Sandia LabNews

Sandia cyber specialists are turning purple, and that’s a good thing

Image of cyberforce
FRIENDLY COMPETITION — A team of experts from Argonne National Laboratory lead student competitors through challenges in St. Charles, Illinois, at the 2022 DOE CyberForce Competition. (Photo courtesy of Argonne National Laboratory)

It’s often said there’s nothing like a little friendly competition to bring out the best in people. In recent years, DOE has been emphasizing the friendly part at its annual undergraduate cybersecurity competition CyberForce. The event is increasingly incorporating a relatively new, cooperative concept in cybersecurity called purple teaming, reflecting a shift in how national laboratories and industry are approaching cyber defense.

CyberForce, hosted by Argonne National Laboratory, began in 2016 with eight college teams. Following a conventional training format, students formed what are called blue teams, scoring points for mounting successful defenses against cyberattacks from a red team composed of volunteer ethical hackers from national laboratories and private industry.

“We’re trying to give them a really quick crash course in infrastructure,” specifically in the energy sector and how defenders think through threats, said Amanda Theel, CyberForce program director with Argonne National Laboratory during a webinar in September.

The event serves a broader purpose too, seeking to build up a workforce to fill a huge shortfall in cybersecurity specialists.

“The number is still right around half a million open cybersecurity positions within the United States alone. And so that number, if we’re ever going to try to reduce that gap, we really need to start thinking through how to get better and more qualified candidates,” Theel said.

Sandia’s Kevin Nauer said, “Recruiting, training and retaining cybersecurity professionals really is a matter of national security and a challenge that Sandia has been attempting to address with programs like Tracer FIRE and CyberForce.”

Tracer FIRE is an educational program focused on developing and training students in cyber incident response, Kevin said. Sandia develops threat scenarios that emulate real-world attacks, then lets students at universities practice detecting and investigating the events in a simulated environment, with coaching from Sandia staff.

CyberForce has rapidly expanded since its inception, ballooning to 118 teams for the 2022 competition, which took place as a hybrid event in November, with many teams that participated remotely and others physically gathered in St. Charles, Illinois.

Its traditional, competitive red-blue dichotomy has long helped other organizations identify system vulnerabilities and train staff. As the DOE competition was growing, however, some people noticed the format was failing some of their students because red teams had vastly more experience than the blue teams.

“Earlier iterations of CyberForce competitions, and other competitions that are very similar, unfortunately ended up where just the red team is kind of beating up on the students, the defenders. And then the question is: What’s the value there? What’s the takeaway?” said Sandia’s Kandy Phan, a red team lead during the 2022 competition.

To improve the educational experience for the students, Kandy said, the program made a dramatic change.

They added a chat box.

In 2019, the competition implemented a new rule that made the red team responsible for scoring a blue team’s knowledge of what was happening. Organizers created a chat box — called the score chat — so the red team could probe their blue team’s understanding with questions.

The change was introducing to the competition the concept of purple teaming, a practice that was already appearing in industry.

“Everyone has their own definitions of these things, but ‘purple teaming’ is a result of collaboration and discussion after a red team engagement with a blue team,” said Cam Stark, a member of Sandia’s CyberForce red team. “The attacks from the red team are a test of the blue team’s capability to defend against attacks and discover persistence or exfiltration mechanisms. A deliberate purple team exercise is an in-depth interaction that explores the process the red team took and seeks to improve blue team’s response.”

Kandy said the addition of the score chat and the new scoring rule triggered a major shift in the attitudes of red teamers.

“What I found really interesting was that usually red teamers have a very adversarial mindset, and they just kind of see the defenders as the enemy that they have to defeat. But with the score chat, they kind of reenvisioned their role.”

Image of cyberforce2
HAPPY TO BE HACKED — Students from Lewis University defend an emulated solar facility on their laptops from national lab employees posing as hackers at CyberForce. (Photo courtesy of Argonne National Laboratory)

The new rule, Kandy said, forced the red team to think about what the blue team knew and how they were performing. With the chat box, feedback began flowing back and forth throughout the competition, something Kandy called a big achievement.

For some people, it also lightened the mood. Cam said his blue teams have fun sending him memes.

This was Cam’s third year as a CyberForce red teamer. He said purple teaming doesn’t just make the competition more enjoyable; it can make cybersecurity better, too.

“It requires that both the red and blue team focus on improving our defenses and not on ‘winning’ by red getting in or blue keeping them out,” Cam said. “If both teams can check their ego at the door and engage on a technical level, then our information security can be improved to its highest level.”

Jacob Valencia, a graduate student at New Mexico Tech and a Sandia intern who also was involved in CyberForce, said, “In this industry, you’ll never know everything, and ideas are constantly changing, so allowing for such a collaboration really expands the horizons of safety and security in cybersecurity.”

The 2022 event was purpler than ever, expanding red-blue communication beyond basic knowledge checks to include more deliberate instruction. Red teams also launched duplicate attacks so blue teams could practice responding to suspicious activity they missed the first time.

“This year in particular emphasized that the blue team should be walked through what red did so that they can understand what they could have done had they been looking in the right places,” Cam said.

“The blue team is getting better as the day goes along, and now they can take that back into the industry at large. This is how we really improve the defenders, actually helping them and trying to communicate with them instead of just competing against them and trying to beat them,” Kandy said.

Recent articles by Troy Rummler