CAMP EDWARDS, Mass. — At a recent exercise, National Guard cyber units practiced how to get ready for a scenario that feels increasingly possible in the climate of raging ransomware and hacks: Cyberattacks took down utilities on the West Coast and migrated across the country toward New England critical infrastructure.

The East Coast states and utility companies turned to their Guard members to watch for anomalous activity on networks that might indicate intruders and to jump on any malicious actions that could disrupt citizens’ critical services, such as transportation hubs or water supplies.

While the gaming situation at the seventh annual Cyber Yankee exercise was fictitious, the organizers tried to make it as realistic as possible to help Guardsmen not only improve their cyber skills but collaborate better for holistic response across New England states.

Major cyber disturbances — particularly ransomware that typically seeks money to release attackers’ hold on information and digital systems — are becoming more pervasive, impacting utility services, school systems and municipalities. The Guard is developing into a critical resource to remediate these problems at the state and local level, acting as an extension of federal cyber teams, which have limited resources to act across the nation.

For the two-week training on Cape Cod, which wrapped up last week, exercise leaders crafted the gaming scenario to provide more specific and applicable training to Guardsmen on top of larger scale national cyber exercises for the National Guard.

“It’s really hard to do an exercise like this effectively,” Lt. Col. Cameron Sprague, J6 and CIO for the Connecticut Air National Guard and deputy exercise director for Cyber Yankee, told C4ISRNET. Many cyber exercises involve activities that resemble a game of capture the flag, which are too easy and aren’t necessarily applicable to real-world crises.

Using a more realistic situation, Cyber Yankee focused on improving operations in a complex threat scenario, Sprague said.

“Operating effectively in incident response environment is really hard. That’s what a lot of teams first take away when they’re walking through this is how we’re actually going to do an incident response plan. That’s the big point of this. That’s why a lot of them come back year after year,” he said.

To provide a real-life feel, members of the Guard worked hand in hand with partners in the private sector, just as they would if an actual cyberattack occurred.

Due to the COVID-19 pandemic, last year’s version was mostly remote. This year, all the military participants were in person, with most utilities, mission partners and some interagency partners dialing in remotely — including the FBI, the DHS Cybersecurity and Infrastructure Security Agency, Federal Energy Regulatory Commission and U.S. Cyber Command, among others. Planners expect next year’s event to be fully in person again to provide the most realistic collaboration environment.

Blue teams faced real-life malware to practice responding to threats from two to three main simulated threat actors, played by active and reserve Marine Corps Defensive Cyberspace Operations-Internal Defensive Measures companies. These companies are tactically focused cyber teams that will defend critical digital assets at the tip of the spear as part of marine expeditionary forces.

While these teams operatically are solely defensively focused, understanding cyber from the offensive or adversary perspective directly reinforces defensive operators.

“In order to be effective defenders of a network, you need to know what the adversary TTPs [tactics, techniques and procedures] are,” Maj. Michael Frank, cyber warfare officer for DCO-IDM company bravo, 6th Communications Battalion, told C4ISRNET. “Doing cyber threat emulation here and actually going through the steps of OCO [offensive cyber operations] and going through what we would expect an adversary to be doing to us, we have a better idea of how to defend our networks … For them to get a chance to do it from this side is hugely valuable.”

Participants also practiced using a new tool in cooperation with Cyber Command called the Cyber 9-Line. It is a channel that allows states’ Guard units to pass potential threats to Cyber Command to defeat in foreign cyberspace and conversely provides Cyber Command a way to alert states of potential threats discovered during operations.

Members of Cyber Command’s cyber national mission force monitored the exercise. Guard members can upload malware samples for Cyber Command to analyze through a collaboration portal called HIVE-IQ, designed for use by non-technical personnel across the states to share threat information on a cyber incident and provide others across the country an interactive map for situational awareness of cyber problems in progress.

The Connecticut National Guard used the 9-Line mechanism during an actual operation recently when attackers took down the municipal networks of the capital city, delaying the first day of school. The 9-Line capability was useful during that operation, officials said, and had it not been for Cyber Yankee the last year — the first year the 9-Line was created and integrated — the Connecticut National Guard wouldn’t have known about the tool.

“You’re talking about at the local level straight connection to U.S. Cyber Command and their resources that they have,” said Maj. Ryan Miler, state cyber operations officer for Connecticut Army National Guard and orange team lead in charge of coordinating industry partners for Cyber Yankee.

Collaboration across government and industry

In each successive year, the exercise has sought to better integrate industry participation and bring in more members. This was the first year it had the gas pipeline sector participation, which is critical following the recent Colonial Pipeline ransomware attack that threatened to severely disrupt East Coast gasoline supplies.

Participants recounted that in earlier years, the mission partners, Guardsmen and private sector participants worked in their own bubbles. Now, collaboration and communication are much more ingrained.

“At the very start there wasn’t a whole lot of [partner collaboration or communication] if any, if I recall correctly and there wasn’t so much gameplay around having a memorandum of agreement,” said Capt. Seth Williams, blue team 2 lead, who has participated in each Cyber Yankee. “We kind of defended the network as if it were our own, and when it’s not your network, it changes your approach in the things that you can do. Your ability to communicate with that mission partner becomes really key once you understand it’s not your network.”

One of the key objectives of the exercise is to build trust and relationships with companies and adjoining states. This trust is crucial in the event of a cyberattack in which utilities may invite Guardsmen into their networks to help. Lawyers on each side must establish memorandums of understanding regarding what the Guardsmen can do once granted network access.

The Guardsmen, in turn, use these exercises to demonstrate their capabilities to companies so they know how the Guard can assist in an emergency.

“We do it in an exercise environment so that when it does happen, we’ve already got those relationships established not just from a National Guard but from all of our critical infrastructure, our federal, local, state partners,” Miller said. “We’ve established those lines of communication and then it’s that much easier to get together and respond.”

Moreover, given the proximity of the New England states and their relatively small Guard footprint, the exercise provides an opportunity for each state to learn how its counterparts respond to incidents and builds a trust among them in the event they need to share resources during a cross-border cyberattack.

Other federal partners, including 3-year-old CISA, used the exercise as an opportunity to learn about state operations and educate the states on their capabilities.

“The first thing we want to do is see how CISA as an agency fits into the exercise, how we could support what they’re trying to do,” R. Mike Tetreault, cybersecurity adviser for Rhode Island at CISA, told C4ISRNET, adding this is the first time a regional cybersecurity adviser has participated in the exercise.

“I think what will be important this week is obviously for me to make sure that the teams that are here are aware of CISA in the region and specifically cybersecurity advisers and that those are somewhat codified or included in their operation plans and raising an awareness for when an event does happen, they know that’s something that’s available.”

Given the limited resources at CISA, and more largely at DHS, participants discussed opportunities for the National Guard to undertake some of their cybersecurity responsibilities at the state and local level, given that there are nearly 4,000 Guardsmen across the nation.

Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.

More In Cyber