Story by CW2 Jason Sanders
The ability to plan, synchronize, control and disseminate information in a secure and reliable fashion is essential in allowing commanders to exercise mission command during unified land operations. Major General John Morrison put it best when he stated, “a commander who loses the ability to access mission command systems, or whose operational data is compromised, risks the loss of lives and critical resources, or mission failure.” To that end, most organizations deploy state-of-the-art next-generation firewalls, endpoint security solutions or other mechanisms to harden their information systems, but fall short in addressing the entire problem.
Cybersecurity is a team sport. It requires trained end users who understand the threats they face and the risks associated with their actions; administrators who possess intimate knowledge of their systems and aim to provide a secure service through proper patching and configuration; cybersecurity tools that provide defense in depth and visibility of the traffic traversing the network; and cybersecurity professionals who know the landscape and can analyze traffic to identify improper configuration or malicious use of information systems. Most importantly, it requires a well-defined plan of action to reduce the impact of an inevitable cybersecurity incident.
The Army's Cyber Protection Teams (CPT) are an excellent resource that can be leveraged by organizations to meet many of these objectives. They can augment units with an immature cyber network defense (CND) program, provide additional personnel to check system configurations, provide over-the-shoulder training on existing systems and assist units in cyber threat hunting activities. In fact, that's exactly the support the 152nd CPT provided to the 3BCT 101st ABN during our recent Field Training Exercise (FTX) as we prepared for our upcoming JRTC rotation.
The CPT conducted a survey of the brigade’s tactical network in order to assess the overall security posture of the network, determine the logical layout of the infrastructure, create a baseline of normal network connectivity, and recommend changes in order to fortify the tactical network. From a DCO perspective, this may be one of the most crucial steps in creating a successful cybersecurity program because it helps a cybersecurity analyst determine which systems are supposed to communicate and which protocols are used. Any deviation from the normal baseline should be scrutinized to determine whether the traffic is malicious or benign.
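The baseline-then-deviation idea described above, as an added illustration that is not code from the article or the 152nd CPT: it learns the allowed (destination, protocol, port) services and the set of known hosts from a quiet period of constructed, Zeek-style connection summaries, then classifies each later record that does not fit. The addresses, ports and the 10.1.0.0/16 "internal" range are constructed sample values, not the brigade's network.

```python
"""Build a connectivity baseline and flag records that deviate from it."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed Zeek-style conn summaries: src dst proto dst_port (sample values).
BASELINE_PERIOD = """
10.1.1.20 10.1.1.5 tcp 389
10.1.1.21 10.1.1.5 tcp 389
10.1.1.20 10.1.1.5 udp 53
10.1.1.21 10.1.1.5 udp 53
10.1.1.20 10.1.2.10 tcp 443
10.1.1.21 10.1.2.10 tcp 443
10.1.1.5 10.1.3.7 udp 514
"""

# Constructed records from a later observation window.
OBSERVED = """
10.1.1.20 10.1.1.5 tcp 389
10.1.1.22 10.1.1.5 udp 53
10.1.1.20 10.1.1.21 tcp 445
10.1.1.20 203.0.113.9 tcp 8080
10.1.1.5 10.1.3.7 udp 514
"""

def parse(text):
    """Turn whitespace-separated records into (src, dst, proto, dport) tuples."""
    recs = []
    for line in text.strip().splitlines():
        src, dst, proto, dport = line.split()
        recs.append((src, dst, proto.lower(), int(dport)))
    return recs

def build_baseline(records):
    """Return the allowed (dst, proto, dport) services and the hosts seen."""
    services = {(d, p, port) for _, d, p, port in records}
    hosts = {s for s, *_ in records} | {d for _, d, *_ in records}
    return services, hosts

def find_deviations(records, services, hosts, internal=ip_network("10.1.0.0/16")):
    """Label each record outside the baseline; matching records are dropped."""
    out = []
    for src, dst, proto, dport in records:
        if ip_address(dst) not in internal:          # talking off the enclave
            out.append(("external_destination", src, dst, proto, dport))
        elif (dst, proto, dport) not in services:     # service never baselined
            out.append(("unknown_service", src, dst, proto, dport))
        elif src not in hosts:                        # known service, new host
            out.append(("new_host", src, dst, proto, dport))
    return out

def deviation_counts(deviations):
    """Summarize deviations by category for the analyst's triage queue."""
    return Counter(kind for kind, *_ in deviations)
```

Each flagged record is a starting point for the scrutiny the article calls for, not a verdict; a new host on a known service may simply be a newly fielded system that belongs in the next baseline.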
152nd CPT also assisted in the installation, configuration, and validation of Security Onion sensors in a distributed mission command environment. These sensors enable real-time network security monitoring and full packet capture of data as it traverses the network. In the event of a compromise, they may enable cybersecurity analysts to determine the method of compromise as well as all of the systems affected by it. Furthermore, the CPT helped confirm that the traffic produced by the sensors did not oversaturate the brigade’s SATCOM links.
The CPT also assisted in validating the DISA STIGs and IAVA patches of the information systems attached to the brigade’s tactical network. The DISA STIGs are a set of configuration best practices for implementing systems in a secure manner. IAVA patches are a set of software patches that fix bugs or vulnerabilities in software code. Combined, DISA STIGs and IAVA patches reduce the risk associated with information systems by mitigating or even eliminating the vulnerabilities associated with them.
Training was another key component of the support provided by the CPT. They provided over-the-shoulder training on Active Directory, Palo Alto firewall, Enterprise Security Manager (ESM), Security Onion (SO), Host Based Security System (HBSS), and Endgame. The training provided is not designed to be a full-blown class or to replace traditional courses aimed at teaching these tools. However, it was useful for quickly familiarizing someone with the tools so they can begin using them to secure the network and analyze data.
152nd CPT was able to provide remote monitoring support from Fort Gordon, GA over Global Agile Integrated Transport (GAIT), connecting back to our Mission Command Augmentation Support (MCAS) infrastructure. The MCAS setup utilizing GAIT allowed for high-bandwidth, high-availability and low-latency connectivity between the CPT and the brigade’s C2 elements. This enabled real-time collaboration between the CPT and the brigade’s CND cell. Through this mutual cooperation we were able to determine areas of improvement to reduce network noise (false positives, chatty services, etc.) and improve the brigade’s overall security posture.
The support provided by the CPT during our FTX seems to serve the same function as the unit’s Information Protection Technicians (255S) and Cyber Network Defenders (25D). However, situations may arise when units require additional personnel to provide CND capabilities. In these cases, the CPT can be an excellent resource for personnel with relevant experience and knowledge of these systems. They can assist in hardening your network infrastructure by reviewing Active Directory domain settings, evaluating firewall policies and providing over-the-shoulder training on your existing tools.
As a cyber defender, I believe it is our responsibility to enable network and system technicians in providing a secure service to the warfighter. This entails reviewing their systems to ensure compliance, analyzing traffic and recommending solutions to optimize performance. Oftentimes, units are understaffed, technicians are fighting availability issues, or their systems produce so much information that it is impossible for a couple of people to analyze all the data in a timely manner. An outside resource like the CPT is a great way to combat these issues.