To combat the growing sophistication and frequency of cyber-attacks, individuals who attempt to thwart or mitigate such attacks must train vigilantly. The primary methods for representing cyber threats in today's training exercises involve either live red teams or “white cards.” Live red teams produce realistic results, but they are limited in their availability and in the scope of what they can accomplish given real-world and exercise constraints. Command and control of live red teams during exercises, and restoration of operational networks and systems upon completion of these exercises, can also present challenges. Alternatively, white cards may be administered by an exercise control group, and these white cards typically simulate a degraded or denied condition for a period of time. For example, to reduce the potential for catastrophic damage, white cards may be used to simulate events such as system degradation or denial of service. White cards are typically events or attack actions that are printed on paper and handed to training participants, or posted on computer systems, to indicate an attack. If used properly, white cards can generate the desired conditions, but they offer little or no opportunity for the training audience to realistically detect and react to a threat.
Computer network defense training currently takes place either on operational networks or in virtual (e.g., simulated) environments. One major drawback to using virtual environments is that they lack sufficient realism. Virtualized systems are frequently overly simplified mock-ups of operational systems and lack the fidelity necessary for optimal and effective training. Training on operational networks may provide a full-fidelity environment, but attackers are often placed under significant restrictions to protect the operational network, since they typically cannot disrupt or damage network resources during the course of the exercise.