ORNL hosts iJC3-sponsored Cyber Inferno

For Oak Ridge National Laboratory (ORNL), cybersecurity is a top priority. There’s no shortage of bad actors that would love to get their hands on the data produced at one of the world’s foremost research institutions.

In an effort to further enhance the cybersecurity of the laboratory and the wider US Department of Energy (DOE) complex, in November of 2016 ORNL hosted Cyber Inferno, a cybersecurity event sponsored by the DOE’s Integrated Joint Cybersecurity Coordination Center (iJC3) that allowed responders from various sites to test their skills and apply their knowledge to resolve a real-life cybersecurity incident.

Los Alamos National Laboratory facilitated the event, presenting the 25 technical professionals who attended with a scenario that actually affected DOE headquarters in 2013. Participants were separated into three teams, each including people of varying skill levels to provide mentoring opportunities.

Teams learned of an initial incident trigger and then dug to find information about what occurred during the cybersecurity incident. The three teams—network archaeology, malware analysis, and host forensics—approached data from different perspectives to determine what transpired. Each day of the event concluded with a mock outbrief led by that day’s incident commander to summarize the day’s findings and next steps.

Amy Nuckols, cybersecurity manager at ORNL and the host and an observer of the event, said the exercise was designed to be practical so that responders could apply their skills and knowledge to resolve an incident based on a real-life scenario with real data. Nuckols added that exercise facilitators were pleased with the attendees’ work, attributing their success to their teamwork and sense of urgency.

“Cyber Inferno is really similar to what the lab does when we have a physical security exercise except it’s on cybersecurity incidents,” Nuckols said. “It features real-life incidents because it’s helpful to see what can really happen.”

Because cybersecurity incidents involve breaches of information, Nuckols said these kinds of exercises are important for improvements to intrusion protection on ORNL’s network. The iJC3 Cyber Inferno events allow technical professionals to hone their skills while ensuring the reliability of incident response plans and improving information sharing across the DOE.

“We’re always trying to stay ahead of this threat,” said Nuckols. “Just like researchers are always trying to learn about their domains, we are always trying to increase our knowledge of the constantly changing threat landscape. We want to be a partner and better anticipate threats so that they minimize disruption to our science and our research.”