Requirement specification for cyber security situational awareness
Defender's approach in cyber security exercises

Jarno Lötjönen
Master's thesis
December 2017
School of Technology
Master's Degree Programme in Information Technology, Cyber Security
Description

Author(s): Lötjönen, Jarno
Type of publication: Master's thesis
Date: 2.12.2017
Language of publication: English
Number of pages: 75
Permission for web publication: x
Title of publication: Requirement specification for cyber security situational awareness. Defender's approach in cyber security exercises
Degree programme: Master's Degree Programme in Information Technology, Cyber Security
Supervisor(s): Kokkonen, Tero; Karjalainen, Mika
Assigned by: JAMK University of Applied Sciences, JYVSECTEC; Kokkonen, Tero

Abstract

Digitalization of the world is rapid and poses new threats to developed societies. Cyber security exercises held in JAMK University of Applied Sciences provide significant learning opportunities to individuals and organizations in the realistic global cyber environment RGCE. The exercises are technical-functional by nature, and this means that the situational awareness of individuals and teams is critical in order to fulfill the learning objectives. Good situational awareness means that decision makers have correct information to make decisions.

The thesis studied situational awareness in the context of a cyber security exercise from the perspective of the defending blue team. Defending teams observe, report and mitigate cyber events that are happening in the cyber environment assigned to them. There are many different types of cyber-attacks happening that the team should be able to detect.

The research questions for this thesis stated that the objective of the thesis is to find the requirements needed for a situational awareness system and make a proposal for a novel construction for a blue team situational awareness system. Additionally, there is a need to do more research in the field of situational awareness, and part of this thesis was to identify where new research is needed.

As a main result, 56 requirements have been identified and a proposal for a novel system construction is made. Additionally, new research topics in the areas of individual and organizational situational awareness have been identified.

Keywords/tags (subjects)
Cyber security, Cyber exercise, Situational awareness, Requirement specification
Description (Finnish description page, translated)

Author(s): Lötjönen, Jarno
Type of publication: Master's thesis (higher UAS degree)
Date: 2.12.2017
Language of publication: English
Number of pages: 75
Permission for web publication granted: x
Title of publication: Requirement specification for cyber security situational awareness. Defender's approach in cyber security exercises
Degree programme: Master's Degree Programme in Information Technology, Cyber Security
Supervisor(s): Kokkonen, Tero; Karjalainen, Mika
Assigned by: JAMK University of Applied Sciences, JYVSECTEC; Kokkonen, Tero

Abstract

The digitalization of the world is rapid and poses new threats to developed societies. The cyber security exercises held at the IT Institute of JAMK University of Applied Sciences offer significant learning opportunities to individuals and groups in the realistic global cyber environment RGCE. The exercises are technical-operational by nature, and this means that the situational awareness of the individual and the group is critical for reaching the learning objectives. Good situational awareness enables decision-making based on correct information.

The thesis studied situational awareness from the perspective of the defending team within the framework of a cyber security exercise. Defending teams observe, report and counter the cyber phenomena that occur in the cyber environment assigned to them. The team must be able to detect many different kinds of cyber attacks.

The research questions of the thesis set as the objectives of the work finding the requirements for a requirement specification and defining a proposal for a new construction for the defending team's situational awareness system. In addition, there is a need for further research in the field of situational awareness, and identifying new research topics was part of the work.

As the main results, 56 requirements have been found and, based on these, a system construction has been created. In addition, new research topics in the area of individual and organizational situational awareness have been identified.

Keywords (subjects)
Cyber security, Cyber security exercise, situational awareness, situation understanding, requirement specification
Contents

Glossary 7
1 Introduction 8
2 Research 10
2.1 Research objectives 10
2.2 Research methodology 10
2.3 Research questions 13
3 Requirements specification 14
3.1 Fundamentals of requirement specification in software engineering 14
3.2 Requirement handling in software development 15
3.3 Specification in software development 17
3.4 Requirement categorization 17
4 Cyber security exercises and the infrastructure in JAMK 20
4.1 Overview of core exercise types 20
4.2 Table top exercise 20
4.3 Hybrid exercise 21
4.4 Full live exercise 21
4.5 Exercise team definitions 22
4.6 Cyber range 25
4.7 Realistic Global Cyber Environment (RGCE) cyber range 26
5 Situational awareness 28
5.1 Theoretical background 28
5.2 Different levels of situational awareness 29
5.3 Situational awareness for teams 32
5.4 Cyber security situational awareness 34
5.5 Situational awareness information consumers and provider systems 37
6 Cyber security situational awareness system approaches 39
7 Requirements for blue team SA system 41
7.1 Blue team SA in cyber security exercise 41
7.2 Usage requirements 43
7.3 Blue team user requirements 46
7.4 White team requirements 51
7.5 Interconnectivity requirements 52
7.6 Data processing requirements 54
8 System construction 57
8.1 User interface 58
8.2 Data input and select 59
8.3 Data API 59
8.4 Data aggregation 60
8.5 Database 60
9 Research results 61
10 Conclusions 63
References 66
Appendices 69

Figures

Figure 1 Elements of Constructive Research (Kasanen et al. 1993, 247) 11
Figure 2 Agile process (Sommerville 2011, 63) 16
Figure 3 Plan-Based Development (Sommerville 2011, 63) 17
Figure 4 The levels of situational awareness (Endsley 1995, 35) 29
Figure 5 The framework model (Endsley 1995, 35) 31
Figure 6 Team situational awareness (Endsley 1995, 39) 33
Figure 7 Cyber Security information consumers and providers 38
Figure 8 Systems contributing information to the situational awareness 42
Figure 9 Proposed blue team situation awareness system construction 58

Tables

Table 1 Content of a requirement 18
Table 2 Requirements for a SA System 69
Glossary

JYVSECTEC  Jyväskylä Security Technology
SWEBOK     Software Engineering Body of Knowledge
RGCE       Realistic Global Cyber Environment
DFIR       Digital Forensic and Incident Response
SA         Situational Awareness
RT         Red Team
WT         White Team
BT         Blue Team
GT         Green Team
CERT       Computer emergency response team
CSIRT      Computer security incident response team
IR         Incident Response
MISP       Malware Information Sharing Platform
CAIS       Cyber Attack Information System
OOG        out-of-game
IG         in-game
OSINT      Open Source Intelligence
HUMINT     Human Intelligence
1 Introduction

The world has gone digital. In developed information societies, such as Finland, this is a fact so profound that without functioning data networks and computer systems the well-being of humans and even the security of the nation is at risk.

In this complex world, where the boundaries of the digitalized infrastructure and the physical realm are blurred, the interconnected environment of physical and electrical systems is often described as the cyber domain. The cyber domain is defined in the Finnish cyber security strategy as a domain of information technology infrastructures processing data. (Secretariat of the Security Committee 2013, 12)

In today's world, where the cyber domain is an integral part of people's lives, the need for training against different types of cyber-related threats is ever growing. JAMK University of Applied Sciences has arranged a vast number of different types of cyber trainings. The training against threats should take place in a controlled environment, because there is a need for realistic simulated attacks, and the risks of breaking laws or harming outsiders by making mistakes in the open internet are, simply put, too big and too real. Also, not many organizations are willing to take the risk of harming their production environment or the continuity of their business.

For this purpose, the cyber security exercises are held in closed cyber ranges isolated from the internet; however, they mimic the services and structures of the real internet. Nevertheless, it makes no difference whether one is training in simulations or struggling with real cyber security incidents in one's production systems: the need for accurate situational awareness is always paramount.

Situational awareness can mean a variety of things to different people. People also have many kinds of comprehension about situational awareness. Therefore, there is a need to define what it means in the context of this thesis.

Many times, to be able to resolve a cyber security incident there is a need to know what happened, where it happened, when it happened, why it happened and to whom it happened. There are several systems sold and advertised as situational awareness systems. These vary from infrastructure monitoring systems to log management systems and even to ticketing platforms. These systems are crucial tools for information gathering for incident handling; however, the problem is that when complex decisions need to be made for solving cyber security incidents, most of the information is processed in human heads.

There is a clear need for a system that gathers pieces of information so that the incident handler can make rational decisions faster and focus on the relevant tasks. In many cyber security exercises, the situation gets hectic, and any system that helps in prioritization would be useful for the defending team.

The theoretical background for this thesis is based on research on cyber security situational awareness, requirements management and cyber security exercises.

The outcome of this thesis can be used as a high-level requirement specification for a cyber security situational awareness system for the defender in cyber security exercises. It should be possible to design and develop a demonstration system that visualizes and helps in understanding what the current overall cyber security status and the situation of incident handling is for a defending team.

This thesis is assigned by JYVSECTEC (Jyväskylä Security Technology). JYVSECTEC is an independent cyber security research, training and development center within JAMK University of Applied Sciences, the Institute of Information Technology. JYVSECTEC arranges cyber exercises of various types and sizes, and the purpose of this thesis is to advance the research of SA (Situational Awareness) in cyber exercises. (JYVSECTEC 2017)
2 Research

2.1 Research objectives

In this thesis, the situational awareness of a cyber security exercise team is studied. Situational awareness in an exercise covers the aspect of reporting team actions in the course of an exercise. This means that the team reports and understands the actions they make in the exercise along with the more obvious technical findings. The thesis explains why there is a need for a new situational awareness system construction.

The objective of this thesis is to create a requirement specification document for a cyber security situational awareness system. The designed situational awareness system described here could be used in cyber security exercises by a team responsible for defending technical cyber environments against various types of cyber security threats. Hence the definition, a defender's approach, in the subtitle of the thesis.

There is a vast number of systems and platforms marketed as situational awareness systems on the market today. Because almost any type of visualization or log management software enhances the awareness of the situation in computer system environments, the use of situational awareness terminology in marketing is valid. The complexity of situational awareness illustrates why there are many ways to use the term. The definition and context related to this thesis are explained later.

Systems or platforms specifically designed with cyber security exercise usage in mind are non-existent, or at least none were available at the time of writing this thesis. Therefore, the need for this research is justified.
2.2 Research methodology

Gordana (2010) stated that constructive methodology is a suitable research method to be used in software engineering theses. Not all relevant first-hand knowledge is usually presented when referring to more fundamental approaches such as the empirical method, grounded theory etc. Therefore, a method of constructive approach is needed. Gordana also characterizes the constructive method and its relation to the more fundamental research methodologies. (Gordana 2010, 1)

Gordana (2001, 1) also refers to what Lazaro and Marcos (2005) stated: that in the field of computing, engineering research differs greatly from traditional scientific approaches, as engineering focuses on how a thing is created and how it works instead of metaphysical issues. (Lazaro & Marcos 2005, 3)

The constructive research method should aim at solving practical problems via a process of selecting a problem, obtaining knowledge about the area and designing a solution. When there are existing theories and practical problems, the gap between them shows potential for a contribution to constructive research. (Lehtiranta et al. 2015, 1)

Constructive research can be considered a type of applied study, as the production of new knowledge is characteristic of it. This aspect suits well a thesis done for a university of applied sciences. (Kasanen et al. 1995, 252)

Kasanen et al. (1993, 247) introduced a model with four elements that should be included in constructive research. These are shown in Figure 1, with the construction in the center as the final solution.

Figure 1 Elements of Constructive Research (Kasanen et al. 1993, 247)

The practical relevance of this thesis comes from the need that JYVSECTEC (JYVSECTEC 2017) has found out in a few years of running cyber exercises. Blue teams often report that they had difficulties in understanding the situation and do not remember the actions they made. There is a real-world need for a new situational awareness system to be used in cyber exercises, with features that are not found on the market. Many different systems are used separately in exercises to accomplish the tasks covered by this thesis.

Practical functioning is the problematic issue in this kind of approach, and it is stated to be so also by Kasanen et al. (1993, 246) in their research. The main problem lies in understanding the fact that the actual functioning of a problem-solving construction can often be found only after the construction is actually implemented. This is not even in the scope of this thesis, so this research method falls short in this area.

The theoretical connection to research comes from literature regarding situational awareness and cyber security exercise research. Reflecting these against the author's several years of practical experience from many different exercises, it is easy to understand that the theoretical literature is not focusing on the dilemma of blue team situational awareness.

According to a study consisting of 102 scientific articles by Franke and Brynielsson (2014), theoretical research on cyber situational awareness is focusing more towards data analytics, data fusion and answering cyber threats by technical means. (Franke & Brynielsson 2014, 26-27)

When cyber exercises are studied, the research and literature found focuses on covering the different aspects that need to be taken into account when designing and conducting exercises, but does not really focus on team performance in exercises.

This thesis contributes to theoretical research by examining team situational awareness and identifying the need for a novel construction and the requirements to develop such a construction.
2.3 Research questions

Because of the massive amount of data in complex ICT environments, and because the many different computer systems available as situational awareness systems for displaying and analyzing information fail to address the needs of a cyber exercise, research for a novel system design should be performed. The research should show that the requirements and a construction for a system meeting said needs can be found.

Another problem lies in the vast variety of answers to the question of what situational awareness is. When narrowed down to the more detailed area of cyber security situational awareness, there are basically as many answers as there are people answering. If any definitions or new research topics for blue team situational awareness in a cyber security exercise can be found, they should be stated and some new research information should be presented.

New research and solutions in the field of situational awareness are a product of the JYVSECTEC project, and there is also the need to find out aspects of situational awareness that might need further research.

The questions that are the drivers for this thesis can be summarized as:
• What are the requirements for a defending team situational awareness system?
• What kind of framework construction can be proposed?
• What research is there on situational awareness in cyber exercises?

Any additional findings should be reported and at the minimum be listed in the conclusion, to be proposed as future research possibilities.
3 Requirements specification

3.1 Fundamentals of requirement specification in software engineering

In this chapter, some key elements of a software project's requirement specifications are studied to gain a good understanding of how and why this process is fundamental when developing software products.

According to the well-respected source literature SWEBOK (Software Engineering Body of Knowledge), a software requirement is stated as a property that should solve a real-world problem. (Bourque & Fairley 2014, 33-34)

Software requirement management means the analysis and validation of requirements throughout the life cycle of the product. Projects are critically vulnerable if requirement management is not done effectively. (Bourque & Fairley 2014, 32)

SWEBOK (2014, 34) also gives an example that a solution may aim at the automation of a task or at supporting a business process; however, since these function in a complex manner, the requirements are also typically complex combinations coming from various people at multiple levels of an organization. (Bourque & Fairley 34)

When situational awareness is defined later in this thesis, it becomes quite obvious that without a quite strict and limited first approach to the requirement specification work, there would be such a vast amount of complexity that starting would become an overwhelming task. Hence, only key requirements at a somewhat abstract level would be feasible.

When defining the requirement work for a software project, there should be a clear understanding about the proposed requirement handling model.
3.2 Requirement handling in software development

It is not really a relevant part of this thesis to define requirement handling; however, it helps in limiting the scope and aids with understanding why it might seem that some interesting elements are not taken into account when requirements are chosen.

As the organization that assigned this thesis is a university and not a software company, it is quite common to experiment and try new methods. The ultimate goal might not be commercial software to be sold; the aim is to study possible approaches to a certain dilemma.

Therefore, too strict guidelines might actually limit the possibilities. In this type of work, the more agile, fast and flexible methods tend to work the best. If the idea had been a software project that experiments and evolves into actual code, it would have been possible to use the agile development method.

The agile approach illustrated in Figure 2 considers design and implementation as the central activities. It incorporates other activities, such as the elicitation of requirements and the testing of the implementation, into design and implementation, according to Sommerville in the Software Engineering book. (Sommerville 2011, 62)

Figure 2 Agile process (Sommerville 2011, 63)

As this thesis aims more at being a study and defining a new idea in the field of situational awareness rather than creating an actual software product, the agile development process was not the most suitable option. It must be stated that requirements for such an agile project can be found as requested.

When it comes to requirement handling in this project, the author has used the plan-based development specification process, as this seemed well suited for this work.

As stated by Sommerville (2011, 62-63), in the plan-driven approach illustrated in Figure 3 the iteration occurs within the activities themselves. Each function iterates into formal documents that are passed between the different process stages. Therefore, the requirement engineering takes place first, and the refinement of this phase leads to the actual requirement specification. The work done for this thesis can be considered as a requirement engineering phase, and at the same time this thesis can be considered as the actual requirement specification. Though it must be stated that there are more thesis-related research issues written down than would be necessary in a commercial project.

Figure 3 Plan-Based Development (Sommerville 2011, 63)

This plan-based model is suitable for this type of thesis work. It helps in defining the scope of the thesis more strictly than the agile method; however, at the same time it offers the possibility to leave out the design and implementation part, which is not in the scope of the thesis.
3.3 Specification in software development

The reasoning behind software specification work lies in the realization that this process clarifies the understanding and helps with defining what parts the designed system requires. It also identifies the constraints of the system operations.

Sommerville also states the obvious understanding that the requirements process is not simply carried out in a strict sequence of actions. The requirement analysis needs to continue throughout the definition and specification phases, as new requirements come to light as the work continues. (Sommerville 2011, 38)

Keeping this in mind, there is a point in time where it is mandatory for the author to freeze the process of adding new requirements into this thesis. It is obvious that a great number of new ideas will come up during the requirement specification work, which leads to possible future development opportunities.
3.4 Requirement categorization

In order to be able to manage requirements, some form of categorization and requirement format needs to be defined.

According to the requirement management guide of the Finnish Defence Forces, every requirement must have an individual identification that can be multi-layered. If a requirement contains multiple issues, they should be divided into sub-requirements. Also, there is a rule that identifications must be unique and an ID must not be duplicated. (Kosola 2013, 7-8)

Table 1 presents a model that the author has developed for a single requirement, suited for generating the system construction of this thesis. Requirements have some key attributes that are defined.

Table 1 Content of a requirement

CATEGORY              | INFORMATION                          | ADDITIONAL REMARKS
REQ ID NUM            | Ex. 1.1.1                            | Depending on the category, numbering might change
REQ NAME              | Name of the requirement              | Needs to be such that its functionality is understood from the name
DESC                  | Description                          | More detailed description of the requirement
REQ IMPORTANCE        | Importance                           | Importance value: Mandatory, Important, Necessary
ACTION                | Action type                          | What should be done when this requirement is met
TYPE OF ACTION        | Textual or numerical information etc. | There could also be more abstract actions than value inputs
RELATION TO OTHER REQ | REQ ID NUM                           | ID of a requirement which has a relation or clarification

The name of the requirement is there to aid the reader of this document in quickly understanding the meaning of the requirement.

According to Kosola (2013, 14), the description of a requirement is a free textual field that describes the requirement in more elaborate detail. This does not mean, however, that any random free-text wording is therefore a requirement. A requirement needs to be defined with precision and must not be too abstract.

The requirements in this thesis have true relevance to the problem, which is why no requirements are left out, but their importance should be taken into consideration. The importance level of a requirement is also derived from Kosola and is decided to be three-leveled: mandatory, important and necessary. (Kosola 2013, 15)

Mandatory requirements are such that they shall be implemented in the system and cannot be overlooked or left out of the implementation. Important requirements should be implemented but are not vital to the usage of the system. Necessary requirements are such that they can be left out but are valuable and should be implemented.

The other information fields in the requirement model are more or less additional attributes and have been selected by the author in order to help understand the construction that is formed based on the requirements.
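As an added illustration that is not part of the thesis, the following Python applies the Table 1 record format together with the identification rules cited from Kosola to a constructed requirement set: IDs must be unique and multi-layered, every sub-requirement needs an existing parent, the importance must be one of the three levels, and a relation must point at an existing requirement. The field names, the dotted ID syntax and the sample records are assumptions made for the example.

```python
# Added example (not from the thesis): checker for Table 1 requirement records.
# Field names, the dotted ID syntax and the sample records are assumptions.
from dataclasses import dataclass, field
import re

IMPORTANCE_LEVELS = ("Mandatory", "Important", "Necessary")  # three levels per Kosola
ID_PATTERN = re.compile(r"^\d+(\.\d+)*$")  # multi-layered numeric ID such as 1.1.1


@dataclass
class Requirement:
    """One record with the fields of Table 1 (field names are an assumption)."""
    req_id: str                 # REQ ID NUM
    name: str                   # REQ NAME
    desc: str                   # DESC
    importance: str             # REQ IMPORTANCE
    action: str = ""            # ACTION
    type_of_action: str = ""    # TYPE OF ACTION
    related: list = field(default_factory=list)  # RELATION TO OTHER REQ


def parent_id(req_id):
    """'1.2.3' -> '1.2'; a top-level ID such as '1' has no parent."""
    head, sep, _tail = req_id.rpartition(".")
    return head if sep else None


def validate(requirements):
    """Check a requirement set; returns a list of problems, empty when consistent."""
    problems = []
    counts = {}
    for r in requirements:
        counts[r.req_id] = counts.get(r.req_id, 0) + 1
    for req_id, n in counts.items():          # uniqueness rule, reported once per ID
        if n > 1:
            problems.append(f"{req_id}: ID is used {n} times, IDs must be unique")
    known = set(counts)
    for r in requirements:
        if not ID_PATTERN.match(r.req_id):
            problems.append(f"{r.req_id}: ID is not a dotted numeric identifier")
            continue
        parent = parent_id(r.req_id)          # sub-requirements hang under a parent
        if parent is not None and parent not in known:
            problems.append(f"{r.req_id}: parent requirement {parent} is missing")
        if not r.name.strip() or not r.desc.strip():
            problems.append(f"{r.req_id}: name and description must not be empty")
        if r.importance not in IMPORTANCE_LEVELS:
            problems.append(f"{r.req_id}: importance '{r.importance}' is not one of "
                            f"{IMPORTANCE_LEVELS}")
        for rel in r.related:                 # relations must resolve to a record
            if rel == r.req_id:
                problems.append(f"{r.req_id}: a requirement cannot relate to itself")
            elif rel not in known:
                problems.append(f"{r.req_id}: related requirement {rel} does not exist")
    return problems


def sub_requirements(requirements, req_id):
    """IDs of the direct sub-requirements of req_id, in numeric order."""
    children = [r.req_id for r in requirements
                if ID_PATTERN.match(r.req_id) and parent_id(r.req_id) == req_id]
    return sorted(children, key=lambda i: [int(p) for p in i.split(".")])


def by_importance(requirements):
    """Group requirement IDs by importance level, mandatory first."""
    groups = {level: [] for level in IMPORTANCE_LEVELS}
    for r in requirements:
        groups.setdefault(r.importance, []).append(r.req_id)
    return groups


# Constructed sample set: the first four records are consistent, the last three
# are deliberately flawed to show what the checker reports.
SAMPLE = [
    Requirement("1", "Situation overview", "Overall status of the defended environment", "Mandatory"),
    Requirement("1.1", "Incident list", "Open incidents with their handling state", "Mandatory",
                "Display", "Textual"),
    Requirement("1.1.1", "Incident priority", "Priority value for each open incident", "Important",
                "Display", "Numerical", ["1.1"]),
    Requirement("2", "Action log", "Record the actions the blue team has taken", "Mandatory",
                "Store", "Textual"),
    Requirement("2", "Duplicate", "Same ID used twice", "Necessary"),
    Requirement("3.1", "Orphan", "Parent 3 does not exist", "Important"),
    Requirement("4", "Bad importance", "Importance outside the three levels", "Optional",
                related=["9.9"]),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE):
        print(problem)
```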
4 Cyber security exercises and the infrastructure in JAMK

4.1 Overview of core exercise types

In this chapter, some key exercise types are covered. There is a vast number of different kinds of exercises that could be used when learning about cyber security threats and about the ways of handling different kinds of incidents.

When looking for information about how to conduct such an exercise, a book from MITRE comes up as an industry baseline for exercise building. Also, a rough categorization of the different exercise types can be found in the cyber exercise playbook published by the MITRE organization. It states the core types to be Table Top, Hybrid (scripted injects with real probes/scans) and Full Live (real and scripted). (Kick 2014, 8)

In JAMK JYVSECTEC, the cyber exercises are categorized according to the business model. The MITRE categories are also valid for JAMK business cases, and they are reflected on when briefly going through the types. They have been named so that they are more descriptive to customers.

In the JYVSECTEC cyber range, RGCE and solutions white paper, the main exercise types offered are named as the Digital Forensics and Incident Response (DFIR) exercise, the industry sector exercise and the tailored cyber exercise. (Vatanen et al. 2017, 13-15)

JAMK exercises are reflected on their MITRE counterparts when defining the exercises via the MITRE categorization.
4.2 Table top exercise

A table top exercise has scripted events and is often the first type of exercise. Table top exercises do not take too long to plan and need limited resources. This is a common exercise type that is well suited for playing the scenarios for decision-making level attendees. The planners and players usually sit at the same table, and the injects are hypothetical, pre-coordinated and written down. This exercise is often used to build relationships and share information between different organizations. They should not be too big and should offer room for discussions. (Kick 2014, 9)

At JAMK JYVSECTEC, table top exercises are usually not hosted. The focus and the business model are aimed more at the technical and operational levels. However, on some occasions a table top approach has been selected in unison with a technical-operational exercise with company executives, which has been a really good way of integrating two different types of exercises.
4.3 Hybrid exercise

Hybrid exercises include scripted injects and real probes or scans, which increase the realism and the training opportunities. There should be a red team that generates real events against pre-determined targets. Coordination and planning take longer, as the training also simulates business processes. This type of exercise could be considered as "walking", as there is a pre-determined course of actions. (Kick 2014, 10)

In JAMK exercises, the digital forensic and incident response exercise could be considered a variant of this MITRE hybrid exercise definition. In the DFIR exercise, the scripted events are real and conducted by red team (RT) members. The exercise itself is not live action but more of a walkthrough of the incident that occurred, and it helps in raising awareness of modern attack vectors and tactics. At the same time, the trained organization is able to understand the process of incident response and familiarize themselves with the forensic artifacts of cyber security incidents.
4.4 Full live exercise

Full live exercises are based on real events. They increase the realism and give the training audience a great opportunity to enhance their capabilities to counteract if and when real-world incidents occur. There is live red teaming ongoing, and although targets and procedures are mostly scripted, there is room for live RT actions to be taken when the opportunity opens. Full live exercises simulate similar conflicts as would occur in real-world networks. (Kick 2014, 10)

The realism in a full live exercise is the determining success factor, which raises the need for planners to understand the threats, the threat actors, their objectives, and their tactics and procedures (TTPs). (Kick 2014, 11)

Cyber exercises held by JYVSECTEC are mostly live exercise variants. They are held in realistic ready-made complex industry organizations or in fully customized and scoped customer organizations running in the Realistic Global Cyber Environment (RGCE) cyber range, which was developed with just this purpose in mind.

JAMK exercises are always held in an isolated cyber range environment; however, MITRE also points out that on some occasions cyber exercises can be held in live environments if all necessary precautions and risks are taken into account. JAMK believes that a totally isolated environment is safer, more economical and makes it possible to do injects that would not be feasible in production environments.
4.5 Exerciseteamdefinitions
Inacybersecurityexercise,thereisacommonpatternofdefiningteamsbycolour.
Themostcrucialteamsforliveexercisesarewhite,redandblue.Othercolourscan
beused;however,thesearemusthaveteams.Thebasicfunctionsforteamsareas
follows:whiteisplan/exercisecontrol,redteamisattacker/adversaryandblueisde-
fendingteam.Thegreenteamisthemostcrucialteambecausetheyareresponsible
foralltechnicalissuesandtheadministrationofcyberrangeandpossiblyfacilitate
someinjectsalsowhenredteamisunabletodosoaccordingtolimitationsininfra-
structure.
Definitionsvaryformanythingsrelatingtocyber;however,quiteoftenwhenglossa-
riesarewrittenordefinitionsforterminologyareaddressed,namelyintheNorth
AmericanliteratureadocumentnamedCSNNI4009(CommitteeonNationalSecurity
Systems2010.)bythecommitteeonNationalSecuritySystemscomesup.Another
goodsourcefordefinitionsisCRISCyberRangeLexiconVersion1.0(Damodaran
2015.).
23
Whiteteam
Quiteoftenthewhiteteamismentionedinacontextofsomesortofcompetition.
AccordingtoCommitteeonNationalSecuritySystems(2010,81),thewhiteteamis
responsibleforactingasarefereeinanengagementbetweenaredteamandablue
team.Inanexercise,thewhiteteamactsasthejudges,enforcestherulesoftheex-
ercise,observestheexercise,resolvesanyproblemsthatmayarise,handlesallre-
questsforinformationorquestions,andensuresthattheexerciserunssmoothly.
Thewhiteteamalsohastheresponsibilityforderivinglessons-learned,conducting
thepostengagementassessment,andpromulgatingresults.(CommitteeonNational
SecuritySystems2010,81)
JAMKdoesnothostcompetitionssodefinitionpartswithcompetition-specificissues
isleftoutbypurposeinJAMKJYVSECTECexercisesheldinRGCE.InJAMKJYVSECTEC
whiteteamisusedtodefinetheplanningteamandalsotheExCon(exercisecontrol)
oftheactualexercise.Also,thepostexerciseactionslikereportingarewhiteteam
responsibilities.
BettersuiteddefinitionforJAMKisfoundfromDamodaran(2015,20)wherethe
teamisadministrativemanagementandmonitoringteamwhodoesassessmentof
eventsandteams.
Red team
Red team in JAMK is a team of specialists working mainly for the JYVSECTEC business unit. The red team attacks the organizations built inside the RGCE cyber range in an exercise. Only on some rare occasions may personnel from an organization other than JAMK be a part of the red team. The emerging commercial offering to use red teaming in real-world penetration testing might give different definitions to red teaming than is described here; however, in JAMK the limitation is made to use the red team only in the RGCE.
The red team is a group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. The red team's objective is to improve enterprise Information Assurance by demonstrating the impacts of successful attacks and what works for the defenders (i.e., the blue team) in an operational environment. (Committee on National Security Systems 2010, 59)
Blue team
As this thesis focuses on the blue team, the definition of a blue team is crucial. In most exercises, the blue team is the team that actually is the training audience, and all activities focus on aiding this team to understand and learn from the cyber events. The blue team has to be able to understand what the status of their environment is, and all intrusion detection and prevention systems should be built in such a way that red team attacks can be seen and mitigated either by the team itself or with the help of the green team.
The blue team is responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers (i.e., the Red Team). Typically, the Blue Team and its supporters must defend against simulated attacks in a representative operational context with the help of a neutral group controlling the simulation or exercise (i.e., the White Team). (Committee on National Security Systems 2010, 7)
The key focus in the technical exercise part should be on defending an enterprise's use of information systems. To be able to learn as much as possible, the exercises in JYVSECTEC focus heavily on detecting, gathering, reporting and sharing actionable indicators of compromise. It is not feasible to block the IP range of a complete country, but it is feasible to figure out the actual attack vectors, what the attacker is doing, where the attacker comes from, how the attacker maneuvers inside the corporation networks and what the main goal of the attacker is.
This approach already gives some useful requirements for the blue team SA system. The team needs to know and understand the situation from multiple angles and beyond the common and traditional technical preventive system perspective to be successful in the cyber defense exercise. This understanding should be implemented in an incident handling approach in live environments as well. Often the attacker TTP is not regarded as highly important because business continuity is the main focus; however, understanding the attacker's motives and tactics might help in the long run to mitigate the risks more comprehensively, and learning this is one of the key elements in JYVSECTEC exercises.
Green team
Green team in JAMK is the team responsible for designing, building and maintaining the RGCE cyber range. This means everything from range core services to organizational networks and out-of-game infrastructures such as learning facility networks and the workstations used for connecting into the range.
The green team is a group of operators responsible for the exercise infrastructure. They configure all virtual computers, networks and complex monitoring infrastructure. The green team also monitors the health of the sandbox and fixes crashes and infrastructure issues if needed. (Celeda et al. 2015, 6)
The green team also generates some part of the injects designed by the white team and red team. The red team and green team must work closely together in a white-box manner for the environments to be exploitable in certain areas. It is not feasible or cost-effective, and it might actually be a limiting factor for the success of the exercise, if the red team does not know the infrastructure completely. The red team is not the audience being trained.
4.6 Cyber range
Range is a concept that is familiar to many organizations; however, it is associated with many different things. There is a number of cyber ranges nowadays in Europe; yet, quite often they tend to be a part of a military or other governmental security organization. Not much is public information, and reference material is quite hard to find.
MITRE states that a cyber range is a controlled electronic computing environment with systems, networks, services, and users, generally isolated from the live network. A range has a defined baseline of physical or virtual instances configured for a scenario. However, MITRE states that a range may have the drawback of creating unrealistic or artificial settings. (Kick 2014, 11)
According to a study made by the Australian Department of Defence, based on publicly available, non-classified information, there are more than 30 known cyber ranges and test beds of emulation or simulation types that could be used for cyber exercises. (Davis and Magrath 2013, 24-25)
The JYVSECTEC RGCE cyber range built in JAMK is one of the most advanced and comprehensive cyber ranges in Europe. With its realistic internet structures, realistic systems, realistic services and realistic user traffic at the core of the development work, this approach makes JAMK JYVSECTEC's cyber range unique in many ways.
Another academic cyber range example is KYPO, the Cyber Exercise & Research Platform developed and operated by CSIRT-MU, the security team of Masaryk University. KYPO aims to provide a virtualized environment for performing complex cyber-attacks against simulated critical infrastructure. (Celeda et al. 2015, 1)
4.7 Realistic Global Cyber Environment (RGCE) cyber range
The foundation for realism in the RGCE cyber range is made with functions that mimic the real-world internet structure. RGCE is a totally isolated environment controlled by JAMK staff. It features a real-world public IP structure with tier 1-3 operators and fully functional BGP routing. It also has realistic name structures and PKI infrastructures, to name a few core services. (Vatanen et al. 2017, 3)
Realistic user traffic simulation is a key element in technical cyber exercises, and for this purpose JAMK has developed a hierarchical tree-like network traffic simulation botnet. The traffic generation from this botnet can be scattered throughout the RGCE internet IP address space. With the aid of this botnet, it is possible to send numerous different types of traffic, and it is up to the botnet operator whether it is malicious or legitimate user traffic. (Kokkonen 2016, 23)
JYVSECTEC's cyber range also has many different comprehensive industry-specific organization environments representing certain fields of business, their services, and technical environments including the actual business service systems. These currently include a financial organization, an internet service provider, a road tunnel provider and an electricity company. These environments are not just ICT-specific systems but holistic environments down to physical industrial control devices. (Vatanen et al. 2017, 6)
5 Situational awareness
5.1 Theoretical background
When searching for the concept of situational awareness, one finds that perhaps the most referenced theoretical model for the fundamentals was made by Endsley in 1995. Endsley states that, based on a descriptive view of decision making, situational awareness is a predominant concern in system design. (Endsley 1995, 32)
Endsley's groundbreaking work in the situational awareness area laid the foundations by using an area where correct knowledge of the real-time situation had been used for decision making for a long time. This was aviation. Even though decisions had been made by these principles in the aviation field, it was Endsley who defined them in the academic world. (Endsley 1995, 32-33)
It was soon understood that actually all critical and real-time decision-making processes were somehow related to this situational awareness issue. This made it clear that other areas and fields of expertise adopted situational awareness into their studies.
Cyber security is not something that has been here long as a term or as a complete business. In the last few years, the whole cyber security industry, and the understanding that digitalization forces all aspects of a modern society into taking cyber security as a fundamental part, also drives the need to develop and define situational awareness in the cyber security realm.
Cyber security situational awareness involves technical and cognitive aspects that contribute to the understanding of what needs to be done in order to enhance understanding of the cyber environment. (Franke & Brynielsson 2014, 20)
5.2 Different levels of situational awareness
Endsley defines three primary level components of situational awareness (Figure 4) that have a hierarchical structure. These are defined as an individual's perception of observed elements, comprehension of the current situation and the ability to project the future status of things. (Endsley 1995, 36)
Figure 4 The levels of situational awareness (Endsley 1995, 35)
The perception of elements in the current situation at level 1 in Endsley's model simply means that an individual perceives the status, attributes and dynamics of relevant elements in order to achieve situational awareness. In cyber security, these could mean, for example, alerts in defensive systems such as firewalls or IDS/IPS systems. These types of attributes should be accurate data so that decision-making is based on facts. (Endsley 1995, 36-37)
Level 2 is the comprehension of the current situation. This is a synthesis of the elements at level 1. The elements themselves usually do not make a holistic understanding, but a collection of data helps the decision maker in forming patterns. In the cyber security context, it could mean that if a single computer is affected with malware, it could be that one person is possibly generating a risk by accident or on purpose. But if at rapid speed multiple computers start to alert on a similar issue, there might be an outbreak of malware, or some pattern matching has started to alert as a false positive. In CSIRT thinking, there is not really much difference in reaction; however, as a situational awareness issue these two are completely different scenarios driven by the level 1 elements. (Endsley 1995, 37)
The projection of future status is the ability that forms the highest level of situational awareness. It is achieved by knowledge of the status and dynamics of elements and comprehension of the situation from level 1 and level 2 situational awareness. As in a cyber incident manager role, a senior tends to figure out the urgency and criticality faster than a person just starting in this type of role. This leads into a more precise projection of future status, which is level 3 SA. (Endsley 1995, 37)
Therefore, it is quite obvious that SA is based on far more than simply perceiving information. It includes comprehending the meaning of information, comparing it to goals and providing projections into the future state of the environment. This is crucial for the decision-making process, as stated by Endsley. (Endsley 1995, 37)
By defining these three levels in a more detailed manner, as is illustrated in Figure 5, Endsley (1995, 35) demonstrates how a person's different levels of understanding the situation work as a foundation for decision making that ultimately leads to actions.
Figure 5 The framework model (Endsley 1995, 35)
Endsley's framework model shows the loop where the decisions formed by situational awareness lead into the performance of actions. In the detailed model, the decision point needs input from individual factors including such issues as objectives, expectations, long-term memory and automaticity. (Endsley 1995, 35)
One should note from the model that the actions alter the state of the environment, and by this mechanism they actually change the perception of elements, comprehension of the situation and projection of the future. This loop alters the individual situational awareness constantly. In cyber security incidents, the actions to block hostile traffic or the mitigation of a vulnerability in workstations will alter the visibility of elements in security systems that act as an input for level 1 situational awareness.
If one understands the complexity of modern corporate networks and systems, and at the same time has an understanding of the amount of data flows and network traffic that is generated even in small-scale environments, the situational awareness of the problem starts to form.
This is the reason why so many automation systems and security controls are marketed today as situational awareness tools. They actually can be understood as SA systems because they aid in perception, comprehension and projection of the future, and aid in performing actions. They, however, do this only in one or more aspects, and because of the complexity no silver bullet solutions exist. Some huge systems try to tackle this and offer an umbrella system of sorts, but because the issue is so complex, they tend to eat all possible resources and yet fall short.
In the context of a cyber security exercise, the decision-making process tends to be fast. In JAMK exercises, the perception of elements part is a well-thought-out issue, and the cyber incident can be found out from the systems. When there are plenty of actions going on, there is clearly a need for a solution that helps somehow with making a more holistic comprehension of the current situation possible.
This thesis tries to state a requirement set for such a system that could then be developed or scrapped. These types of systems are not found at the moment; however, the need is rapidly growing also outside the training context. In many de-briefings after an exercise it has been stated that it would be helpful to have such a system not only in exercises but also in security work in companies.
5.3 Situational awareness for teams
Later the types of exercises are defined; however, this thesis aims at helping a team to form situational awareness in a cyber security exercise in order to perform good actions based on decisions made with valid information.
As was shown earlier, each person forms their own situational awareness, as it is an individual process. Then it must be obvious that when gathering SA in a team, the final SA is actually a mixed combination from multiple persons.
Most often team members have their own specific sets of information sources, such as defensive systems for cyber incidents that they know better than someone else, and therefore it is common that the individual SA elements overlap. It is also a fact that a person categorizes their own issues to be more critical, because they form their individual SA based on their understanding of the situation.
Team situational awareness is shown in Figure 6. Some overlaps between each team member's SA requirements are bound to happen. This subset of information constitutes much of the team coordination. According to Endsley, this coordination may occur as verbal communication, as a duplication of information or by some other means. The overall team SA can be conceived as the degree to which all team members possess the SA for their responsibilities. (Endsley 1995, 39)
Figure 6 Team situational awareness (Endsley 1995, 39)
When thinking how crucial this situational awareness is for a team's success and learning possibilities in a cyber exercise, it is understandable what Endsley (1995, 39-40) is saying. There is evidence that a person's manner of characterizing a situation will determine the decision process for solving problems. Some other evidence states that even the way the problem is presented affects decisions. On the other hand, the relationship between SA and performance is not direct but can be predicted. In general, it is understood that with inaccurate or incomplete situational awareness, the decisions will lead into poor performance. There are studies that state, on the other hand, that if team members understand that their SA is lacking, they tend to perform better than those that think they have all the needed elements. (Endsley 1995, 39-40)
Situational awareness is a key element, and the more time-critical the problems are, the more crucial correct and well-shared information is. In cyber security incidents, the data is moving so fast that humans are unable to process it. Also, the systems are so complex that humans cannot look at all things all the time. This is why automation and situational awareness systems are needed.
5.4 Cyber security situational awareness
Even though in most cases the basic ideas for situational awareness in cyber security derive from the works of Endsley (1995), the modern implementations made for cyber security have many outcomes.
Hence, it is often said in talks that there are as many different understandings about what situational awareness means in the cyber security context as there are talkers and listeners.
Cyber security situational awareness can be taken as a subset of situational awareness. It is the part of overall situational awareness that can be gathered with technical systems and cognitive understanding from the cyber environment. (Franke & Brynielsson 2014, 26-2
There are, however, some studies made and definitions stated that may help in defining and scoping the boundaries of understanding cyber security situational awareness in a more detailed manner.
Barford et al. (2010, 3-4) have defined interesting categorization aspects that differ from the traditional Endsley model and actually make the somewhat theoretical model more defined and perhaps easier to understand in normal day-to-day actions. This categorization has seven major points:
1. Be aware of the current situation. This aspect can also be called situation perception. Situation perception includes both situation recognition and identification.
2. Be aware of the impact of the attack. This aspect can also be called impact assessment.
3. Be aware of how situations evolve. Situation tracking is a major component of this aspect.
4. Be aware of actor (adversary) behavior.
5. Be aware of why and how the current situation is caused.
6. Be aware of the quality (and trustworthiness) of the collected situation awareness information items and the knowledge-intelligence-decisions derived from these information items.
7. Assess plausible futures of the current situation.
These can be easily adopted to fit the cyber security context, and even though the fundamentals have the same ideology that Endsley's model has, the more precise mentions about the actual impact of an attack and the references made to the threat actor or adversary clearly define this categorization to be highly suitable when talking about cyber security situational awareness.
This, of course, is not the only way to define the situational awareness issue, and by looking at one other categorization that goes to an even more detailed and technical level, one starts to understand that there is clearly a need to be somewhat specific and precise in making decisions about what cyber security situational awareness means in this thesis.
One such interesting framework can be found in the NIST cyber security framework paper done by Tri-County Electric Cooperative, Inc. It studied situational awareness for critical infrastructure and key resources (CIKR), and it stated that there are five major points (NIST 2013, 2):
1. Accurate awareness of a utility's cyber security network and the CIKR that is a part of that network.
2. Complete understanding of the utility's cyber security operations and the individual CIKR that contributes to the overall process of the utility's system.
3. Proper assessment of the current operations occurring within the utility's cyber security network and the ability to assess potential breakdowns, weak areas or vulnerabilities that can be exploited to maximum effect in crippling a utility's system.
4. Monitoring of unusual events or occurrences within the cyber security network.
5. Flexibility to approach possible threats and mitigate them before they can be successful.
Based on these, it is safe to state that when thinking of the situational awareness system requirements for the blue team in cyber exercises, there is a need to address the human factor as a decision maker. On the other hand, one must try to keep in mind not only the actual awareness of what is thought to be the norm, but also to think about how to gather information about the adversaries. At the core, and as a foundation for all activities, one must also understand the core nature of cyber security events, that is, the detailed technical aspect of things.
There is plenty of talk about how cyber security is much more than just the hacker and technology issues. This is of course a fact in itself; however, it should be remembered that the very reason why cyber security is such a big thing is that detailed technical security flaws are at the heart of cyber.
The amount of data to be processed even in small systems and networks is so vast that technical solutions are also a key in solving a big part of the situational awareness dilemma, so that the non-technical decision-making process of humans is feasible.
5.5 Situational awareness information consumers and provider systems
As written in the previous paragraphs, it is clear that cyber security and its situational awareness is much more than just a technical issue, which leads straight to the conclusion that all aspects are impossible to understand deeply by single individuals. The conclusion then must be that there is a vast number of roles and responsibilities related to situational awareness decision-making. The need for information by many different persons is clear. One could argue correctly that, whether one realizes it or not, everyone related to either system management, cyber security, or operational or strategic level decision making will automatically form their own personal cyber security situational awareness understanding according to the information they see and hear. The theoretical background was explained earlier in this thesis according to the Endsley framework in chapter 5.2 and refined by the Barford and NIST definitions in chapter 5.4.
At least some of the key information consumers that have been identified by the author during a professional career of over 10 years in the systems management and cyber security field are illustrated in Figure 7.
Figure 7 Cyber Security information consumers and providers
By making this kind of visualization, it is easier to understand the core elements providing information and displaying it when defining the requirements.
One could argue correctly that because there is not one clear and precise definition and understanding about this issue, this way of thinking is just one possible outcome and does not cover all aspects.
This is understood, and this thesis only tries to cover the fundamental aspects related to cyber security exercises held at JAMK University of Applied Sciences. This, however, is not a limiting factor, and there are no reasons why this specification could not address this situational awareness system dilemma for CERTs and CSIRTs also, as a possible approach for future studies and trials.
6 Cyber security situational awareness system approaches
There are some cyber security specific situational awareness proposals found in scientific research papers. The main ideological difference between the system specified in this thesis and what can be found is that the latter are designed to tackle some technical aspects or are driven by the need to aid CERT functions.
In a cyber exercise, there are many similarities to a real organization's threat management and incident response processes, and the blue teams use these processes when taking part in exercises. However, the exercise framework sets its own needs for the situational awareness systems and makes the actual work somewhat different. In exercises, there is a need to report events to game management, which is a specific requirement for the system that this thesis is researching.
Also, information sharing to other partners might not always be a feasible task in an exercise. Often the live threat intelligence feed from the internet, outside partners or other teams might not be a part of the exercise at all. There are some exercises where information sharing is a fundamental part, and for these occasions, generic tools such as MISP (Malware Information Sharing Platform) can be implemented for this task. In CERT work this is a core requirement, but in an exercise, keeping the situational awareness of team actions and the communication to game control is much more important.
The CAIS (Cyber Attack Information System) project proposed a concept for a system architecture to be used in Austria for national cyber situational awareness. This concept is a typical example of situational awareness system development where the collaboration and threat sharing from multiple organizations to the national CERT is the driver. This type of system architecture is not suitable for exercise needs; however, it can provide useful insight into situational awareness systems and be used as requirement-giving research. (Skopik et al. 2012, 4)
Another usual research approach to situational awareness is to use automation and a technical sensor approach. This type of approach is suitable when data fusion is used. There are not many commercial systems at this time that use this approach; however, a novel architecture design for such a system was proposed by Kokkonen (2016, 298-299). That research can be thought of as baseline research for this thesis. That kind of approach could solve some aspects; however, it does not cover CERT functions or cyber exercise control functions. It was used as a requirement source.
7 Requirements for blue team SA system
When analyzing the blue team definitions, situational awareness systems and exercise types defined earlier, it is obvious that depending on the exercise type, the blue team consists of multiple types of personnel. This means that requirements for situational awareness can be found by analyzing multiple operational functions.
The main idea in a cyber exercise is to be able to learn from the injects. Learning objectives don't say that learning to use some new and novel system is the main focus in the exercise. This fact alone sets some requirements. The SA system needs to be intuitive and easy to use.
Another learning objective is to understand and find out the attacker tactics, techniques and procedures (TTP) from security controls and try to understand the whole attack scenario. Therefore, there is a fine line where too much automation starts to hinder this learning objective.
This system is aimed at helping the team form their SA about the actions in the exercise, not at doing the work for them by utilizing data fusion, robotics, automation etc. The objective is to understand what the team is doing and how they figure out what is relevant and what is not. At the same time, they actually report the team status to game management without having to think too much of reporting as a separate function.
This system will also help in analyzing after the exercise what the team did, and when and how. This helps JYVSECTEC personnel in writing better after-action reports to the exercise organizations.
7.1 Blue team SA in cyber security exercise
Because everyone in the team needs to understand the situation, and therefore form their SA, they are considered as information users. The IR (Incident Response) function is obvious; however, in most exercises, there is also operational administrator personnel who contribute to mitigation and observation functions. On some occasions, the teams might also include business manager and communication manager roles. Other roles are usually played by the white team and are not users of this blue team SA system. Those roles use the SA system from the exercise control perspective.
Regarding requirements, these roles and the supporting systems needed by them are considered as information consumers or information providers. Examining those leads to the identification of many technical systems and some obvious relations they have.
The author has formed a rough layout in Figure 8 with some of the key elements that contribute as an information source to situational awareness and should therefore be considered as sources for requirements.
Figure 8 Systems contributing information to the situational awareness.
Requirements are briefly stated in this section, and a more comprehensive table of the requirements is attached in Appendix 1. The requirements are the main results of this thesis, together with the construction proposal.
7.2 Usage requirements
The UI (User interface) requirements section covers the requirements that are not specific to any system users but are necessary when defining some general points in this system. These requirements focus on ease of use and other general aspects. The actual design and graphical aspects are not defined, because they are irrelevant at this stage and are part of the design and implementation phases.
The information that blue teams need to form in a cyber exercise can be categorized in many ways; yet, in JAMK exercises the main information classes are defined by JYVSECTEC as:
1. Observation: This is a single event about almost anything; however, the exercise audience should report mainly exercise-related shortcomings, development ideas and other feedback.
2. Issue: This is an event relating to a flaw, error or missing information about OOG (out-of-game) or IG (in-game) that is handled by the GT (green team).
3. Incident: These are reported and managed events in the game that the blue team has seen and decides to investigate further; all events should lead to actions and ultimately contain actionable data, or they are understood as observations. Cyber incidents also include in-game OSINT (Open source intelligence), HUMINT (Human Intelligence), social media etc. related incidents.
The reporting of information should be fast, quick, intuitive and easy. Most of the systems marketed as SA systems are complex, and yet they lack fundamental elements such as timeline functions, or are not intuitive and flexible in information modification.
Requirement 1.1 Multiple information types
The system shall be able to handle the different main information types needed in different exercise functions.
Requirement 1.1.1 Information type Observation
The system shall be able to handle observation type information.
Requirement 1.1.2 Information type Issue
The system shall be able to handle issue type information.
Requirement 1.1.3 Information type Incident
The system shall be able to handle incident type information.
Requirement 1.2 Simplicity of usage
The system shall be easy to use, as too complex user interfaces can push exercise participants to opt out.
Requirement 1.2.1 Information input field maximum
There should be a maximum of eight fields the user needs to input in order to push any of the information types into the SA system. This requirement is important but may change according to learnings from the design, implementation and test phases. It must be emphasized strongly that any additions above six might be counterproductive.
Requirement 1.2.2 No separate login credentials
The system shall not have separate login credentials. This is crucial because the more systems exercise participants have to sign into, the more of them are left unused.
Requirement 1.2.3 Single sign-on with exercise credentials
Login shall be automatically implemented as a single sign-on function into the SA system at the same time when an exercise participant is logging into a cyber range machine.
Requirement 1.2.4 Automated opening of the SA system
The user shall be logged in automatically into the SA system. This process will make it obvious to the exercise participants that this system is critical, and that the usage of such a system is an integral part of the exercise.
Requirement 1.2.5 Input form according to information type
The human input system shall change the information fields automatically according to the user's selection of information type.
Requirement 1.2.6 IG-OOG hybrid structure
There shall be only one interface for information input. The information can be used from the in-game or out-of-game perspective according to the information user being a part of the blue team or some other team, respectively.
Requirement 1.2.7 Limited amount of graphics
The user interfaces should not be too graphical in nature. A simple input field application with limited information is preferred. The limited graphics means that it is easily adopted and doesn't distract users from the tasks of the exercise.
Requirement 1.2.8 Dynamic view
The user shall be able to select the parts to be visible. The system users need to form individual SA, so the view into the SA system needs to be individually customizable.
Requirement 1.2.9 Automatic event change indicator
The system shall change the visual marking in the system whenever an event is changed somehow. This requirement is related to Requirement 5.2.3 Automatic relation. The user needs to see some kind of marking if automation is adding relations that the user didn't know about. This way even events marked as ready or done might actually be valuable in some later phase of the exercise as new information arises.
7.3 Blue team user requirements
The blue team can be considered as a form of CSIRT team, and therefore to have certain requirements for an SA system from this role. Requirements for CSIRT SA have to be taken into account. Not many of those can be easily adapted to suit the exercise needs, as they focus heavily on normal day-to-day CSIRT operations and often relate to bigger phenomena than a single organization. Some requirements can still be derived from material concerning CSIRT SA.
According to Ruefle (2014, 5), a CSIRT needs to understand where weaknesses occur and when malicious actors are taking advantage of these weaknesses. They also propose that any new tool for situational awareness should not only focus on current attacks but should also strive to collect lessons learned and after-the-fact analysis.
This way of reasoning is also crucial for understanding better in a JAMK cyber exercise what has happened and how to mitigate it. The main goal is to find out the root cause so that it could help in mitigating the attacks effectively. Another key point in blue team actions is to gather actionable IOCs (Indicators of Compromise) that can be delivered to other teams or to the white team.
The majority of needs are focused on the incident event class. Issues and observations are mainly such that the information is not changing during the exercise. They are snapshots in time when inputted. Incidents are, however, handled by many, and usually the information is growing and changing, and relationships to other incidents are added during investigations.
Regarding incidents, Cichonski, Millar, Grance & Scarfone (2012, 31) have identified many pieces of information that incident handlers should gather. Of these, the ones applicable to the JAMK exercise context are: status of incident, summary, indicators, related incidents.
Requirement 2.1 Title of incident
Users of the system shall be able to assign a free text format title to an incident so that it is easily identifiable. This should not be too long, as there is a description field for the actual information.
Requirement 2.1.1 Search of incident
Users shall be able to search for existing incidents directly from the title field. This is to help avoid generating multiple inputs from the same incident.
Requirement 2.2 Criticality level of incident
Users of the system shall be able to assign a criticality value to an incident.
Requirement 2.2.1 Textual level of incident
Users of the system shall be able to assign a textual value to an incident. If a team is using written criticality values, they can do so.
Requirement 2.2.2 Numerical level of incident
Users of the system shall be able to assign a numerical value to an incident. If a team is using numbers for criticality, they can do so.
Requirement 2.2.3 Change the criticality level of incident
Users of the system shall be able to change the criticality of an incident according to their needs. Incidents change their criticality when they are investigated.
Requirement 2.3 Assignment of incident
Users shall be able to assign individuals to be responsible for handling incidents in the team.
Requirement 2.3.1 Change assignment
Users shall be able to change the assignment of an incident according to their needs. Many individuals might take part in handling incidents.
Requirement 2.4 State of the incident
Users shall be able to assign a state to incidents. The team uses this to monitor what the status of an incident is. States vary according to the definitions used by the team, but often they could be something like opened, processed, closed, reopened.
Requirement 2.4.1 Change the state of the incident
Users shall be able to change the state of incidents.
Requirement 2.5 Incident description input
Users shall be able to use a free text field in describing what they are doing. It could be information they have monitored or something they found in the investigation.
Requirement 2.6 Actionable data input
Users shall be able to use a free text field in describing what they define as actionable data. These can be IOCs, notions of attackers or other information that users of the system think are relevant to other teams or to the white team.
Requirement 2.7 Tagging of events
Users shall be able to assign free text tags to events.
Requirement 2.8 Relationship of events
Users shall be able to assign relationships to events if they know any.
Requirement 2.9 Timeline of events
Users shall be able to see events of interest in a graphical timeline.
Requirement 2.9.1 Selection of events to timeline
Users shall be able to filter and select events and modification points of events as they wish in the timeline. A user could want to see a single event and its modifications, or maybe all events with the same tag or IOC information.
Requirement 2.9.2 Information input from timeline
Users shall be able to alter the information directly from the timeline. This is to make sure that dynamic handling of the events is implemented and there is no need to go into the input system to search and change things. Information should be automatically visible in other users' timelines if their display parameters are set to find it.
Requirement 2.9.3 Dynamic timeline
The timeline should be dynamic, and the presented information should change automatically when alterations to display parameters are issued by the user.
Requirement 2.9.4 Individual timeline
Timelines should be individual, as each person has their own needs for information to form individual SA. If a person changes display parameters, it affects the personal timeline only.
Requirement 2.9.5 Shareable timeline
Timelines should be shareable, as persons might want to share their views of the data in order to form similar SA from the information selected.
Requirement 2.10 Event pane
Events shall be presented in an event pane, as persons might be accustomed to seeing data in traditional formats.
Requirement 2.10.1 Searchable event pane
Events should be freely searchable by regular expressions or free text.
Requirement2.10.2Selectableeventpane
Eventsshouldbefreelyselectablebyfieldsvisibleinpane.
Requirement2.11Eventdashboard
Eventsshallbepresentedinselectabledashboardviewsaspersonsmightbeaccus-
tomedtoseeingdataintraditionalformats.Nottoomanyvisualizationsshouldbe
madeinordertokeepsystemassimpleasfeasible.
51
Requirement2.11.1Pie-chartdashboard
Eventpaneinformationshouldbeviewableinpie-chartformat.
Requirement2.11.2Key-valuepairchart
Selectedeventpaneinformationshouldbeviewableinkey-valuepairchart.
Withthehelpoftheserequirementsblueteamshouldbeabletodothefundamen-
taltasksneededinmanagingthecoreexerciseevents.Thissystemhelpstovisualize
theinformationteamhasdecidedtohandle.
7.4 White team requirements

These requirements are specific to white teams: they need to understand what the blue team(s) is/are reporting, mitigating and putting resources to. This information is critical in order to make sure that the planned and delivered injects generate the desired effects so that the exercise needs are met. (Damodaran 2015, 20)

In the exercise context, as blue teams are using the SA system, they also report their findings automatically to the white team. Reporting IOCs, actions taken and the root cause analysis by blue teams not only ensures that learning objectives are met but also makes game management easier and makes sure that time is not wasted on issues that are unrelated to the exercise.

This blue team situational awareness system, therefore, also functions as one of the exercise control means and in that way contributes to the white team personnel's situational awareness about the exercise itself.

The white team is only observing and using the system as an information consumer, so there are not many white team specific requirements that would differ from the blue team requirements. Some requirements, however, are vital to the white team as it has profound needs to gather information from multiple blue teams.

Requirement 3.1 Visualize multiple blue team information
The system shall be able to visualize multiple blue teams' information in single views.

Requirement 3.2 Multiple team selection
The white team shall be able to select information from multiple blue teams. This selection is limited only to the white team as blue teams shall not see each other's information.

Requirement 3.2.1 Team selection in pane
The white team shall have additional team information in the event pane.

Requirement 3.2.2 Team selection in dashboards
The white team shall have additional team information selection in dashboards.

Requirement 3.2.3 Team selection in timeline
The white team shall have additional team information selection in the timeline.
7.5 Interconnectivity requirements

This requirement section covers the requirements coming from other technical systems that are connected to the SA system. There is a vast number of SA related information systems that can be implemented as source feeds into this blue team system.

Cyber environments evolve and change rapidly. It should be evident that the business model and area of business also affect the cyber environment's needs. These needs affect the security approach and ultimately the security measures and processes implemented. There are a number of differences in the systems providing security if one compares the needs of a road tunnel operator to the needs of a cloud service provider.

Keeping in mind the complexity of the cyber environments implemented, the differences in data coming from security systems and the plan-based design method, it is obvious that flexibility and adaptability in interconnectivity to this blue team SA system is a must. There are no clear definitions of which application programming interfaces (APIs) are ultimately needed, so this has to be done in the design and implementation phase, but it is obvious that no single technology exists.

Requirement 4.1 Multiple API support
The system shall accept different methods of connection to other computer systems and services. A generic approach and flexibility in interconnection is preferred. Still, some methods that can be considered de facto can be stated here. With this requirement, we tackle most of the possible interconnection needs.

Requirement 4.1.1 REST API support
The system should implement the representational state transfer (REST) method for interconnection.

Requirement 4.1.2 SOAP API support
The system should implement the simple object access protocol (SOAP) method for interconnection.

Requirement 4.1.3 JavaScript API support
The system should implement a JavaScript method for interconnection.

Requirement 4.2 Database connectivity
The system should be able to allow connections to an information database. Methods depend on the type of database that is selected in the design and implementation phase, so no strict definition about technology can be made.

Requirement 4.3 XMPP message support
The system should have an integration possibility to chat software using the XMPP protocol. In exercises, chat type software is often the preferred communication method. It is maybe slightly outside the scope of this thesis, but there should be automated message push according to keywords or tags that are sent into the SA system.
7.6 Data processing requirements

The amount of information that is gathered, reported and processed in cyber security exercises by the blue team is vast but can't be considered a big data or data fusion issue. There are needs to aggregate, normalize and process the data so that it many different information types, but because the ultimate goal for the SA system is to form situational awareness about the exercise and events in this context and at the same time help in controlling the exercise, a lot of information is human inputted and human edited.

This means that straight error feeds into the SA system are not the preferred approach. The actual data fusion of, for example, network traffic should be done in some other system. If such a system is monitoring for anomalies or for known threats by IOCs, there should be alerts. The findings of such a system should then be implemented into this SA system as an input event.

The same logic applies to log file systems, SIEM systems, IDS/IPS, FW and other systems that are meant to be used by operators in order to understand the situation deeper from certain technological

Requirement 5.1 Database implementation
It has been discussed internally in JYVSECTEC that the approach to this system, and also to other systems used in exercise control, shall use a database approach. Other alternatives like wiki systems to store information have been discussed, but because other development projects are designed with databases, it has been selected.

Requirement 5.2 Automated data aggregation
The system shall have data aggregation functionalities. As Requirement 1.2 Simplicity of usage and Requirement 1.2.1 Information input field maximum limit the amount of information a user has to input, there is a need to add data to the events generated. This also applies to the interconnection requirements when information is inputted via machine interfaces.

Requirement 5.2.1 Automatic user or system information
The system shall automatically add the information about who or what system inputted the information so that it will be presented in the SA information.

Requirement 5.2.2 Automatic timestamping
The system shall automatically mark timestamps on all actions made to information, but only the latest modification timestamp should be changed. All other timestamps are stored relating to the action done so that when reporting there will automatically be a timeline of the actions done.

Requirement 5.2.3 Automatic relationships
The system shall automatically make a relationship to information existing in the SA system database. For example, previous IOCs are linked if a new event is generated having the same actionable data. This requirement has a relation to Requirement 1.2.9 Automatic event change indicator.
8 System construction

As has been explained in earlier chapters, there are huge amounts of information sources and information users. Also, as was stated earlier in this thesis, situational awareness is always individual and should lead to actions via decision making. As there are no solutions on the market that address cyber situational awareness and exercise control in the manner described earlier in this thesis, a solution should be developed.

In the context of blue team situational awareness in a cyber exercise, there is a fundamental need for a new construction proposal for an SA system that not only helps in understanding how the blue team forms their SA but also helps game control in delivering an exercise that fulfills the learning objectives set.

The main reason for the lack of this kind of novel system emerges from the fact that not many organizations are in the cyber security exercise business. Also, quite often the exercises are either tabletop exercises or some form of competitions that focus on technical things.

JAMK cyber exercises are often technical-operational by nature, and the focus is on helping teams to form a unified situational awareness so that all participants have the possibility to learn and build their individual understanding about cyber security incidents and how to handle them.

The proposed system construction in Figure 9 derives from these key points and shows that a collective SA system construction can be formed, and that existing cyber security solutions cover only certain technical aspects.

Figure 9 Proposed blue team situation awareness system construction
8.1 User interface

In Figure 9 the user interface part is illustrated as a single software component where the visualization of information and the input modules are visible to the users.

There is a clear difference between the user interface for blue team members and for white team members. Because white team members are only using the system in order to understand the situation in the teams, the input mechanism is taken out to make sure that no white team members are involved in the exercise as contributors to the situational awareness of the blue team.

One should also realize that white team – blue team members only see the situation in the team related to them, but the game master has access to all teams. This is to illustrate that there can be such a selection if it is needed.

From the blue team perspective, team 1 only has access to team 1 information and team 2 only has access to team 2 information. This is to make sure that teams are not constructing their SA relying on actions taken and reported by other teams. The objective is to learn and form team specific understanding.

8.2 Data input and select

This construction does not dictate the design of the software at the functional block level, but it is obvious that the mechanism for inputting information differs heavily from data select.

Input is a one-way operation to the system and handles writing new events via the event input module.

Data select is a two-way communication module. This means that the select module handles the information requests and modifications done via the visualization module, dashboard or the pane.

8.3 Data API

The Data API module is used when information is inputted into the SA system from outside sources. These modules handle most of the interconnection requirements. The application modules are considered one-way so that the SA system does not push new configurations to the data source systems. The exercise members in blue teams have to do those tasks directly on the security and control systems according to the SA, and this leads to the loop of gaining better SA via the system, as has been presented earlier according to situational awareness theory.

8.4 Data aggregation

The data aggregation module is the module that adds information to events and makes the relations. This means that data aggregation fundamentally has a lot of automated tasks such as analyzing input and making database requests according to the information.

Data aggregation needs to be robust, and there is a need to focus heavily on the design of this component. If this component is not working properly, the information presented to the UI lacks vital pieces of information that are needed in forming accurate SA.

8.5 Database

The database module consists of database information only for specific teams and of information presented to all teams. This separation is needed to make sure that a team doesn't see other teams' information but has access to the general information feed that is needed in forming coherent SA.

An example of such a general system could be the malware information sharing platform (MISP) that is used by teams and where the inputted threat intelligence will be shared between teams according to the sharing rules they set.
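The event store below is an added example, not the thesis' own code nor a JYVSECTEC implementation. It puts together the data processing requirements of section 7.6 (5.2.1 automatic user or system information, 5.2.2 automatic timestamping with a kept history of actions, 5.2.3 automatic relationships through shared actionable data) with the team separation of sections 8.1 and 8.5, so that a blue team selects only its own events plus the general feed while the white team can select across teams. Class and field names, the role model and the sample events (including the TEST-NET-2 address) are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Action:  # one recorded action on an event, kept as its audit trail (requirement 5.2.2)
    kind: str      # "create" or "modify"
    actor: str     # user or source system that made the change (requirement 5.2.1)
    at: datetime
    changes: dict


@dataclass
class Event:
    event_id: int
    team: str | None      # None = general feed visible to every team (section 8.5)
    kind: str             # observation, issue or incident (requirements 1.1.x)
    title: str
    actor: str            # who or what system created the event (requirement 5.2.1)
    created: datetime
    modified: datetime    # the only timestamp that changes on edit (requirement 5.2.2)
    state: str = "opened"
    criticality: str | int | None = None                 # textual or numerical (2.2.x)
    assignee: str | None = None
    actionable: set[str] = field(default_factory=set)    # IOCs and similar (requirement 2.6)
    tags: set[str] = field(default_factory=set)          # requirement 2.7
    related: set[int] = field(default_factory=set)       # requirements 2.8 and 5.2.3
    history: list[Action] = field(default_factory=list)


def visible_to(ev: Event, team: str | None) -> bool:
    """Blue team separation (section 8.1): own team's events plus the general feed."""
    return ev.team is None or ev.team == team


class EventStore:
    """In-memory stand-in for the database module; the clock is injectable for testing."""
    def __init__(self, clock=None):
        self._events: dict[int, Event] = {}
        self._next_id = 1
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def input_event(self, actor: str, team: str | None, kind: str, title: str, **fields) -> Event:
        """Event input module (section 8.2): the user supplies few fields, the rest is aggregated."""
        now = self._clock()
        ev = Event(self._next_id, team, kind, title, actor, now, now, **fields)
        self._next_id += 1
        ev.history.append(Action("create", actor, now, dict(fields)))
        self._link_by_actionable(ev)
        self._events[ev.event_id] = ev
        return ev

    def modify_event(self, actor: str, event_id: int, **changes) -> Event:
        """Edit via the select module: 'created' is kept, 'modified' is bumped, the action logged."""
        ev = self._events[event_id]
        now = self._clock()
        for name, value in changes.items():
            setattr(ev, name, value)
        ev.modified = now
        ev.history.append(Action("modify", actor, now, dict(changes)))
        if "actionable" in changes:
            self._link_by_actionable(ev)
        return ev

    def _link_by_actionable(self, ev: Event) -> None:
        """Requirement 5.2.3: link events sharing actionable data, only in directions each team may see."""
        for other in self._events.values():
            if other.event_id == ev.event_id or not (ev.actionable & other.actionable):
                continue
            if visible_to(other, ev.team):
                ev.related.add(other.event_id)
            if visible_to(ev, other.team):
                other.related.add(ev.event_id)

    def select(self, role: str, team: str | None = None, teams=None) -> list[Event]:
        """Data select (section 8.2): blue gets own team plus general feed; white may pick teams (3.2)."""
        if role == "white":
            return [e for e in self._events.values()
                    if e.team is None or not teams or e.team in teams]
        return [e for e in self._events.values() if visible_to(e, team)]

    def timeline(self, role: str, team=None, teams=None, tag=None, ioc=None) -> list[tuple]:
        """Requirement 2.9.1: time-ordered actions on the visible events, filtered by tag or IOC."""
        rows = []
        for e in self.select(role, team, teams):
            if (tag and tag not in e.tags) or (ioc and ioc not in e.actionable):
                continue
            rows.extend((a.at, e.event_id, a.kind, a.actor, a.changes) for a in e.history)
        return sorted(rows, key=lambda r: r[0])


def demo() -> EventStore:
    """Constructed sample data: two blue teams and the general feed share one IOC."""
    ticks = iter(range(1, 60))
    store = EventStore(lambda: datetime(2017, 12, 2, 9, next(ticks), tzinfo=timezone.utc))
    ioc = "198.51.100.23"  # documentation address (TEST-NET-2), not a real indicator
    store.input_event("misp-feed", None, "observation", "Shared C2 indicator", actionable={ioc})
    store.input_event("blue1-alice", "blue1", "incident", "Beaconing workstation", criticality="high",
                      actionable={ioc}, tags={"c2"})
    store.input_event("blue2-bob", "blue2", "incident", "Outbound to bad host", criticality=3, actionable={ioc})
    store.modify_event("blue1-alice", 2, state="processed", assignee="blue1-carol")
    return store
```

Running demo() shows that both blue team incidents get linked to the general feed event but never to each other, and that a blue team member asking for another team's events still receives only their own.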
9 Research results

This thesis was assigned because in the JYVSECTEC CENTER (JYVSECTEC 2017) project the need for research and development in the area of situational awareness was identified as a project result. The scope of the thesis was further limited specifically to finding requirements for a blue team situational awareness system in a cyber security exercise.

The initial result of the thesis is the study of cyber situational awareness system approaches. The realization that there is no theoretical research done on team situational awareness in cyber exercises is a result in itself and makes it obvious that there are still a lot more future research objectives to be found.

Research in the situational awareness field is mostly focusing on either the technical information handling dilemma or on situational awareness for CERT and CSIRT teams at the national level. In the field of cyber security exercises research exists, but the material mainly covers how to instrument and conduct such an exercise and not how the individuals or organizations function in an exercise.

The main result of this thesis is the identified generic requirements presented in chapter 7. The requirements in this thesis fulfill the assignment, cover the needed basic functions for the first design and development iteration and provide as such a solid starting point for a demonstration system software project for a blue team SA system.

There is a total of 56 individual generic requirements listed in this thesis. The requirements are listed under five different generic sections in order to help understand the relevance of each requirement to the system.

Usage requirements cover generic requirements for the user interface and data input. The blue team section covers the requirements the blue team has so that they are able to utilize the information according to their needs. White team requirements cover the differences from blue team users. Interconnectivity covers the requirements when other systems are connected to the SA system. Data processing requirements cover the data storage and data processing areas of the SA system.

The main function of the situational awareness system is that the blue team members are able to form individual situational awareness and at the same time form team situational awareness about the events they have reacted to in the cyber exercise. Additionally, from the user point of view the system shall be simple to use and at the same time automatically handle the reporting function to exercise management so that the need for any additional system is eliminated.

The novel construction according to the requirements is another major result. This novel design concept framework for a blue team situational awareness system is presented and explained in chapter 8.

The system construction section is divided into 5 areas. First the user interface portion and then the data input and select section to make user actions functional. The Data API facilitates the possible interconnection of other information sources to the SA system. Data aggregation has a lot of the vital functions for how the system actually operates and is a critical component in the proposed construction model. The last part is the database, which is the information storage for this blue team SA system.

These results fulfill the assignment of the thesis and the objectives are met. Because there is no research done specific to the blue team SA problematics presented in this thesis, it is quite obvious that the requirement list is not complete. There is not enough actual information or references available to form a holistic requirement set. It is probable that some requirements will be altered, new requirements added or existing ones removed in the design and development phase. This is totally acceptable as this thesis is presenting a first of a kind construction proposal.
10 Conclusions

The selected constructive research method was used throughout the thesis process. The initial reasoning was that because this method is well suited to applied sciences and the objective of the thesis was to construct a requirement specification, it is well suited for this task. The aim for a novel construction was kept in mind throughout the whole thesis process.

After starting the thesis, the first stage was to gather reference material. By examining the materials from the situational awareness and cyber security exercise fields it became quite obvious that at the moment there is research done for those fields. But at the same time there is only limited material that is specifically addressing the blue team needs and none that combines these.

Choosing the constructive research method meant that all aspects of the research method could not be fulfilled in this thesis. Constructive research by definition should have a practical function in the researched field of expertise, but limiting the thesis to requirements meant that there will be no actual functioning solution to be tested.

This limitation was accepted as an understandable flaw when the decision for a research method was made by the author. Other methods were examined, but the constructive method suited well as the requirements and the construction itself were formed during the thesis work as an iterative process.

The problem with a functioning solution is that the iterative process drives into building on top of the knowledge and understanding. This can lead to a lack of objectivity, and it must be said that the author also had difficulties in critical thinking about the requirements and construction. It is really easy to just think that you understand the problem from many aspects and be unable to form critical challenges to self.

The assignment of the thesis was to find and generate requirements for a blue team situational awareness system. The requirements are found and listed with definitions, which means that this thesis can be used as a baseline document for the design and implementation phase in a software project aimed at producing a functional situational awareness system.

This thesis offers new information to situational awareness research in the cyber exercise context and provides the needed requirements to the organization, which were the objectives of this work. JYVSECTEC project goals for researching situational awareness are also enhanced by this work, and if a decision is made to develop the proposed system, the participants in future exercises will have a much better way of understanding the situation and the actions they experience.

The research presented here also opens future research possibilities to the assignee organization and highlights the fact that even though there is a lot of research done in the cyber exercise area and in the situational awareness area, there are many aspects that are not studied at the moment.

Too much of the individual and organizational situational awareness learning process is left out of research topics at the moment, and most of the cyber security situational awareness issues are considered to be only technical data processing problems.

A lot of issues in situational awareness can of course be sorted out, for example, by automation, data fusion and anomaly detection. These technical and mathematical approaches are vital in enhancing the big data problematics of cyber. But as this thesis shows, it is ultimately the human whose situational awareness is the key in learning situations. This aspect needs a lot more research.

Making a system which helps in building a timeline-based learning diary of sorts would help the human to reflect on his or her actions and learn from them. At the same time, sharing this information with exercise control will make sure that the learning objectives can be fulfilled properly.

This thesis also benefitted the author personally in many ways. The assigned topic is interesting and valid to the author's daily job in JYVSECTEC. At the beginning, there was a false pretense from the author that a lot of the needed knowledge had already been gathered during many years of working in the cyber security business and attending numerous cyber exercises. The further the thesis work advanced, the more there were aspects that started to interest more, and at the same time it became obvious that there are still a lot of aspects that the author is looking forward to studying more.
References

Barford, P. et al. 2010. Cyber SA: Situational Awareness for Cyber Defense. Advances in Information Security, Volume 46, 3-14.

Bourque, P., Fairley, R. E. 2014. Guide to the Software Engineering Body of Knowledge, Version 3.0. IEEE Computer Society. Retrieved from https://www.swebok.org

Celeda, P. et al. 2015. KYPO – A Platform for Cyber Defence Exercises. NATO Science and Technology Organization. Accessed on 10 June 2017. Retrieved from https://is.muni.cz/repo/1319597/kypo-paper-msg-133.pdf

Cichonski, P., Millar, T., Grance, T., Scarfone, K. 2012. Computer Security Incident Handling Guide. National Institute of Standards and Technology (NIST) Special Publication 800-61. Accessed on 14 October 2017. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Committee on National Security Systems. 2010. CNSS Instruction no. 4009. Accessed on 21 October 2017. Retrieved from Homeland Security Digital Library https://www.hsdl.org/?view&did=7447

Damodaran, S., Smith, K. 2015. CRIS Cyber Range Lexicon Version 1.0. Accessed on 18 November 2017. Retrieved from https://www.researchgate.net/publication/316322192_CRIS_Cyber_Range_Lexicon_Version_10

Davis, J., Magrath, S. 2013. A Survey of Cyber Ranges and Testbeds. Defence Science and Technology Organisation Edinburgh (Australia) Cyber and Electronic Warfare Div. Accessed on 14 October 2017. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA594524

Endsley, M. R. 1995. Toward a Theory of Situation Awareness in Dynamic Systems. Human Factors Journal 37(1), 32-64.

Franke, U., Brynielsson, J. 2014. Cyber situational awareness – A systematic review of the literature. Computers & Security, Volume 46, 18-31.

Gordana, D. C. 1970. Constructive Research and Info-Computational Knowledge Generation. Accessed on 9 April 2017. Retrieved from http://www.researchgate.net/publication/225481001

JYVSECTEC. 2017. Website for JYVSECTEC Center project. Accessed on 24 November 2017. https://jyvsectec.fi/fi/hankkeet/jyvsectec-center/

Kasanen, E., Lukka, K., Siitonen, A. 1993. The constructive approach in management accounting research. Journal of Management Accounting Research, 241–264.

Kick, J. 2014. Cyber Exercise Playbook. The MITRE Corporation. Accessed on 11 March 2017. Retrieved from https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf

Kokkonen, T. 2016a. Dissertation: Anomaly-Based Online Intrusion Detection System as a Sensor for Cyber Security Situational Awareness System. University of Jyväskylä, Faculty of Information Technology.

Kokkonen, T. 2016b. Architecture for the cyber security situational awareness system. Lecture Notes in Computer Science, vol. 9870, 294-302.

Kosola, J. 2013. Vaatimustenhallinnan opas. Maanpuolustuskorkeakoulu, Sotatekniikan laitos. Julkaisusarja 5 no 12.

Lázaro, M., Marcos, E. 2005. Research in Software Engineering: Paradigms and methods. Accessed on 9 April 2017. Retrieved from https://www.researchgate.net/publication/220921116

Lehtiranta, L., Junnonen, J-M., Kärnä, S., Pekuri, L. 2015. The Constructive Research Approach: Problem Solving for Complex Projects. Chapter 8 of Pasian, B. (ed.), Designs, Methods and Practices for Research of Project Management. Accessed on 9 April 2017. Retrieved from http://www.gpmfirst.com/books/designs-methods-and-practices-research-project-management/constructive-research-approach

National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Publication. 2013. Accessed on 22 April 2017. Retrieved from http://csrc.nist.gov/cyberframework/rfi_comments/tri-county_electric_cooperative_part2_032613.pdf

Ruefle, R., Murray, M. 2014. CSIRT Requirements for Situational Awareness. Carnegie Mellon University Software Engineering Institute. Accessed on 11 October 2017. Retrieved from http://www.dtic.mil/get-tr-doc/pdf?AD=ADA596848

Secretariat of the Security Committee. 2013. Finland's Cyber security strategy and the background dossier. Accessed on 10 January 2017. Retrieved from http://www.defmin.fi/files/2378/Finland_s_Cyber_Security_Strategy.pdf

Skopik, F., Bleier, T., Fiedler, R. 2012. Information Management and Sharing for National Cyber Situational Awareness.

Sommerville, I. 2011. Software Engineering, 9th ed. Addison-Wesley.

Vatanen, M. et al. 2017. JYVSECTEC CYBER RANGE, RGCE and solutions. Accessed on 5 February 2017. Retrieved from http://jyvsectec.fi/wp-content/uploads/2017/02/JYVSECTEC-cyber-range.pdf
Appendices

Appendix 1. Table of requirements

Table 2 Requirements for a SA System

ID | Name | Description | Importance | Action | Type of Action | Relation

Usage requirements
1.1 | Multiple information types | System shall be able to handle different main information types needed in different exercise functions. | Mandatory | general | |
1.1.1 | Information type Observation | System shall be able to handle observation type of information. | Mandatory | input | textual |
1.1.2 | Information type Issue | System shall be able to handle issue type of information. | Mandatory | input | textual |
1.1.3 | Information type Incident | System shall be able to handle incident type of information. | Mandatory | input | textual |
1.2 | Simplicity of usage | System shall be easy to use as too complex user interfaces can push exercise participants to opt out. | Mandatory | general | | 5.2 Automated data aggregation
1.2.1 | Information input field maximum | There should be a maximum of eight fields the user needs to input in order to push any of the information types into SA system. | Important | general | | 5.2 Automated data aggregation
1.2.2 | No separate login credentials | System shall not have separate login credentials. This is crucial because the more systems exercise participants have to sign into, the more of them are left unused. | Mandatory | general | automatic |
1.2.3 | Single sign-on with exercise credentials | Login shall be automatically implemented as single sign-on function into SA at the same time when an exercise participant is logging into a cyber range machine. | Mandatory | general | automatic |
1.2.4 | Automated opening of the SA system | The user shall login automatically into SA system. | Mandatory | general | automatic |
1.2.5 | Input form according to information type | Human input system shall change the information fields automatically according to user selection of information type. | Mandatory | visual | automatic |
1.2.6 | IG-OOG hybrid structure | There shall be only one interface for information input. The information can be used from in-game or out-of-game perspectives. | Mandatory | general | |
1.2.7 | Limited amount of graphics | The user interfaces should not be too graphical in nature. The simple input field application with limited information is preferred. | Important | visual | |
1.2.8 | Dynamic view | The user shall be able to select the parts to be visible. The system users need to form individual SA so the view into SA system needs to be individually customizable. | Mandatory | visual | automatic |
1.2.9 | Automatic event change indicator | The system shall change the visual marking in system when event is changed somehow. | Mandatory | visual | automatic | 5.2.3 Automatic relation

Blue team user requirements
2.1 | Title of incident | Users of the system shall be able to assign free text format title to incident so that it is easily identifiable. | Mandatory | input | textual |
2.1.1 | Search of incident | Users shall be able to search for existing incidents directly from the title field. | Mandatory | input | textual or numerical |
2.2 | Criticality level of incident | Users of the system shall be able to assign criticality value to incident. | Mandatory | input | textual or numerical |
2.2.1 | Textual level of incident | Users of the system shall be able to assign textual value to incident. If a team is using written criticality values they can do so. | Mandatory | input | textual |
2.2.2 | Numerical level of incident | Users of the system shall be able to assign numerical value to incident. If a team is using numbers for criticality they can do so. | Mandatory | input | numerical |
2.2.3 | Change the criticality level of incident | Users of the system shall be able to change the criticality of incident according to their needs. Incidents change their criticality when they are investigated. | Mandatory | input | textual or numerical |
2.3 | Assignment of incident | Users shall be able to assign individuals to be responsible in handling incidents in team. | Mandatory | input | textual |
2.3.1 | Change assignment | Users shall be able to change assignment of incident according to their needs. Many individuals might take part in handling incidents. | Mandatory | input | textual |
2.4 | State of the incident | Users shall be able to assign state to incidents. | Mandatory | input | textual |
2.4.1 | Change the state of the incident | Users shall be able to change state of incidents. | Mandatory | input | textual |
2.5 | Incident description input | Users shall be able to use free text field in describing what they are doing. | Mandatory | input | textual |
2.6 | Actionable data input | Users shall be able to use free text field in describing what they define as actionable data. | Mandatory | input | textual or numerical |
2.7 | Tagging of events | Users shall be able to assign free text tags to events. | Mandatory | input | textual or numerical |
2.8 | Relationship of events | Users shall be able to assign relationships to events if they know any. | Mandatory | input | textual |
2.9 | Timeline of events | Users shall be able to see events of interest in a graphical timeline. | Mandatory | visual | |
2.9.1 | Selection of events to timeline | Users shall be able to filter and select events and modification points to events as they wish in timeline. | Mandatory | visual | |
2.9.2 | Information input from timeline | Users shall be able to alter the information directly from timeline. | Mandatory | input | textual or numerical |
2.9.3 | Dynamic timeline | Timeline should be dynamic and presented information should change automatically when alterations to display parameters are issued by the user. | Important | visual | automatic |
2.9.4 | Individual timeline | Timelines should be individual as each person has their own needs for information to form individual SA. If person changes display parameters it affects to personal timeline only. | Important | visual | automatic |
2.9.5 | Shareable timeline | Timelines should be shareable as persons might want to share their views to a data in order to form similar SA from information selected. | Important | visual | automatic |
2.10 | Event pane | Events shall be presented in an event pane as persons might be accustomed to seeing data in traditional formats. | Mandatory | visual | automatic |
2.10.1 | Searchable event pane | Events should be freely searchable by regular expressions or free text. | Important | input | textual or numerical |
2.10.2 | Selectable event pane | Events should be freely selectable by fields visible in pane. | Important | visual | automatic |
2.11 | Event dashboard | Events shall be presented in selectable dashboard views as persons might be accustomed to seeing data in traditional formats. | Mandatory | visual | automatic |
2.11.1 | Pie-chart dashboard | Event pane information should be viewable in pie-chart format. | Important | visual | automatic |
2.11.2 | Key-value pair chart | Selected event pane information should be viewable in key-value pair chart. | Important | visual | automatic |

White team user requirements
3.1 | Visualize multiple blue team information | System shall be able to visualize multiple blue teams' information in single views. | Mandatory | visual | automatic |
3.2 | Multiple team selection | White team shall be able to select information from multiple blue teams. | Mandatory | input | textual |
3.2.1 | Team selection in pane | White team shall have additional team information in event pane. | Mandatory | input | textual |
3.2.2 | Team selection in dashboards | White team shall have additional team information selection in dashboards. | Mandatory | input | textual |
3.2.3 | Team selection in timeline | White team shall have additional team information selection in timeline. | Mandatory | input | textual |

Interconnectivity requirements
4.1 | Multiple API support | System shall accept different methods in connection to other computer systems and services. | Mandatory | general | automatic |
4.1.1 | REST API support | System should implement representational state transfer (REST) method for interconnection. | Important | general | automatic |
4.1.2 | SOAP API support | System should implement simple object access protocol (SOAP) method for interconnection. | Important | general | automatic |
4.1.3 | JavaScript API support | System should implement JavaScript method for interconnection. | Important | general | automatic |
4.2 | Database connectivity | System should be able to allow connections to information database. | Important | general | automatic |
4.3 | XMPP message | System should have integration possibility to chat software XMPP protocol. In exercises chat type of software is often preferred communication method. | Important | general | automatic |

Data processing requirements
5.1 | Database implementation | It has been discussed internally in JYVSECTEC that the approach into this system and also to other systems used in exercise control shall use database approach. | Mandatory | general | automatic |
5.2 | Automated data aggregation | System shall have data aggregation functionalities. | Mandatory | general | automatic | 1.2 Simplicity of usage, 1.2.1 Information input field maximum
5.2.1 | Automatic user or system information | System shall automatically add the information about who or what system inputted information so that it will be presented in the SA information. | Mandatory | general | automatic |
5.2.2 | Automatic timestamping | System shall automatically mark timestamps to all actions made into information but only latest modification timestamp should be changed. | Mandatory | general | automatic |
5.2.3 | Automatic relationships | System shall automatically make a relationship to information existing in the SA system database. | Mandatory | general | automatic | 1.2.9 Automatic event change indicator