July 27, 2014    /    by

A new cyber exercise: Test your security team's incident response capabilities

The Michigan Cyber Civilian Corps, state and local government cyber analysts and the West Michigan Cyber Security Consortium participated in an attack-defend-respond tabletop exercise in a virtual city called Alphaville, which exists within the Michigan Cyber Range. Here's why it matters to a town near you.

MiC3 cyber exercise - all photos by Dan Lohrmann

There is a place called Alphaville. It is like many other towns all over the world – with a city hall, library, school, power plant and more.  

You can even watch this short video about Alphaville here.

Now the bad news. Imagine that your government’s incident response team has just learned that many computers in Alphaville were “hacked,” and that one or more intruders have gained unauthorized access to a variety of different systems, such as the town’s web page. This compromise has triggered activation of your cyber incident response plan.

How will your Security Operations Center (SOC) team respond to this incident? Will your cyber response plan work? What are the appropriate processes and procedures? Can you prevent the attackers from compromising the power plant and taking down the electricity? If service is interrupted, can it be restored?

Or, simply stated - what do you do next?

Last week’s Red v Blue exercise on the Michigan Cyber Range

Last week at Davenport University near Grand Rapids, Michigan, a group of cybersecurity professionals from the State of Michigan Government and the Michigan Cyber Civilian Corps (MiC3) were confronted with this very situation as the “Blue Team” defending and responding to cyber incidents in Alphaville. The “Red Team” attackers were a mix of public and private sector professionals who were part of a group called the West Michigan Cyber Security Consortium.

The event included about 100 people, including participants, observers and sponsors. The local news in Grand Rapids covered the exercise. You can see this video during the lunch news break: “Davenport Hosts Cyber Security Workshop.”

The event was also covered by other local news articles like this one.

What actually happened in Alphaville?

Think of this training scenario as being similar to how fire departments train and test their skills and abilities all over the country on a regular basis. Of course, there are full-time experts and volunteer firemen who respond to numerous emergency situations. Over time, professional certifications are obtained and maintained through an ongoing set of courses and hands-on drills and exercises.

Many of the same principles are true for cyber emergencies, and there may very well be cyber emergency incidents that require a mix of full-time analysts and specialists along with a volunteer cyber corps in your jurisdiction.

Even though Alphaville is a virtual city, various situations played out just as they do in real-life cyberattacks. For example, people reuse passwords across computer systems at home and work – or at the library, city hall and the power plant.

Many cyber challenges around the country start from ground zero, with both teams attacking the other team’s computer systems while defending their own computers and networks. The US Cyber Challenge and the National Collegiate Cyber Defense Competition are just two other examples of team-based cyber exercises that are very popular.  This cyber exercise was new in that the focus was on incident response and not just on attacking and defending skills.

Exercise experts know that teamwork, communication, coordination and timely decision-making are tested in these cyber incidents perhaps even more than knowledge or hacking skills. While this incident did not trigger the activation of the State Emergency Operations Center (SEOC) or involve practicing formal press interaction, the scenarios were designed to hone and test the abilities of all participants to work together in new ways.

And a big challenge for the Blue Team defenders was to respond to incidents after the Red Team had already gained unauthorized access. The Red Team continued to try to gain additional access all day with techniques such as cross-site scripting and SQL injection.

Yes, these Red and Blue teams were in different rooms, and they didn't see each other or communicate during the event. There was an open meeting area in a middle room, which displayed the real-time activity in Alphaville in a graphical format so that observers could follow the status.

Local cyber exercise with national significance

As leaders from the public and private sector examine strengths and weaknesses on their cyber operations teams, a common perception is that more practice is needed in identifying and remediating compromised systems in a team environment. Cyberdefense is more like a team sport such as baseball, basketball or football rather than an individual sport such as singles tennis.   

This was also the first time that the Michigan Cyber Civilian Corps (MiC3) participated in an actual event with other organizations.  Although the formal launch of MiC3 happened in a ceremony back in May 2014, last week's event included seven cyber expert members who trained with other organizations in a hands-on environment.

For more background on why this development has national significance, this podcast provides many answers about MiC3 from late May.

In my view, many more states will eventually set up similar groups and/or organizations to respond to cyber emergencies. There are several different governance models that can work, but the problems being faced are global in nature.

As described by a Merit press release:

"This exercise is historic," said Brigadier General Michael Stone, Michigan Army National Guard. "Emergency Management planners have been dreaming of something like a Civilian Cyber Corps in Michigan for years. It's now a reality…."

 "Real-time hacking/defense exercises can always be valuable," said Matthew Carpenter of Grimm, who participated on WMCSC's Red Team. "However, the Michigan Cyber Range includes critical infrastructure, real-world weaknesses, great visualizations, and a compelling backstory for scenarios which provide far more than just your average 'hack-along-with-Mitch' games. Red/Blue Teams walk away with new battle scars, stories, and veteran experience. They also know more of what they need to improve on. Win win." 

Not a cyber expert? You can still: Stop. Think. Connect.

If you are reading this story and are not a cybersecurity analyst or technology professional, this story may seem like it is written in a foreign language. However, there is still an important role for everyone who uses the Internet. You can still learn how to protect yourself while having fun in the process. 

I want to highlight the great work being done by the West Michigan Cyber Security Consortium to build online awareness of threats within Michigan businesses and of the important role that everyone plays regarding Internet safety.

Barb Hiemstra, a co-founder of the West Michigan Cyber Security Consortium which now has over 400 members from the public and private sectors, says that the group exists to enhance the prevention, protection, response and recovery to cyber security threats.

And they have also been given federal grants to train their members and build fun cyber awareness videos like this one with a mainstream message:

 I encourage you to show this video to your family and friends to teach them the importance of their online actions.

Everyone wins in cyber training

In case you are wondering whether the Red or Blue Team won – they both were winners. I must admit that members from our “Bat Cave” or State of Michigan Security Operations Center (SOC) team thought that the Blue defenders won, but we’ll take that discussion over to another forum.

What is clear to me is that this is just the beginning of a new trend. Over the coming year, we expect the MiC3 to grow to around 50 members. I suspect that more and more organizations will use the Michigan Cyber Range or similar online capabilities to test and hone their team's cyber skills.

I also understand that Alphaville will be growing, with the possibility of hospitals and other businesses setting up shop in the virtual town. Existing scenarios within the town will evolve and become even more challenging and complex.

What is also clear is that we are, in reality, one cross-organizational team spanning a variety of industries as well as public and private sectors that must work together to address the growing challenges facing the nation and the world in cyberspace - and protect critical infrastructures. The Michigan Cyber Range and state and local government teams are also partnering with national experts in DC, California and even other countries.

What's next? There will be an international cyber exercise at the North American International Cyber Summit in Detroit, Michigan, this fall. Michigan Governor Rick Snyder's office announced the event will be on November 17, 2014 in this 'save the date' press release in early July. More to come on the details of this upcoming international cyber exercise this fall.

In conclusion, when a fire breaks out in a small town the trained volunteers help to restore things to normal. These emergency response teams practice on a regular basis. We need similar coordination regarding cyber emergencies all across the nation.

This approach to responding to computer incidents will become the new normal. Welcome to 21st-century team training in cybersecurity.

If you are interested in learning more, helping, or joining the MiC3, you can assess your cyber capability at this MiC3 website.