JOINT BASE LANGLEY-EUSTIS, Virginia –
Cyber Valhalla is an entirely unclassified cyber training event built and maintained by Vikings (341st Cyberspace Operations Squadron), for Vikings, to test their might against the tricks and traps that the fictional “Eruasian adversary” brings to bear, while working with and learning from each other across work roles and organizations.
It encompasses a tactically relevant [still new] scenario that provides the most realistic and holistic operationally focused training currently available to cyber Airmen. Cyber Valhalla began in 2019 to familiarize 341st Cyberspace Operations Squadron Airmen with intelligence and cyber methods and processes prior to attending required USCYBERCOM work role training, resulting in increased pass-rates and better preparing Airmen for their operational roles.
The exercise has expanded the training audience to include the 341st COS’ sister squadron, the 315th COS, as well as the 70th Operations Support Squadron and various TFI partners, including the 512th Intelligence Squadron (Air Force Reserve), 175 COS (Air National Guard), and other 67th Cyberspace Wing entities, in order to proliferate the training value of the exercise to meet the Sixteenth Air Force Commander’s intent for a ready and lethal cyber force.
This past summer, Cyber Valhalla’s reach extended to the Airmen of the 363d Intelligence, Surveillance, and Reconnaissance Wing at Joint Base Langley-Eustis, specifically the 36th Intelligence Squadron, from Aug. 21–23, 2023.
In the context of cybersecurity, “Cyber Valhalla” can be seen as a metaphor for the idea that those who defend computer networks and systems from cyber-attacks are engaged in a kind of modern-day warfare. The term can also refer to the notion that these defenders, who often work behind the scenes and may not receive public recognition for their efforts, should be honored for their contributions to society.
HOW DOES IT WORK
- The teams participating in the exercise are presented with an intrusion that affects U.S. interests.
- They are then tasked with identifying and neutralizing the ongoing cyber-attack by analyzing the provided intelligence.
- The team must enumerate the adversary’s infrastructure, create an operations plan, gain higher headquarters’ approval, and execute cyber effects to hold the adversary’s infrastructure at risk and eliminate future aggressions.
For the exercise, 36th Intelligence Squadron members were designated into specific roles: All-Source Analyst (ASA), Target Digital Network Analyst (TDNA), Joint Targeting Analyst, Malware Analyst, Operator/Exploitation Analyst (EA), Digital Network Exploitation Analyst (DNEA), and a Mission Commander (MC).
Each day typically began with a morning intel update, with the ASAs presenting a recap of previous days’ activities and a guide for the current-day operations.
According to the course, the TDNA would provide updates about prominent individuals in the environment, while the DNEA/EAs would discuss network maps and planned actions for the morning. At the end of each day, the team would provide higher headquarters an update, outlining the day’s activities and highlighting items of interest for Priority Intelligence Requirements/Commander’s Critical Information Requirements.
“The value of Cyber Valhalla lies in the ability of the participants to work across the aisle with their intel and cyber counterparts, enabling a collaboration that is normally complicated real-world by the geographic separation of the various work centers and Air Force units,” said U.S. Air Force Maj. Courtney Gallagher, 341st COS Director of Operations. “Players also get to experience the cradle-to-grave intel to operations processes in a condensed fast-paced environment, giving them a greater perspective of how everything fits together outside of just their usual piece of the operational puzzle.”
Since 2019, the 341st COS has expanded Cyber Valhalla to include eight different USCYBERCOM work roles, and the underlying cyber range for the scenario has grown to over 100 unique nodes, managed remotely during exercise execution by the 318th Range Squadron in San Antonio, Texas.
The capabilities within the range have also evolved, including things like malicious mail servers and honeypots, and the computer security vulnerabilities that the operators exploit for their cyber effects are current within the last two years.
According to Gallagher, the exercise now includes Malware Analysts who triage the fictional friendly partner networks and remediate any enemy malware found, providing a Defensive Cyber element to the scenario. Finally, the exercise has matured to the point to where the 341st can pick up the scenario and take it on the road as they have shown with bringing it to Langley.
“The exercise here at Langley has been one of our most successful executions to date, owing largely to the high caliber of the Intel Airmen as participants,” Gallagher said. “In real-world cyber operations, Airmen are more experienced with the technical aspects and struggle with incorporating doctrinal intelligence concepts into the cyber sphere. In this iteration we’ve witnessed how experienced Intel Airmen can apply those same concepts to a never-before-seen scenario and successfully execute cyber effects.
“Cyber operations are only one part of the Information Warfare spectrum, and in today’s warfighting environment, where non-kinetic options are valued on-par with traditional kinetic methods, it is crucial to learn to work across the aisle with all of the players to ensure mission success,” Gallagher added.