THREAT-ARREST Cyber Security Threats and Threat Actors Training - Assurance Driven Multi-Layer, end-to-end Simulation and Training

THREAT-ARREST aims to develop an advanced training platform incorporating emulation, simulation, serious gaming and visualization capabilities to adequately prepare stakeholders with different types of responsibility and levels of expertise in defending high-risk cyber systems and organizations to counter advanced, known and new cyber-attacks. The THREAT-ARREST platform will deliver security training, based on a model driven approach where cyber threat and training preparation (CTTP) models, specifying the potential attacks, the security controls of cyber systems against them, and the tools that may be used to assess the effectiveness of these controls, will drive the training process, and align it (where possible) with operational cyber system security assurance mechanisms to ensure the relevance of training. The platform will also support trainee performance evaluation and training programme evaluation and adapt training programmes based on them. The effectiveness of the framework will be validated using a prototype implementation interconnected with real cyber systems pilots in the areas of smart energy, healthcare and shipping, and from technical, legal and business perspectives.

The THREAT-ARREST platform will offer training on:
a) known and new advanced cyber-attack scenarios
b) use of different security tools for detecting and/or responding to cyber-attacks
c) taking different types of actions against cyber-attacks
d) use of security testing, monitoring and assessment tools at different layers (network, infrastructure, application) in a cyber system

The project's objectives include:
- Develop the means for specifying cyber security threat training and preparation models and programs to drive the realization of the training process
- Develop emulation capabilities enabling the creation of virtual cyber system components, subjecting them to cyber-attacks for training purposes, and enabling trainees to take appropriate response actions and hands-on experience against these cyber-attacks
- Develop multi-layer simulation capabilities enabling the realistic simulation of cyber systems, their usage and security attacks launched on them, through synthetic events at all layers in the implementation stack of these systems and their components reflecting realistic system conditions
- Develop cyber-security training based on serious games and enable trainees to get engaged in cyber-defence, elicit threats and learn about attacks
- Develop key capabilities for the effective delivery of CTTP programs, i.e. the visualization of the operation and state of cyber systems and the emergence and effects of attacks against them; assessing trainee performance in CTTP programs and adapting them depending on it; and assessing the overall effectiveness of a CTTP program and evolving it accordingly
- Align training and simulation with the continuous security assurance of real operational cyber systems, by integrating the developed capabilities into a common platform together with security assurance assessment capabilities
- Demonstrate the use of the THREAT-ARREST framework for effective training against cyber-attacks in the domains of smart energy, healthcare and transport (shipping), using real operational cyber systems within these domains as pilots and, through them, evaluate and validate the framework
- Ensure the uptake, commercialization, and the delivery of innovation of project outcomes by developing an ecosystem around the THREAT-ARREST framework.

The scope of the THREAT-ARREST project includes cyber security training and deployment of cyber-ranges. Therefore, we develop a training platform for advance training on virtual systems (representations of the pilot environments). The goal is not just the training itself, but to assess if the training affects the security level of the actual system afterwards, thus, if the trainees really apply what they learn in the piloting environment. The whole THREAT-ARREST platform operation is modelled in a formalism, called CTTP, and all the underlying functionality (e.g. creation of virtual labs, automated assessment of the trainee, etc.) is driven by the deployed CTTP models. The final goal is the composition of continuous assurance on the whole setting, where the training will be adapted continuously in order to increase the security status of the pilots up to a designated protection level.
For the successful evaluation of the platform, we also demonstrate its application and training capabilities for the three piloting sectors of smart energy, healthcare, and smart shipping. Following the initial analysis of the pilots, we designed 13 main CTTP driven scenarios.The scenarios cover the training for all the defined actuator types (e.g. simple users, administrators, security experts, etc.), the main security properties (e.g. confidentiality, integrity, availability) and key data states (i.e. data in-transit, at-rest, and in-processing), as well as the physical and software components of cyber systems. Moreover, the expected actions for the trainees include, among others, preparedness, detection and analysis, security incident response and post security incident response. For the first integrated version of the platform, we have implemented 3 full demonstrators, one indicative scenario for each pilot.
Once deployed in the platform, the main scenarios can be applied in the other pilots as well or cover different actuators and security properties, by slightly configuring the CTTP model and tailoring it to the examined use case. Thus, after the initial development of the main models, the generation of new scenarios can be increased exponentially.

The overall aim of THREAT-ARREST is to develop an advanced training platform to adequately prepare stakeholders with different types of responsibility and levels of expertise in defending high-risk cyber systems, and organizations to counter advanced, known, and new cyber-attacks. The THREAT-ARREST platform delivers security training, based on a model-driven approach where CTTP models, specifying the potential attacks, the security controls of cyber systems against them, and the tools that may be used to assess the effectiveness of these controls, will drive the training process, and align it (where possible) with operational cyber system security assurance mechanisms to ensure the relevance of training. The platform will also support trainee performance evaluation and training programme evaluation, and adapt training programmes based on them. The effectiveness of the framework is validated on a real pilot system in the area of smart energy.
The final THREAT-ARREST platform is meant to reach TRL7. Afterwards, the commercialization of our solution is becoming important. For this reason, the consortium has prepared a stakeholders’ engagement plan. Furthermore, to enhance the acceptability of the overall THREAT-ARREST approach, the final CTTP programmes have to be aligned with other professional training and certification schemes (e.g. ISACA, ISC2, etc.). The goal is to contact such organizations and include THREAT-ARREST in their affiliation lists. Therefore, our platform can be (a) for further professional development training (which can give CPE points to the certified professionals so that they retain their certification in specific cyber security fields) or even (b) as a training tool within specific sessions of the above training and specification schemes.