WASHINGTON — The Air Force is using an unclassified training exercise to ready some personnel for offensive missions that protect the nation in cyberspace.
The 341st Cyberspace Operations Squadron — which falls beneath the 867th Cyberspace Operations Group and 67th Cyberspace Wing — designed Cyber Valhalla to better prepare the airmen they provide to U.S. Cyber Command’s elite Cyber National Mission Force, responsible for tracking and disrupting specific nation state actors in cyber space in defense of the nation.
Officials told C4ISRNET that nothing like this training exists. The unit identified a gap and took steps to create this training for its Cyber Command airmen.
Through the cyber training pipeline — joint standards set by Cyber Command that each service trains its cyber warriors to — students don’t learn certain practical skills. Much of it is academic.
Following the academics learned at the schoolhouse, the 341st wanted to provide cyber personnel with greater operational context they would need to know on an actual mission, such as the processes involved in working within the team.
Valhalla seeks to provide an unclassified, yet realistic operational scenario.
“It originally started with the intent to develop some of our highly specialized technical analysts because in a mission in real time, you don’t get a lot of opportunity to practice before you need to actually execute,” Maj. Heidi Kaufman, director of operations for the squadron, told C4ISRNET. “For those highly technical fields, we needed to give them as much practice in a realistic scenario as possible.”
Gaining the necessary skills to be successful in operations is not contingent upon access to specialized tools or networks.
“A lot of it is training the analyst how to think and work through the challenges that they will see when on a mission, but we don’t need to have those classified specifics to get after that goal,” Kaufman said. “We get after the training objectives we need for the people who are operating on mission while also giving an opportunity … for our uncleared airman, that they would never have in a normal training event.”
This allows personnel to be able to train prior to joining their mission while waiting for a security clearance, or before they receive training on their specific weapon system, given the event is more focused on concepts and teamwork over specific tools. It teaches personnel how to think through problem sets.
The exercises have run about four times since early 2019, with the most recent event in July 2020.
Cyber Valhalla has evolved to include several additional work roles with officials describing adding a third day to the event this year.
The exercise has grown to include six of the primary work roles within national mission and support teams, such as analysts, intelligence personnel and the on-keyboard operators. Given the unclassified nature of the exercise, it is harder to include other work roles, such as linguists, but Kaufman said there are other training opportunities for those roles.
The squadron is using the Persistent Cyber Training Environment, an online client that allows Cyber Command’s warriors to log on from anywhere in the world to conduct individual or collective cyber training and mission rehearsal, to build the exercise.
“I think what we see is, honestly the most realistic training experience our folks can get whether they’re brand new out of tech school or completely qualified work role member on a team,” Lt. Col. Tyler Wintermote, commander of the 341st Cyberspace Operations Squadron, told C4SIRNET. “The most impressive part is that we’ve created a no kidding, realistic soup-to-nuts operational experience for our folks.”
Officials noted the concepts exercised during the exercise can be transferred to other offensive teams not on the Cyber National Mission Force, such as combat mission and support teams. Combat mission teams conduct cyber operations on behalf of combatant commands, mostly in the offensive sphere, and cyber support teams provide intelligence, mission planning and other necessary support work for combat mission teams.
Given they are using PCTE for the exercise, any team within Cyber Command’s cyber mission force can choose to run the scenarios on their own.
While the training has mostly been focused on Air Force national mission teams to date, officials said there has been some joint participation with input from the Cyber National Mission Force’s training and exercise team.
Working together
Cyber Valhalla seeks to develop the intelligence picture and drive the activity of the on-net operators.
As opposed to other exercises that seek to validate teams or check off required training objectives — which officials say they hope to bake into Valhalla in the future to kill multiple birds with one stone — the event aims to zero in on completing a mission thread from beginning to end and to build awareness of the operational process for the various work roles.
An exercise consists of teams of 11 to 12 people who span the primary cyber work roles on the national mission team. They’ll go through the process of understanding their battlespace, developing a plan, collecting the intelligence, and executing their response options or offensive cyber operations against the simulated target.
Exercise participants must work through a simulated cyberattack against U.S. critical infrastructure and develop cyber response options. The team members must begin to pull intelligence to build a case against who they think perpetrated the attack, so they can then create a plan and go after the targets.
As part of the scenario, the architects have created a fictional country that contracts and subcontracts out cyberattacks, giving the exercise a hierarchical feel.
The subcontracting organization is constantly changing what it’s doing, and the cyber teams are being bombarded with intelligence as to how the fictional nation is contracting these attacks.
On day one of the event, the intelligence personnel come in with a few operators and identify a few requirements and intelligence in order to create a plan of attack. They’ll run through a few targets they know about and chart a course for the next few days.
Everyone comes in on day two. Operators and analysts begin going further into networks, while others map the network for critical nodes, read enemy emails, and map personalities and profiles. A holistic view of everything going on is then made, including what needs to happen next.
On day three — to be added this year — all the work culminates into a simulated attack. The teams identify where they need to go in the network and then execute their exploits to either deny, degrade, disrupt, deceive or destroy the target.
The exercise creators have produced over 1,000 intelligence injects, mock documents and emails, and other pieces of information for participants to interact with.
“We have malware throughout the network, we have botnets that are running. We have different types of exploits that they are going to have to throw,” Master Sgt. Christopher Boutin, the brainchild for Cyber Valhalla, told C4ISRNET. “Our operators are going to have to scan, identify vulnerabilities, use the appropriate exploit, once they’re in, collect the reasonable intel or wherever that intel is going to be, and move on.”
The operators have to earn their access to enemy networks, meaning it’s not assumed they’ll get in.
Possibly most important to the exercise is the realistic environment for personnel to learn how to conduct offensive operations for the CNMF within the team structure.
For Cyber Valhalla, the organizers decided to arrange the teams slightly differently than they would exist in the operational world, namely placing intelligence personnel right with the operators, which is not how the teams are structured.
This is because they want these members to have context for what they need to provide once they arrive at their teams. During a mission, an intelligence person is trying to provide actionable information to drive an operation. However, given they are likely geographically separated from the operators, they might not know what an operation looks like, Kaufman said. This exercises gives them that perspective to better inform them for when they go to their work role, in hopes that they will be of better assistance during a real-world mission.
“The context reinforces what’s supposed to happen, but it also builds the relationships so that when they are operational and they’re not sitting in the same place, they know the questions to ask, the people to ask, and the bigger context of how the operation should run to be more successful,” Boutin said. “Valhalla is a chance to show them that and its value — that you can’t really sit down and say, ‘Oh yeah, that’s really good.’ You have to actually understand and see it and do it.”
The exercise’s initial goal was the integration of the holistic team, Kaufman said.
The success of the intelligence personnel and operators is contingent upon each of their actions.
“If the operators … don’t provide the correct findings and don’t go through the network in the way that provides the right intelligence to the intelligence analysts, then they won’t discover the appropriate intelligence that’s going to drive the next step for the operators,” Kaufman said.
What’s next?
As Cyber Valhalla expands to a three-day event, officials will focus on improving the realism of the exercise.
“There is a limit to the realism that we can provide, but it’s mind-blowing for me how realistic we can make this for those analysts that participate,” Kaufman said.
With the extra day, organizers hope to incorporate the entire tactical loop, from mission planning through execution and debrief, Wintermote said.
The long-term goal is to maintain a squadron-tailorable training event to fill specific needs, Wintermote said, with the added benefit of making it available to all flavors of cyber teams across the cyber mission force.
With PCTE, any team will be able to run these scenarios and customize them as they see fit. In the past, such exercises required countless hours of preparation and set up for a shorter event. But now, that preparation is eliminated, allowing teams to run these events whenever they want through the PCTE platform.
“This is sharable outside of the 67th [Cyberspace Operations Wing] as well, so there are squadrons within the 70th [Intelligence, Surveillance and Reconnaissance Wing] that can still benefit from this capability, and then there are future things that if it’s taking up at the wing level or elsewhere that we can focus on,” Wintermote said. “It’s scalable to what ever people want it to become, but the primary focus from the 341st is that we also maintain some tailorable control to get after our specific needs.”
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.