Professional Documents
Culture Documents
PROJECT OBJECTIVES
CyberCOP was developed as demonstration software. It has been developed to elicit discussion
on the requirements and design of a future fully featured CyCOP tool. To the extent possible it
attempts to present realistic features and scenarios.
To demonstrate the capabilities of the software three pre-scripted scenarios have been
developed for demonstration:
A defensive cyber operations (DCO) scenario presents a defensive mission where malware has
been detected within the Department of National Defence(DND)/Canadian Armed Forces
(CAF) network and must be isolated and neutralized.
An offensive cyber operations (OCO) scenario demonstrates an offensive mission, in which
cyber operatives attempt to compromise external/hostile cyber assets.
A remediation scenario shows a remediation mission, where efforts to secure previously
compromised internal assets against future attacks is shown. The scenarios are static and
scripted such that most user interaction is only intended to demonstrate the operation of the
software and will not impact the story being told in any meaningful way.
SCENARIO DEVELOPMENT
The scenarios, included in the CyberCOP software, have been developed with a number of
considerations in mind:
• The scenarios are intended to be brief, taking no more than 10 to 15 minutes each for a
complete walkthrough.
• Scenarios are intended to have an element of realism, but, since they are scripted, they
lack the detail required to represent real-world cyber-operations. Furthermore, while
the scenarios revolve around real-world tools used in cyber operations, they are
included for illustrative purposes so their use, as described in the scenarios, may not
match actual use in practice.
• While the bases in the physical layer are, in some instances, real-world Canadian
military bases, all details about the bases are purely fictional.
• All individuals included in the military cyber operations command structure are
fictional.
Each scenario corresponds to a mission, where the goal is the achievement of some objective
in the cyber domain. Each of the scenarios included in the CyberCOP software corresponds to
a single mission and follows the mission from creation to completion. For the sake of creating
a realistic feel within the demo, references to other missions appear in the software. In the cyber
domain it is likely that an individual may be involved with multiple missions at any one time,
so the software reflects this.
CYBERCOP INSTALLATION
The CyberCOP software is installed by executing the "CyberCOP Setup-1.0.exe" installer
application, the exact version of which may vary with future releases. Double clicking on the
executable should launch the installer process, the first dialog the user will see is shown in
Figure 3, which asks if the user wants to install for only themselves, or for all users. As this
software is intended for demonstration purposes, we recommend that it be installed for just the
current user and not system wide. It should be noted that for system wide (all users) installation
you will require administrator privileges.
The next step in the installation is to select the installation path. The default installation path
is \\User\AppData\Local\Programs\CyberCOP. The installation requires around 135 MB of
disk space.
Users can opt to create a desktop shortcut following the choice of installation path
Once the installation is complete the user will be asked if they wish to launch CyberCOP
upon the exit of the installer.
Installing CyberCOP installs the executable and all data required to run the three prepared
scenarios.
Uninstalling CyberCOP
Go to the installation directory and locate the file unins000.exe and execute it by double
clicking.
BASIC OPERATION
When CyberCOP is launched the main CyberCOP window is displayed. The interface is very
simple, with just a few controls to learn. The main feature of the interface is the layer view,
which is initially just a large blank canvas where layers will be displayed once a scenario is
loaded. On the left hand side of the window are a series of views which display information
related to the scenario and provide controls for the main Layer View. The main window, as it
appears after loading a scenario.
Ticket Widget: The Ticket Widget displays tickets for the active persona. Tickets are tasks, or
perhaps information, assigned to the current user. The tickets widget allows the active
persona to view all tickets currently assigned to them.
Mission Widget: This shows the missions to which the active persona is assigned, and is
included to make the interface more realistic, as in the cyber domain an individual may be
involved in many missions.
Layer View: The layer view is the main focus of the software. It is in the layer view that the
graphs depicting the entities of the current scenario are displayed.
LAUNCHING SCENARIOS
When CyberCOP is first launched nothing will appear in either the Layer View or on the
various dock widgets. The first step the user should take is to load a scenario. This is done
through the application menu, by selecting Scenario -> Load and selecting one of the three
available scenarios; Offensive, Defensive, or Remediation.
There is an ‘Other’ option, which can load a user defined scenario from a file. If you wish to
create your own user defined scenario, it should be noted that there is a base scenario which
is currently loaded as part of all scenarios. The corresponding file can be found in
“/<CyberCOP Install Path>\scenarios\base.json”. Any custom scenario will load all entities
from this base scenario, which includes the skeleton graph structure of all layers typically
seen when scenarios are first loaded.
Once a scenario is loaded, it must be started in order for the simulation to proceed. This can
be done through the main menu Scenario menu, Scenario -> Load -> Start/Resume, (see
Figure 8 above) or by simply clicking the arrow in the Scenario Controls icons. Until the
simulation is started, some features related to layers (such as the Zoom feature in the Physical
Layer) will not work. At any point during the execution of a scenario the simulation can be
paused through the main menu or by clicking the pause button in the Scenario Control icons.
Scenarios can also be restarted, which resets the scenario to its original state.
RUNNING SCENARIOS
Before proceeding it is helpful to define the terms presenter and active persona. The presenter
is the real world individual operating the software. Within a running scenario at any given
time there will be an active persona. This is the fictional person that is operating the software.
The active person is identified in the Active Persona Widget. At any time the presenter can
change the active persona by selecting the person drop-down in this widget.
Once a scenario is launched various pre-scripted events can occur, either on a timer, or in
response to pre-defined presenter actions. To keep things simple for the presenter, we have
chosen to use a limited set of events, including one timer induced event to start off each
scenario, and a series of events triggered by changes to the current active persona. This setup
should allow the presenter to quickly determine at which point in a scenario they are at by
simply checking who the active persona is.
The three scenarios described below are presented in a similar fashion. First a brief synopsis
is given of what occurs in the scenario, followed by a table which outlines the scenario (as
indicated by the active persona). More detailed descriptions of the scenarios follow. Each
scenario is divided into stages, with a set of corresponding suggested actions. If the presenter
omits some action it will not derail the scenario, as long as the presenter advances through the
scenario by changing the active person as indicated. It is important that the sequence of
changes between active personas be followed as described, since the change in active person
triggers events that may not make sense if performed out of order. Failure to follow the
describe order may result in odd behavior, but the software will remain operational.
The tables detailing the scenarios divide them into stages with corresponding actions. For
example, Scenario 1 has six stages each with multiple actions. The various actions are
numbered. As some actions are self explanatory no further discussion is needed in the details
section that follows the table outline. In the descriptive text specific actions can be reference
by the combined stage/action numbers, so 4.1 indicates Stage 4, Action 1.
The fictional individuals in the persona layer are classified as commanders or cyber operators
and as having defensive or offensive responsibilities. A handful of personas have joint
offensive/defensive responsibilities. While the layer views remain constant whether a
commander or cyber operator is viewing them, the commanders have additional capabilities.
Specifically, they can assign nodes to the current mission while cyber operators are restricted
to viewing data.
SCENARIO 1: DEFENSIVE
Synopsis
In this scenario malware has been discovered on a DND/CAF system. Initially the
commanding officer is notified of a breach of a single system. The commanding officer in
turn instructs subordinates to run diagnostic tools to determine the full extent of the breach
nationwide. The outcome of this search reveals that only a handful of systems have been
compromised two at headquarters (Ottawa) and one at an outlying base (Valcartier, Quebec).
Officers are also able to identify the command and control systems linked with this attack.
The commanding officer is able to watch the progress of the response, as the malware is
removed from DND/CAF systems and the command and control systems are blocked from
all DND/CAF networks. The final task is for the cyber-operations officers to identify the
original source of the intrusion so that such an attack can be guarded against in the future.
Scenario Summary
Table 1 gives a detailed description of steps that should be carried out by the operator when
demonstrating Scenario 1. Note that in this scenario, and all others, at each transition between
stages a dialog will appear indicating the next ticket for the new active persona. This dialog
serves two purposes. First, it mimics how the active persona would be notified of their next
task, or receive updates, within the system. Second, for the presenter, it serves as a marker
that you have progressed to the next stage.
Discussion
Note that Scenario 1 will be described in somewhat more detail than the other scenarios, as it
will provide information on the mechanics of working with the interface, which are constant
from scenario to scenario.
Stage 1: This scenario starts off with Fletcher as the active persona. He is the fictional leader
of our cyber-operations group and will be the initial active persona for all scenarios. After
launching the scenario (4.1) the presenter may want to pause it temporarily and give the
viewers a brief overview of the interface elements (4.2), though this is not part of the scenario
itself. Upon resuming the scenario a popup dialog should appear shortly indicating that
systems in our network have been compromised and that the commander should create a new
mission to address the situation. The presenter should select a priority for this mission and
click OK.
At this point the presenter may want to look at the different views (activated through the
Layers widget). In the Physical layer clicking on the nodes should present a popup menu that
lets the commander either view node details, assign, or zoom on the node. The user can select
zoom on either the Ottawa or Valcartier bases (this is the case for all scenarios). To return to
the national view they can select any node in the zoomed view and select zoom (which is
effectively zoom out). At this stage the presenter should also select Julie Gagnon to lead the
mission by clicking on her node in the Cyber Persona layer (human) and choosing the Assign
option from the popup. You will be prompted if you want to create a ticket, indicate yes, and
fill in the ticket details, description, and select a priority before hitting OK. The ticket priority
need not match the priority of the current mission, so you can create a low priority ticket
within a high priority mission. Later in the scenario the presenter can see that this ticket
appears in Gagnon’s list of tickets (2.2).
To complete this stage select Julie Gagnon from the drop down menu in the Persona widget.
The presenter can optionally assign one of the team members to the mission (like Fletcher did
at the previous stage), but this is unnecessary as the simulation will assign all appropriate
individuals.
The most interesting changes will be in the Logical Layer (as depicted in Figure 10 below).
This layer shows the deployment of our team members and the various resources we are
evaluating. The infected system was part of our procurement group, so hosts at the Ottawa
base that are part of this group are being evaluated using Norton Anti-Virus by cyber-
operator Jackson. In addition, any base (nationwide) that has assets in the procurement group
is also being evaluated. In this case Kowalski is using the OpenVAS tool, a vulnerability
scanner, to identify potential target systems at these locations. Legault has been assigned to
monitor network traffic to the malware’s command and control (C2) centre, which we have
not yet identified but which we know must exist due to the nature of the malware. Legault is
using a packet sniffing/analysis tool, Wireshark, for this purpose. His goal will be to help
identify the IP addresses of the C2 servers.
Stage 4: For stage 4 we return to Fletcher. He receives a message indicating that the team has
been fully deployed and that the C2 servers have been identified. He should examine the
Physical layer and see that two bases are impacted (Ottawa and Valcartier) and the different
C2 servers that are being used to interact with these bases.
Stage 5: In this stage Kowalski has been assigned the task of blocking the C2 servers so they
can no longer communicate with our network. He switches to the Logical View (see Figure
11) to see the current situation. Jackson and Legault are still using Norton AV and OpenVAS
to perform additional analysis, but we now have the infection narrowed down to two hosts,
one in Ottawa and one at Valcartier. Kowalski will use the firewall software ipTables to
configure two of our outgoing routers to block traffic from the C2 servers.
Stage 6: In stage 6 were return to Gagnon. She should check the Logical Layer and see that
the firewalls have been deployed. This will also appear in the Physical Layer.
SCENARIO 2: OFFENSIVE
Synopsis
DND/CAF has been asked to use our cyber-offensive capabilities to help infiltrate and
degrade the cyber-capabilities of a terrorist group that is attempting to recruit in Canada. In
the scenario the group is simply referred to as TGroup (though this has no specific meaning).
The commanding office assigns officers to perform reconnaissance of the terrorists group’s
digital resources. A web server and online accounts (Twitter/email) are identified as
belonging to the group. Once this information is obtained the cyber-officers go about
planning an attack against the group including a phishing effort aimed at the email accounts
to compromise the group’s server. The scenario ends with the server compromised with
malware under DND/CAF control installed.
Discussion
Many of the steps here are similar to those in Scenario 1, so we only discuss unique features
of the scenario here.
Stage 2: In this stage it is important to view the Cyber Persona layer, this shows various cyber
persona associated with our accounts, but also shows a pair of accounts known to be affiliated
with the terrorist organization we wish to infiltrate.
Stage 3: At this stage we have now identified through our initial exploration key assets
belonging to the SA group. These can be view in the Logical Layer (see Figure 12), which
shows the opposition assets and assets we have deployed to investigating them. Jones is using
a Twitter account to present herself as a student interested in the group, a lost soul who goes
by the online persona of Surfer Dude and is the ideal target for groups such as this. Through
this she is able to identify a website affiliated with the group. Khoury is using the Wireshark
packet sniffer to watch traffic passing between the DND/CAF and SA group networks in
order to develop some understanding of their network.
Stage 4: In stage 4 we see preparations for infiltration of the SA group’s network (see Figure
13 for the Logical Layer view). We have obtained some additional information about their
setup, including which database server they are using. The Metasploit Framework tool has
been selected as the means of hacking into their network. Metasploit Framework is a
powerful penetration testing tool which can also be used to hack remote systems. It includes a
number of scripts that can deploy malware payloads to remote hosts. In this scenario we pick
two of these payloads that exploit vulnerabilities on MS Windows systems,
reverse_tcp and reverse_conn.
The connections between the Metasploit Framework scripts and the surfer.d Gmail account
indicate that we intended to use this email account as the delivery mechanism for our
malicious payload. Khoury will create an email with an attached PDF file (or something
similar) into which the payload will be embedded and send it to the recruiting@volab.ca
account and hope they don’t have Anti-virus tools that will detect it. This will be our attack
vector into their network.
SCENARIO 3: REMEDIATION
Synopsis
This is a follow on from Scenario 1 and the starting point is the end of that scenario. In this
case we are demonstrating efforts to clean up following a successful hack of DND/CAFs
networks. The C2 servers for the attack have been blocked at our firewall, but any traces of
the malware (WINNTI) need to be removed from all DND/CAF systems. This scenario walks
through the assignment and completion of the tasks required to secure and clean up the
infected systems.
Stage 1: This scenario starts off where Scenario 1 left off, so when we first launch the
mission we see the two C2 servers and the firewalls that were created at that point.
Stage 3: This is the most important stage, as subsequent stages are simply commanding
officers following up to verify that the work has been completed. Figure 15 below shows the
Logical Layer at this stage. Here we see the two affected hosts, ott-host-03 and val-host-02,
and our efforts to evaluate/secure these machines. Yang is using the Splunk tool, a log
analyzer to dig into system logs related to the systems. The purpose of this work is to see if
we can detect how the malware arrived in our networks. Yang is also running Nessus, a
vulnerability scanner similar to OpenVAS. Johnson and Belanger have access to the
administrator accounts on the two infected systems and are working to remove any remnants
of the malware.
Stage 4: The two infected hosts are shaded green (in the Logical Layer) to indicate that the
malware has been expunged from the systems and they are now secured.