In 2024, the Cybersecurity Infrastructure and Safety Company (CISA) recognized the necessity to develop a sequence of Skilling Continuation Labs to assist the federal workforce enhance operational cybersecurity in vulnerability administration, protection structure, and incident detection and response. The trouble would assist the Federal Civilian Government Department (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan and moreover present cyber operators with an atmosphere the place they will carry out rehearsals with safety instruments, methods, and configurations in accordance with CISA steerage, greatest practices, and publicly out there toolsets.
This submit particulars how the SEI Cyber Mission Readiness Staff (CMR), in partnership with CISA, developed a sequence of Skilling Continuation Labs (SCLs) to supply present, related, and distinctive hands-on immersive coaching to upskill the federal cybersecurity workforce.
Upskilling the Federal Workforce
Federal cybersecurity professionals face a novel set of threats, dangers, necessities, and rules. To handle this want, the SEI leveraged its expertise with cybersecurity greatest practices, federal authorities steerage, and workforce growth to ship partaking, specialised coaching for federal cybersecurity professionals.
CISA hosts the Federal Cyber Protection Skilling Academy to supply the federal workforce with fundamental information in key areas of cybersecurity similar to incident response, vulnerability evaluation, and defensive cybersecurity. Every pathway affords extra coaching to present federal IT and cybersecurity professionals but in addition supplies avenues for non-IT professionals to interrupt into the federal cybersecurity workforce. With this newest effort, SEI researchers wished to supply the subsequent degree of hands-on immersive coaching to upskill academy graduates as they proceed their transition into extra superior cybersecurity positions.
Studying By Immersive Methods
Immersive coaching supplies an interesting and relatable expertise for customers to achieve and apply making use of new lesson ideas. Not like conventional classroom and passive training fashions (e.g., lectures or autonomous video), immersive scenario-based content material supplies an atmosphere the place learners have a well-recognized context to raised purchase information and abilities.
Strengthening and rising the skillsets of cyber operators is essential for workforce capability constructing. As indicated within the SEI truth sheet, Method to Skilling the Cyber Workforce, deliberate apply and comprehension validation by means of immersive, hands-on content material is an efficient means for constructing important capabilities. This rehearsal for real-world operations and problem-solving permits defenders to enhance skillsets and strengthens total mission readiness.
Purchase, Apply, Affirm: The Catalyst for Skilling Continuation Labs
The place the army coaching mannequin has coined the phrase crawl, stroll, run, that method doesn’t lend itself to upskilling those that have already got foundational, novice-level abilities (i.e., already strolling). The SEI developed a broader upskilling philosophy of purchase, apply, affirm, a development designed for professionals who already possess foundational abilities and want structured alternatives to enhance these abilities or to be taught new ones. Our analysis workforce wished to develop topic-focused, hands-on, guided labs with assessments to take customers by means of the phases of buying, making use of, and affirming the lesson’s abilities.
CISA initially highlighted abilities hole areas similar to malware outbreaks, DNS safety options and techniques, proactive defensive methods, and fundamental safety practices, with additional subjects recognized all through the undertaking. Slightly than merely reteach generally addressed cybersecurity fundamentals, every SCL targeted on rising threats, related/current federal steerage, and cybersecurity traits tied on to FOCAL Plan targets. Every SEI-developed skilling continuation lab is “created for cyber professionals with some IT/cyber expertise who fall into the upper-beginner to lower-intermediate cyber ability vary … these labs will present a continuation of abilities for the cyber skilled.”
Throughout the year-long growth cycle, the SEI constructed 19 skilling continuation labs based mostly on subjects chosen in collaboration with our CISA mission companions. A fast have a look at three of the skilling continuation labs follows:
- DNS and Title-based Safety Resolution and Quick Flux Assaults and Defensive Measures – These labs reviewed DNS fundamentals whereas additionally introducing the idea of DNS sink holing, blocklist/allowlists, and highlighting how DNS can be utilized to avoid conventional blocking strategies in quick flux assaults similar to IP-based firewall guidelines.
- Community Segmentation with ICS/HMI and Introduction to SCADA Utilizing Modbus and BACnet – This set of labs introduces the learner to industrial controls programs, their site visitors varieties, and methods to implement community segmentation and entry management greatest practices.
- XZ Utils: A Case Examine of Provide Chain Belief – This set of labs offered learners a deep dive on the 2024 XZ Utils vulnerability whereas introducing the idea of Software program Invoice of Supplies (SBOMs) to evaluation open-source software program for vulnerabilities and improve the security of software program provide chains.
Along with the three labs detailed above, the record of labs, that are printed on CISA’s Observe Space, and accessible to all federal civilians and Division of Battle (DoW) personnel, consists of the next:
- Automated Defenses
- Detection Guidelines in Logging Made Straightforward
- Quick Flux Assaults and Defensive Measures
- Hardening Kubernetes: Pod Safety
- Incident Response with Velociraptor
- Introduction to SCADA Utilizing Modbus and BACnet
- Residing Off the Land Assaults
- Log Managements with Logging Made Straightforward
- Phishing Mitigation with MFA
- Safe Programming
- Safe Programming with Rust
- Safe Programming: Dependency Provide Chain Assaults
- Weaponized Archive Recordsdata: Extract at Your Personal Threat
- Weaponized .svg Recordsdata: The Hidden Risk in Vector Graphics
- Net Software Penetration Testing with Brute Drive Assaults
- Net Software Penetration Testing with Cross Web site Scripting
Extra artifacts are printed to CISA’s prescup-challenges/skilling-continuation-labs GitHub repository.
The SCL additionally included and promoted CISA instruments like Logging Made Straightforward and Protecting Area Title System (DNS) Resolver, launched proactive defensive measures similar to utilizing Endpoint Detection and Response simulation instruments to detect ransomware, and offered customers with environments to witness the consequences of vulnerability exploitation, net utility assaults, phishing assaults, and analyze weaponized file varieties.
What Makes the SCL Distinctive
The determine beneath illustrates the main target of SCLs on current traits, threats and advisories, CISA-promoted instruments, and the newest federal steerage.
Determine 1: Instance of a lab introduction highlighting related CISA steerage and assets
Tied to the FOCAL Plan and NICE Workforce Framework for Cybersecurity (NICE Framework), every lab supplies standalone and strategically aligned coaching in a practical digital community atmosphere that simulates real-world networks and supplies entry to dwell working programs and instruments. The adherence to open-source instruments and applied sciences implies that others can replicate the methods outlined inside every lab with zero obstacles and without charge.
Determine 2: Instance community diagram exhibiting inside and exterior programs
The Skilling Continuation Labs differ from conventional virtualized instructing labs in the way in which they assess and problem the learner. Every lab features a Expertise Hub as an authoritative server to trace and assess the learner’s progress, present in-game recordsdata and artifacts, and insert randomness into the atmosphere. As a substitute of merely offering step-by-step duties or asking questions, the Expertise Hub affords builders the flexibility to question the state of the atmosphere to gauge progress and the profitable completion of lab duties by means of Python-based grading scripts. The Expertise Hub tracks and regularly reviews the present state of the lab again to the learner by means of an in-lab webpage.
Determine 3: Instance: how the Expertise Hub tracks and shows a learner’s progress
Native scripts enable builders to dynamically generate actions, community site visitors, and generate recordsdata for evaluation. For instance, filenames, IP addresses, usernames and passwords, and extra may be randomized to create entropy throughout the atmosphere in order that no two situations are fully equivalent. The dynamic nature provides replayability to the coaching.
Moreover, as proven in Determine 4, lots of the labs embrace a mini-challenge that requires learners to use the talents discovered within the lab to a brand new drawback with minimal steerage, permitting them to affirm their readiness and understanding of the subject at hand.
Determine 4: Instance mini-challenge job and desired end result
Future Work in Growing Coaching for the Federal Cybersecurity Workforce
The SEI’s Cyber Mission Readiness workforce regularly strives to enhance its immersive coaching growth and supply processes. After each undertaking, builders focus on what enhancements must be made to assist future tasks. Following our work on the SCL undertaking, the SEI Cyber Mission Readiness workforce really helpful the next enhancements:
• Expertise Pathways. The CMR workforce is at present within the means of including abilities pathways to the SEI’s Crucible platform to assist roadmaps of content material and improve a learner’s ability degree in particular areas of cybersecurity or in sure cybersecurity roles. Including abilities pathways would stroll learners by means of a development of things of accelerating problem, from guided lab walkthroughs to unguided challenges, permitting them to advance in direction of abilities mastery.
• Bookmarking Session Standing. Presently, a learner should full a lab in a single session. Whereas utilizing lab phases permits learners to sort out duties in segments, learners should restart the lab and repeat work they’d beforehand achieved if their work didn’t full your complete session. With extra growth time, labs that require sequential phases could possibly be scripted to stage the atmosphere to the ultimate state of the best section accomplished by the learner. Labs with sequential or remoted phases would retailer a learner’s progress so they might not have to repeat beforehand accomplished evaluation gadgets.
• Help Chat Agent. Instruments for on-demand learner-initiated assist and steerage may assist learners when they’re caught. Leveraging logs and enormous language fashions (LLMs), the CRM directorate may create a chat agent able to answering consumer questions and offering steerage and hints.
• Self-Configured Surroundings. An atmosphere that learners can configure for performing cyber abilities coaching would enable the learner to pick from an inventory of abilities to apply, whereas the atmosphere that helps these abilities is deployed robotically. Expertise-based injects and actions could possibly be utilized to the atmosphere, and supporting situation documentation could possibly be generated with LLM help.