Of the four types of teams that make up the cyber mission force — the 133-team cadre of cyber warriors the four service branches provide to U.S. Cyber Command — cyber protection teams (CPTs) serve as the quick reaction defensive force responding to network intrusions.
Each service also retains a small subset of CPTs to support its own service-specific missions.
Maj. Josh Rykowski, mission team leader with a service-retained CPT in the Army’s Cyber Protection Brigade, explained that each 39-member CPT is broken into four sections.
The first, he told reporters during a media roundtable October 11 at the annual Association of the United States Army conference, is a headquarters section, which takes care of the administrative part of managing and running a team in addition to taking care of some of the planning in preparation for a mission.
Next, within the team itself, there are two mission elements and a support element. Each element has the same personnel and equipment, so elements can be exchanged as needed and pushed out on separate missions if required, Rykowski said.
In terms of the actual mission sets these teams perform, what’s different about a cyber protection team as opposed to a network operator or local administrator is “at the end of the day they hunt for adversaries,” Lt. Gen. Paul Nakasone, commander of Army Cyber Command, told reporters at AUSA. “They’re looking for someone that does not want to be found in our network and that’s what is a core skill that we train in our cyber protection teams.”
CPTs can be thought of as quick reaction forces to assist local owners and are not meant to remain on the network for an extended duration.
“If I get tasked to go support a mission owner, no matter who it is, they’re not going to give me the keys to the kingdom,” a defensive cyber exercise participant at Cyber Flag, Cyber Command’s annual validation event, told C4ISRNET in June. “I’m going to have to go through the local defender, their network owner to get my recommended changes.”
“Really, I don’t want the keys to the kingdom. I wouldn’t want to become their system administrator,” another defensive team lead said. “Eventually, I’ve got to leave” their network.
For the cyber protection teams, this is a new environment into which they’re entering, another defensive team lead said. They look to the local administrators to see what normal on their network might mean or what might be anomalous behavior.
“Being an Army CPT, we’ve received a broad range of missions,” Rykowski explained. These include assisting network owners or the local defenders, educating them on CPT capabilities, trying to leave the network in a much more defensible position, training, and vulnerability assessment.
The network operators have a difficult job, Rykowski said, noting they’re on call 24/7 and focused on vulnerabilities. “What we bring to bear is we show up for a short duration with a threat focus. We help them close the gaps consistent with that particular threat,” he said.
When they show up, they bring their own kit that includes hardware (server stacks), software and sensors.
These kits provide teams with multiple tools, including: network assessment equipment; host forensics equipment, allowing them to look at the entire network and at specific workstations; rudimentary defense mechanisms; plus a substantial amount of storage capability and a substantial amount of computational power.
The combination “allows me to flexibly create tools on the fly from my repository of tools to figure out what my exact setup needs to be when I’m out working with my customers,” Capt. Sean Eyre, a computer network defense manager within the cyber protection brigade, told reporters.
These kits are standardized within the cyber protection brigade and across Army Cyber. Across the joint force, however, each service has a different type of kit, despite CYBERCOM producing a standard requirements document specifying the baseline requirements all kits must meet, Navy Lt. John Allen, CYBERCOM J35 Department of Defense Information Network operations CPT engagement lead, said during a June conference.
What exists today are four types of kits, each usually with its own specific suite of tools that all meet the requirements. This does present some interoperability challenges, but the command is working toward rectifying those, Allen said.
CYBERCOM is now looking toward standardizing kits.
Rykowski explained that they can reconfigure their kits on the fly if need be. “When we do that mission analysis ... and think through what capabilities do we need to bring to bear based on the network we’re working on and based on the adversary we need to be hunting, we can set those capabilities up ahead of time so we can hit the ground running,” he said.
“It also gives us the capability to reconfigure it on the fly, so if we do hit the ground and the network may not be what it was supposed to be … we can reconfigure on site to again bring different capabilities to bear.”
These kits also have internal defenses that prevent them from becoming infected when plugged into infected networks. “While we do connect our kit directly to the network, we have defenses on it to ensure we ourselves don’t get exploited if the adversary is still on the network,” Rykowski said.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.