Cyber Lightning Case Study

Created January 2018

In June 2016, the SEI hosted "Cyber Lightning," a three-day joint training exercise involving Air National Guard and Air Force Reserve units from western Pennsylvania and eastern Ohio. The exercise, designed and moderated by SEI researchers, provided an innovative training opportunity to Air Force Reservists and Guardsmen who needed training in cyber defense techniques.

Warfighters Need Cybersecurity Skills

Participating in the exercise were members of the 911th Airlift Wing, operating out of the Pittsburgh International Airport Air Reserve Station; the 171st Air Refueling Wing, operating out of the Pittsburgh International Airport; and the 910th Airlift Wing, operating out of the Youngstown-Warren Air Reserve Station in Ohio.

"All the participants work in traditional base communication squadrons," said the SEI's Robert Beveridge, cybersecurity exercise developer and trainer. "Their workload in maintaining computer systems does not provide the opportunities to gain hands-on cybersecurity skills in protecting the organizational networks. The Cyber Lightning exercise provided these men and women a chance to learn and test new cybersecurity skills in an environment that mimics real DoD networks, and it aligns with the desire of senior leaders in the Air Force Reserve and Air National Guard to help develop the cyber cadre."

Our Collaborators

Robert Beveridge is part of the SEI team that developed the training and competition program; he also serves as a Cyber Systems Operations NCOIC at the 910th Communications Squadron. "The STEPfwd platform, developed here at the Software Engineering Institute, allows us to rapidly develop replica DoD networks and launch cyber attacks from virtual adversaries using live malware and known tactics, techniques, and procedures, all of which provide these airmen the hands-on skills to detect and mitigate cyber threats. The training, value, and knowledge gained allow them to take these skills back to their squadrons. In addition, this exercise provides valuable insight so we can better understand the needs of our current customers."

Skills-Based Training Exercises Provide Needed Experience

As part of the three-day joint training exercise, SEI staff provided an overview of the SEI's STEPfwd training environment. They also trained participants on log analysis, firewall management using the Host Based Security System (HBSS), vulnerability scanning using the Assured Compliance Assessment Solution (ACAS), traffic analysis using the SEI's SiLK suite plus NetFlow, and intrusion detection systems (IDS) using Security Onion.

"The teams found the vulnerability analysis portion challenging," noted Beveridge, "and this was on a small exercise network. At a base network connecting thousands of machines, and with potentially suspicious traffic, what they did today would require expertise and collaboration across all technical specialties." Beveridge added that this part of the exercise opened the participants' eyes to concepts such as identifying key cyber terrain, performing a qualitative risk assessment of those critical systems, and prioritizing the vulnerabilities to mitigate in a limited time frame.

"This is the first time three local Air Force Reserve and Guard squadrons have faced off in a cybersecurity mission competition," said the SEI's Geoff Dobson, exercise developer for the SEI's Workforce Development team. "This exercise is low cost, innovative, and of interest to many parties."

For the record, the 910th Airlift Wing Communications Squadron took home the trophy, but all the participants earned a deeper understanding of cyber defense. "This is a great effort for the squadron," said Major Kelly Quigley, Commander of the 910th Airlift Wing Communications Squadron. "This is an opportunity for our men and women to learn about how cyber teams do their business and learn new skills."

Lieutenant Colonel Joseph Sullivan of the 171st Communications Flight of the Pennsylvania Air National Guard also found value in Cyber Lightning. "The training received was relevant to our daily mission," noted Sullivan. "Working with the Host Based Security System (HBSS) and Assured Compliance Assessment Solution (ACAS), each Airman received hands-on training and understanding of the security solutions. The additional training and exercises on intrusions and malware detection provided our base communications personnel training they haven't received to date. Even though this training doesn't make them experts, they now have a true understanding of the importance of remaining vigilant in protecting Air Force systems."

For more on the SEI's efforts in cyber workforce development, visit https://sei.cmu.edu/education-outreach/workforce-development.

Looking Ahead

The success of Cyber Lightning could pave the way for similar events. "We hope there are future opportunities to conduct this type of exercise again with other services and other units," said Beveridge. "As part of the SEI's Cyber Workforce Development group outreach initiative, our team is very encouraged by what we learned with Cyber Lightning, and we hope to build on this experience and continue to improve the skills-based training exercises we deliver to all our sponsoring organizations."
