Aggressors train cyber defenders to think, react, and adapt in Red Flag

  • By Airman 1st Class Dwane R. Young
  • 57th Wing PA

For the last three weeks, eyes turned to the sky as aircraft took off and landed amidst the complex, non-stop motion of the joint large force employment exercise, Red Flag 20-1. However, inside the Combined Air Operations Center (CAOC), the nerve center of the air campaign, a critical fight took place. Blue Cyber Forces heightened security as Red Aggressor Forces attacked the CAOC, attempting to sabotage the mission and steal intelligence.

Representing the Red Forces are Airmen from the 57th Information Aggressor Squadron (57th IAS), U.S. Sailors, Soldiers and Marines as well as the United Kingdom’s Royal Air Force and the Royal Australian Air Force.

“For this Red Flag, we have a really diverse team – a coalition we developed for the Red team,” said Squadron Leader Gregory Atkinson, a Royal Australian Air Force officer assigned as an exchange officer to the 57th IAS, serving as chief of training. “This allows us to think outside the box and will provide better training for the Blue team, bringing bigger and better ideas to the table for this exercise.”

The mission of Information Aggressors is to know, teach and replicate. Cyber Aggressors are required to understand adversarial threat capabilities, possess the ability to explain the threat to the Blue Forces, and then replicate the threat to practice defense strategies.

“Our mission is to represent APTs, or advanced persistent threats around the world,” said 1st Lt. Nathan Grafton, 57th IAS deputy flight commander team chief. “We try to start off slow with a low-grade threat. We then ramp up our tactics to represent what we call a near peer threat to the cyber forces inside the building, so they can learn how to actually defend a network that has been compromised.”

Typically, Blue Forces are accustomed to protecting secured networks from cyber intruders. Red Flag exercises drive Blue Forces to react to live near-peer threats from Red Forces at real-world speeds.

“Near peer threats force the blue team to not only think, but to react,” said Grafton. “We are trying to steal their information, take key players out of the game, make it so the tools they use don’t work anymore. They have to figure out how to get their mission plans and carry out the fight while someone is trying to shut down their computers and modes of communication.”

Communication is key as the teams work to complete objectives, maximizing the learning experience. Blue and Red leaders communicate constantly so that the aggression of the Red Forces matches the progress of the Blue Forces.

“We want to get the most out of the three weeks, so we establish learning objectives with the team leads and then adjust accordingly,” said Grafton. “If the team is struggling with a technique I’m using, I’ll keep using that technique until they learn it, defend against it, and then I’ll move on to the next one. If it’s too easy, then we ramp it up to the next level.”

Red Flag prepares U.S. and coalition forces for future conflicts by providing opportunities for real-world thinking, adapting and reacting, said Atkinson.

“This isn’t a simulated threat,” said Atkinson. “There is no script. This is a living, breathing adversary, so instead of thinking, it now forces you to react. This is what the training and the repetition is all about. Instead of trying to figure out the next best move, you know, you’ve already trained it many, many times over, so you just do. You just react mentally.”

The collaboration of Red and Blue Forces is more than an exercise. Red Flag is an opportunity to strengthen alliances and train for the next big threat as a team.

“Red Flag brings a large diversity of people together, which brings a larger number of ideas together,” said Atkinson. “That’s the beauty of a coalition.”