One of the greatest challenges in developing capable cyberspace operators is building realistic environments for training events. While many organizations have developed technologies and techniques for replicating enterprise-scale networks, the problem is how to realistically populate those networks with synthetic persons. Whether we are training network defenders or penetration testers, we want to pit them against adaptive and intelligent adversaries who can continuously put their skills to the test. In either case, we also need rich ecosystems in which realistic user agents exchange messages, interact with the web and occasionally assist (or hinder) the efforts of the attackers and defenders.
This talk describes our research and development of a family of Cyberspace Cognitive (CyCog) agents that can behave like attackers, defenders or users in a network. The attacker agent (CyCog-A) was developed to train defenders, while its defensive counterpart (CyCog-D) was intended to help develop penetration testers. The user agent (CyCog-U), on the other hand, is much more versatile in that it can support either type of training. Furthermore, since these synthetic users are models of actual users on a network, they can display behaviors that either hinder or assist attackers and/or defenders.
Our experiences and successes point to current gaps as well as future threats and opportunities. From the need for scalable cyberspace mapping techniques to our work in modeling behaviors to the lessons learned in human-machine teaming, the CyCog family of agents is opening a new dimension in cyberspace operations research and development.