search menu icon-carat-right cmu-wordmark

Cyber Lightning Case Study

Created January 2018

In June 2016, the SEI hosted "Cyber Lightning," a three-day joint training exercise involving Air National Guard and Air Force Reserve units from western Pennsylvania and eastern Ohio. The exercise, designed and moderated by SEI researchers, provided an innovative training opportunity to Air Force Reservists and Guardsmen who needed training in cyber defense techniques.

Warfighters Need Cybersecurity Skills

Participating in the exercise were members of the 911th Airlift Wing, operating out of the Pittsburgh International Airport Air Reserve Station; the 171st Air Refueling Wing, operating out of the Pittsburgh International Airport; and the 910th Airlift Wing, operating out of the Youngstown-Warren Air Reserve Station in Ohio.

"All the participants work in traditional base communication squadrons," said the SEI's Robert Beveridge, cybersecurity exercise developer and trainer. "Their workload in maintaining computer systems does not provide the opportunities to gain hands-on cybersecurity skills in protecting the organizational networks. The Cyber Lightning exercise provided these men and women a chance to learn and test new cybersecurity skills in an environment that mimics real DoD networks, and it aligns with the desire of senior leaders in the Air Force Reserve and Air National Guard to help develop the cyber cadre."

Our Collaborators

Robert Beveridge is part of the SEI team that developed the training and competition program; he also serves as a Cyber Systems Operations NCIOC at the 910th Communications Squadron. "The STEPfwd platform, developed here at the Software Engineering Institute, allows us to rapidly develop replica DoD networks and launch cyber attacks from virtual adversaries using live malware and known tactics, techniques, and procedures, all of which provide these airmen the hands-on skills to detect and mitigate cyber threats. The training, value, and knowledge gained allows them to take these skills back to their squadrons. In addition, this exercise provides valuable insight so we can better understand the needs of our current customers."

Skills-Based Training Exercises Provide Needed Experience

As part of the three-day joint training exercise, SEI staff provided an overview of the SEI's STEPfwd training environment. They also trained participants on log analysis, firewall management using the Host Based Security System (HBSS), vulnerability scanning using the Assured Compliance Assessment Solution (ACAS), traffic analysis using the SEI's SiLK suite plus Netflow, and intrusion detection systems (IDS) using Security Onion.

"The teams found the vulnerability analysis portion challenging," noted Beveridge, "and this was on a small exercise network. At a base network connecting thousands of machines, and with potentially suspicious traffic, what they did today would require expertise and collaboration across all technical specialties." Beveridge added that this part of the exercise opened the participants' eyes to concepts such as identifying key cyber terrain, performing a qualitative risk assessment of those critical systems, and prioritizing the vulnerabilities to mitigate in a limited time frame.

"This is the first time three local Air Force Reserve and Guard squadrons have faced off in a cybersecurity mission competition," said the SEI's Geoff Dobson, exercise developer for the SEI's Workforce Development team. "This exercise is low cost, innovative, and of interest to many parties."

For the record, the 910th Airlift Wing Communication squadron took home the trophy, but all the participants earned a deeper understanding of cyber defense. "This is a great effort for the squadron," said Major Kelly Quigley, Commander of the 910th Airlift Wing communications squadron. "This is an opportunity for our men and women to learn about how cyber teams do their business and learn new skills."

Lieutenant Colonel Joseph Sullivan of the 171st Communications Flight of the Pennsylvania Air National guard also found value in Cyber Lightning. "The training received was relevant to our daily mission," noted Sullivan. "Working with the Host Base Security System (HBSS) and Assured Compliance Assessment Solution (ACAS), each Airman received hands-on training and understanding of the security solutions. The additional training and exercises on intrusions and malware detection provided our base communications personnel training they haven't received to date. Even though this training doesn't make them experts, they now have a true understanding of the importance in remaining vigilant in protecting Air Force systems."

For more on the SEI's efforts in cyber workforce development, visit https://sei.cmu.edu/education-outreach/workforce-development.

Software and Tools

CERT SiLK

June 2017

SiLK is a collection of traffic analysis tools used to facilitate security analysis of large networks.

download

Looking Ahead

The success of Cyber Lightning could pave the way for similar events. "We hope there are future opportunities to conduct this type of exercise again with other services and other units," said Beveridge. "As part of the SEI's Cyber Workforce Development group outreach initiative, our team is very encouraged by what we learned with Cyber Lightning, and we hope to build on this experience and continue to improve the skills-based training exercises we deliver to all our sponsoring organizations."

Learn More

An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems

An Analysis of How Many Undiscovered Vulnerabilities Remain in Information Systems

March 09, 2022 White Paper
Jonathan Spring

This paper examines the paradigm that the number of undiscovered vulnerabilities is manageably small through the lens of mathematical concepts from the theory of computing.

read
Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)

Prioritizing Vulnerability Response: A Stakeholder-Specific Vulnerability Categorization (Version 2.0)

April 30, 2021 White Paper
Jonathan SpringAllen D. HouseholderEric Hatleback

This paper presents version 2.0 of a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that takes the form of decision trees and that avoids some problems with the Common Vulnerability Scoring System (CVSS).

read
VINCE: A Software Vulnerability Coordination Platform

VINCE: A Software Vulnerability Coordination Platform

January 25, 2021 Podcast
Emily SarnesoArt Manion

Emily Sarneso, the architect of VINCE, and Art Manion, technical manager of the Vulnerability Analysis Team in the SEI CERT Division, discuss the rollout of VINCE, how to use it, and future work in vulnerability coordination.

learn more
CERT/CC Releases VINCE Software Vulnerability Collaboration Platform

CERT/CC Releases VINCE Software Vulnerability Collaboration Platform

June 04, 2020 News

The web-based platform enables direct communication between vulnerability stakeholders.

read
New SiLK Handbook Addresses Analyst Tradecraft

New SiLK Handbook Addresses Analyst Tradecraft

November 13, 2018 News

Complements recent update to the System for Internet-Level Knowledge (SiLK) traffic analysis tool suite.

read
Striving for Effective Cyber Workforce Development

Striving for Effective Cyber Workforce Development

September 12, 2016 White Paper
Marie Baker

This paper reviews the issue of cyber awareness and identify efforts to combat this deficiency and concludes with strategies moving forward.

read
Air Force Intelligence and Agile

Air Force Intelligence and Agile

June 29, 2016 Newsletter

This June 29, 2016 SEI Bulletin talks about "Cyber Lightning," a training exercise hosted by the SEI.

read