AUSTIN, TX, UNITED STATES

05.05.2017

Story by Maj. Ray McCulloch 

102nd Information Operations Battalion  

Members of the Texas Army National Guard and Air National Guard participated in a major network defense exercise at Camp Williams in Utah from April 17 to May 5, 2017.

Members of the Texas Army National Guard’s 102nd Information Operations Battalion and the Texas Air National Guard’s 273rd Information Operations Squadron participated in Exercise Cyber Shield 17, the Army National Guard’s premier cyber defense exercise.

The exercise, which included members of the National Guard from 44 states and territories, the U.S. Army Reserve, state and federal government agencies, nongovernmental organizations, and private industry, was designed to enhance participants’ ability to respond to cyber incidents.

Cyber Shield 17 kicked off with a week of training and preparation that culminated in a scenario-based cyber roleplay during the second week. This was the sixth iteration of the exercise.

Participants were broken up into several groups, or “cells,” for the exercise.

Red Cell members simulated hostile hackers attempting to compromise a computer network, while members of the Blue Cell attempted to defend their networks against the Red Cell’s attacks. The Gold Cell supported the Blue Cell members with coaching and mentorship, while White Cell members evaluated the Blue Cell’s performance.

Members of the 102nd IO Battalion served on the blue and red teams. Other battalion Soldiers provided network management to support the exercise and served in the fusion center. According to a Department of Homeland Security handout, fusion centers are owned by state and local governments and operate with federal support. Their mission is to “provide multidisciplinary expertise and situational awareness to inform decision making at all levels of government.”

Red team members, such as Sgt. 1st Class Jon Wachter, play the role of adversary hackers or the opposing forces. In IT, that would be someone hacking into the network.

“Our main job is to train the blue team,” Wachter stated. That training included exploiting vulnerabilities to pivot or maneuver through their networks.

“We find gaps in their systems in order to exploit vulnerabilities and establish a stronger foothold into the IT terrain to ultimately gain control of systems, networks, or infrastructure,” Wachter said. “We try not to hamstring them so that there is some learning value for the blue team.”

For example, Wachter and his team took control of the administrative password, which would have completely shut down the training for the Blue Team. After an hour, they gave the Blue Team their password back so they could reestablish control of their networks.

Wachter was a team member assigned to the Indiana Red Team. He played the part of a hacker and an insider threat to Indiana’s IT infrastructure. His team stole fictitious personal identifiable information, defaced websites and attempted to disrupt business processes. In general, they created havoc on the network and systems used by the Indiana Blue Team and their mission partners.

“I wasn’t expecting them to bring so much skill to the table; they had a lot of talent here. It was definitely challenging for me, us,” he said. “They actually have a lot of people on this team who do this for their civilian careers as well, so they had a huge advantage!”

Wachter also stated that this exercise helped him network with a variety of very intelligent individuals and learn from their skills and experiences. “I was also able to observe the Blue Team and take away tips, techniques and procedures from them. That was the big lesson for me,” he said.

On the other side of the exercise were the Blue Teams. Blue Teams are state-affiliated National Guard and mission partners who must react to a cyber incident in the exercise. Ultimately, they are charged with expelling the adversary Red Team from their network.

For Texas, this included Staff Sgt. Brian Jones. Jones is an intelligence analyst from the 102nd IO Battalion attached to the Texas Cyber Protection Team for this exercise. He provided embedded intelligence support to the Blue Team operators, including predictive analysis, intelligence summaries and disseminated information on known threats passed from the fusion cell.

“Cyber Shield 17 is a training exercise developed to enhance the skills of the Blue Team in order to defend the operational environment – or the friendly networks – from the adversary’s cyberattacks,” said Jones.

According to Jones, information flow was the most difficult task. That included between governmental agencies at the state and national levels, as well as between Army National Guard, Air National Guard and civilian mission partners. Understanding how intelligence flows between components of the Texas National Guard was an integral part to the success of the Texas Blue Team.

This was an excellent opportunity for them to experience the reality of communications shortfalls between mission partners, the National Guard and the U.S. government agencies according to Jones. “It’s definitely a challenge, but we are working through it really well.”

The provided training facilitated the Blue Team’s ability to identify indicators of compromise in the network. Indicators are “observables” that there may be an intrusion in the system – like malware, phishing or unauthorized access.

“This exercise was a great opportunity to work with multiple [mission partners] in a group effort of incident response to take back a compromised network that we have been called in to defend,” Jones emphasized.

Mission partners that participated in Cyber Shield this year included federal agencies such as the FBI and DHS, state departments of justice, as well as private companies such as Microsoft, Lockheed Martin and Monsanto. The Army and Air National Guards – in coordination with federal agencies – worked with civilian mission partners to resolve issues on their networks. 

The lessons learned here are vitally important moving forward to defend state infrastructure and networks from cyber threats, cyberattacks and other cyber incidents. “What we learn here makes us more effective communicators in the future. I’ve learned so much from this exercise,” Jones said.