Last month, intruders hacked into a Coast Guard network. Instead of being alarmed by the incursion, cybersecurity personnel were grateful.
That’s because the “hackers” were part of the Coast Guard’s new cyber Red Team, an elite group of cybersecurity professionals who continuously try to breach the service’s networks and systems. The efforts highlight weaknesses and show how adversaries can take advantage of them.
“We pretend to be the bad guys,” said Lt. Kenneth Miltenberger, who leads the team for CGCYBER. “The cool thing about the Red Team is that we can actually show you why cyber security matters.”
Red and blue teams are more than just Halo references and war gaming techniques. They play an important role in helping organizations protect communications, trade secrets and sensitive data from cyber-attacks, which are expected to cost $10.5 trillion annually worldwide by 2025. The Red Team is a recent addition to the Coast Guard’s ever-expanding arsenal of cybersecurity defenses.
In August, the service released an updated Cyber Strategic Outlook, which outlined its approach to safeguarding both the Coast Guard’s overall operational platform and the vast network of waterways, ports and land-side connections that make up the Marine Transportation System (MTS). Recently, the MTS completed a 60-day effort in which specialists were sent to major US ports to oversee assessments, evaluating cyber security plans, leader preparedness, and response activities.
The Coast Guard’s new Cyber Operational Assessments Branch, comprising a Red Team and a larger Blue Team, is tasked with proactively securing the service’s Enterprise Mission Platform: all the technology, data, systems and networks that keep the Coast Guard running.
A much larger unit within CGCYBER, the Cyber Protection Team (CPT), is responsible for helping secure and defend the vast network of operators and infrastructure in the MTS.
The Red and Blue Teams have slightly different missions, but there is some overlap.
The Blue Team primarily does cooperative cybersecurity assessments, security consulting, and enterprise scanning activities. Red Team members also perform cooperative assessments, looking for potential threats or vulnerabilities within a system that attackers might exploit. Even when they work with the knowledge of a unit or network, they tend to be adversarial.
Both teams, for example, might use a scanning tool to assess a system for potential vulnerabilities, such as passwords stored in a file on a personal desktop. A Blue Team doing a cooperative assessment, however, might not pick up on the file. The Red Team will not only find these passwords, Miltenberger notes, but use them to gain deeper unauthorized access to the system -- all while trying to avoid being detected by network defenses.
“Let’s say that the most important thing about your system is command and control data and you want to keep that as protected as possible,” Miltenberger said. “If I can show you how I can go in and read that data and maybe manipulate it, that really tells you a story -- not just about the security of your systems, but whether your people are doing the right thing.”
The Red Team can also be integrated into operational exercises. For example, PACAREA may want to include a cyber-opposing force as part of an operational exercise with cutters and aircraft. That’s one way, Miltenberger says, to test people’s ability to “fight the ship” in a cyber-contested environment.
To build the Red Team, Miltenberger transitioned some of the top members of the Blue Team. “We chose the best of our best,” he said. The six individuals trained on the side for a year and expect to apply for DoD certification in 2022. The elite credential will allow Red Team members to work not only with the Coast Guard, but also with the DoD and other federal agencies, which benefits operations across U.S. cyber terrain. For a look at how to build a cyber career at the Coast Guard, refer to the Cyber officer career guide. There is currently no rating for enlisted personnel, but possibilities are under discussion.
Meanwhile, CGCYBER continues to strengthen this pipeline. Currently, Blue Team members also receive some training in Red Team procedures, so those who excel have the opportunity to advance. This can be critical in retaining these cyber specialists, whose much-sought-after skills can earn them two to three times as much in the private sector. “Our primary advantage, at least for the Red Team, is that the kind of work they get to do is exciting, challenging and desirable,” Miltenberger said. “People who tend to be passionate about cyber security tend to be drawn to these positions.”
It can take a member three to five years to make one of these teams, he adds. This includes six months of full-time C-school training, then another six months as a Blue Team apprentice operator. Add another year or two as a Red Team operator apprentice, then one to two years to become a journeyman operator (red or blue).
Red Team operations can take as little as a week or as long as three months to run. Customers can range from a systems owner, such as the C5I Service Center, to a Pacific or Atlantic area operational commander, to the CGCYBER Commander, Rear Admiral Michael P. Ryan, according to Miltenberger. “The great thing,” he added, “is our Red Team training helps benefit the rest of the command by developing cyber skills in other branches.”
The Red Team is planning a return visit to the unit they breached in September. “Everyone was excited and extremely welcoming during our first mission,” Miltenberger said. “So now they want us to come back and test a number of other systems.”