WASHINGTON — A U.S. Air Force cyber squadron is using a new training platform to mature concepts for defensive cyber operations and improve readiness in the digital domain, officials said in a Nov. 3 interview with C4ISRNET.
While tradecraft in the highly dynamic cyber domain is always a moving target, that is especially true for the Pentagon’s defensive cyberwarriors. For cyber teams focused on offense, a playbook developed from years of National Security Agency operations guided their work. But on the defensive side, standards and processes had to be created from scratch, meaning there was a lack of uniformity and little tradecraft to follow.
This new redesign, which members of the Air Force’s 834th Cyberspace Operations Squadron are calling “cyber protection team 2.0,” has been in the works for some time. The approach essentially breaks teams into smaller elements. Previously, 39-person cyber protection teams were broken up into five smaller teams organized by role: mission protection, cyberthreat emulation, counter-infiltration, cyber support and cyber readiness.
But many of those roles are better served by local IT personnel, officials have said. Under the redesign, teams are broken into two smaller elements — host and network — to more effectively respond to breaches. Officials also said this lets cyber protection teams focus more on hunting threat actors.
The squadron is using the Persistent Cyber Training Environment to test and mature this new design. PCTE is an online client that allows U.S. Cyber Command’s warriors from across the services to log on from anywhere in the world to conduct individual or collective cyber training as well as mission rehearsal. The Army is running the program on behalf of the joint cyber force and Cyber Command.
The squadron created a training tiger team, a rapid response team that is building training methodologies for what the squadron calls the “building lethality in defensive cyber operations sprint” and providing a pipeline for individual airmen to gain more in-depth training on their defensive weapon systems after they graduate from the schoolhouse and arrive at an operational unit.
“The new structure for CPTs [cyber protection teams] enhances rapid mobilization by deploying smaller, standardized team packages versus picking from a larger team,” said Capt. Jonathan Poole, team lead for 300 Cyber Protection Team. “This affords leaders flexibility in defending geographically separated networks, hunting adversarial presence simultaneously in multiple locations, and increasing readiness by training multi-talented cyber operators. In turn, we have increased our core lethality in defending critical missions at a moment’s notice around the globe.”
PCTE allows the squadron to test those new tactics and procedures on a more frequent basis for full teams, team elements and individual training. Such was the case with the recently concluded Vigilant Eagle exercise.
The event included more than 110 airmen across 15 geographically separated defensive cyber teams. It was the first threat-focused and intelligence-driven hunt exercise using PCTE for the 834th’s parent organization, the 567th Cyberspace Operations Group.
The exercise fused intelligence and data analytics capabilities into the operations of cyber protection teams, keying in on cyberthreat analysts, all-source analysts, analytic support officers and data engineers to test their work within the team’s construct.
The exercise was critical for helping test and train forces on the new training pipeline and team design.
“This exercise allows us to not only see if those pipelines are working [but] to provide us the skill sets we need as we revamped our training,” Poole said, adding that it also provided feedback to ensure future iterations of operators on these host and network teams are better trained and equipped.
Hunting the adversary
During the exercise, teams had to identify threats within the network as well as the threat’s objective and intent.
“In the environment we need to know not only just what the specific system does but also its political and canonical implications,” Master Sgt. Rob Kudratov, flight chief for operations training at the squadron, told C4ISRNET. “When we’re able to tie all of that together, it helps to build a better picture, not only just high-level perspectives, but also” at the tactical level.
The exercise, officials said, is also a critical stepping stone toward realizing Cyber Command’s vision for implementing complex and realistic training.
“Exercise Vigilant Eagle marks an inflection point in the methodology we use to train lethal airmen to integrate intelligence and data analytics in a realistic environment. These quarterly exercises will continue to provide realistic training that challenges and inspires our airmen and other partner organizations across the enterprise,” said Col. Lamont Atkins, commander of the 567th Cyberspace Operations Group.
Vigilant Eagle also follows smaller, unit-run hunt exercises within the 567th Cyberspace Operations Group, during which operators recognized a need to work on tradecraft outside of formal, annual exercises.
The joint nature of the PCTE environment allows units like the 834th to pull from training scenarios across other units.
“We not only have to be able to work with joint systems that may vary in complexity and may be managed differently than we may typically see in the Air Force, but we also have to work with joint partners when it comes to defense,” Poole told C4ISRNET. “We have to be able to speak a common language with them. Having a platform that we can all come together on and train together is important for us to be able to create those communications styles that allow us to work with joint partners when we go out ... This platform will help us be able to exercise those capabilities and those strategies with them.”
Overall, using PCTE contributes to greater readiness within these forces because they can train more frequently in more robust scenarios.
“What we know is, as cyber operators and war fighters, that the enemy’s going to exploit those gaps and seams that exist within the unity of the team,” Lt. Col. Ken Malloy, commander of the 834th Cyberspace Operations Squadron, told C4ISRNET. “Sewing up those gaps and training as you would any other professional team and understanding where those weaknesses are so you can shore those up is what we’re trying to identify through the team exercise component such as Vigilant Eagle.”
PCTE also allows new members to gain real-world experience before going live on networks against actual adversaries — something that was impossible years ago.
“In this particular exercise, our CPT put some of our newer operators who may not have had a chance to execute on mission, we put them right there on the front lines so they can see what operations actually look like,” said Romero Edwards, operations officer for 300 Cyber Protection Team who served as cyber crew lead for one of the team’s elements in Vigilant Eagle. “A lot of them really excelled and thrived in their first time.”
Exercises like Vigilant Eagle that are underpinned by the training environment also allow units to participate outside of defensive teams. This is valuable because, when responding to network breaches, these teams — often referred to as cyber SWAT teams — must work with and gain the trust of local defenders.
Vigilant Eagle, in addition to the cyber mission force cyber protection team units, included participation from local installation defenders as well as Space Force cyber units like the 61st Communications Squadron that are currently being stood up.
“For them it was also important to understand how the CPTs operate and where they need to look ... to better integrate us as we go,” Kudratov said.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.