Rob Crawford
Federal SE – Ixia Solutions Group

Cyber Range Training Gives the Louisiana Army National Guard—and Other Defenders—a Powerful Edge

January 16, 2020 by Rob Crawford

When we hear the word "training," visions of classrooms and online tutorials come to mind, but for many the best training is learning by doing. In the world of cyber security, the U.S. military has taken that concept to heart with the saying "we train like we fight."

Cyber range exercises exemplify this motto with an opportunity for deep hands-on, team-based training. The combatants form Red and Blue teams, with Blue teams dividing up and competing against each other in protecting identical networks from real-time Red team attacks over the course of several hours or days.

For war fighters and a sprinkling of contractors — all hacking experts — the Red team room is the coolest place on earth for about two weeks. The team works day and night, until 3 AM or even through the weekend writing code and getting ready for attacks. Walk into Red team rooms at night and you’ll find windows blacked out, people working away at laptops, debating tactics, or grabbing more coffee (no decaf allowed!). On one wall hangs a pirate flag with a skull-and-crossbones sporting an eye patch, on another a 20-foot screen with updated operational info. "Guardians of the Galaxy" plays above the conversational din that goes all night.

My own introduction to the “cyber range” concept came in 2014 while supporting the Louisiana Army National Guard on the LSU campus in Baton Rouge. Watch the video or read the new case study.

As part of a major initiative to intensify cyber range training, we used Ixia’s BreakingPoint security testing to generate internet traffic to 25 websites on five servers, with teams of ten defending a server and five websites from attack. Traffic consisted of http, dns, ssh and other protocols with http pulling web pages from the servers and DNS traffic engaging a real DNS server to make things even more realistic. The Red team used BreakingPoint to generate traffic that camouflaged attack traffic making the effort more realistic and challenging for Blue team defenders.

Since then, the LA National Guard has become a go-to resource (or geaux-to resource as the locals say) in cyber defense and has recently been deployed to help response teams deal with cyberattacks from various sources. Check out the recent coverage in StateScoop to learn more about how Army National Guard units were deployed to school systems and other state agencies to help thwart ransomware attacks.

Over the years, I’ve participated in many cyber range environments for both military and private sector initiatives. I’m there because traffic generation using BreakingPoint is a powerful Red team ally. BreakingPoint generates real packets and lets experts easily tailor protocol mixes before placing traffic on the network.

For example, if the only RDP traffic present obviously comes from the Red team, Blue teams may notice and pay attention to those packets. To avoid easy detection, we might add a sampling of RDP sessions to real servers to give the red team something to “hide behind.”

Tailoring the challenge to each environment

While cyber range training remains a critical military training trend, the corporate world, industry, and universities have gotten into the swing of things creating their own training exercises. One important area for cyber range training is critical infrastructure as airports, chemical plants, oil refineries, power plants, and other facilities that keep the economy moving represent vulnerable installations. Here, cyber-attacks can result in massive property damage or loss of life.

Some of these installations use Industrial Control System (ICS) protocols, also called SCADA, to operate. Cyber range exercises incorporate SCADA protocols with simulated water or power infrastructure, generated SCADA traffic and Red teams trained to exploit SCADA-related vulnerabilities. For exercises focused on ICS environments, BreakingPoint can send SCADA commands to turn valves on or off in the ICS simulation.

The importance of cyber range training specific to the environment cannot be over-emphasized. The world’s next 9-11 scale attack might well be a cyberattack launched against critical infrastructure. If cyber-IT teams supporting these types of companies and government installations are not adequately prepped, thousands of lives remain at risk every day.

Cyber range exercises are among the most important training security teams can receive as they defend against threats to lives, the economy, and critical infrastructure. In general, adversaries may have the upper hand, at least for a while so more training is needed in all aspects of network design and protection. With everyone on the team participating, debating, and competing in realistic network environments, these fast-paced exercises improve readiness and competency, leaving government and industry better prepared to deal with increasing cyber threats.