EVE and ADAM: Situation Awareness Tools for NATO CCDCOE Cyber Exercises

We present a new situation awareness visualisation tool, the Events Visualisation Environment (EVE), and its internal events aggregator module, the Advanced Data Aggregation Module (ADAM), which have been successfully used during the most recent cyber exercises (i.e., Locked Shields and Crossed Swords) organised by the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE). The functional requirements for EVE and ADAM were based on the unique cyber exercise needs for analysis and game development, and were finalised after we had completed a state-of-the-art review to look for suitable tools that could meet our requirements. The main purpose of EVE is to visualise security alerts on any given network map. ADAM, the supporting events aggregation module, processes, combines and filters incoming notifications from various types of sensors, and makes them ready to be visualised by EVE. EVE offers an intuitive and real-time visualisation that is easily understandable at first glance by both technical and non-technical staff. It also allows for recording and playback, and considers attack types, game phases, attack sources, and targets. The information required by EVE is obtained from different sensors operating on the network. EVE allows for a very simplified communication channel with them, based on JSON formatted messages sent over an HTTP POST request. The sensors used during the cyber exercises to test the tools are also described here. The tools have provided an enhanced situation awareness experience over previous cyber exercises organised by NATO CCDCOE, and can be used in other exercises or, more generally, in real-life, production-ready environments. EVE (with ADAM included) is published as an open source tool, which is freely available on the GitHub page of the NATO CCDCOE.
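The abstract describes ADAM as the module that receives sensor notifications as JSON over HTTP POST, then processes, combines and filters them before EVE visualises them by attack type, game phase, source and target. The following is an added illustration of that pipeline, not code from EVE/ADAM or the NATO CCDCOE repository: the field names (`sensor`, `timestamp`, `src`, `dst`, `attack_type`), the `/event` path, the phase table and the sample messages are all assumptions constructed for this example. It validates each posted message, drops malformed ones, suppresses repeats of the same sensor/source/target/type within a window, tags each event with the exercise phase, and keeps per-phase counts that a map view could render.

```python
import json
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed field names for a sensor notification (the paper gives no schema).
REQUIRED_FIELDS = ("sensor", "timestamp", "src", "dst", "attack_type")

# Assumed game phases as (start_ts, end_ts, name); the paper only says phases are considered.
PHASES = [(0, 1000, "phase1"), (1000, 2000, "phase2")]


class Aggregator:
    """Toy stand-in for an ADAM-like aggregator: validate, deduplicate, tag and count events."""

    def __init__(self, dedup_window=60.0, phases=None):
        self.dedup_window = dedup_window
        self.phases = phases or []
        self._seen = {}           # (sensor, src, dst, attack_type) -> last accepted timestamp
        self.accepted = []        # normalised events ready for a visualiser
        self.rejected = Counter() # reason -> count, useful for spotting misbehaving sensors
        self.counts = Counter()   # (phase, attack_type, dst) -> count

    def phase_for(self, ts):
        for start, end, name in self.phases:
            if start <= ts < end:
                return name
        return "unknown"

    def ingest(self, raw):
        """raw: the JSON body of one HTTP POST (bytes or str). Returns True if accepted."""
        try:
            event = json.loads(raw)
        except (ValueError, TypeError):
            self.rejected["malformed_json"] += 1
            return False
        if not isinstance(event, dict) or any(f not in event for f in REQUIRED_FIELDS):
            self.rejected["missing_fields"] += 1
            return False
        try:
            ts = float(event["timestamp"])
        except (TypeError, ValueError):
            self.rejected["bad_timestamp"] += 1
            return False
        # Combine repeated alerts: same sensor/src/dst/type within the window is one event.
        key = (event["sensor"], event["src"], event["dst"], event["attack_type"])
        last = self._seen.get(key)
        if last is not None and ts - last < self.dedup_window:
            self.rejected["duplicate"] += 1
            return False
        self._seen[key] = ts
        norm = {
            "time": ts,
            "sensor": str(event["sensor"]),
            "src": str(event["src"]),
            "dst": str(event["dst"]),
            "attack_type": str(event["attack_type"]),
            "phase": self.phase_for(ts),
        }
        self.accepted.append(norm)
        self.counts[(norm["phase"], norm["attack_type"], norm["dst"])] += 1
        return True

    def summary(self):
        return dict(self.counts)


AGG = Aggregator(phases=PHASES)


class SensorHandler(BaseHTTPRequestHandler):
    """Accepts one JSON event per HTTP POST (assumed path /event); 202 on accept, 400 on reject."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        ok = self.path == "/event" and AGG.ingest(body)
        self.send_response(202 if ok else 400)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the console quiet


def serve(port=8080):
    HTTPServer(("127.0.0.1", port), SensorHandler).serve_forever()


# Constructed sample POST bodies: one good event, a repeat of it within the window,
# a later event in the next phase, one with a bad timestamp, and one that is not JSON.
SAMPLE_POSTS = [
    b'{"sensor":"ids-1","timestamp":100,"src":"10.0.1.5","dst":"10.0.2.10","attack_type":"scan"}',
    b'{"sensor":"ids-1","timestamp":110,"src":"10.0.1.5","dst":"10.0.2.10","attack_type":"scan"}',
    b'{"sensor":"ids-2","timestamp":1200,"src":"10.0.1.5","dst":"10.0.2.10","attack_type":"exploit"}',
    b'{"sensor":"honeypot","timestamp":"abc","src":"10.0.1.9","dst":"10.0.2.11","attack_type":"scan"}',
    b"not json",
]


def demo():
    """Feed the constructed bodies through a fresh aggregator; returns (decisions, counts, rejects)."""
    agg = Aggregator(dedup_window=60.0, phases=PHASES)
    decisions = [agg.ingest(body) for body in SAMPLE_POSTS]
    return decisions, agg.summary(), dict(agg.rejected)


if __name__ == "__main__":
    print(demo())
```

Running `serve()` exposes the same `ingest` logic on a local port so a sensor can POST to it; `demo()` exercises the logic offline with the constructed messages. Keeping the rejection counters per reason is the practical check here: during an exercise a sudden rise in `malformed_json` or `duplicate` usually points at a misconfigured sensor rather than at an attack.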
