SEI Hosts Crisis Simulation Exercise for Cyber Intelligence Research Consortium

July 24, 2015—The world faces a new crisis: Dr. Diabolicov, reputed leader of an eco-terrorist group known as Satan’s Tsunami, wants to “hit the reset button on humanity.” Operating out of an undisclosed location, he has issued threatening statements through notorious websites and social networks, as well as various other channels in which he claims “humanity has lost its way” and that “it is time to press the reset button on humanity.” What’s worse, he claims to have placed weaponized smallpox in key locations around the globe. “Vote to preserve humanity or end it,” he demands, directing people to download a tool and cast their votes to automatically release the smallpox virus. “You have 2 days to decide.”  

That’s the scenario that confronted SEI Cyber Intelligence Research Consortium members gathered in Pittsburgh recently for the first Cyber Intelligence Research Consortium Crisis Simulation exercise. SEI experts crafted the exercise using video, live action, fictional websites, and a fully functional simulated internet environment provided by the SEI CERT Division’s STEPfwd platform. The two-day event, hosted by the SEI’s Emerging Technology Center (ETC), brought together participants from member organizations in the government, military, and industry sectors, including PNC and American Express. The participants were charged with a modest task: “Save the world by finding the source of the threat and developing a threat assessment to put it into context for decision makers.”

On hand to kick off the exercise was SEI Director and CEO Paul Nielsen. “The military does a lot of exercises like this,” said Nielsen. “They help you identify gaps and policy or operational issues you might have.” Nielsen noted that the Cyber Intelligence Research Consortium is trying to bridge the gap between industry and government. “We want this to be the first of a series of such events involving members of the consortium,” he said.

During the exercise, participants with an intelligence background focused on identifying the malicious actors and determining the relationships between events, while those with a technical background focused on reverse engineering a tool produced by the terrorist organization and reviewing evidence collected by field agents based on their findings. Two participants functioned as liaisons between the two groups and coordinated their efforts.
 
In the end, the participants were able to trace the terrorist activities back to a set of command and control servers connected directly to hardware designed to release the biological weapon. Shortly after presenting this information, the participants were treated to a “live view” of strike teams neutralizing the threat and securing the biological weapons.

“All of the participants remained engaged throughout the exercise,” said the CERT Division’s Rotem Guttman, who develops immersive training scenarios for cyber personnel as part of the Cyber-Heroes program. “They kept working, even through their lunch breaks. In hindsight, this shouldn't be surprising. After all, the safety of the world was at stake!”

Groups from across the SEI collaborated to produce the simulation. The SEI CERT Division’s Cyber Workforce Development team created large, simulated networks for participants to explore and authored custom malware for use by the threat actors. The SEI’s Emerging Technology Center created a trove of intelligence artifacts for participants to analyze. The CERT Division’s Network Situational Awareness team contributed a flow data analysis component. In addition, the SEI’s Asset Creation, Collection, and Conversion team facilitated the creation of a series of high-quality briefing videos to immerse the participants in their role as agents.

“The event was a great success,” said the SEI’s Jay McAllister, ETC senior analyst and technical lead of the Cyber Intelligence Research Consortium. “It’s a testament to what the SEI can accomplish when folks with different backgrounds cast aside department identifiers and come together to build something that showcases the awesome power of the SEI at large.”

To learn more about the Cyber Intelligence Research Consortium, please visit http://sei.cmu.edu/about/organization/etc/overview.cfm.

STEPfwd is a virtual training environment that offers a rich library of cybersecurity and information assurance training. To learn more about STEPfwd, please visit https://stepfwd.cert.org/.