Cyber Guardians Get Some Friendly Competition While Training to Defend NRO

When Delta 26, the Space Force unit that defends the National Reconnaissance Office from cyberattacks and online espionage, wanted to stage competitive training exercises this year, they used a private sector cyber range for part of the contests and ran them at an unclassified level, its commander said this week.

Space Training and Readiness Command is “still working to build out their cyber range, so we had to go commercial,” Col. Erica Mitchell told Air and Space Forces Magazine on Nov. 18 on the sidelines of CyberSat, the cybersecurity conference for the space and satellite sector. 

At the unclassified level, “It had to be a more generic exercise” in defending an enterprise network, as opposed to one that specifically gamed out a cyber attack on the NRO, the secretive spy satellite agency, Mitchell said. Five teams, each drawn from one of the five squadrons in Delta 26, competed over the course of four days. 

The exercises, dubbed Cyber Spartan 24-1 and 24-2, were staged in January and August and represented the “crawl” phase in a crawl/walk/run progression, she said. STARCOM issued a release with a few details of the first one in March, but the second has not been previously reported. 

The exercises were “a great success,” she said, despite “a few technical difficulties with the range,” which she declined to elaborate on. Her big takeaway as commander was that “we really have to move towards getting ready for multiple attack vectors in multiple places, not all looking for the same attack in the same place.” 

Both exercises included a so-called Capture-the-Flag, or CTF, component, staged by private sector provider Hack The Box. CTFs are a long-standing cyber tradition in the private sector—hacking contests where teams compete to use knowledge of IT networks and their vulnerabilities to locate and gather pieces of computer code known as flags. In a CTF like the one in Cyber Spartan, the teams compete to collect the most flags but don’t directly attack each other’s systems.

Despite the gamelike elements, CTFs are a proven method of assessing cyber skills, said exercise director Maj. Ryan Galaz. “A capture-the-flag event, to me, is a really fun way to determine the knowledge and proficiency levels of our operators,” he said. 

Both exercises also included a “blue team” element, Galaz said, in which each team was responsible for a network under attack, competing to see which could most quickly understand and report on the attack they were facing. 

Each team went through six attacks in which they were given just 30 minutes to figure out what had happened. 

“What we wanted to do,” explained Galaz, “was not only test the ability of an operator to assess correctly what’s going on, but really test their timeliness, because, in the midst of a contested, integrated environment … we need to know how quickly you can identify, detect and report in an accurate manner.” 

Again, the teams didn’t compete directly, Galaz said: “They were just up against the clock and against themselves, really.” 

“It was what I call parallel play,” said Mitchell, “where you have your toddlers playing side by side” rather than directly engaging with each other.  

Cyber Spartan 24-2 also included a third element, another simulated attack, said Galaz, where “we put all the teams together so they could practice working as a team, because we’re all geographically separated, to then respond to an adversary.” 

Rather than the one-off attacks of the blue team exercise, he added, this third element tested the teams’ ability to work together effectively to fight off a concerted campaign by a determined attacker. 

“The aim was to really force them into a corner where they’re going to have to talk [to each other]. We started disabling machines, leaving some traces [of what we’d done] on one of the team’s assets, and then leaving others on another team’s. So they would have to then communicate,” he said. 

Galaz said the objective was to create a more realistic analogue of the chaotic and confusing conditions that would transpire in a real conflict. “No plan survives first contact with the enemy. So their mission plan went out the window 15 minutes into the action,” he said. “They have to continue to evolve, to stay ahead of the curve.”

The eventual objective would be to fuse the various elements of the exercise together into a more realistic war simulation, said Mitchell, “where the squadrons may start each with their own individual fights, but then it’s all going to be aggregated up, and then we’re going to direct [things] the way we would in an actual war scenario.”

Both competitions were won by the Delta’s 661st Cyber Operations Squadron.

“They did a fantastic job,” Mitchell said.  

In 24-1, the blue team contest was close but 661 came out ahead. In the CTF, “they destroyed the competition,” said Galaz. The second time around, though, things were much tighter. “It was razor close on both” the CTF and the blue team simulated attack events, he said. 

Planners are currently working on the next iteration of Cyber Spartan, to be staged next year, Galaz said: “Now we’re looking at what type of craziness can we do for 25-1 that still keeps the operators enjoying themselves, because that’s the best way [to get them] to pay the most attention or learn the most—and get all the training value we want from it. So we’re excited about that.” 
