The second iteration of Crossed Swords 2020 differed greatly from all previous iterations, not only in the scope and complexity of the exercise but also in being the first exercise organized by CCDCOE to be held remotely. Despite travel restrictions, over 300 virtual machines were deployed for the exercise alongside 74 technical offensive cyber operations experts and members of Cyber Commands from 20 different countries.
Crossed Swords 2020/II, the 7th iteration overall and the 1st online iteration of the technical red teaming cyber defence exercise, was organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) and led from Cyber Range 14 in Tallinn, Estonia. The exercise brought together nearly 120 technical experts, members of the Cyber Command of the Estonian Defence Forces, Military Police units, and special operators. One of the focuses of the exercise was to advance offensive technical skills in the fields of network, web, and client-side attacks, to develop computer forensics capabilities, and to coordinate actions between the technical teams, cyber command, special operators, and military police, with the goal of preventing, detecting, mitigating, and responding to full-scale cyber-hybrid operations.
During the exercise, the teams had to complete diverse tasks in different phases based on the operational order from the Cyber Command. In the recce phase, the teams that fulfilled the role of a cyber task force received an order from the Cyber Command to identify and prioritize the enemy’s attack vectors and targets. The objective in the second phase was to establish persistence in the enemy systems, and the goal of the final impact phase was to cause as much disruption in the enemy systems as possible. At the same time, the special operators and military police were engaged in different tasks preventing the success of several kinetic operations, including challenges to industrial control systems. As a novel element of this iteration, cooperation between the military police and the cyber forensics team was added to the exercise: the military police collected evidence to help the forensics team retrieve relevant intel about the enemy.
“Crossed Swords is an exercise focusing on offensive cyber operations that is designed to train the specialist to successfully conduct cyber operations. The goal of the exercise is to practice and try out and experiment in a field that is highly relevant in today’s world. How do technical teams and technical tasks interact with each other, how do they take advantage of different tools and processes to achieve their goals, and how do technical people align with the people who in their daily tasks are involved in military decision making but do not always have technical backgrounds,” said Carry Kangur, Head of Cyber Exercises at NATO CCDCOE. “This year the training audience was split evenly between technical teams and Cyber Command focusing only on one target audience group with the goal of reaching a successful cyber operation where both the Cyber Command and technical teams had to contribute towards success. In addition to the technical teams and Cyber Command, the exercise also included special operators and a military police unit. One of the goals of the exercise was also to practice the collaboration between military police and the computer forensics team – the military police had a goal to obtain the physical devices and deliver them to the forensics team, who in turn obtained and delivered the information from the physical devices to the cyber command for effective decision making.”
“The goal for the Cyber Command at Crossed Swords 2020/II is to detect cyber targets, create cyber situational awareness and to produce operational orders for tactical units. One of our main ambitions is to test out and to develop further an information system that can be effectively used for planning and fulfilling cyber operations. We have already received a lot of valuable feedback to improve our information system. There are unfortunately no standards or frameworks for how to conduct cyber operations but at this time, after we started developing the capabilities 8 years ago, we already have a clear vision of how to move forward,” said Maj Marko Arik, the commander for the Cyber Command HQ during the exercise. “It is also very noteworthy that our cyber command consists of cyber experts who have long-term experience in the field of cyber defence and most of them are also highly educated cybersecurity graduates.”
The exercise was organized jointly by the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCDCOE), in partnership with Estonian Defence Forces, the Cyber Command and Cyber Lab of the EDF, CERT.LV, TalTech, the High Tech Crime Institute, NCIS Cyber Division, NSHQ, SpaceIT, Stamus Networks, Greycortex and Clarified Security. NATO CCDCOE is a NATO-accredited knowledge hub, research institution, and training and exercise facility. The Tallinn-based international military organisation focuses on interdisciplinary applied research, as well as consultations, training and exercises in the field of cyber security.