Cyber Lightning Case Study
Created January 2018
In June 2016, the SEI hosted "Cyber Lightning," a three-day joint training exercise involving Air National Guard and Air Force Reserve units from western Pennsylvania and eastern Ohio. The exercise, designed and moderated by SEI researchers, provided an innovative training opportunity to Air Force Reservists and Guardsmen who needed training in cyber defense techniques.
Warfighters Need Cybersecurity Skills
Participating in the exercise were members of the 911th Airlift Wing, operating out of the Pittsburgh International Airport Air Reserve Station; the 171st Air Refueling Wing, operating out of the Pittsburgh International Airport; and the 910th Airlift Wing, operating out of the Youngstown-Warren Air Reserve Station in Ohio.
"All the participants work in traditional base communication squadrons," said the SEI's Robert Beveridge, cybersecurity exercise developer and trainer. "Their workload in maintaining computer systems does not provide the opportunities to gain hands-on cybersecurity skills in protecting the organizational networks. The Cyber Lightning exercise provided these men and women a chance to learn and test new cybersecurity skills in an environment that mimics real DoD networks, and it aligns with the desire of senior leaders in the Air Force Reserve and Air National Guard to help develop the cyber cadre."
Our Collaborators
Robert Beveridge is part of the SEI team that developed the training and competition program; he also serves as a Cyber Systems Operations NCOIC at the 910th Communications Squadron. "The STEPfwd platform, developed here at the Software Engineering Institute, allows us to rapidly develop replica DoD networks and launch cyber attacks from virtual adversaries using live malware and known tactics, techniques, and procedures, all of which provide these airmen the hands-on skills to detect and mitigate cyber threats. The training, value, and knowledge gained allow them to take these skills back to their squadrons. In addition, this exercise provides valuable insight so we can better understand the needs of our current customers."
Skills-Based Training Exercises Provide Needed Experience
As part of the three-day joint training exercise, SEI staff provided an overview of the SEI's STEPfwd training environment. They also trained participants on log analysis, firewall management using the Host Based Security System (HBSS), vulnerability scanning using the Assured Compliance Assessment Solution (ACAS), traffic analysis using the SEI's SiLK suite plus NetFlow, and intrusion detection systems (IDS) using Security Onion.
"The teams found the vulnerability analysis portion challenging," noted Beveridge, "and this was on a small exercise network. At a base network connecting thousands of machines, and with potentially suspicious traffic, what they did today would require expertise and collaboration across all technical specialties." Beveridge added that this part of the exercise opened the participants' eyes to concepts such as identifying key cyber terrain, performing a qualitative risk assessment of those critical systems, and prioritizing the vulnerabilities to mitigate in a limited time frame.
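The prioritization step Beveridge describes (decide which systems are key cyber terrain, rate the risk qualitatively, then pick the fixes that fit the time available) can be made concrete in code. The following is an added illustration, not part of the SEI case study or of the STEPfwd platform: the severity and criticality scales, the asset inventory, and the scan findings are all constructed for the example.

```python
"""Rank vulnerability findings by asset criticality and fit them into a time budget.

Added illustration only; the scales, hosts, and findings below are constructed
and do not come from the Cyber Lightning exercise or any real scanner output.
"""
from dataclasses import dataclass

# Qualitative scales (assumed for this example; a real team would agree on its own).
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
CRITICALITY_WEIGHT = {"key_terrain": 3, "important": 2, "routine": 1}
EXTERNAL_EXPOSURE_BONUS = 2  # reachable from outside the enclave boundary


@dataclass(frozen=True)
class Finding:
    host: str
    check: str              # name of the scanner check that fired (constructed)
    severity: str           # one of SEVERITY_WEIGHT's keys
    exposure: str           # "external" or "internal"
    remediation_hours: float  # estimated effort to mitigate


# Constructed asset inventory: the "key cyber terrain" decision lives here.
ASSETS = {
    "dc01": "key_terrain",      # domain controller
    "fileserv": "key_terrain",  # mission file share
    "web01": "important",       # externally reachable web front end
    "kiosk07": "routine",
    "printer3": "routine",
}

# Constructed findings, as a scanner might report them after a scan.
FINDINGS = [
    Finding("dc01", "SMBv1 enabled", "high", "internal", 2.0),
    Finding("web01", "Outdated TLS configuration", "medium", "external", 1.5),
    Finding("kiosk07", "Missing OS patches", "critical", "internal", 4.0),
    Finding("fileserv", "Anonymous share readable", "high", "internal", 1.0),
    Finding("web01", "Unpatched web framework", "critical", "external", 3.0),
    Finding("printer3", "Default admin password", "medium", "internal", 0.5),
]


def priority_score(finding: Finding, asset_criticality: str) -> int:
    """Qualitative risk: severity x criticality, plus a bump for external exposure."""
    score = SEVERITY_WEIGHT[finding.severity] * CRITICALITY_WEIGHT[asset_criticality]
    if finding.exposure == "external":
        score += EXTERNAL_EXPOSURE_BONUS
    return score


def rank_findings(findings, assets):
    """Order findings by descending score; cheaper fixes first on ties.

    Hosts missing from the inventory are treated as routine, which is itself a
    signal that the asset inventory needs attention.
    """
    def key(f):
        return (-priority_score(f, assets.get(f.host, "routine")), f.remediation_hours)
    return sorted(findings, key=key)


def prioritize(findings, assets, hours_available: float):
    """Walk the ranked list and take every fix that still fits in the budget.

    Returns (planned, deferred); deferred findings are the ones to hand off
    or schedule for the next window rather than forget.
    """
    planned, deferred = [], []
    remaining = hours_available
    for f in rank_findings(findings, assets):
        if f.remediation_hours <= remaining:
            planned.append(f)
            remaining -= f.remediation_hours
        else:
            deferred.append(f)
    return planned, deferred


if __name__ == "__main__":
    planned, deferred = prioritize(FINDINGS, ASSETS, hours_available=8.0)
    for f in planned:
        print(f"FIX   {f.host:<9} {f.check:<28} {f.remediation_hours:>4}h")
    for f in deferred:
        print(f"DEFER {f.host:<9} {f.check:<28} {f.remediation_hours:>4}h")
```

With an eight-hour window the constructed data yields five planned fixes led by the externally exposed web framework and the two key-terrain hosts, while the four-hour kiosk patch job is deferred even though its raw severity is "critical": a routine asset with no external exposure loses to shorter fixes on terrain that matters more. Changing the weights or the inventory changes the answer, which is the point of the exercise.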
"This is the first time three local Air Force Reserve and Guard squadrons have faced off in a cybersecurity mission competition," said the SEI's Geoff Dobson, exercise developer for the SEI's Workforce Development team. "This exercise is low cost, innovative, and of interest to many parties."
For the record, the 910th Airlift Wing Communications Squadron took home the trophy, but all the participants earned a deeper understanding of cyber defense. "This is a great effort for the squadron," said Major Kelly Quigley, Commander of the 910th Airlift Wing Communications Squadron. "This is an opportunity for our men and women to learn about how cyber teams do their business and learn new skills."
Lieutenant Colonel Joseph Sullivan of the 171st Communications Flight of the Pennsylvania Air National Guard also found value in Cyber Lightning. "The training received was relevant to our daily mission," noted Sullivan. "Working with the Host Based Security System (HBSS) and Assured Compliance Assessment Solution (ACAS), each Airman received hands-on training and understanding of the security solutions. The additional training and exercises on intrusions and malware detection provided our base communications personnel training they haven't received to date. Even though this training doesn't make them experts, they now have a true understanding of the importance of remaining vigilant in protecting Air Force systems."
For more on the SEI's efforts in cyber workforce development, visit https://sei.cmu.edu/education-outreach/workforce-development.
Looking Ahead
The success of Cyber Lightning could pave the way for similar events. "We hope there are future opportunities to conduct this type of exercise again with other services and other units," said Beveridge. "As part of the SEI's Cyber Workforce Development group outreach initiative, our team is very encouraged by what we learned with Cyber Lightning, and we hope to build on this experience and continue to improve the skills-based training exercises we deliver to all our sponsoring organizations."
Learn More
Netflow in the Era of EDR and Cloud: Helicopter Parenting for Your Network
Blog Post, August 14, 2023, by Daniel Ruef
Despite well-defined security policies, technical safeguards, and extensive user education, people still make mistakes and adversaries still succeed. A similar situation exists in raising...

Security Analytics: Using SiLK and Mothra to Identify Data Exfiltration via the Domain Name Service
Blog Post, April 03, 2023, by Timothy J. Shimeall
This post explores how the DNS protocol can be abused to exfiltrate data by adding bytes of data onto DNS...

Mothra: Network Situational Awareness at Scale
Blog Post, January 16, 2023, by Daniel Ruef
This SEI Blog introduces the SEI's Mothra tool, summarizes our recent research on improvements to Mothra designed to handle large-scale environments, and describes research aimed at demonstrating Mothra's effectiveness at "cloud scale" in the Amazon Web Services (AWS) GovCloud...

Security Analytics: Tracking Software Updates
Blog Post, June 21, 2022, by Timothy J. Shimeall
This blog post presents an analytic for tracking software updates from official vendor...

How Situational Awareness Informs Cybersecurity Operations
Blog Post, February 08, 2021, by Nathaniel Richmond
Situational awareness (SA) helps decision makers throughout an organization have the information and understanding they need to make sound decisions about cybersecurity operations. In this blog post, I review and provide examples of how to use SA in cybersecurity...

Network Traffic Analysis with SiLK: Profiling and Investigating Cyber Threats
Blog Post, October 28, 2019, by Paul Krystosek, Timothy J. Shimeall, and Nancy Ott
Cyber threats are on the rise, making it vitally important to understand what's happening on our computer networks. But the massive amount of network traffic makes this job...

Network Traffic Analysis with SiLK
Handbook, November 13, 2018, by Geoff Sanders, Paul Krystosek, and Timothy J. Shimeall
This handbook is more analyst-focused and teaches not only the toolset but also the tradecraft around using...

SiLK: A Tool Suite for Unsampled Network Flow Analysis at Scale
Conference Paper, July 29, 2014, by Mark Thomas, Leigh B. Metcalf, Jonathan Spring, Paul Krystosek, and Katherine Prevost
In this paper, the authors discuss SiLK, a tool suite created to analyze high-volume data sources without...