Cyber Militia Innovation Meets Mission Needs
National Guard cyber warriors build new systems to do the job.
National Guard members conducting cyber operations found themselves poorly equipped to meet some of the real-world challenges they faced, so they banded together and built the system they needed on a shoestring budget. That system detects anomalous behavior on the network, reduces the number of analysts and enriches network data provided to data scientists.
Elements of the Virginia National Guard deployed to Fort George G. Meade, Maryland, in support of Task Force Echo for about a year beginning in April 2017. The task force supports U.S. Cyber Command and its mission to direct, synchronize and coordinate cyberspace planning and operations. The task force is now in its third iteration. The initial deployment in 2017 marked the first National Guard task force mobilization of its size to support Cyber Command operations full time. In the past two years, more than 300 soldiers have been assigned to the unit, which is aligned under Army Cyber Command’s 780th Military Intelligence Brigade.
Chief Warrant Officer 3 Donald Abbasi, a member of the Virginia Army National Guard, and Sgt. Jeff Lam, with the New York Army National Guard, were two of the first to deploy with Task Force Echo as a part of the Computer Network Defense-Engineer team. The mission was to defend military networks overseas, and they were faced with some challenges. “We had a lot of different teams with remote access that we couldn’t keep track of,” Sgt. Lam recalls.
In addition, the commander needed to be able to detect anomalous behavior from threats both internal and external. “In order to do that, we had to create a system where we know what the user role was, what he was allowed to do, what systems he was allowed to log into, what his work hours were. We needed to capture that, and we didn’t have a system in place,” Chief Abbasi reports.
To solve the problem, the Task Force Echo team turned to their counterparts in Missouri, who had already developed a system known as RockNSM, short for Response Operation Collection Kit Network Security Monitoring. The system is based on an array of open source technologies. It provides a scalable sensor platform for both enduring security monitoring and incident response missions.
According to Capt. Derek Ditch, a cyber capabilities officer with the Missouri National Guard Cyber Team, RockNSM has garnered interest from “governmental organizations and corporate organizations” from Europe, the United States and around the world. “It’s fairly mind-blowing to me. It motivates me to have that kind of impact.”
The U.S. Navy is one organization that has shown interest in the system. A Navy cyber protection team paid for some Missouri National Guard personnel to spend a week in Hawaii, although Capt. Ditch says they were essentially locked in a room with no windows from sunup to sundown. “We set out to build one kit for them. We ended up building four.”
RockNSM became the basis for the Virginia team’s yet-to-be-named solution. Capt. Ditch says that soldiers from his team deployed about a dozen soldiers to Fort Meade for what they thought would be one week to support Chief Abbasi’s mission. They made significant progress that first week and were asked to stay on another five weeks. Like its successor built by Chief Abbasi’s team, the original RockNSM was built to meet a mission need. In 2010, the Missouri National Guard was being called upon to assist other organizations with incident response operations. Each time they did so, it would take about a week to build a system tailored to each specific mission. “We got pretty good at building the systems necessary to do the job, and over time we learned what tools we needed and what tools we didn’t,” Capt. Ditch explains. “Basically every mission required us about a week to prepare building our sensors to analyze the network traffic, to build them from scratch. A few of us worked together and came up with an automated solution, and it worked really well for us.”
They then made it available to others by placing it on GitHub.com, a software development platform. “We put it out on GitHub because teams and organizations were asking us to help build stuff. We’re just reservists, and we have full-time jobs and families and can’t be on the road all the time,” Capt. Ditch adds. “The National Guard wasn’t willing to pay for that [travel], so we put it out there and made it open source and available.”
The soldiers developed RockNSM largely on their personal time. “This is all stuff we’ve done on our own time after the kids have gone to bed, staying up late working on code, making it all work,” Capt. Ditch offers.
He indicates security is the system’s number one benefit. The Defense Department has strict security controls in place that are recommended and audited by the Defense Information Systems Agency, he points out. “We believe our sensors have to be the most trustworthy thing we have because if we can’t trust that data, then we can’t trust anything about what the network is telling us. Security is first and foremost our goal,” he adds.
He also stresses RockNSM’s efficiency. “Every ounce of performance we could squeeze out of that hardware was really important to us to be able to do our mission. We give you exactly what you need—nothing more and nothing less.”
The Missouri team stayed at Fort Meade for six weeks building RockNSM and tailoring it to the Task Force Echo team’s mission. “It was a customized, tailored RockNSM at that point, but we also helped them get started on their entire mission platform,” Capt. Ditch states. “We learned a lot from the unique scenario they faced.”
Chief Abbasi confirms that RockNSM was the basis for the system his team ultimately put together. “We took the tools that were already in that platform, and we added to them.”
That customized version of RockNSM was programmed with user information, such as shift hours and the programs, processes, server names and Internet protocol addresses users were authorized to access. It also included which team they were assigned to and who their supervisors were. The system looked for an array of indicators of anomalous behavior, such as suspicious communications between internal servers and between internal and external Internet protocol addresses.
Chief Abbasi and Sgt. Lam say their system offers several benefits, including reducing the workload, number of analysts and false alarms, while providing better data to data scientists. But they mostly emphasize its ability to counter the insider threat. “We could detect if a person is on a box that he’s not authorized to be on. We could check to see if he’s attempting to promote his privileges to superuser, if he’s trying to change over to root. If he did change over to root, we knew what tasks he was authorized to execute, and then also if he’s operating outside of his shift hours,” the chief warrant officer reveals. “It reduced a lot of angst for upper management because this system made us feel more confident in our ability to say everything’s good.”
Furthermore, by “enriching the data” so the data scientists can “do their magic tricks,” the system allowed the commander to understand his network signature, Chief Abbasi states. “It enriches the data to make it easier for the data scientists to correlate the data … as far as finding a signature for what our network looked like to the outside world.”
They also emphasize the system’s “passive tap” that does not bog down the network. “The network traffic would feed our system with a tap, which enabled us to not affect the performance of the production system,” the chief says.
The chief foresees the system being used fairly widely in Virginia. “The Virginia National Guard’s mission set is starting to expand into providing advice or an assessment of state and local organizations. State or local county organizations are starting to call on our services,” he says. “I’m going to attempt to bring it into our day-to-day operations.”
First, the team will have to rebuild the system. “We built it in a classified environment, and we can’t just go in there and ask for a copy of all this stuff,” Chief Abbasi notes. But we have the framework, and we’re going to take those concepts and implement them again and help the Virginia National Guard perform its mission set.”
And it’s likely the new version will improve upon the original. “We haven’t really pushed the boundaries of what it can do,” Sgt. Lam says.
Asked about a possible name for the Task Force Echo version of the system, Sgt. Lam replies: “We were actually tackling a problem we saw, and we just kind of worked at it. We never really thought where it would take us.”
Not only did the cyber warriors solve the problem, they did it with minimal funding. “We find the solutions and build the tools because we don’t have it in our budget to pay the costs for proprietary commercial products,” Chief Abbasi points out.
Indeed, that need for a low-budget solution was how RockNSM got its start. “We had a budget of zero, so everything we got was hand-me-downs or stuff that individual soldiers would go out and buy or bring in from home,” Capt. Ditch says. “That’s what we did mission with, which is unfortunate, but it’s also kind of inspiring. We were like the cyber militia—bring your muskets, bring whatever you’ve got at home.”