US Army gathers Cyber Mission Force for CYBER ANVIL

In mid-February 2019, the U.S. Army’s Product Manager forCyber Resiliency and Training (PdM CRT) office gathered Cyber Mission Forces(CMF) from all of the services to operationally utilize the Persistent CyberTraining Environment (PCTE) prototype vB platform for a concurrent, distributedcollective and individual level training exercise from the command post set upat Johns Hopkins University - Applied Physics Laboratory (JHU-APL) in Laurel,Maryland. The training exercise, CYBER ANVIL, included elements of the CMFacross the Navy, Air Force, Army and Marines as well as the Air Force NationalGuard and Air Force Reserves operationally aligned to support several combatantcommands.

Personnel operated from Maryland, two sites in Florida,Georgia, Texas and Hawaii all connected to the PCTE working prototype. ManyNavy and Air Force teams trained on site in Maryland while Army personnelsupported distributed execution remotely from Fort Gordon. Marine and CoastGuard non-commissioned leaders attended the event at JHU-APL to evaluate theplatform on site for future use of the prototype. In total, CYBER ANVILencompassed nearly 100 participants across five time-zones and sevendistributed sites with the joint cyber force.

Collectively, these users (planners, operators, trainingmanagers, etc) operated the prototype to provide operational feedback on PCTEplatform that enabled them to directly plan-prepare-execute-assessment ofseveral cyber mission force training events across its lifecycle. Trainees accesseda cyber team hunt scenario and a Kibana Elastic Skills Builder (ESB) individualthreat hunting tool module, both developed by the Navy organically within theprototype, as well as Capture-The-Packet (CTP) external individual skillstraining content for forensics and traffic analysis.

The product manager is applying Development Operations, orDev Ops, based on commercial industry processes that are not like traditionalprocesses that follow a rigid timeline and process to achieve initial and finaloperating capabilities. Instead, the DevOps process connects the developersfrom several vendors and the government engineering team in a verycollaborative way to manage configuration updates and changes and allows themto adapt to input received from the operational community in a rapid way toensure platform relevancy.

On day One kicked off at JHU-APL the hunt teams laid out thedaily schedule to maintain a continuous presence in skill sets throughout theday. The team leader shared his screen while the team worked in pairs andcalled out notable activities to each other. Behind the scenes, the productmanager team initiated monitoring with technical operations to compute, networkand store.

The Navy has been the advocate for these training solutionsand has contributed the necessary content in this event for foundational cybertraining. In the middle and right cubicle sections, Navy and Air Force teamstrained on the individual ESB and CTP training content. Across most Departmentof Defense cyber ranges and training environments, quality content remains achallenge. Thanks to the dedicated efforts of Chief Warrant Officer Five JeffFisher, from Fleet Cyber Command, the content developed by the Navy wasimported into the PCTE working prototype and now is available for reuse by thecollective joint cyber mission force.

To keep the PCTE working prototype running for the Hunt, ESBand CTP training events, the PCTE engineering team used collaborative chatcapabilities to respond to operator questions. This allowed engineers and usersto share situational awareness as to the prototypes’ overall performance andthe status of issues. All operators accessed the platform through a virtualprivate network to maximize prototype availability and cyber mission forceparticipation.

As a winter storm approached central Maryland and theforecasts for rain changed to snow that Tuesday afternoon, Deputy ProductManager Liz Bledsoe let the team know, “There will be no snow days in cyber.” Bythe end of the business day Tuesday, most local and federal governments closedfor Wednesday. Undeterred, the product manager planned for a contingency CYBERANVIL operations cell in the nearby hotel used for billeting.

While the National Capital Region shutdown, the Orlando-basedPdM CRT team plowed through the snow storm to provide cyber training to remoteteams in Hawaii, Texas, Georgia and Florida. Hunt teams in Hawaii picked upwhere they had stopped the day prior. The CRT stayed online while Hawaii huntteams went back and forth in pursuing the adversary. Hunt team trainingoccurred without a hitch as the PdM CRT prepared to resume full operations thenext day.

Day three resumed where day one ended. Thanks to the staffat JHU-APL, the training facility resumed its buzz as Hunt, ESB and CTPtraining went full throttle. The Navy hunt team outlined its processes on thewhite board: Recon, Weaponize, Exploit, Install, Command and Control, andAction. Navy and Air Force teams continued ESB and CTP training.

CYBER ANVIL was a healthy initiation for the prototype. Following the DevOps process is enabling PdM CRT’s utilization and ensuring relevancy of its rapid prototyping initiatives across a multi-faceted CMF user base and mission sets. PdM CRT is expected to pick-up the OPTEMPO of these unit-driven touchpoints increasing in scope, size and scale across the services to rapidly battle-harden the platform for its v1.0 release in Jan 2020.

The end state PCTE platform will be accessible to all service cyber components. The next PCTE prototype event was CYBER VALHALLA held in March at JHU-APL for offensive cyber operations (OCO) teams to again battle test, harden and iterate on the platform. The success of the CYBER VALHALLA event was another step forward as PdM CRT battle-hardens the PCTE prototype in preparation for the Jan 2020 version 1 release.