Locked Shields 2024: Supporting the Irish NCSC team in NATO’s cyber defence exercise

Published 21 June 2024
Read about our cyber team’s contribution to this year’s NATO-run Locked Shields exercise in Estonia

Every year, the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) runs Locked Shields, the world’s most advanced cyber defence exercise, designed to help nations strengthen their defences against sophisticated cyber threats.

The event brings together experts in cyber security, digital forensics, legal affairs, strategic communication and more from 40+ nations in a demonstration of the power of cooperation to enhance collective cyber security. It’s a huge task to organise and CCDCOE puts plenty of thought and planning into this flagship multi-national exercise – from designing a realistic scenario, to building the environments in the cyber range and organising the participant teams.

This military cyber exercise puts Blue Teams, acting as rapid reaction units, to the test as they defend a fictional state from complex cyber-attacks planned by Red Teams acting as the aggressor. Simulating intense crisis conditions, the teams apply national strategies and collaborate closely with international allies to forge effective responses.

Locking horns

This year, we were invited to support and participate alongside Ireland’s representatives – partnered for this exercise with South Korea – through our close relationship with the Irish National Cyber Security Centre.

Our contribution focused on the Digital Forensics and Incident Response (DFIR) and Cyber Threat Intelligence (CTI) components, with our in-house experts assisting the Irish and South Korean team. The DFIR team participated in a ‘capture the flag’ style exercise that included a live-environment ransomware scenario. The team was tasked with analysing approximately 140 GB of forensic evidence – simulating real cyber-attacks on a large virtual set of networks representing a country’s critical national infrastructure – to uncover the answers to a series of questions. This involved carrying out initial assessment and triage of systems data and logs, then putting the data through various tools to pinpoint indicators of stolen data and/or dropped malicious files.

The questions were themed around several areas including Linux and Windows forensics and malware reverse engineering, so we employed a range of practices to support our Irish and South Korean colleagues and uncover accurate answers.

On the other side of the room, the CTI team’s main objective was to provide situational awareness of the threat landscape by delivering intelligence reporting to the rest of the team focused on actionable, timely and relevant information – i.e. IoCs that they could put to use straight away. This was particularly difficult with so much activity in such a short time-frame, so we were challenged to provide concise summaries and recommend remediation action regularly, updating our picture as the scenario evolved.

Throughout the exercise, we brought specific skills and expertise (e.g. reverse engineering and malware analysis) that complemented those within the Irish contingent and built deeper relationships with Ireland’s NCSC team – which is part of the intention of exercises like Locked Shields.

Key takeaways

Events such as Locked Shields that simulate real-world incidents and provide experience of reacting to a cyber-attack offer significant value. They give teams a chance to test their abilities and see what they’re capable of in a safe environment, effectively providing a ‘dry run’ for the real thing.

There are plenty of recent examples of critical systems being impacted by cyber-attacks – such as those targeting Ukrainian energy suppliers – so it’s important for us, as an organisation and as a wider ecosystem, to regularly assess our responses, generating insights into the actions that were taken and taking the time to understand the wider implications through a national security lens.

These exercises also support and encourage international cross-stakeholder collaboration – both between national governments and across industry and government. It was a great opportunity for us as industry experts to spend time working alongside our government partners. Providing visibility into the tools and workflows being used across the industry, sharing ideas to improve incident response processes, and fostering a teamwork mindset across the public and private sectors are all vital in enabling collective cyber defence.

Tim Wilton, Principal Security Consultant, and Max Pilgrim, Cyber Security Consultant

BAE Systems Digital Intelligence