CYBERCOP 2021-22

CyberCOP: Cyber Situational Awareness Demonstration Tool

Introduction
This report presents the CyberCOP, a cyber common operating picture (CyCOP) demonstration
tool. The purpose of the application is to explore how cyber-related information can be
presented to commanders and operators in a way that will aid them in decision making and
improve understanding, in real time, of the current state of cyber operations. This tool has been
developed by Solana Networks as a proof-of-concept application. CyberCOP runs scripted
cases that represent a sample of real-life cyber activities and how they are envisaged to be
presented to operations and strategic commanders and their staffs (OSC&S) as part of a bigger
and more complex CyCOP.
CyberCOP seeks to present information in a manner that would be helpful both to commanders
who need to see the big picture, as well as to the cyber security operators involved in supporting
missions. The tool utilizes standard graphical representations used in the military for situational
awareness in theatre. As a means of enhancing system navigation and use, the system
visualization and Graphical User Interface (GUI) utilizes symbols from military operations in
the kinetic domain to highlight entities in cyber warfare.
This report consists of two parts. The initial section covers the system design. It also presents
design decisions for CyberCOP and provides some background information which helps clarify
system operation. The second part of the report, included in an Appendix, is a User's Guide
which describes the step by step operation of the software, including detailed descriptions of
three scripted scenarios that can be used to demonstrate the software's capabilities.

CyberCOP Cyber-Situational Awareness Tool

CyberCOP is driven by the need to present OSC&S with a single source of information that
covers all activities in cyberspace. In theory, a CyCOP tool aggregates all information relevant
to operations in cyberspace and avails it to the applicable to OSC&S to effectively support
activities in cyberspace [LLOP2018]. Such a tool can improve decision making by allowing
commanders and cyber-operators to quickly and accurately picture the entities involved in a
mission and the relations between those entities. Commanders can see what resources are
available, and deployed, within a mission and what opposing entities are involved. Cyber
operators, those individuals involved in carrying out the actions of the mission, can use the tool
to see where their individual tasks/efforts fit into the larger picture of the mission as a whole.
In this section we present an overview of the design, the design objectives, and the rationale
behind the CyberCOP demonstration tool. It is intended to provide insight into how the tool is
intended to work and the considerations that have guided its development.

Dept. Of CSE, DSIT Page | 1

CYBERCOP 2021-22

PROJECT OBJECTIVES
CyberCOP was developed as demonstration software. It has been developed to elicit discussion
on the requirements and design of a future fully featured CyCOP tool. To the extent possible it
attempts to present realistic features and scenarios.
To demonstrate the capabilities of the software three pre-scripted scenarios have been
developed for demonstration:
A defensive cyber operations (DCO) scenario presents a defensive mission where malware has
been detected within the Department of National Defence(DND)/Canadian Armed Forces
(CAF) network and must be isolated and neutralized.
An offensive cyber operations (OCO) scenario demonstrates an offensive mission, in which
cyber operatives attempt to compromise external/hostile cyber assets.
A remediation scenario shows a remediation mission, where efforts to secure previously
compromised internal assets against future attacks is shown. The scenarios are static and
scripted such that most user interaction is only intended to demonstrate the operation of the
software and will not impact the story being told in any meaningful way.

SCENARIO DEVELOPMENT
The scenarios, included in the CyberCOP software, have been developed with a number of
considerations in mind:

• The scenarios are intended to be brief, taking no more than 10 to 15 minutes each for a
complete walkthrough.
• Scenarios are intended to have an element of realism, but, since they are scripted, they
lack the detail required to represent real-world cyber-operations. Furthermore, while
the scenarios revolve around real-world tools used in cyber operations, they are
included for illustrative purposes so their use, as described in the scenarios, may not
match actual use in practice.
• While the bases in the physical layer are, in some instances, real-world Canadian
military bases, all details about the bases are purely fictional.
• All individuals included in the military cyber operations command structure are
fictional.
Each scenario corresponds to a mission, where the goal is the achievement of some objective
in the cyber domain. Each of the scenarios included in the CyberCOP software corresponds to
a single mission and follows the mission from creation to completion. For the sake of creating
a realistic feel within the demo, references to other missions appear in the software. In the cyber
domain it is likely that an individual may be involved with multiple missions at any one time,
so the software reflects this.

Dept. Of CSE, DSIT Page | 2

CYBERCOP 2021-22

CYBERCOP INSTALLATION
The CyberCOP software is installed by executing the "CyberCOP Setup-1.0.exe" installer
application, the exact version of which may vary with future releases. Double clicking on the
executable should launch the installer process, the first dialog the user will see is shown in
Figure 3, which asks if the user wants to install for only themselves, or for all users. As this
software is intended for demonstration purposes, we recommend that it be installed for just the
current user and not system wide. It should be noted that for system wide (all users) installation
you will require administrator privileges.

The next step in the installation is to select the installation path. The default installation path
is \\User\AppData\Local\Programs\CyberCOP. The installation requires around 135 MB of
disk space.

Users can opt to create a desktop shortcut following the choice of installation path

Dept. Of CSE, DSIT Page | 3

CYBERCOP 2021-22

One final dialog is presented to the user to confirm installation options

Once the installation is complete the user will be asked if they wish to launch CyberCOP
upon the exit of the installer.
Installing CyberCOP installs the executable and all data required to run the three prepared
scenarios.

Uninstalling CyberCOP
Go to the installation directory and locate the file unins000.exe and execute it by double
clicking.

Dept. Of CSE, DSIT Page | 4

CYBERCOP 2021-22

BASIC OPERATION

When CyberCOP is launched the main CyberCOP window is displayed. The interface is very
simple, with just a few controls to learn. The main feature of the interface is the layer view,
which is initially just a large blank canvas where layers will be displayed once a scenario is
loaded. On the left hand side of the window are a series of views which display information
related to the scenario and provide controls for the main Layer View. The main window, as it
appears after loading a scenario.

The key components of the window are as follows:

Scenario Controls: The scenario controls allow the user to start or pause the scenario, and
speed up the simulation. Since most scenario transitions are controlled by changes to the
active persona, the user should rarely need to modify the timing.
Active Persona Widget: Through this widget the user sets the current active persona. The
active persona is the fictional individual currently using CyberCOP within the scenario. The
available persona corresponds to other persons associated with the current scenario. Through
the drop-down box the user can change the active persona, to see the scenario from another
point-ofview. All of the scenarios have been configured to advance in response to changes in
the active persona.
Layers Widget: Through this widget the user can control which layer is displayed in the layer
view. The active layer is changed by clicking the layer icon to the right of the desired layer
label. The currently active layer will be highlighted yellow.

Dept. Of CSE, DSIT Page | 5

CYBERCOP 2021-22

Ticket Widget: The Ticket Widget displays tickets for the active persona. Tickets are tasks, or
perhaps information, assigned to the current user. The tickets widget allows the active
persona to view all tickets currently assigned to them.
Mission Widget: This shows the missions to which the active persona is assigned, and is
included to make the interface more realistic, as in the cyber domain an individual may be
involved in many missions.
Layer View: The layer view is the main focus of the software. It is in the layer view that the
graphs depicting the entities of the current scenario are displayed.

LAUNCHING SCENARIOS

When CyberCOP is first launched nothing will appear in either the Layer View or on the
various dock widgets. The first step the user should take is to load a scenario. This is done
through the application menu, by selecting Scenario -> Load and selecting one of the three
available scenarios; Offensive, Defensive, or Remediation.

There is an ‘Other’ option, which can load a user defined scenario from a file. If you wish to
create your own user defined scenario, it should be noted that there is a base scenario which
is currently loaded as part of all scenarios. The corresponding file can be found in
“/<CyberCOP Install Path>\scenarios\base.json”. Any custom scenario will load all entities
from this base scenario, which includes the skeleton graph structure of all layers typically
seen when scenarios are first loaded.
Once a scenario is loaded, it must be started in order for the simulation to proceed. This can
be done through the main menu Scenario menu, Scenario -> Load -> Start/Resume, (see
Figure 8 above) or by simply clicking the arrow in the Scenario Controls icons. Until the
simulation is started, some features related to layers (such as the Zoom feature in the Physical
Layer) will not work. At any point during the execution of a scenario the simulation can be
paused through the main menu or by clicking the pause button in the Scenario Control icons.
Scenarios can also be restarted, which resets the scenario to its original state.

Dept. Of CSE, DSIT Page | 6

CYBERCOP 2021-22

RUNNING SCENARIOS

Before proceeding it is helpful to define the terms presenter and active persona. The presenter
is the real world individual operating the software. Within a running scenario at any given
time there will be an active persona. This is the fictional person that is operating the software.
The active person is identified in the Active Persona Widget. At any time the presenter can
change the active persona by selecting the person drop-down in this widget.
Once a scenario is launched various pre-scripted events can occur, either on a timer, or in
response to pre-defined presenter actions. To keep things simple for the presenter, we have
chosen to use a limited set of events, including one timer induced event to start off each
scenario, and a series of events triggered by changes to the current active persona. This setup
should allow the presenter to quickly determine at which point in a scenario they are at by
simply checking who the active persona is.
The three scenarios described below are presented in a similar fashion. First a brief synopsis
is given of what occurs in the scenario, followed by a table which outlines the scenario (as
indicated by the active persona). More detailed descriptions of the scenarios follow. Each
scenario is divided into stages, with a set of corresponding suggested actions. If the presenter
omits some action it will not derail the scenario, as long as the presenter advances through the
scenario by changing the active person as indicated. It is important that the sequence of
changes between active personas be followed as described, since the change in active person
triggers events that may not make sense if performed out of order. Failure to follow the
describe order may result in odd behavior, but the software will remain operational.
The tables detailing the scenarios divide them into stages with corresponding actions. For
example, Scenario 1 has six stages each with multiple actions. The various actions are
numbered. As some actions are self explanatory no further discussion is needed in the details
section that follows the table outline. In the descriptive text specific actions can be reference
by the combined stage/action numbers, so 4.1 indicates Stage 4, Action 1.
The fictional individuals in the persona layer are classified as commanders or cyber operators
and as having defensive or offensive responsibilities. A handful of personas have joint
offensive/defensive responsibilities. While the layer views remain constant whether a
commander or cyber operator is viewing them, the commanders have additional capabilities.
Specifically, they can assign nodes to the current mission while cyber operators are restricted
to viewing data.

Dept. Of CSE, DSIT Page | 7

CYBERCOP 2021-22

SCENARIO 1: DEFENSIVE
Synopsis
In this scenario malware has been discovered on a DND/CAF system. Initially the
commanding officer is notified of a breach of a single system. The commanding officer in
turn instructs subordinates to run diagnostic tools to determine the full extent of the breach
nationwide. The outcome of this search reveals that only a handful of systems have been
compromised two at headquarters (Ottawa) and one at an outlying base (Valcartier, Quebec).
Officers are also able to identify the command and control systems linked with this attack.
The commanding officer is able to watch the progress of the response, as the malware is
removed from DND/CAF systems and the command and control systems are blocked from
all DND/CAF networks. The final task is for the cyber-operations officers to identify the
original source of the intrusion so that such an attack can be guarded against in the future.

Scenario Summary
Table 1 gives a detailed description of steps that should be carried out by the operator when
demonstrating Scenario 1. Note that in this scenario, and all others, at each transition between
stages a dialog will appear indicating the next ticket for the new active persona. This dialog
serves two purposes. First, it mimics how the active persona would be notified of their next
task, or receive updates, within the system. Second, for the presenter, it serves as a marker
that you have progressed to the next stage.

Discussion
Note that Scenario 1 will be described in somewhat more detail than the other scenarios, as it
will provide information on the mechanics of working with the interface, which are constant
from scenario to scenario.
Stage 1: This scenario starts off with Fletcher as the active persona. He is the fictional leader
of our cyber-operations group and will be the initial active persona for all scenarios. After
launching the scenario (4.1) the presenter may want to pause it temporarily and give the
viewers a brief overview of the interface elements (4.2), though this is not part of the scenario
itself. Upon resuming the scenario a popup dialog should appear shortly indicating that
systems in our network have been compromised and that the commander should create a new
mission to address the situation. The presenter should select a priority for this mission and
click OK.
At this point the presenter may want to look at the different views (activated through the
Layers widget). In the Physical layer clicking on the nodes should present a popup menu that
lets the commander either view node details, assign, or zoom on the node. The user can select
zoom on either the Ottawa or Valcartier bases (this is the case for all scenarios). To return to
the national view they can select any node in the zoomed view and select zoom (which is
effectively zoom out). At this stage the presenter should also select Julie Gagnon to lead the
mission by clicking on her node in the Cyber Persona layer (human) and choosing the Assign
option from the popup. You will be prompted if you want to create a ticket, indicate yes, and
fill in the ticket details, description, and select a priority before hitting OK. The ticket priority

Dept. Of CSE, DSIT Page | 8

CYBERCOP 2021-22

need not match the priority of the current mission, so you can create a low priority ticket
within a high priority mission. Later in the scenario the presenter can see that this ticket
appears in Gagnon’s list of tickets (2.2).
To complete this stage select Julie Gagnon from the drop down menu in the Persona widget.
The presenter can optionally assign one of the team members to the mission (like Fletcher did
at the previous stage), but this is unnecessary as the simulation will assign all appropriate
individuals.

Figure 9: Creating a ticket for a subordinate.

Stage 2: In stage 2 the active persona is now Julie Gagnon. Gagnon is also a commander and
can assign individuals to the mission. A dialog will appear indicating that Gagnon is to take
command of mission M173. If the presenter views the Cyber Persona (human) layer they can
see that Gagnon’s node has been highlighted indicating her involvement in this mission. She
can look at her team members (her team consists of the nodes under her in the Cyber Persona
graph.
Stage 3: Once again when we transition to a new active persona a popup dialog appears
indicating the actions the active persona is supposed to take. In the Physical layer the Ottawa
base will be highlighted yellow, indicating it is the location of a confirmed infection.
Zooming in on the base will reveal that no hosts have yet been identified as the source of the
inflection.

Dept. Of CSE, DSIT Page | 9

CYBERCOP 2021-22

The most interesting changes will be in the Logical Layer (as depicted in Figure 10 below).
This layer shows the deployment of our team members and the various resources we are
evaluating. The infected system was part of our procurement group, so hosts at the Ottawa
base that are part of this group are being evaluated using Norton Anti-Virus by cyber-
operator Jackson. In addition, any base (nationwide) that has assets in the procurement group
is also being evaluated. In this case Kowalski is using the OpenVAS tool, a vulnerability
scanner, to identify potential target systems at these locations. Legault has been assigned to
monitor network traffic to the malware’s command and control (C2) centre, which we have
not yet identified but which we know must exist due to the nature of the malware. Legault is
using a packet sniffing/analysis tool, Wireshark, for this purpose. His goal will be to help
identify the IP addresses of the C2 servers.

Figure 10: Stage 3 Logical Layer.

Stage 4: For stage 4 we return to Fletcher. He receives a message indicating that the team has
been fully deployed and that the C2 servers have been identified. He should examine the
Physical layer and see that two bases are impacted (Ottawa and Valcartier) and the different
C2 servers that are being used to interact with these bases.
Stage 5: In this stage Kowalski has been assigned the task of blocking the C2 servers so they
can no longer communicate with our network. He switches to the Logical View (see Figure
11) to see the current situation. Jackson and Legault are still using Norton AV and OpenVAS
to perform additional analysis, but we now have the infection narrowed down to two hosts,
one in Ottawa and one at Valcartier. Kowalski will use the firewall software ipTables to
configure two of our outgoing routers to block traffic from the C2 servers.

Dept. Of CSE, DSIT Page | 10

CYBERCOP 2021-22

Figure 11: Stage 5 Logical Layer.

Stage 6: In stage 6 were return to Gagnon. She should check the Logical Layer and see that
the firewalls have been deployed. This will also appear in the Physical Layer.

SCENARIO 2: OFFENSIVE
Synopsis
DND/CAF has been asked to use our cyber-offensive capabilities to help infiltrate and
degrade the cyber-capabilities of a terrorist group that is attempting to recruit in Canada. In
the scenario the group is simply referred to as TGroup (though this has no specific meaning).
The commanding office assigns officers to perform reconnaissance of the terrorists group’s
digital resources. A web server and online accounts (Twitter/email) are identified as
belonging to the group. Once this information is obtained the cyber-officers go about
planning an attack against the group including a phishing effort aimed at the email accounts
to compromise the group’s server. The scenario ends with the server compromised with
malware under DND/CAF control installed.

Discussion
Many of the steps here are similar to those in Scenario 1, so we only discuss unique features
of the scenario here.
Stage 2: In this stage it is important to view the Cyber Persona layer, this shows various cyber
persona associated with our accounts, but also shows a pair of accounts known to be affiliated
with the terrorist organization we wish to infiltrate.

Dept. Of CSE, DSIT Page | 11

CYBERCOP 2021-22

Stage 3: At this stage we have now identified through our initial exploration key assets
belonging to the SA group. These can be view in the Logical Layer (see Figure 12), which
shows the opposition assets and assets we have deployed to investigating them. Jones is using
a Twitter account to present herself as a student interested in the group, a lost soul who goes
by the online persona of Surfer Dude and is the ideal target for groups such as this. Through
this she is able to identify a website affiliated with the group. Khoury is using the Wireshark
packet sniffer to watch traffic passing between the DND/CAF and SA group networks in
order to develop some understanding of their network.

Figure 12: Stage 3 Logical Layer.

Stage 4: In stage 4 we see preparations for infiltration of the SA group’s network (see Figure
13 for the Logical Layer view). We have obtained some additional information about their
setup, including which database server they are using. The Metasploit Framework tool has
been selected as the means of hacking into their network. Metasploit Framework is a
powerful penetration testing tool which can also be used to hack remote systems. It includes a
number of scripts that can deploy malware payloads to remote hosts. In this scenario we pick
two of these payloads that exploit vulnerabilities on MS Windows systems,
reverse_tcp and reverse_conn.
The connections between the Metasploit Framework scripts and the surfer.d Gmail account
indicate that we intended to use this email account as the delivery mechanism for our
malicious payload. Khoury will create an email with an attached PDF file (or something
similar) into which the payload will be embedded and send it to the recruiting@volab.ca
account and hope they don’t have Anti-virus tools that will detect it. This will be our attack
vector into their network.

Dept. Of CSE, DSIT Page | 12

CYBERCOP 2021-22

Figure 13: Stage 4 Logical Layer.

Stage 5: In this stage the presenter can check the Logical Layer to verify that the exploit has
been deployed. It now appears attached to the Azure VM, shaded in blue to indicate that the
script is under our control. We also show our C2 script run through Metasploit Framwork
which will communicate with the remote script over the Internet. We have now successfully
penetrated the targets network and can run arbitrary code on their server.

Figure 14: Stage 5 Logical Layer.

Dept. Of CSE, DSIT Page | 13

CYBERCOP 2021-22

SCENARIO 3: REMEDIATION
Synopsis
This is a follow on from Scenario 1 and the starting point is the end of that scenario. In this
case we are demonstrating efforts to clean up following a successful hack of DND/CAFs
networks. The C2 servers for the attack have been blocked at our firewall, but any traces of
the malware (WINNTI) need to be removed from all DND/CAF systems. This scenario walks
through the assignment and completion of the tasks required to secure and clean up the
infected systems.

Stage 1: This scenario starts off where Scenario 1 left off, so when we first launch the
mission we see the two C2 servers and the firewalls that were created at that point.
Stage 3: This is the most important stage, as subsequent stages are simply commanding
officers following up to verify that the work has been completed. Figure 15 below shows the
Logical Layer at this stage. Here we see the two affected hosts, ott-host-03 and val-host-02,
and our efforts to evaluate/secure these machines. Yang is using the Splunk tool, a log
analyzer to dig into system logs related to the systems. The purpose of this work is to see if
we can detect how the malware arrived in our networks. Yang is also running Nessus, a
vulnerability scanner similar to OpenVAS. Johnson and Belanger have access to the
administrator accounts on the two infected systems and are working to remove any remnants
of the malware.

Figure 15: Stage 3 Logical Layer.

Stage 4: The two infected hosts are shaded green (in the Logical Layer) to indicate that the
malware has been expunged from the systems and they are now secured.

Dept. Of CSE, DSIT Page | 14