual information.

Requirement 2.1.1 Search of incident

Users shall be able to search for existing incidents directly from the title field. This is to help avoid generating multiple inputs for the same incident.

Requirement 2.2 Criticality level of incident

Users of the system shall be able to assign a criticality value to an incident.

Requirement 2.2.1 Textual level of incident

Users of the system shall be able to assign a textual value to an incident. If a team is using written criticality values, they can do so.

Requirement 2.2.2 Numerical level of incident

Users of the system shall be able to assign a numerical value to an incident. If a team is using numbers for criticality, they can do so.

Requirement 2.2.3 Change the criticality level of incident

Users of the system shall be able to change the criticality of an incident according to their needs. Incidents change their criticality as they are investigated.

Requirement 2.3 Assignment of incident

Users shall be able to assign individuals to be responsible for handling incidents in the team.

Requirement 2.3.1 Change assignment

Users shall be able to change the assignment of an incident according to their needs. Many individuals might take part in handling incidents.

Requirement 2.4 State of the incident

Users shall be able to assign a state to incidents. The team uses this to monitor what the status of an incident is. States vary according to the definitions used by the team, but often they could be something like opened, processed, closed, reopened.

Requirement 2.4.1 Change the state of the incident

Users shall be able to change the state of incidents.

Requirement 2.5 Incident description input

Users shall be able to use a free text field for describing what they are doing. It could be information they have monitored or something they found in the investigation.

Requirement 2.6 Actionable data input

Users shall be able to use a free text field for describing what they define as actionable data. These can be IOCs, notions about the attackers or other information that users of the system think is relevant to other teams or to the white team.

Requirement 2.7 Tagging of events

Users shall be able to assign free text tags to events.

Requirement 2.8 Relationship of events

Users shall be able to assign relationships to events if they know of any.

Requirement 2.9 Timeline of events

Users shall be able to see events of interest in a graphical timeline.

Requirement2.9.1Selectionofeventstotimeline

Usersshallbeabletofilterandselecteventsandmodificationpointstoeventsas

theywishintimeline.Usercouldwanttoseesingleeventanditsmodificationsor

maybealleventswithsametagorIOCinformation.

Requirement2.9.2Informationinputfromtimeline

Usersshallbeabletoaltertheinformationdirectlyfromtimeline.Thisistomake

surethatdynamichandlingoftheeventsisimplementedandthereisnoneedtogo

intoinputsystemtosearchandchangethings.Informationshouldbeautomatically

visibleinotherusertimelineifdisplayparametersaresettofindthis.

Requirement2.9.3Dynamictimeline

50

Timelineshouldbedynamicandpresentedinformationshouldchangeautomatically

whenalterationstodisplayparametersareissuedbytheuser.

Requirement2.9.4Individualtimeline

Timelinesshouldbeindividualaseachpersonhastheirownneedsforinformationto

formindividualSA.Ifpersonchangesdisplayparametersitaffectstopersonaltime-

lineonly.

Requirement2.9.5Shareabletimeline

Timelinesshouldbeshareableaspersonsmightwanttosharetheirviewstoadata

inordertoformsimilarSAfrominformationselected.

Requirement2.10Eventpane

Eventsshallbepresentedinaneventpaneaspersonsmightbeaccustomedtosee-

ingdataintraditionalformats.

Requirement2.10.1Searchableeventpane

Eventsshouldbefreelysearchablebyregularexpressionsorfreetext.

Requirement2.10.2Selectableeventpane

Eventsshouldbefreelyselectablebyfieldsvisibleinpane.

Requirement2.11Eventdashboard

Eventsshallbepresentedinselectabledashboardviewsaspersonsmightbeaccus-

tomedtoseeingdataintraditionalformats.Nottoomanyvisualizationsshouldbe

madeinordertokeepsystemassimpleasfeasible.

51

Requirement2.11.1Pie-chartdashboard

Eventpaneinformationshouldbeviewableinpie-chartformat.

Requirement2.11.2Key-valuepairchart

Selectedeventpaneinformationshouldbeviewableinkey-valuepairchart.

Withthehelpoftheserequirementsblueteamshouldbeabletodothefundamen-

taltasksneededinmanagingthecoreexerciseevents.Thissystemhelpstovisualize

theinformationteamhasdecidedtohandle.

7.4 White team requirements

These requirements are specific to white teams: they need to understand what the blue team(s) is/are reporting, mitigating and putting resources into. This information is critical in order to make sure that the planned and delivered injects generate the desired effects so that the exercise needs are met (Damodaran 2015, 20).

In the exercise context, as blue teams are using the SA system, they also report their findings automatically to the white team. Reporting IOCs, actions taken and the root cause analysis by blue teams not only ensures that learning objectives are met but also makes the game management easier and makes sure that time is not wasted on issues that are unrelated to the exercise.

This blue team situational awareness system therefore also functions as one of the exercise control means, and in that way contributes to the white team personnel's situational awareness about the exercise itself.

The white team is only observing and using the system as an information consumer, so there are not many white team specific requirements that would differ from blue team requirements. Some requirements, however, are vital to the white team, as it has a profound need to gather information from multiple blue teams.

Requirement 3.1 Visualize multiple blue team information

The system shall be able to visualize multiple blue teams' information in single views.

Requirement 3.2 Multiple team selection

The white team shall be able to select information from multiple blue teams. This selection is limited to the white team only, as blue teams shall not see each other's information.

Requirement 3.2.1 Team selection in pane

The white team shall have additional team information in the event pane.

Requirement 3.2.2 Team selection in dashboards

The white team shall have additional team information selection in dashboards.

Requirement 3.2.3 Team selection in timeline

The white team shall have additional team information selection in the timeline.

7.5 Interconnectivity requirements

This requirement section covers the requirements coming from other technical systems that are connected to the SA system. There is a vast number of SA related information systems that can be implemented as source feeds into this blue team system.

Cyber environments evolve and change rapidly. It should be evident that the business model and area of business also affect the cyber environment needs. These needs affect the security approach and ultimately the security measures and processes implemented. There are a number of differences in security providing systems if one compares the needs of a road tunnel operator to the needs of a cloud service provider.

Keeping in mind the complexity of the cyber environments implemented, the differences in data coming from security systems and the plan-based design method, it is obvious that flexibility and adaptability in interconnectivity to this blue team SA system is a must. There are no clear definitions of what different application programming interfaces (APIs) are ultimately needed, so this has to be done in the design and implementation phase, but it is obvious that no single technology suffices.

Requirement 4.1 Multiple API support

The system shall accept different methods of connection to other computer systems and services. A generic approach and flexibility in interconnection is preferred. Still, some methods that can be considered de facto standards can be stated here. With this requirement, we tackle most of the possible interconnection needs.

Requirement 4.1.1 REST API support

The system should implement the representational state transfer (REST) method for interconnection.

Requirement 4.1.2 SOAP API support

The system should implement the simple object access protocol (SOAP) method for interconnection.

Requirement 4.1.3 JavaScript API support

The system should implement a JavaScript method for interconnection.

Requirement 4.2 Database connectivity

The system should be able to allow connections to the information database. The methods depend on the type of database that is selected in the design and implementation phase, so no strict definition of the technology can be made.

Requirement 4.3 XMPP message support

The system should have an integration possibility to chat software using the XMPP protocol. In exercises, chat-type software is often the preferred communication method. It is maybe slightly outside the scope of this thesis, but there should be automated message push according to keywords or tags that are sent into the SA system.

7.6 Data processing requirements

The amount of information that is gathered, reported and processed in cyber security exercises by the blue team is vast but cannot be considered a big data or data fusion issue. There are needs to aggregate, normalize and process the data, since it comes in many different information types, but because the ultimate goal of the SA system is to form situation awareness about the exercise and the events in this context, and at the same time help in controlling the exercise, a lot of the information is human inputted and human edited.

This means that straight error feeds into the SA system are not the preferred approach. The actual data fusion of, for example, network traffic should be done in some other system. If such a system is monitoring for anomalies or for known threats by IOCs, there should be alerts. The findings of such a system should then be fed into this SA system as an input event.

The same logic applies to log file systems, SIEM systems, IDS/IPS, FW and other systems that are meant to be used by operators in order to understand the situation deeper from certain technological

Requirement 5.1 Database implementation

It has been discussed internally in JYVSECTEC that the approach to this system, and also to other systems used in exercise control, shall use a database approach. Other alternatives like wiki systems to store information have been discussed, but because other development projects are designed with databases, it has been selected.

Requirement 5.2 Automated data aggregation

The system shall have data aggregation functionalities. As Requirement 1.2 Simplicity of usage and Requirement 1.2.1 Information input field maximum limit the amount of information the user has to input, there is a need to add data to the events generated. This also applies to the interconnection requirements when information is inputted via machine interfaces.

Requirement 5.2.1 Automatic user or system information

The system shall automatically add the information about who or what system inputted the information, so that it is presented in the SA information.

Requirement 5.2.2 Automatic timestamping

The system shall automatically mark timestamps on all actions made to information, but only the latest modification timestamp should be changed. All other timestamps are stored in relation to the action done, so that when reporting there is automatically a timeline of the actions done.

Requirement 5.2.3 Automatic relationships

The system shall automatically make a relationship to information existing in the SA system database. For example, previous IOCs are linked if a new event is generated having the same actionable data. This requirement has a relation to Requirement 1.2.9 Automatic event change indicator.
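The incident requirements of section 7.3 and the aggregation requirements of section 7.6, together with the team separation of Requirement 3.2, in one small event store, as an added example that is not the thesis's or JYVSECTEC's code. `EventStore`, `TickClock`, the team and analyst names and the IOC values are all constructed assumptions.

```python
"""Event store sketch for the blue team SA system requirements (added example,
not code from the thesis or JYVSECTEC). Covers reqs. 5.2.1 (who or what inputted
an event), 5.2.2 (one timestamp per action), 5.2.3 (automatic relationships via
shared actionable data), 2.2.3/2.4.1 (criticality and state changes), 2.9.1
(timeline filtered by tag or IOC) and 3.2 (a blue team sees only its own events,
the white team sees all). Team names, users and sample IOCs are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


class TickClock:
    """Deterministic clock for the demo and tests: one second per call."""
    def __init__(self, start="2017-12-02T09:00:00+00:00"):
        self._t = datetime.fromisoformat(start)

    def __call__(self):
        self._t += timedelta(seconds=1)
        return self._t


@dataclass
class Action:
    """One recorded modification; req. 5.2.2 keeps every action's own stamp."""
    at: datetime
    by: str
    what: str


@dataclass
class Event:
    event_id: int
    team: str
    title: str                   # req. 2.1
    created_by: str              # req. 5.2.1: user or source system, set by the store
    created_at: datetime
    state: str = "opened"        # req. 2.4
    criticality: str = ""        # req. 2.2, textual or numerical
    iocs: Set[str] = field(default_factory=set)     # actionable data (req. 2.6)
    tags: Set[str] = field(default_factory=set)     # req. 2.7
    related: Set[int] = field(default_factory=set)  # req. 2.8 / 5.2.3
    history: List[Action] = field(default_factory=list)
    last_modified: Optional[datetime] = None

    def record(self, by, what, now):
        self.history.append(Action(now, by, what))
        self.last_modified = now  # the only timestamp that is ever overwritten


class EventStore:
    def __init__(self, clock=None):
        self._events: Dict[int, Event] = {}
        self._next_id = 1
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def add(self, team, title, by, iocs=(), tags=()):
        """Input module: the caller never supplies id, author or timestamps."""
        now = self._clock()
        ev = Event(self._next_id, team, title, by, now, iocs=set(iocs), tags=set(tags))
        ev.record(by, "created", now)
        self._next_id += 1
        # Req. 5.2.3: link events that share actionable data. Same team only:
        # a cross-team link would leak another team's findings (req. 3.2).
        for other in self._events.values():
            if other.team == team and other.iocs & ev.iocs:
                ev.related.add(other.event_id)
                other.related.add(ev.event_id)
                other.record("system", f"auto-related to {ev.event_id}", now)
        self._events[ev.event_id] = ev
        return ev

    def get(self, event_id):
        return self._events[event_id]

    def update(self, event_id, by, **fields):
        """Reqs. 2.2.3 / 2.4.1: change fields while keeping the audit trail."""
        ev = self._events[event_id]
        now = self._clock()
        for name, value in fields.items():
            if name not in ("title", "state", "criticality"):
                raise ValueError(f"field {name!r} is not user-editable")
            old = getattr(ev, name)
            setattr(ev, name, value)
            ev.record(by, f"{name}: {old!r} -> {value!r}", now)
        return ev

    def select(self, team, role="blue"):
        """Req. 3.2: a blue team sees only its own data, the white team sees all."""
        if role == "white":
            return list(self._events.values())
        return [e for e in self._events.values() if e.team == team]

    def timeline(self, team, role="blue", tag=None, ioc=None):
        """Reqs. 2.9 / 2.9.1: every action in time order, narrowed by tag or IOC."""
        rows = []
        for ev in self.select(team, role):
            if (tag and tag not in ev.tags) or (ioc and ioc not in ev.iocs):
                continue
            rows.extend((a.at, ev.event_id, a.by, a.what) for a in ev.history)
        return sorted(rows)
```

The same-team restriction inside `add` is the point to check in any real implementation: an automatic relationship that crosses teams would silently undo the isolation that Requirement 3.2 demands.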

8 System construction

As has been explained in earlier chapters, there is a huge number of information sources and information users. Also, as was stated earlier in this thesis, situational awareness is always individual and should lead to actions via decision making. As there are no solutions on the market that address cyber situation awareness and exercise control in the manner described earlier in this thesis, a solution should be developed.

In the context of blue team situation awareness in a cyber exercise there is a fundamental need for a new construction proposal for an SA system that not only helps in understanding how the blue team forms its SA but also helps the game control in delivering an exercise that fulfills the learning objectives set.

The main reason for the lack of this kind of novel system emerges from the fact that not many organizations are in the cyber security exercise business. Also, quite often the exercises are either tabletop exercises or some form of competition that focuses on technical things.

JAMK cyber exercises are often technical-operational by nature, and the focus is on helping teams to form a unified situational awareness so that all participants have the possibility to learn and build their individual understanding of cyber security incidents and how to handle them.

The proposed system construction in Figure 9 derives from these key points and shows that a collective SA system construction can be formed, and that existing cyber security solutions cover only certain technical aspects.

Figure 9 Proposed blue team situation awareness system construction

8.1 User interface

In Figure 9 the user interface part is illustrated as a single software component where the visualization of information and the input modules are visible to the users.

There is a clear difference between the user interface for blue team members and that for white team members. Because white team members are only using the system in order to understand the situation in the teams, the input mechanism is taken out, to make sure that no white team members are involved in the exercise as contributors to the situational awareness of the blue team.

One should also realize that white team and blue team members only see the situation in the team related to them, but the game master has access to all teams. This is to illustrate that there can be such a selection if it is needed.

From the blue team perspective, team 1 only has access to team 1 information and team 2 only has access to team 2 information. This is to make sure that teams are not constructing their SA by relying on actions taken and reported by other teams. The objective is to learn and form team specific understanding.

8.2 Data input and select

This construction does not dictate the design of the software at functional block level, but it is obvious that the mechanism for inputting information differs heavily from data select.

Input is a one-way operation into the system and handles writing new events via the event input module.

Data select is a two-way communication module. This means that the select module handles the information requests and modifications done via the visualization module, the dashboard or the pane.

8.3 Data API

The Data API module is used when information is inputted into the SA system from outside sources. These modules handle most of the interconnection requirements. The application modules are considered one-way, so that the SA system does not push new configurations to the data source systems. The exercise members in blue teams have to do those tasks directly in the security and control systems according to their SA, and this leads to the loop of gaining better SA via the system, as has been presented earlier according to situational awareness theory.

8.4 Data aggregation

The data aggregation module is the module that adds information to events and makes the relations. This means that data aggregation fundamentally involves a lot of automated tasks such as analyzing input and making database requests according to the information.

Data aggregation needs to be robust, and there is a need to focus heavily on the design of this component. If this component is not working properly, the information presented to the UI lacks vital pieces of information that are needed in forming accurate SA.

8.5 Database

The database module consists of database information restricted to specific teams and of information presented to all teams. This separation is needed to make sure that a team does not see other teams' information but has access to the general information feed that is needed in forming coherent SA.

An example of such a general system could be a malware information sharing platform (MISP) that is used by the teams and where the inputted threat intelligence is shared between teams according to the sharing rules they set.

9 Research results

This thesis was assigned because in the JYVSECTEC CENTER (JYVSECTEC 2017) project the need for research and development in the area of situational awareness was identified as a project result. The scope of the thesis was further limited specifically to finding requirements for a blue team situational awareness system in a cyber security exercise.

The initial result of the thesis is the study of cyber situational awareness system approaches. The realization that there is no theoretical research done on team situational awareness in cyber exercises is a result in itself and makes it obvious that there are still a lot more future research objectives to be found.

Research in the situational awareness field is mostly focusing on either the technical information handling dilemma or situational awareness for CERT and CSIRT teams at national level. In the field of cyber security exercises research exists, but the material mainly covers the aspects of how to instrument and conduct such an exercise and not how the individuals or organizations are functioning in an exercise.

The main result of this thesis is the identified generic requirements mentioned in chapter 7. The requirements in this thesis fulfill the assignment, cover the basic functions needed for the first design and development iteration and as such provide a solid starting point for a demonstration system software project for a blue team SA system.

There is a total of 56 individual generic requirements listed in this thesis. The requirements are listed under five different generic sections in order to help understand the relevance of each requirement to the system.

Usage requirements cover generic requirements for the user interface and data input. The blue team section covers the requirements the blue team has so that they are able to utilize the information according to their needs. White team requirements cover the differences from blue team users. Interconnectivity covers the requirements when other systems are connected to the SA system. Data processing requirements cover the data storage and data processing areas of the SA system.

The main function of the situational awareness system is that the blue team members are able to form individual situational awareness and at the same time form team situational awareness about the events they have reacted to in the cyber exercise. Additionally, from the user's point of view the system shall be simple to use and at the same time automatically handle the reporting function to exercise management, so that the need for any additional system is eliminated.

The novel construction according to the requirements is another major result. This novel design concept framework for a blue team situational awareness system is presented and explained in chapter 8.

The system construction section is divided into five areas. First the user interface portion, and then the data input and select section to make user actions functional. The Data API facilitates the possible interconnection of other information sources to the SA system. Data aggregation has a lot of the vital functions on how the system actually operates and is a critical component in the proposed construction model. The last part is the database, which is the information storage for this blue team SA system.

These results fulfill the assignment of the thesis, and the objectives are met. Because there is no research done specific to the blue team SA problematics presented in this thesis, it is quite obvious that the requirement list is not complete. There is not enough actual information or references available to form a holistic requirement set. It is probable that some requirements will be altered, new requirements added or existing ones removed in the design and development phase. This is totally acceptable, as this thesis is presenting a first-of-a-kind construction proposal.

10 Conclusions

The selected constructive research method was used throughout the thesis process. The initial reasoning was that because this method is well suited to applied sciences and the objective of the thesis was to construct a requirement specification, it is well suited for this task. The aim for a novel construction was kept in mind throughout the whole thesis process.

After starting the thesis, the first stage was to gather reference material. By examining the materials from the situational awareness and cyber security exercise fields it became quite obvious that at the moment there is research done in those fields, but at the same time there is only limited material that specifically addresses blue team needs and none that combines these.

Choosing the constructive research method meant that all aspects of the research method could not be fulfilled in this thesis. Constructive research by definition should have a practical functioning in the researched field of expertise, but limiting the thesis to requirements meant that there will be no actual functioning solution to be tested.

This limitation was accepted as an understandable flaw when the decision on a research method was made by the author. Other methods were examined, but the constructive method suited well as the requirements and the construction itself were formed during the thesis work as an iterative process.

The problem with a functioning solution is that the iterative process drives into building on top of existing knowledge and understanding. This can lead to a lack of objectivity, and it must be said that the author also had difficulties in critical thinking about the requirements and construction. It is really easy to just think that you understand the problem from many aspects and be unable to form critical challenges to oneself.

The assignment of the thesis was to find and generate requirements for a blue team situational awareness system. The requirements are found and listed with definitions, which means that this thesis can be used as a baseline document for the design and implementation phase in a software project aimed at producing a functional situational awareness system.

This thesis offers new information to situational awareness research in the cyber exercise context and provides the needed requirements to the organization, which were the objectives of this work. The JYVSECTEC project goals for researching situational awareness are also advanced by this work, and if a decision is made to develop the proposed system, the participants in future exercises will have a much better way of understanding the situation and the actions they experience.

The research presented here also opens future research possibilities to the assignee organization and highlights the fact that even though there is a lot of research done in the cyber exercise area and in the situational awareness area, there are many aspects that are not studied at the moment.

Too much of the individual and organizational situational awareness learning process is left out of research topics at the moment, and most of the cyber security situational awareness issues are considered to be only technical data processing problems.

A lot of issues in situational awareness can of course be sorted out, for example, by automation, data fusion and anomaly detection. These technical and mathematical approaches are vital in tackling the big data problematics of cyber. But as this thesis shows, it is ultimately the human whose situational awareness is the key in learning situations. This aspect needs a lot more research.

Making a system which helps to build a timeline-based learning diary of sorts would help the human to reflect on his or her actions and learn from them. At the same time, sharing this information with exercise control will make sure that the learning objectives can be fulfilled properly.

This thesis also benefitted the author personally in many ways. The assigned topic is interesting and relevant to the author's daily job in JYVSECTEC. At the beginning, there was a false pretense from the author that a lot of the needed knowledge had already been gathered during many years of working in the cyber security business and attending numerous cyber exercises. The further the thesis work advanced, the more there were aspects that started to interest more, and at the same time it became obvious that there are still a lot of aspects that the author is looking forward to studying more.

References

Barford, P. et al. 2010. Cyber SA: Situational Awareness for Cyber Defense. Advances in Information Security, Volume 46, 3-14.

Bourque, P., Fairley, R. E. 2014. Guide to the Software Engineering Body of Knowledge, Version 3.0. IEEE Computer Society. Retrieved from https://www.swebok.org

Celeda, P. et al. 2015. KYPO – A Platform for Cyber Defence Exercises. NATO Science and Technology Organization. Accessed on 10 June 2017. Retrieved from https://is.muni.cz/repo/1319597/kypo-paper-msg-133.pdf

Cichonski, P., Millar, T., Grance, T., Scarfone, K. 2012. Computer Security Incident Handling Guide. National Institute of Standards and Technology (NIST) Special Publication 800-61. Accessed on 14 October 2017. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Committee on National Security Systems. 2010. CNSS Instruction no. 4009. Accessed on 21 October 2017. Retrieved from Homeland Security Digital Library https://www.hsdl.org/?view&did=7447

Damodaran, S., Smith, K. 2015. CRIS Cyber Range Lexicon Version 1.0. Accessed on 18 November 2017. Retrieved from https://www.researchgate.net/publication/316322192_CRIS_Cyber_Range_Lexicon_Version_10

Davis, J., Magrath, S. 2013. A Survey of Cyber Ranges and Testbeds. Defence Science and Technology Organisation Edinburgh (Australia) Cyber and Electronic Warfare Div. Accessed on 14 October 2017. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA594524

Endsley, M. R. 1995. Toward a Theory of Situation Awareness in Dynamic Systems. Human Factors Journal 37(1), 32-64.

Franke, I., Brynielsson, J. 2014. Cyber situational awareness – A systematic review of the literature. In Computers & Security, Volume 46, 18-31.

Gordana, D. C. 1970. Constructive Research and Info-Computational Knowledge Generation. Accessed on 9 April 2017. Retrieved from http://www.researchgate.net/publication/225481001

JYVSECTEC. 2017. Website for JYVSECTEC Center project. Accessed on 24 November 2017. https://jyvsectec.fi/fi/hankkeet/jyvsectec-center/

Kasanen, E., Lukka, K., Siitonen, A. 1993. The constructive approach in management accounting research. Journal of Management Accounting Research, 241–264.

Kick, J. 2014. Cyber Exercise Playbook. The MITRE Corporation. Accessed on 11 March 2017. Retrieved from https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf

Kokkonen, T. 2016a. Dissertation: Anomaly-Based Online Intrusion Detection System as a Sensor for Cyber Security Situational Awareness System. University of Jyväskylä, Faculty of Information Technology.

Kokkonen, T. 2016b. Architecture for the cyber security situational awareness system. Lecture Notes in Computer Science, vol. 9870, 294-302.

Kosola, J. 2013. Vaatimustenhallinnan opas. Maanpuolustuskorkeakoulu, Sotatekniikan laitos. Julkaisusarja 5, no 12.

Lázaro, M., Marcos, E. 2005. Research in Software Engineering: Paradigms and methods. Accessed on 9 April 2017. Retrieved from https://www.researchgate.net/publication/220921116

Lehtiranta, L., Junnonen, J-M., Kärnä, S. and Pekuri, L. 2015. The Constructive Research Approach: Problem Solving for Complex Projects. Chapter 8 of Pasian, B. (ed.), Designs, Methods and Practices for Research of Project Management. Accessed on 9 April 2017. Retrieved from http://www.gpmfirst.com/books/designs-methods-and-practices-research-project-management/constructive-research-approach

National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Publication. 2013. Accessed on 22 April 2017. Retrieved from http://csrc.nist.gov/cyberframework/rfi_comments/tri-county_electric_cooperative_part2_032613.pdf

Ruefle, R., Murray, M. 2014. CSIRT Requirements for Situational Awareness. Carnegie Mellon University, Software Engineering Institute. Accessed on 11 October 2017. Retrieved from http://www.dtic.mil/get-tr-doc/pdf?AD=ADA596848

Secretariat of the Security Committee. 2013. Finland's Cyber security strategy and the background dossier. Accessed on 10 January 2017. Retrieved from http://www.defmin.fi/files/2378/Finland_s_Cyber_Security_Strategy.pdf

Skopik, F., Bleier, T., Fiedler, R. 2012. Information Management and Sharing for National Cyber Situational Awareness.

Sommerville, I. 2011. Software Engineering, 9th ed. Addison-Wesley.

Vatanen, M. et al. 2017. JYVSECTEC CYBER RANGE, RGCE and solutions. Accessed on 5 February 2017. Retrieved from http://jyvsectec.fi/wp-content/uploads/2017/02/JYVSECTEC-cyber-range.pdf

Appendices

Appendix1. Tableofrequirements

Table2RequirementsforaSASystem

ID Name Description Importance Action TypeofAction Relation

UsageRequirements

1.1 Multipleinfor-mationtypes

Systemshallbeabletohandlediffer-entmaininformationtypesneededindifferentexercisefunctions.

Mandatory general

1.1.1 InformationtypeObservation

Systemshallbeabletohandleobser-vationtypeofinformation. Mandatory input textual

1.1.2 InformationtypeIssue

Systemshallbeabletohandleissuetypeofinformation. Mandatory input textual

1.1.3 InformationtypeIncident

Systemshallbeabletohandleincidenttypeofinformation. Mandatory input textual

1.2 SimplicityofusageSystemshallbeeasytouseastoocomplexuserinterfacescanpushexer-cisepartici-pantstooptout.

Mandatory general 5.2Auto-mateddataaggregation

1.2.1 Informationinputfieldmaximum

ThereshouldbeamaximumofeightfieldstheuserneedstoinputinordertopushanyoftheinformationtypesintoSAsystem.

Important general 5.2Auto-mateddataaggregation

1.2.2 Noseparatelogincredentials

Systemshallnothaveseparatelogincredentials.Thisiscrucialbecausethemoresystemsexerciseparticipantshavetosigninto,themoreofthemareleftunused

Mandatory general automatic

1.2.3 Singlesign-onwithexercisecredentials

Loginshallbeautomaticallyimple-mentedassinglesign-onfunctionintoSAatthesametimewhenanexerciseparticipantisloggingintoacyberrangemachine.

Mandatory general automatic

1.2.4Automatedopen-ingoftheSAsys-

tem

TheusershallloginautomaticallyintoSAsystem. Mandatory general automatic

1.2.5Inputformaccord-ingtoinformation

type

Humaninputsystemshallchangetheinformationfieldsautomaticallyac-cordingtouserselectionofinfor-mationtype.

Mandatory visual automatic

70

1.2.6 IG-OOGhybridstructure

Thereshallbeonlyoneinterfaceforinformationinput.Theinformationcanbeusedfromin-gameorout-of-gameperspectives.

Mandatory general

1.2.7 Limitedamountofgraphics

Theuserinterfacesshouldnotbetoographicalinnature.Thesimpleinputfieldapplicationwithlimitedinfor-mationispreferred.

Important visual

1.2.8 Dynamicview

Theusershallbeabletoselectthepartstobevisible.ThesystemusersneedtoformindividualSAsotheviewintoSAsystemneedstobeindividuallycustomizable.

Mandatory visual automatic

1.2.9 Automaticeventchangeindicator

Thesystemshallchangethevisualmarkinginsystemwheneventischangedsome-how.

Mandatory visual automatic5.2.3Auto-maticrela-

tion

Blueteamuserrequirements

2.1 TitleofincidentUsersofthesystemshallbeabletoas-signfreetextformattitletoincidentsothatitiseasilyidentifiable

Mandatory input textual

2.1.1 SearchofincidentUsersshallbeabletosearchforexist-ingincidentsdirectlyfromthetitlefield.

Mandatory input textualornumerical

2.2 Criticalitylevelofincident

Usersofthesystemshallbeabletoas-signcriticalityvaluetoincident. Mandatory input textualor

numerical

2.2.1 Textuallevelofin-cident

Usersofthesystemshallbeabletoas-signtextualvaluetoincident.Ifateamisusingwrittencriticalityvaluestheycandoso.

Mandatory input textual

2.2.2 Numericallevelofincident

Usersofthesystemshallbeabletoas-signnumericalvaluetoincident.Ifateamisusingnumbersforcriticalitytheycandoso.

Mandatory input numerical

2.2.3 Changethecritical-itylevelofincident

Usersofthesystemshallbeabletochangethecriticalityofincidentac-cordingtotheirneeds.Incidentschangetheircriticalitywhentheyareinvestigated.

Mandatory input textualornumerical

2.3 Assignmentofinci-dent

Usersshallbeabletoassignindividualstoberesponsibleinhandlingincidentsinteam.

Mandatory input textual

2.3.1 Changeassignment

Usersshallbeabletochangeassign-mentofincidentaccordingtotheirneeds.Manyindividualsmighttakepartinhandlingincidents

Mandatory input textual

71

2.4 Stateoftheinci-dent

Usersshallbeabletoassignstatetoincidents. Mandatory input textual

2.4.1 Changethestateoftheincident

Usersshallbeabletochangestateofincidents. Mandatory input textual

2.5 Incidentdescrip-tioninput

Usersshallbeabletousefreetextfieldindescribingwhattheyaredoing. Mandatory input textual

2.6 Actionabledatain-put

Usersshallbeabletousefreetextfieldindescribingwhattheydefineasactionabledata.

Mandatory input textualornumerical

2.7 Taggingofevents Usersshallbeabletoassignfreetexttagstoevents. Mandatory input textualor

numerical

2.8 Relationshipofevents

Usersshallbeabletoassignrelation-shipstoeventsiftheyknowany. Mandatory input textual

2.9 Timelineofevents Usersshallbeabletoseeeventsofin-terestinagraphicaltimeline. Mandatory visual

2.9.1 Selectionofeventstotimeline

Usersshallbeabletofilterandselecteventsandmodificationpointstoeventsastheywishintimeline

Mandatory visual

72

2.9.2 Informationinputfromtimeline

Usersshallbeabletoaltertheinfor-mationdirectlyfromtimeline Mandatory input textualor

numerical

2.9.3 Dynamictimeline

Timelineshouldbedynamicandpre-sentedinformationshouldchangeau-tomaticallywhenalterationstodisplayparametersareissuedbytheuser.

Important visual automatic

2.9.4 Individualtimeline

Timelinesshouldbeindividualaseachpersonhastheirownneedsforinfor-mationtoformindividualSA.Ifpersonchangesdisplayparametersitaffectstopersonaltimelineonly.

Important visual automatic

2.9.5 Shareabletimeline

Timelinesshouldbeshareableasper-sonsmightwanttosharetheirviewstoadatainordertoformsimilarSAfrominformationselected.

Important visual automatic

2.10 EventpaneEventsshallbepresentedinaneventpaneaspersonsmightbeaccustomedtoseeingdataintraditionalformats.

Mandatory visual automatic

2.10.1 Searchableeventpane

Eventsshouldbefreelysearchablebyregularexpressionsorfreetext. Important input textualor

numerical

2.10.2 Selectableeventpane

Eventsshouldbefreelyselectablebyfieldsvisibleinpane. Important visual automatic

2.11 Eventdashboard

Eventsshallbepresentedinselectabledashboardviewsaspersonsmightbeac-customedtoseeingdataintradi-tionalformats

Mandatory visual automatic

73

2.11.1 Pie-chartdash-board

Eventpaneinformationshouldbeviewableinpie-chartformat. Important visual automatic

2.11.2 Key-valuepairchart

Selectedeventpaneinformationshouldbeviewableinkey-valuepairchart.

Important visual automatic

White team user requirements

| ID | Requirement | Description | Priority | Type | Mode | Related |
|---|---|---|---|---|---|---|
| 3.1 | Visualize multiple blue team information | The system shall be able to visualize multiple blue teams' information in single views. | Mandatory | visual | automatic | |
| 3.2 | Multiple team selection | The white team shall be able to select information from multiple blue teams. | Mandatory | input | textual | |
| 3.2.1 | Team selection in pane | The white team shall have additional team information in the event pane. | Mandatory | input | textual | |
| 3.2.2 | Team selection in dashboards | The white team shall have an additional team information selection in the dashboards. | Mandatory | input | textual | |
| 3.2.3 | Team selection in timeline | The white team shall have an additional team information selection in the timeline. | Mandatory | input | textual | |

Interconnectivity requirements

| ID | Requirement | Description | Priority | Type | Mode | Related |
|---|---|---|---|---|---|---|
| 4.1 | Multiple API support | The system shall accept different methods of connection to other computer systems and services. | Mandatory | general | automatic | |
| 4.1.1 | REST API support | The system should implement the representational state transfer (REST) method for interconnection. | Important | general | automatic | |
| 4.1.2 | SOAP API support | The system should implement the simple object access protocol (SOAP) method for interconnection. | Important | general | automatic | |
| 4.1.3 | JavaScript API support | The system should implement a JavaScript method for interconnection. | Important | general | automatic | |
| 4.2 | Database connectivity | The system should be able to allow connections to the information database. | Important | general | automatic | |
| 4.3 | XMPP message | The system should have an integration possibility to chat software using the XMPP protocol. In exercises, chat-type software is often the preferred communication method. | Important | general | automatic | |

Data processing requirements

| ID | Requirement | Description | Priority | Type | Mode | Related |
|---|---|---|---|---|---|---|
| 5.1 | Database implementation | It has been discussed internally in JYVSECTEC that the approach to this system, and also to other systems used in exercise control, shall use a database approach. | Mandatory | general | automatic | |
| 5.2 | Automated data aggregation | The system shall have data aggregation functionalities. | Mandatory | general | automatic | 1.2 Simplicity of usage, 1.2.1 Information input field maximum |
| 5.2.1 | Automatic user or system information | The system shall automatically add information about who or what system inputted the information, so that it is presented in the SA information. | Mandatory | general | automatic | |
| 5.2.2 | Automatic timestamping | The system shall automatically mark timestamps on all actions made to information, but only the latest modification timestamp should be changed. | Mandatory | general | automatic | |
| 5.2.3 | Automatic relationships | The system shall automatically make a relationship to information existing in the SA system database. | Mandatory | general | automatic | 1.2.9 Automatic event change indicator |
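The data processing requirements 5.2.1 to 5.2.3 (actor stamping, timestamping with a fixed creation time, automatic relationships) together with the search requirement 2.10.1 and the timeline filtering requirement 2.9.1 describe concrete behaviour an SA event store has to enforce. The Python block below is an added illustration written for this edit; it is not code from the thesis or from JYVSECTEC's exercise systems. The attribute names (`src_ip`, `host`, `user`), the rule that equal values on those keys create a relationship, and the sample events with their deterministic clock are constructed assumptions.

```python
"""Minimal SA event store: an added illustration, not code from the thesis.
Covers 5.2.1 (who/what entered the data), 5.2.2 (creation timestamp fixed, only
the latest modification moves), 5.2.3 (automatic relationships), 2.10.1 (regex /
free-text search) and 2.9.1 (timeline filtering). Names and data are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Event:
    event_id: int
    description: str
    attributes: dict[str, str]  # e.g. {"src_ip": "10.0.0.5", "host": "web01"}
    created_by: str             # 5.2.1: user or system that entered the event
    created_at: datetime        # 5.2.2: set once, never changed afterwards
    modified_by: str            # 5.2.1: last actor that touched the event
    modified_at: datetime       # 5.2.2: only this timestamp moves on update
    related: set[int] = field(default_factory=set)  # 5.2.3: linked event ids


class EventStore:
    # Equal values on these keys count as evidence of a relationship
    # (assumed linking rule; the thesis does not specify one).
    LINK_KEYS = ("src_ip", "host", "user")

    def __init__(self, clock=None) -> None:
        self._events: dict[int, Event] = {}
        self._next_id = 1
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def get(self, event_id: int) -> Event:
        return self._events[event_id]

    def add(self, actor: str, description: str, **attributes: str) -> Event:
        """Store a new event; actor and timestamps are filled in automatically."""
        now = self._clock()
        ev = Event(self._next_id, description, dict(attributes), actor, now, actor, now)
        self._next_id += 1
        self._events[ev.event_id] = ev
        self._link(ev)
        return ev

    def update(self, actor: str, event_id: int, description: str | None = None,
               **attributes: str) -> Event:
        """Modify an event: created_* stays fixed, modified_* records this change."""
        ev = self._events[event_id]
        if description is not None:
            ev.description = description
        ev.attributes.update(attributes)
        ev.modified_by = actor
        ev.modified_at = self._clock()
        self._link(ev)  # new attribute values may create new relationships
        return ev

    def _link(self, ev: Event) -> None:
        """5.2.3: link ev to every other event sharing a value on a link key."""
        for other in self._events.values():
            if other.event_id == ev.event_id:
                continue
            if any(k in ev.attributes and ev.attributes[k] == other.attributes.get(k)
                   for k in self.LINK_KEYS):
                ev.related.add(other.event_id)
                other.related.add(ev.event_id)

    @staticmethod
    def _text(ev: Event) -> str:
        return " ".join([ev.description] + [f"{k}={v}" for k, v in ev.attributes.items()])

    def search(self, pattern: str, regex: bool = False) -> list[Event]:
        """2.10.1: regular-expression or case-insensitive free-text search."""
        if regex:
            rx = re.compile(pattern)
            return [ev for ev in self._events.values() if rx.search(self._text(ev))]
        needle = pattern.lower()
        return [ev for ev in self._events.values() if needle in self._text(ev).lower()]

    def timeline(self, start: datetime | None = None, end: datetime | None = None,
                 **filters: str) -> list[Event]:
        """2.9.1: events in creation order, within a window, matching attribute filters."""
        return [ev for ev in sorted(self._events.values(), key=lambda e: e.created_at)
                if (start is None or ev.created_at >= start)
                and (end is None or ev.created_at <= end)
                and all(ev.attributes.get(k) == v for k, v in filters.items())]


def build_demo_store() -> EventStore:
    """Constructed sample data with a deterministic clock (one minute per action)."""
    t0 = datetime(2017, 12, 2, 10, 0, tzinfo=timezone.utc)
    ticks = iter(t0 + timedelta(minutes=i) for i in range(100))
    store = EventStore(clock=lambda: next(ticks))
    store.add("ids-sensor", "Port scan observed", src_ip="10.0.0.5", host="web01")
    store.add("analyst-a", "Failed SSH logins", src_ip="10.0.0.5", host="bastion")
    store.add("analyst-b", "Phishing e-mail reported", user="jsmith")
    # Adding a host to event 3: modified_* moves, created_* stays, a link to event 1 appears.
    store.update("analyst-a", 3, "Phishing e-mail reported, attachment opened", host="web01")
    return store
```

Two design points matter for the requirements. The creation timestamp and creator are only ever written by `add`, so requirement 5.2.2 is enforced by construction rather than by a check; an audit of a timeline can therefore tell apart the original sensor report (events 1 and 2 share `src_ip` and are linked automatically) from the later analyst edit of event 3, which is attributed to `analyst-a` while `created_by` still names `analyst-b`. Relationship linking is re-run on every update because a modification can introduce the shared value that makes two events related.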
