
Mission Defense Team amps training capabilities

  • Published
  • By Staff Sgt. Noah J. Tancer
  • 910th Airlift Wing Public Affairs

Thanks to AFWERX squadron innovation funds, the 910th Communications Squadron’s Mission Defense Team was able to build its own replica cyber vulnerability and hunt-kit for training.

The capability to simulate a contested cyberspace environment off-network allows the MDT to search for malicious activity on a private network, analyze the data on that network and do survey missions.

“As part of surveying, we’re looking for any malicious activity or advanced persistent threats that may be on the network,” said Master Sgt. Scott Ranostay, a cyber-security analyst and MDT team member assigned to the 910th CS. “Someone could be downloading a suspicious file, but it’s our job to not only identify those files but also determine normal behavior.”

MDT members will achieve this by performing five core functions: identify, protect, detect, respond and recover. The tools of the trade are laptops called mobile interceptor platforms, capable of being connected to a network anywhere around the world, mission-permitting, and the server farm, which houses the MDT’s sensor. Both are part of the replica cyber vulnerability and hunt kit and are used for gathering network traffic and capturing data for analysis. Essentially, they’re tools for establishing a baseline for normal network traffic and identifying any anomalous activity.

“Data analytics is new and huge in the game of IT these days, especially when you’re looking at a lot of logs and data,” said Ranostay. “To be able to index all that data and pivot based off key indicators, it’s key to have the right technology, and we use what they call ELK stack and Kibana as our visualization dashboard so that we can see the data. Being able to track data down is paramount when identifying threats and vulnerabilities.”

Another key piece of MDT training is cyber intelligence: being able to identify what types of threats are out there, how they work and how to fight back. Putting the tools and skills together allows the MDT to monitor network traffic in real time for anything potentially harmful to the network.

For example, malicious activity such as a brute-force attack, in which someone repeatedly tries and fails to log in, generates failed-logon event codes. Once that event code is identified, the MDT can pivot to protecting the network and detecting the offending machine’s IP address or its geographic coordinates. Once it is found, the MDT responds by informing the proper authority to take it from there, which may result in a counterstrike, or recovers by adopting a tougher defensive posture.
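The detect step described above, as an added example that is not part of the original article or the 910th MDT’s tooling: a small detector that reads failed-logon events, counts failures per source address in a sliding time window, and surfaces the sources that exceed a threshold, which is the pivot point for the protect and respond steps. Windows Security Event ID 4625 ("An account failed to log on") is a real event id; the whitespace-separated log layout and the sample lines are constructed for this example and do not represent any real export format.

```python
"""Sliding-window brute-force detector over failed-logon events.

Example code added to this article; not the MDT's own tooling.
Log layout (constructed for the example): <timestamp> <event_id> <account> <source_ip>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event id for "An account failed to log on" (real value);
# 4624 is the successful-logon event and is ignored by the detector.
FAILED_LOGON = "4625"

# Constructed sample log: one noisy source hammering several accounts,
# one source with a single failure that should not be flagged.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 4625 jdoe 203.0.113.7
2024-05-01T08:00:03Z 4625 jdoe 203.0.113.7
2024-05-01T08:00:04Z 4624 asmith 198.51.100.20
2024-05-01T08:00:05Z 4625 admin 203.0.113.7
2024-05-01T08:00:06Z 4625 root 203.0.113.7
2024-05-01T08:00:08Z 4625 jdoe 203.0.113.7
2024-05-01T08:00:09Z 4625 asmith 198.51.100.20
2024-05-01T08:10:00Z 4625 jdoe 203.0.113.7
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event_id, account, source_ip)."""
    ts, event_id, account, src_ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id, account, src_ip


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures_in_window, sorted accounts tried)} for every
    source whose failed logons reach `threshold` inside any `window`-long span.

    The deque per source holds only the failures still inside the window, so
    old failures age out and a slow trickle of typos does not accumulate into
    a false alert.
    """
    recent = defaultdict(deque)  # source_ip -> deque of (timestamp, account)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src_ip = parse_line(line)
        if event_id != FAILED_LOGON:
            continue
        q = recent[src_ip]
        q.append((ts, account))
        # Drop failures that fell out of the window relative to this event.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            accounts = sorted({acct for _, acct in q})
            flagged[src_ip] = (len(q), accounts)
    return flagged


if __name__ == "__main__":
    for ip, (count, accounts) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"brute-force candidate {ip}: {count} failures, accounts tried {accounts}")
```

On an ELK/Kibana stack the same logic is an aggregation over event id 4625 bucketed by source address and time, with the threshold applied to the bucket count; the script above is the equivalent a hunt-kit operator could run directly over an exported log to confirm what the dashboard shows before escalating.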

“Our goal is to always be in constant contact with our adversary on the network,” said Ranostay. “We’re moving away from the mindset of the traditional ‘patch your machine, install all updates, make sure all software is up to date, turn off any services you don’t need and make a complex password’ that has always been historically the trend of how we protect our machines. I’m not saying that’s bad, we should still be doing those things, but we’re now moving over to actively searching for those offensive malicious attacks.”

Along with the replica kit, the MDT now has a new place to call home. Constructed with a central conference area, the main room houses enough desks for the whole team to train together across from a large training display on the wall. If someone identifies something of interest and they want to show the team, they can put it up visually on screen for everybody to get their eyes on it and share ideas on how to react to it.

“So for the traditional reservists that are here, we do exercises when they come in,” said Ranostay. “We’re continually sharing the knowledge which is extremely beneficial, and with this new room’s capabilities we’re able to share that amongst the entire team now… we didn’t have the capability before, but we do now, so I’m super, super happy about that.”

Each MDT member has an initial qualification training plan requiring hours of computer-based training followed by an in-house test, which, upon passing, qualifies the member to be sent to Little Rock Air Force Base, Arkansas, for six weeks of cyber protect-and-defend training. Through weekly tests on the various applications installed in the toolset, they become IQT compliant and certified to operate the CVA/H kit equipment. The 910th MDT’s official CVA/H production kit is expected to arrive in approximately two years. Until then, the focus is on training.