WEBVTT

00:06.039 --> 00:09.000
We base CyberShield on real world

00:09.000 --> 00:11.520
actors , real world events .

00:13.189 --> 00:15.356
Hands on keyboard , tip of the spear .

00:15.430 --> 00:19.270
It's a must have . CyberShield is

00:19.270 --> 00:22.379
National Guard's largest cyber exercise .

00:22.590 --> 00:25.629
It brings together all 54 states and

00:25.629 --> 00:28.030
territories , as well as civilian

00:28.030 --> 00:29.974
partners , public sector , private

00:29.974 --> 00:31.586
sector , close to about 1000

00:31.586 --> 00:33.808
participants every year . There's a lot

00:33.808 --> 00:35.919
of National Guard , and most of these

00:35.919 --> 00:38.252
guys are professionals in cybersecurity ,

00:38.252 --> 00:38.110
so they actually deal with this stuff

00:38.110 --> 00:40.277
all the time . The training we provide

00:40.277 --> 00:43.069
goes anywhere from a brand new cyber

00:43.069 --> 00:45.346
support personnel to high level

00:45.346 --> 00:47.568
cybersecurity professionals . The

00:47.568 --> 00:51.175
CyberShield exercise is by far the largest

00:51.175 --> 00:54.186
producer of on the job training to

00:54.186 --> 00:56.105
prepare the participants of the

00:56.105 --> 00:58.105
exercise to be successful when they

00:58.105 --> 01:00.105
really hit the ground . It's geared

01:00.105 --> 01:02.216
towards improving the cyber readiness

01:02.216 --> 01:04.494
of defensive cyber operations elements ,

01:04.494 --> 01:06.383
their cyber protection teams . We

01:06.383 --> 01:08.494
dedicate the first entire week of the

01:08.494 --> 01:10.549
exercise to getting people work role

01:10.549 --> 01:12.549
qualified . The training piece is

01:12.549 --> 01:14.605
very crucial . It's tailored to each

01:14.605 --> 01:16.827
one of their job work roles days to get

01:16.827 --> 01:19.101
certified like CISA , SANS , CASP+ ,

01:19.222 --> 01:21.389
and those are things that are a little

01:21.389 --> 01:23.722
bit harder to come by with our op tempo .

01:23.722 --> 01:25.833
Ultimately success is measured in the

01:25.833 --> 01:27.889
second week so that we see the tasks

01:27.889 --> 01:30.000
and and things that they learned from

01:30.000 --> 01:31.944
week one . There's a lot of moving

01:31.944 --> 01:33.778
parts . And in order to properly

01:33.778 --> 01:35.944
exercise cyber soldiers , intelligence

01:35.944 --> 01:37.555
soldiers , the legal part of

01:37.555 --> 01:39.611
CyberShield . Everything has to make

01:39.611 --> 01:41.722
sense and it has to be synchronized .

01:41.722 --> 01:43.769
Once we get the scenario , Colonel

01:43.769 --> 01:45.547
Haley and I will put together a

01:45.547 --> 01:47.547
playbook of everything that's gonna

01:47.547 --> 01:49.547
happen in the exercise and how they

01:49.547 --> 01:49.330
should act . A blue team member , their

01:49.330 --> 01:52.089
life would consist of chaos . The OPFOR

01:52.089 --> 01:55.209
acts as the threat actor or the bad

01:55.209 --> 01:57.431
guys in this scenario . Initially their

01:57.431 --> 01:59.542
day is gonna start off looking at any

01:59.542 --> 02:01.542
type of alerts or any type of intel

02:01.542 --> 02:03.598
they receive or any type of feedback

02:03.598 --> 02:02.769
they're getting from their mission

02:02.769 --> 02:04.825
partner . The . The Team has certain

02:04.825 --> 02:07.047
tasks that they need to complete at the

02:07.047 --> 02:09.213
same time , the blue team is trying to

02:09.213 --> 02:11.269
detect that . They're going to be on

02:11.269 --> 02:13.491
alert 24/7 monitoring the system or the

02:13.491 --> 02:15.491
terrain that they've been tasked to

02:15.491 --> 02:17.547
defend . It could start off really ,

02:17.547 --> 02:19.713
really hectic at the very beginning or

02:19.713 --> 02:19.184
it could start off very smooth and

02:19.184 --> 02:21.184
gradually ramp up . They need to be

02:21.184 --> 02:23.240
very dynamic . They need to be fluid

02:23.240 --> 02:25.184
and be ready for all things at all

02:25.184 --> 02:27.406
times . This is somebody else's network

02:27.406 --> 02:29.628
that they're getting on , and there has

02:29.628 --> 02:31.740
to be somebody that that has like the

02:31.740 --> 02:33.851
vested interest in that network . But

02:33.851 --> 02:36.073
we also need to have that human feeling

02:36.073 --> 02:38.240
about , hey , I don't really trust you

02:38.240 --> 02:40.462
yet . You have to earn my trust . As if

02:40.462 --> 02:42.628
they were really responding to a cyber

02:42.628 --> 02:44.851
incident , falling in on a network that

02:44.851 --> 02:46.962
does not belong to them . People have

02:46.962 --> 02:48.851
different agendas , and you don't

02:48.851 --> 02:51.073
always know what those agendas are when

02:51.073 --> 02:53.017
you walk in . It might have been a

02:53.017 --> 02:52.899
cyber incident that was caused by that

02:52.899 --> 02:55.010
person . You don't know when you walk

02:55.010 --> 02:57.066
in , and they're trying to hide that

02:57.066 --> 02:59.288
fact . During CyberShield , it gives us

02:59.288 --> 02:59.089
the opportunity to focus on training .

02:59.440 --> 03:01.718
And it also allows us to make mistakes .

03:01.718 --> 03:03.884
It's a training environment , so if we

03:03.884 --> 03:06.107
do make mistakes , we learn from them .

03:06.107 --> 03:08.329
They're learning how to deal with those

03:08.329 --> 03:10.218
little human problems of are they

03:10.218 --> 03:12.218
giving me all the information ? Are

03:12.218 --> 03:14.496
they not giving me all the information .

03:14.496 --> 03:13.830
It's better to make mistakes in a

03:13.830 --> 03:15.997
training environment than it is on the

03:15.997 --> 03:18.108
field . Sometimes working with humans

03:18.108 --> 03:20.419
is the one unknown . What happens after

03:20.419 --> 03:22.641
CyberShield ? We wait patiently for the

03:22.641 --> 03:24.752
assessments . The first year was very

03:24.752 --> 03:26.697
difficult , just like you're going

03:26.697 --> 03:28.697
through that teaming stages where

03:28.697 --> 03:28.067
you're going through the forming and

03:28.067 --> 03:30.067
storming , it was very difficult to

03:30.067 --> 03:32.234
figure out where everybody's strengths

03:32.234 --> 03:34.234
and weaknesses were at . They get a

03:34.234 --> 03:36.345
report from the tool that we use that

03:36.345 --> 03:38.567
has all the micro assessments that were

03:38.567 --> 03:38.468
made by the assessors throughout the

03:38.468 --> 03:40.690
entire exercise , not only evaluation ,

03:40.690 --> 03:42.746
but comments from the assessor about

03:42.746 --> 03:44.968
why they are evaluated that way . Every

03:44.968 --> 03:44.947
day we're going in because we really

03:44.947 --> 03:48.147
want to see um how we uh ranked , how

03:48.147 --> 03:50.738
we scored , uh see where we can improve .

03:50.748 --> 03:53.417
We have seen multiple people come back .

03:53.595 --> 03:56.216
Over a year to CyberShield that started

03:56.216 --> 03:58.416
out as basic cyber operators with very

03:58.416 --> 04:00.626
little experience . They were very

04:00.626 --> 04:02.848
junior and over the years not only have

04:02.848 --> 04:05.106
they come back and built on that

04:05.106 --> 04:06.995
training and experience , but now

04:06.995 --> 04:09.217
they're they're staff members . We look

04:09.217 --> 04:11.328
at those results and we come back the

04:11.328 --> 04:10.945
next year and we make sure that we

04:10.945 --> 04:14.145
refined our SOPs or our techniques to

04:14.145 --> 04:16.312
ensure that whatever we had missed the

04:16.312 --> 04:18.367
year prior that we capture that . We

04:18.367 --> 04:20.534
take those skills that we learned here

04:20.534 --> 04:20.246
and apply them , but then we take those .

04:20.824 --> 04:22.935
that we get and we bring them back to

04:22.935 --> 04:25.102
CyberShield , so it's kind of like an OODA

04:25.102 --> 04:24.984
loop or an evolving process where we're

04:24.984 --> 04:27.206
able to take those those lessons on and

04:27.206 --> 04:29.095
keep applying them so that we can

04:29.095 --> 04:31.262
refine our processes and become better

04:31.262 --> 04:30.623
and better every year . I think this

04:30.623 --> 04:32.790
year we'll we'll do a lot better . I'm

04:32.790 --> 04:34.956
hoping because we're taking those past

04:34.956 --> 04:34.743
results and we're like , yeah , these

04:34.743 --> 04:36.854
are the things I love the mission . I

04:36.854 --> 04:39.933
love the exercise and I really do see

04:39.933 --> 04:42.354
the difference that it's making

04:42.664 --> 04:45.433
training our cyber teams across the

04:45.433 --> 04:48.342
nation technology , the people . The

04:48.342 --> 04:50.582
structure used to be just Army . Now

04:50.582 --> 04:52.932
we're an Army and Air and Navy . The

04:52.932 --> 04:55.099
joint environment that we operate in ,

04:55.099 --> 04:57.043
you don't really see that anywhere

04:57.043 --> 04:59.265
where you're able to not only work with

04:59.265 --> 04:58.342
Army and Air Force , but we're also

04:58.342 --> 05:00.620
allowed to work with other departments .

05:00.620 --> 05:02.453
We have Navy , we have different

05:02.453 --> 05:04.620
organizations here from the Department

05:04.620 --> 05:04.221
of Defense or government agencies that

05:04.221 --> 05:06.443
are participating in CyberShield , which

05:06.443 --> 05:08.665
is a great thing you won't get anywhere

05:08.665 --> 05:08.111
else , whether it be government sector ,

05:08.582 --> 05:11.421
universities , public , private , cyber

05:11.421 --> 05:13.582
is a huge problem , and we're all

05:13.582 --> 05:15.804
trying to solve the same problem , so

05:15.804 --> 05:17.804
why not come together every year we

05:17.804 --> 05:19.915
look forward to it every year we want

05:19.915 --> 05:22.026
to come back stronger . Participating

05:22.026 --> 05:24.082
in CyberShield will prepare a lot of

05:24.082 --> 05:26.138
the states and organizations against

05:26.138 --> 05:28.082
any type of real cyber threat that

05:28.082 --> 05:30.660
could be out there threat hunt or find

05:30.660 --> 05:34.019
vulnerabilities or make intel-based

05:34.019 --> 05:36.186
decisions . It's really important that

05:36.380 --> 05:39.100
we understand how to defend critical

05:39.100 --> 05:40.989
infrastructure , not just our own

05:40.989 --> 05:43.211
networks , but also our networks of our

05:43.211 --> 05:44.989
mission partners . I think just

05:44.989 --> 05:47.377
building those relationships is key to

05:47.377 --> 05:49.488
being able to secure the state on the

05:49.488 --> 05:51.433
DODIN side , but also being able to

05:51.433 --> 05:53.155
build out a program that works

05:53.257 --> 05:55.146
specifically in your state . With

05:55.146 --> 05:57.090
CyberShield's evolution going from

05:57.097 --> 05:59.417
defending just our regular .mil

05:59.417 --> 06:01.778
military networks to all this

06:01.778 --> 06:03.667
operational technology , emerging

06:03.667 --> 06:06.138
technologies , now we can be better

06:06.138 --> 06:07.582
defenders of our critical

06:07.582 --> 06:09.880
infrastructure partners . Gives that

06:09.880 --> 06:13.109
exposure to to real world events , um ,

06:13.200 --> 06:15.760
real world malicious attacks that help

06:15.760 --> 06:17.871
us train the state government and the

06:17.871 --> 06:19.982
local governments in North Carolina .

06:19.982 --> 06:21.871
We've been able to take all those

06:21.871 --> 06:24.038
lessons learned and apply them in real

06:24.038 --> 06:26.093
world . It really has shaped the way

06:26.093 --> 06:28.720
that Pennsylvania's cyber has , you

06:28.720 --> 06:31.399
know , become really what it is . We

06:31.399 --> 06:33.799
have been put on state active duty to

06:33.799 --> 06:35.920
respond to ransomware attacks . If we

06:35.920 --> 06:38.000
didn't have the training that we got

06:38.000 --> 06:40.559
here , then I don't think we would have

06:40.559 --> 06:43.239
been ready to go out and respond to

06:43.239 --> 06:45.406
those types of incidents . It is not a

06:45.406 --> 06:47.517
might want to have . It's a must have

06:47.839 --> 06:49.959
to build our cyber workforce and

06:49.959 --> 06:52.239
maintain multi-domain operations

06:52.239 --> 06:53.239
successfully .

07:07.109 --> 07:09.331
Perfect . Do you have anything to add ?

07:10.390 --> 07:13.980
CyberShield rules . Yeah ,

07:15.239 --> 07:15.829
that's it .

