Cyber aggressors attack Red Flag pilots

NELLIS AIR FORCE BASE, Nev. -- Blue forces have more to worry about than defeating aggressor pilots during Red Flag exercises. Cyber warfare is the new threat, with attackers attempting to debilitate all war-fighting capabilities from the ground.

The 57th Information Aggressor Squadron is deliberately building a red force component, training personnel to hack into computer systems and infiltrate secure areas for the purpose of increasing base vigilance.

The 926th Operations Group joined this endeavor when it added a cyberspace mission to its operations. Through Total Force Integration, the Reserve unit has augmented the active-duty run Red Flag exercises with fighter pilots and space aggressors since its inception at Nellis AFB. It now rounds out the fight with cyber professionals.

"Our fighting forces operate in the three primary domains of air, space and cyberspace," said Lt. Col. Keith Sudder, 926th OG deputy commander. "The integration of cyber in current and future warfare is vital to successful operations worldwide; our Reserve personnel are on the leading edge of integrating cyber into combat operations."

Cyber aggressors have the ability to run the full spectrum of cyber warfare, with one capability being close access. Previous iterations of the Cyber-Enabling Close Access Aggressor Course concentrated on operational security -- getting into buildings and searching offices -- now there is a deliberate focus on computer systems.

"The manpower and expertise of the Reserve force has been very beneficial to us; they bring continuity, which is critical to what we do," said Lt. Col. Andre Maugeri, 57th IAS commander. "Every year our scope gets bigger, and there's no way we could do this without TFI," said Maugeri.

Course developers are always looking ahead and changing the curriculum as the threat evolves. They scour news articles and other open source intelligence to learn how to mimic enemy tactics. They also attend hacker conventions like Black Hat and DEFCON to find out about the latest technology.

"The Aggressor mantra is 'know the threat, teach the threat, replicate the threat,'" said Maugeri.

Students become certified as close access team members in two weeks -- the first week is academics and the second is hands-on training.

Then they hit the ground running with the same equipment real-world adversaries have. Everything is commercial, off-the-shelf items like a 3-D printer, thumb drive, lock pick and simple duct tape.

They employ phishing attacks and use social engineering, sending emails to prod personnel to download malicious code. They hide GoPro cameras in coffee mugs. They target cipher locks, trying likely combinations such as a squadron's designation number. They jam doors so they can enter buildings after hours.

"People don't usually take the extra step to question or raise alarms about unusual things. They want to be nice, and we take advantage of that," said Mr. Quinn Carman, 57th IAS technical lead. "Our job is to get people to do that sanity check - anytime someone questions why we're in the building is the first step to thwarting the threat. If you see someone you don't know in your workplace, try to help them with what they need. If you're hovering over them, their cover story will start to break down."

After the exercise the team reports vulnerabilities to leadership, letting them know how and when they were caught, and when they weren't. The 57th IAS publicly discloses its close access practices to educate the base populace on what they should be looking for on a regular basis. "Our role is to remind people that we're at war; military installations and its people are targets," said Carman.