Locked Shields 2017: the most important cyber exercise in the world

(by Alessandro Rugolo, Ciro Metaggiata)
02/05/17

Between 24 and 28 April, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn hosted the Locked Shields exercise, the largest and most advanced cyber defense exercise in the world.

The exercise aims to train cyber security experts in protecting national IT systems.

The participating groups, teams of people from all over the world known as Blue Teams, had the task of protecting and keeping running the systems and services of a hypothetical nation. The exercise subjects the teams to a series of tests ranging from the handling of cyber incidents to broader legal and strategic considerations. Everything must be as realistic as possible, so novel defense and attack techniques are used extensively, together with every available emerging technology.

Specifically, in this year's scenario the teams had to keep running the networks and services of a military air base of a fictitious nation while it was subjected to complex attacks on the electricity system, the UAVs (unmanned aerial vehicles), the Command and Control systems, critical information infrastructures and so on. It should be clear that the scale of this exercise, and the kind of challenges the Blue Teams face, span the entire cyberspace, whatever definition of it is adopted (1).

More than 2500 different types of attack can be carried out to test the capabilities of the Blue Teams. To make the challenge adversarial there are, in fact, also the Red Teams, whose role is the opposite of the Blue Teams': to attack and destroy networks and services (or steal data, modify them, render them useless and thereby destroy the opponents' Command and Control capabilities).

In addition to the tactical aspects of an operation, which aim to obtain practical advantages in the field, a Cyber Defense (or Cyber Attack!) operation can have strategic aspects, for example by acting on the morale of an entire nation or by putting an entire software industry at risk. For the first time, the Locked Shields exercise also took into account the strategic aspects of operations conducted in cyberspace.

The exercise is not open to everyone: participation is by invitation. In the current edition, teams from 25 nations took part, for a total of 800 participants. The exercise was hosted in Tallinn, Estonia, but the Blue Teams could also take part from their own country, through secure access to the exercise network.

The activity took place in two stages. First, on 18 and 19 April, everyone was given the opportunity to explore the exercise network. During this phase, the Blue Teams were able to build the maps they needed for the defense.

The second phase, the active one, involved the contenders, among them the Italian Blue Team.

After this short introduction, which aims to give everyone a basic understanding of the activity, let us now look in more detail at what happened, through the voice of some participants in the Italian Blue Team from the Department of Computer Science of the Sapienza University of Rome.

Professor Mancini, how was the national team composed? Did you all play as Blue Team?

Yes. The Team was made up of Defense, University and Industry components; we all worked as Blue Team but with specific tasks, such as Legal, Forensics, Rapid Response, Public Information, Ticketing etc. etc.

As far as one can tell, the exercise must have been very challenging. What kind of documentation was made available? Did you reconstruct the network diagrams?

Of course we had access to the shared platform used for the tutorial, where we had a brief description of the systems. We had effective access only during the familiarization of April 18-19, to touch some configurations.

We had the network diagram, not very detailed and with only the systems that were supposed to be known to us. The complete diagram, with any rogue AP or unmarked machines, was not known.

What were the goals of the Blue Team?

Our goal, as Blue Team, was to monitor the network and manage any incidents, from a technical, legal and communicative point of view.

Who played the Red Team part?

The Red Team is composed of members of the participating nations themselves located in Tallinn, in addition to members of the CCDCOE and of companies. It is a technical group that knows the entire infrastructure in advance, along with its vulnerabilities, and systematically attacks the various teams in order to evaluate their response and monitoring capacity.

Professor Mancini, in your experience, how realistic can such an exercise be considered? In the real world, cyberspace is subject to continuous changes in its components and potential attackers have time on their side (APTs are considered the greatest risk), whereas in this exercise there is no time to study user habits and explore avenues of attack. This strongly restricts the attacks to a subset of what is possible in reality. What do you think? How should an exercise be organized and run to be as realistic as possible?

The exercise, composed in this way, is certainly a means of training in real scenarios; it starts from the assumption that the systems are compromised, which is certainly a mentality that should be adopted more often. The management of a complex infrastructure such as that of Locked Shields is certainly a stimulus for technicians, and must be used as a system for experimenting with innovative solutions or testing new products, whether Proprietary or Open Source.

One of the most challenging aspects of the exercise is certainly given by its limitations: for example, you cannot monitor everything to the fullest but have to make choices, and then triage the events in order to understand what to treat in more detail and what not, all while guaranteeing the user experience, which must continue to work without any kind of problem. We found ourselves facing user actions that brought security risks, and therefore we needed to mitigate those actions without affecting the users' operations.

Professor, thank you for these first answers; we hope to explore with you further some aspects of this exercise and, more generally, of this "cyberspace" that day after day we are getting to know.

Note:

(1) There is no shared definition of cyberspace. We could adopt the Italian version provided in the recent DPCM of 17 February 2017, published in the Gazzetta Ufficiale of 13 April 2017. Art. 2.h defines cybernetic space as: "the set of interconnected information infrastructures, including hardware, software, data and users, as well as the logical relations, however established, between them". Other official definitions can be found at the link: https://ccdcoe.org/cyber-definitions.html.

Sources:

https://ccdcoe.org/locked-shields-2017.html;

https://ccdcoe.org/cyber-definitions.html

http://www.difesa.it/SMD_/Eventi/Pagine/Locked-Shields-2017-termina-eser...