CECOM workforce targeted during cyber security exercise

By Marissa Anderson (CECOM) Public Affairs, December 2, 2014

Aberdeen Proving Ground, Maryland -- The U.S. Army Communications-Electronics Command (CECOM) conducted a no-notice cyber security exercise known as "Cyber Shield II" on October 21st and 22nd, 2014, to evaluate the command's response and engagement capabilities during potential cyber attacks. The intent was for CECOM to have a better understanding of its operations in a cyberspace environment contested by a thinking enemy's cyber attacks.

"Cyber Shield II was a cyber attack involving all of CECOM's world-wide staff and organizations," said Terry Kalka, CECOM Chief Information Officer (CIO)/G6 cyber security lead. "The purpose was to provide CECOM with a real world scenario that would be challenging and test our detection, reporting and mitigation skills. During Cyber Shield II, the CECOM Exercise Control Group, made up of select members of CECOM G2, G3/5, and CIO/G6, simulated network attacks in order to train and practice how they would respond to real-world cyber attacks."

The exercise activities consisted of a series of simulated data breaches including phishing, whaling and watering hole attacks. Phishing attacks consist of an email sent to a target with the goal of obtaining sensitive or personally identifiable information (PII) and luring the target into downloading malicious software. Whaling is a form of phishing attack in which the target holds a senior-level position. Watering hole attacks attempt to lure a target to click a link and unknowingly download malicious code.

"The attacks themselves targeted between 400 and 1300 people across CECOM world-wide," said Kalka. "From an enemy's point of view the success rate was 2 percent for the PII and phishing attacks and 10 percent for the whaling attack."

"Overall response across the command has been excellent. CECOM Network Defenders in our units and staff detected the attacks, sent warnings to their workforce, and blocked the links in the phishing emails," said Kalka. "This probably deterred individuals from reporting the attacks, but we still received over 300 individual reports. Additionally, cyber security specialists in the command used their forensic skills to analyze the emails, attachments and links.

"Having said that, we do need everyone to understand the threats they are exposed to every day," Kalka added. "If you replied to an email, and your signature includes your name, your work address, and your personal cell phone number, you just gave that to the attacker. If you clicked on one of the links and entered your CAC [common access card] PIN [personal identification number], you just gave the attacker your login information. You put yourself in danger of unknowingly downloading malicious code that could monitor your activities, take control of your computer, or use it as an entry point into the rest of the network."

Kalka explained that these exercises are a valuable tool for both the workforce and the command. The exercises help the workforce identify the various types of cyber threats that can lead to compromises. They ensure network and email users remain vigilant and aware of how to properly respond to attacks. The exercises also provided lessons learned on areas where the command can improve for additional security. "We strove to make the email messages as realistic as possible," said Kalka, "in order to give our workforce an opportunity to respond to a realistic scenario. We were then able to give the command an accurate picture of this piece of our security posture. It wouldn't be possible to know how many of our personnel are susceptible to this kind of attack without putting them to the test."

Another component of the exercise was the activation of teams known as the Crisis Action Team and Crisis Management Team in response to the attacks. These teams are composed of CECOM personnel from across the command that provide guidance and expertise from within their respective fields. The teams will quickly activate and respond to a crisis situation such as a cyber attack.

Additionally, a table top exercise was conducted to review potential cyber threats and assess continuity plans for mission essential systems such as the Logistics Management Program and the General Fund Enterprise Business System in the event they were impacted by long-term outages.

"With cyber attacks occurring more frequently and becoming more complex, CECOM has increasingly been stepping up its efforts to defend its critical infrastructure networks and applications," said Kalka. "We can protect ourselves to a large extent by being diligent about some very simple things. When you see the Outlook icon that tells you that a message has an attachment, you should also look for the digital signature icon. When you see a hyperlink in an email, look for the digital signature. If you send a message with a link or attachment, be sure to digitally sign it. Those signatures provide a measure of trustworthiness. Any time a service provider, government or commercial, asks you to login somewhere and verify your information, you should think twice. It could be legitimate, and we've seen a few that are, but nine times out of ten it isn't."

"If you have any doubts about an email, you should contact your local Information Assurance Officer, Security Officer, or DOIM [Directorate of Information Network]/NEC [Network Enterprise Center]," said Kalka.

This is the 4th time CECOM has conducted the annual cyber exercise.

For more information on cyber security, please visit the following sites:

U.S. Army Cyber Command

http://www.arcyber.army.mil/cyber-awareness.html

U.S. Computer Emergency Readiness Team

https://www.us-cert.gov/ncas/tips/ST04-014
