US Army gathers Cyber Mission Force for CYBER ANVIL - MS&T

US Army gathers Cyber Mission Force for CYBER ANVIL

In mid-February 2019, the U.S. Army’s Product Manager for Cyber Resiliency and Training (PdM CRT) office gathered Cyber Mission Forces (CMF) from all of the services to operationally utilize the Persistent Cyber Training Environment (PCTE) prototype vB platform for a concurrent, distributed collective and individual level training exercise from the command post set up at Johns Hopkins University – Applied Physics Laboratory (JHU-APL) in Laurel, Maryland. The training exercise, CYBER ANVIL, included elements of the CMF across the Navy, Air Force, Army and Marines as well as the Air Force National Guard and Air Force Reserves operationally aligned to support several combatant commands. 

Personnel operated from Maryland, two sites in Florida, Georgia, Texas and Hawaii all connected to the PCTE working prototype. Many Navy and Air Force teams trained on site in Maryland while Army personnel supported distributed execution remotely from Fort Gordon. Marine and Coast Guard non-commissioned leaders attended the event at JHU-APL to evaluate the platform on site for future use of the prototype. In total, CYBER ANVIL encompassed nearly 100 participants across five time-zones and seven distributed sites with the joint cyber force.

Collectively, these users (planners, operators, training managers, etc) operated the prototype to provide operational feedback on PCTE platform that enabled them to directly plan-prepare-execute-assessment of several cyber mission force training events across its lifecycle. Trainees accessed a cyber team hunt scenario and a Kibana Elastic Skills Builder (ESB) individual threat hunting tool module, both developed by the Navy organically within the prototype, as well as Capture-The-Packet (CTP) external individual skills training content for forensics and traffic analysis.

The product manager is applying Development Operations, or Dev Ops, based on commercial industry processes that are not like traditional processes that follow a rigid timeline and process to achieve initial and final operating capabilities. Instead, the DevOps process connects the developers from several vendors and the government engineering team in a very collaborative way to manage configuration updates and changes and allows them to adapt to input received from the operational community in a rapid way to ensure platform relevancy.

On day One kicked off at JHU-APL the hunt teams laid out the daily schedule to maintain a continuous presence in skill sets throughout the day. The team leader shared his screen while the team worked in pairs and called out notable activities to each other. Behind the scenes, the product manager team initiated monitoring with technical operations to compute, network and store.

The Navy has been the advocate for these training solutions and has contributed the necessary content in this event for foundational cyber training. In the middle and right cubicle sections, Navy and Air Force teams trained on the individual ESB and CTP training content. Across most Department of Defense cyber ranges and training environments, quality content remains a challenge. Thanks to the dedicated efforts of Chief Warrant Officer Five Jeff Fisher, from Fleet Cyber Command, the content developed by the Navy was imported into the PCTE working prototype and now is available for reuse by the collective joint cyber mission force.

To keep the PCTE working prototype running for the Hunt, ESB and CTP training events, the PCTE engineering team used collaborative chat capabilities to respond to operator questions. This allowed engineers and users to share situational awareness as to the prototypes’ overall performance and the status of issues. All operators accessed the platform through a virtual private network to maximize prototype availability and cyber mission force participation. 

As a winter storm approached central Maryland and the forecasts for rain changed to snow that Tuesday afternoon, Deputy Product Manager Liz Bledsoe let the team know, “There will be no snow days in cyber.” By the end of the business day Tuesday, most local and federal governments closed for Wednesday. Undeterred, the product manager planned for a contingency CYBER ANVIL operations cell in the nearby hotel used for billeting.

While the National Capital Region shutdown, the Orlando-based PdM CRT team plowed through the snow storm to provide cyber training to remote teams in Hawaii, Texas, Georgia and Florida. Hunt teams in Hawaii picked up where they had stopped the day prior. The CRT stayed online while Hawaii hunt teams went back and forth in pursuing the adversary. Hunt team training occurred without a hitch as the PdM CRT prepared to resume full operations the next day.

Day three resumed where day one ended. Thanks to the staff at JHU-APL, the training facility resumed its buzz as Hunt, ESB and CTP training went full throttle. The Navy hunt team outlined its processes on the white board: Recon, Weaponize, Exploit, Install, Command and Control, and Action. Navy and Air Force teams continued ESB and CTP training.

CYBER ANVIL was a healthy initiation for the prototype. Following the DevOps process is enabling PdM CRT’s utilization and ensuring relevancy of its rapid prototyping initiatives across a multi-faceted CMF user base and mission sets. PdM CRT is expected to pick-up the OPTEMPO of these unit-driven touchpoints increasing in scope, size and scale across the services to rapidly battle-harden the platform for its v1.0 release in Jan 2020.

The end state PCTE platform will be accessible to all service cyber components. The next PCTE prototype event was CYBER VALHALLA held in March at JHU-APL for offensive cyber operations (OCO) teams to again battle test, harden and iterate on the platform. The success of the CYBER VALHALLA event was another step forward as PdM CRT battle-hardens the PCTE prototype in preparation for the Jan 2020 version 1 release.