In 2024, the Cybersecurity Infrastructure and Safety Company (CISA) recognized the necessity to develop a sequence of Skilling Continuation Labs to assist the federal workforce enhance operational cybersecurity in vulnerability administration, protection structure, and incident detection and response. The hassle would help the Federal Civilian Government Department (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan and moreover present cyber operators with an atmosphere the place they will carry out rehearsals with safety instruments, strategies, and configurations in accordance with CISA steerage, finest practices, and publicly out there toolsets.
This submit particulars how the SEI Cyber Mission Readiness Crew (CMR), in partnership with CISA, developed a sequence of Skilling Continuation Labs (SCLs) to supply present, related, and distinctive hands-on immersive coaching to upskill the federal cybersecurity workforce.
Upskilling the Federal Workforce
Federal cybersecurity professionals face a singular set of threats, dangers, necessities, and rules. To handle this want, the SEI leveraged its expertise with cybersecurity finest practices, federal authorities steerage, and workforce improvement to ship partaking, specialised coaching for federal cybersecurity professionals.
CISA hosts the Federal Cyber Protection Skilling Academy to supply the federal workforce with primary data in key areas of cybersecurity comparable to incident response, vulnerability evaluation, and defensive cybersecurity. Every pathway gives further coaching to present federal IT and cybersecurity professionals but in addition supplies avenues for non-IT professionals to interrupt into the federal cybersecurity workforce. With this newest effort, SEI researchers needed to supply the subsequent stage of hands-on immersive coaching to upskill academy graduates as they proceed their transition into extra superior cybersecurity positions.
Studying By Immersive Methods
Immersive coaching supplies an attractive and relatable expertise for customers to realize and apply making use of new lesson ideas. In contrast to conventional classroom and passive schooling fashions (e.g., lectures or autonomous video), immersive scenario-based content material supplies an atmosphere the place learners have a well-recognized context to higher purchase data and expertise.
Strengthening and rising the skillsets of cyber operators is essential for workforce capability constructing. As indicated within the SEI truth sheet, Method to Skilling the Cyber Workforce, deliberate apply and comprehension validation by means of immersive, hands-on content material is an efficient means for constructing crucial capabilities. This rehearsal for real-world operations and problem-solving permits defenders to enhance skillsets and strengthens general mission readiness.
Purchase, Apply, Affirm: The Catalyst for Skilling Continuation Labs
The place the army coaching mannequin has coined the phrase crawl, stroll, run, that method doesn’t lend itself to upskilling those that have already got foundational, novice-level expertise (i.e., already strolling). The SEI developed a broader upskilling philosophy of purchase, apply, affirm, a development designed for professionals who already possess foundational expertise and want structured alternatives to enhance these expertise or to be taught new ones. Our analysis staff needed to develop topic-focused, hands-on, guided labs with assessments to take customers by means of the phases of buying, making use of, and affirming the lesson’s expertise.
CISA initially highlighted expertise hole areas comparable to malware outbreaks, DNS safety options and methods, proactive defensive methods, and primary safety practices, with additional matters recognized all through the venture. Moderately than merely reteach generally addressed cybersecurity fundamentals, every SCL targeted on rising threats, related/latest federal steerage, and cybersecurity traits tied on to FOCAL Plan targets. Every SEI-developed skilling continuation lab is “created for cyber professionals with some IT/cyber expertise who fall into the upper-beginner to lower-intermediate cyber talent vary … these labs will present a continuation of expertise for the cyber skilled.”
Throughout the year-long improvement cycle, the SEI constructed 19 skilling continuation labs based mostly on matters chosen in collaboration with our CISA mission companions. A fast have a look at three of the skilling continuation labs follows:
- DNS and Title-based Safety Answer and Quick Flux Assaults and Defensive Measures – These labs reviewed DNS fundamentals whereas additionally introducing the idea of DNS sink holing, blocklist/allowlists, and highlighting how DNS can be utilized to avoid conventional blocking strategies in quick flux assaults comparable to IP-based firewall guidelines.
- Community Segmentation with ICS/HMI and Introduction to SCADA Utilizing Modbus and BACnet – This set of labs introduces the learner to industrial controls programs, their visitors varieties, and the way to implement community segmentation and entry management finest practices.
- XZ Utils: A Case Examine of Provide Chain Belief – This set of labs offered learners a deep dive on the 2024 XZ Utils vulnerability whereas introducing the idea of Software program Invoice of Supplies (SBOMs) to evaluate open-source software program for vulnerabilities and improve the security of software program provide chains.
Along with the three labs detailed above, the checklist of labs, that are revealed on CISA’s Apply Space, and accessible to all federal civilians and Division of Conflict (DoW) personnel, contains the next:
- Automated Defenses
- Detection Guidelines in Logging Made Simple
- Quick Flux Assaults and Defensive Measures
- Hardening Kubernetes: Pod Safety
- Incident Response with Velociraptor
- Introduction to SCADA Utilizing Modbus and BACnet
- Residing Off the Land Assaults
- Log Managements with Logging Made Simple
- Phishing Mitigation with MFA
- Safe Programming
- Safe Programming with Rust
- Safe Programming: Dependency Provide Chain Assaults
- Weaponized Archive Recordsdata: Extract at Your Personal Threat
- Weaponized .svg Recordsdata: The Hidden Menace in Vector Graphics
- Net Software Penetration Testing with Brute Power Assaults
- Net Software Penetration Testing with Cross Web site Scripting
Extra artifacts are revealed to CISA’s prescup-challenges/skilling-continuation-labs GitHub repository.
The SCL additionally included and promoted CISA instruments like Logging Made Simple and Protecting Area Title System (DNS) Resolver, launched proactive defensive measures comparable to utilizing Endpoint Detection and Response simulation instruments to detect ransomware, and offered customers with environments to witness the results of vulnerability exploitation, net software assaults, phishing assaults, and analyze weaponized file varieties.
What Makes the SCL Distinctive
The determine beneath illustrates the main focus of SCLs on latest traits, threats and advisories, CISA-promoted instruments, and the newest federal steerage.
Determine 1: Instance of a lab introduction highlighting related CISA steerage and sources
Tied to the FOCAL Plan and NICE Workforce Framework for Cybersecurity (NICE Framework), every lab supplies standalone and strategically aligned coaching in a practical digital community atmosphere that simulates real-world networks and supplies entry to reside working programs and instruments. The adherence to open-source instruments and applied sciences signifies that others can replicate the methods outlined inside every lab with zero limitations and for gratis.
Determine 2: Instance community diagram exhibiting inner and exterior programs
The Skilling Continuation Labs differ from conventional virtualized educating labs in the way in which they assess and problem the learner. Every lab features a Expertise Hub as an authoritative server to trace and assess the learner’s progress, present in-game recordsdata and artifacts, and insert randomness into the atmosphere. As a substitute of merely offering step-by-step duties or asking questions, the Expertise Hub affords builders the flexibility to question the state of the atmosphere to gauge progress and the profitable completion of lab duties by means of Python-based grading scripts. The Expertise Hub tracks and frequently experiences the present state of the lab again to the learner by means of an in-lab webpage.
Determine 3: Instance: how the Expertise Hub tracks and shows a learner’s progress
Native scripts permit builders to dynamically generate actions, community visitors, and generate recordsdata for evaluation. For instance, filenames, IP addresses, usernames and passwords, and extra will be randomized to create entropy throughout the atmosphere in order that no two cases are fully equivalent. The dynamic nature provides replayability to the coaching.
Moreover, as proven in Determine 4, lots of the labs embody a mini-challenge that requires learners to use the talents discovered within the lab to a brand new drawback with minimal steerage, permitting them to affirm their readiness and understanding of the subject at hand.
Determine 4: Instance mini-challenge activity and desired consequence
Future Work in Growing Coaching for the Federal Cybersecurity Workforce
The SEI’s Cyber Mission Readiness staff frequently strives to enhance its immersive coaching improvement and supply processes. After each venture, builders talk about what enhancements ought to be made to help future tasks. Following our work on the SCL venture, the SEI Cyber Mission Readiness staff beneficial the next enhancements:
• Expertise Pathways. The CMR staff is presently within the technique of including expertise pathways to the SEI’s Crucible platform to help roadmaps of content material and enhance a learner’s talent stage in particular areas of cybersecurity or in sure cybersecurity roles. Including expertise pathways would stroll learners by means of a development of things of accelerating problem, from guided lab walkthroughs to unguided challenges, permitting them to advance in direction of expertise mastery.
• Bookmarking Session Standing. At present, a learner should full a lab in a single session. Whereas utilizing lab phases permits learners to deal with duties in segments, learners should restart the lab and repeat work they’d beforehand executed if their work didn’t full your entire session. With further improvement time, labs that require sequential phases might be scripted to stage the atmosphere to the ultimate state of the best part accomplished by the learner. Labs with sequential or remoted phases would retailer a learner’s progress so they’d not have to repeat beforehand accomplished evaluation gadgets.
• Help Chat Agent. Instruments for on-demand learner-initiated help and steerage might assist learners when they’re caught. Leveraging logs and huge language fashions (LLMs), the CRM directorate might create a chat agent able to answering consumer questions and offering steerage and hints.
• Self-Configured Setting. An atmosphere that learners can configure for performing cyber expertise coaching would permit the learner to pick from a listing of expertise to apply, whereas the atmosphere that helps these expertise is deployed robotically. Expertise-based injects and actions might be utilized to the atmosphere, and supporting situation documentation might be generated with LLM help.
