Warfield Air National Guard Base, Md. — During a recent election, bad actors accessed the public-facing website that was tracking Presidential election results and changed the results the public was seeing in real time, skewing them in favor of the losing candidate. In the background, cyber operators were fighting back against the bad actors, who were trying to delegitimize the election results.
Fortunately, these events were unfolding during an offensive and defensive cyber exercise called Cyber Blitz 22-3 with cyber professionals from the Maryland National Guard at Warfield Air National Guard Base located at Martin State Airport here.
The Cyber Blitz exercise is a constantly evolving cyber exercise, which aims to deliver realistic offensive operations and adversarial effects against cyber protection team elements conducting defensive operations on a virtual network.
The exercise participants were split into four cells: white, red, blue, and black. Each team had its own responsibilities and roles during the exercise, but exercise planners wanted all of the teams to work together to reach their mission objectives.
The aggressors, who were attempting to gain access to private networks, were on the red team. They used the tools available to them to try to disrupt day-to-day operations.
“The red team is trying to infiltrate the network using open source tools to validate their skill sets,” explained U.S. Air Force Capt. Brandon Krantz, cyber officer assigned to the 275th Operations Support Squadron. “They leave artifacts as evidence of their actions.”
The blue team is the defender of the network and is working against the red team to ensure those bad actors do not infiltrate their networks.
“The blue team is working to secure the network through network hardening techniques such as using firewalls, network devices, and port security,” explained Krantz. “The goal is to only leave open the necessary ports and applications for the end user to perform their day-to-day tasks while minimizing the overall attack surface.”
The white cell, which was led by U.S. Army 1st Lt. Clarence Nowell, the mission element lead from the 169th Cyber Protection Team, Maryland Army National Guard, was responsible for coordinating the action between the other cells participating in the exercise.
“We wanted to create an exercise where all of the teams were working together,” explained Nowell. “A lot of times during exercises and even real-world activities we tend to work in a silo and we wanted to get away from that.”
The Cyber Blitz training environment was created and monitored by the black cell using the CATTS system from CyberCents, which was originally created to exclusively host offensive cyber operations. Mr. Dorsey Bohan, cyber support analyst assigned to the 275th Operations Support Squadron, led that team.
“We test everything beforehand to make sure the attackers’ and defenders’ access to the network allows them to do their jobs,” explained Bohan. “During the last Cyber Blitz, we used our CATTS system, which is designed to be used as an automated attack [network] but we configured it for this exercise to have a live red and intel team on it.”
The evolution of the annual cyber exercise was evident during this iteration as participants came from the Maryland Air National Guard’s 175th Cyberspace Operations Group and 175th Intelligence Squadron and the Maryland Army National Guard’s 169th Cyber Protection Team and 110th Information Operations Battalion.
“The integration of the Army and Air has been key to understanding different techniques and terminology that is used between the branches of service,” said U.S. Air Force Maj. Charles Gruver, 275th Operations Support Squadron flight commander of current operations. “When we get ready to deploy, we will normally be working in a joint environment, so this exercise is great preparation for future operations.”
On the final day of the exercise, leadership from the National Guard Bureau Cyber Division were present for the out-briefing and were able to learn about the ever-growing exercise at the 175th Wing.
One of the visitors, U.S. Air Force Col. Joed Carbonell, Cyber Division (J36) chief and former 175th Cyberspace Operations Group deputy commander, expressed his excitement at the evolution of the Cyber Blitz exercise.
“So it started as only exercise and it was really tough getting other squadrons to participate,” said Carbonell. “And now, fast forward to today, not only do you have players from outside of the wing but now you have a completely joint-integrated and self-generated exercise that they do every two months. This is what the guard does and I am continuously blown away with how they do it.”