June 17, 2016—The SEI recently hosted “Cyber Lightning,” a three-day joint training exercise involving Air National Guard and Air Force Reserve units from western Pennsylvania and eastern Ohio. The purpose of the exercise, which was designed and moderated by the Workforce Development team in the SEI’s CERT Division, was to provide an innovative training opportunity to Air Force Reservists and Guardsmen needing training in cyber defense techniques. Participating in the exercise were members of the 911th Airlift Wing, operating out of the Pittsburgh International Airport Air Reserve Station; the 171st Air Refueling Wing, operating out of the Pittsburgh International Airport; and the 910th Airlift Wing, operating out of the Youngstown-Warren Air Reserve Station in Ohio.
“All the participants work in traditional base communication squadrons,” said the SEI’s Robert Beveridge, cybersecurity exercise developer and trainer. “Their workload in maintaining computer systems does not provide the opportunities to gain hands-on cyber security skills in protecting the organizational networks. The Cyber Lightning exercise provided these men and women a chance to learn and test new cyber security skills in an environment that mimics real DoD networks, and it aligns with the desire of senior leaders in the Air Force Reserve and Air National Guard to help develop the cyber cadre.”
Beveridge has a unique perspective on the Cyber Lightning exercise: He is not only part of the SEI team that developed the training and competition program, but he also serves as a Cyber Systems Operations NCIOC at the 910th Communications Squadron. “The STEPfwd platform, developed here at the Software Engineering Institute, allows us to rapidly develop replica DoD networks and launch cyber-attacks from virtual adversaries using live malware and known tactics, techniques, and procedures, all of which provide these airmen the hands-on skills to detect and mitigate cyber threats. The training, value, and knowledge gained allows them to take these skills back to their squadrons. In addition, this exercise provides valuable insight so we can better understand the needs of our current customers”
On the first day of Cyber Lightning, SEI staff provided an overview of the SEI’s STEPfwd training environment. They also trained participants on log analysis, firewall management using Host Based Security System (HBSS), vulnerability scanning using Assured Compliance Assessment Solution (ACAS), traffic analysis using the SEI’s SiLK suite plus Netflow, and intrusion detection systems (IDS) using Security Onion. The SEI staff also provided the participants a threat brief.
On the second day, participants engaged in mission planning for the competition phase of the exercise. Under the guidance of SEI staff, participants reviewed intelligence documentation specially created for the exercise and reviewed the competition scenario. SEI also briefed the staff on the rules of engagement. Participants then had the opportunity to use what they had learned to scan their networks and perform a vulnerability analysis. The teams reported their findings and were scored on the quality of their analysis.
“The teams found the vulnerability analysis portion challenging,” noted Beveridge, “and this was on a small exercise network. At a base network connecting thousands of machines, and with potentially suspicious traffic, what they did today would require expertise and collaboration across all technical specialties.” Beveridge added that this part of the exercise opened the participants’ eyes to concepts such as identifying key cyber terrain, performing a qualitative risk assessment of those critical systems, and prioritizing the vulnerabilities to mitigate in a limited time frame.
On the third day, all three teams engaged in a competition in which they applied the skills and techniques they learned on day one, and the clues obtained during pre-planning and the network scan conducted on day two, to find malicious network traffic and activity on their networks. “The teams did a good job identifying authentic malware that has been developed and used by attackers to infiltrate and steal secrets from large corporate networks over the past few years,” said Jonathan Frederick, cybersecurity exercise developer and trainer at the SEI. Frederick also serves as a member of the 171st Communications Squadron.
“This is the first time three local Air Force Reserve and Guard squadrons have faced off in a cyber security mission competition,” said the SEI’s Geoff Dobson, exercise developer for the CERT Division’s Workforce Development team. “This exercise is low cost, innovative, and of interest to many parties.”
For the record, the 910th Airlift Wing Communication squadron took home the trophy, but all the participants earned a deeper understanding of cyber defense. “This is a great effort for the squadron,” said Major Kelly Quigley, Commander of the 910th Airlift Wing communications squadron. “This is an opportunity for our men and women to learn about how cyber teams do their business and learn new skills.”
Lieutenant Colonel Joseph Sullivan of the 171st Communications Flight of the Pennsylvania Air National guard also found value in Cyber Lightning. “The training received was relevant to our daily mission,” noted Sullivan. “Working with the Host Base Security System (HBSS) and Assured Compliance Assessment Solution (ACAS), each Airman received hands-on training and understanding of the security solutions. The additional training and exercises on intrusions and malware detection provided our base communications personnel training they haven’t received to date. Even though this training doesn’t make them experts, they now have a true understanding of the importance in remaining vigilant in protecting Air Force systems.”
The success of Cyber Lightning could pave the way for similar events. “We hope there are future opportunities to conduct this type of exercise again with other services and other units,” said Beveridge. “As part of the SEI’s Cyber Workforce Development group outreach initiative, our team is very encouraged by what we learned with Cyber Lightning, and we hope to build on this experience and continue to improve the skills-based training exercises we deliver to all our sponsoring organizations.”
For more on the SEI’s efforts in cyber workforce development, visit http://cert.org/cyber-workforce-development/.
If you are a member of the media or analyst community and would like to schedule an interview with an SEI expert, please contact:
SEI Public Relations
Media Line: 412-268-4793
For other useful information sources, please visit the Contact Us page.