ATLANTIC CITY AIR NATION GARD BASE, NJ -- Military and civilian members of the 177thth Communications Squadron Network Operations shop raised the cyber ops bar by pioneering a home-grown solution to keep their network safe. Air National Guard staffing and resource constraints, compounded by base-level user rights restrictions drove the Cyber Ops Airmen to reexamine the potentials of software tools and educational resources already available to them.
True to the Air Force’s character of innovation, and the Air Force Chief of Staff’s challenge to Airmen to Accelerate Change or Lose, the “ShadowProject” was born of these constraints by talented, problem-solving cyber ops members who designed and implemented automated scripts and databases, offsetting and streamlining the vulnerability management workload and providing a host of additional force-multiplier tools for the Comm focal points and network managers.
“We wanted a way to meet and beat the DISA [Defense Information Systems Agency] standard “Magic Number” where they have a computation based on network risks – critical- high-medium-low, categories one, two and three,” said U.S. Air Force Maj. Richard Ryan, commander of the 177th Communications Squadron.
The ShadowProject has lifted the 177th Fighter Wing of the New Jersey Air National Guard to the highest rating of cyber-risk readiness, leading every other unit in the Air National Guard, by lowering the unit’s vulnerability score, “Magic Number”, a number assigned to factor the amount of network risk for which the unit has prepared.
“There are always bad pieces of software, people trying to get into the network through a back door, a code or a script, so we have patches for everything,” said Ryan. “We started the ShadowProject because at one point our magic number was falling very short of our goals, and it wasn’t just us. The old way of thinking was, “Hey, let’s develop a tiger team – let’s get five or six Airmen on a Guard drill, burn a bunch of patches to a disk, and run out and manually install to machines that are high risk.” But that’s not even feasible. Updates come out all week long and there are thousands of them, so you just couldn’t do it.”
Mr. Stephen Hillmann, one of several assistant developers/design leads/project managers for the ShadowProject, explained the project's origins. “I was able to attend a Cyber Command readiness inspection staff assistance visit, and I got to tail the DISA inspectors themselves,” said Hillmann. “It was eye-opening how serious and how in-depth they got. They are very thorough and bringing that knowledge back here, I knew exactly what we had to focus on.”
With compliance as a requirement for keeping the base’s local area network operational and connected to the outside world, the Comm commander empowered his members to come up with new solutions.
“The big takeaway was sending them to school – Steve went to Microsoft school that certified him in servers and we sent our lead developer, Mr. Sebastian Zelazny, down to Florida and he came back with his Microsoft programming certification and when they both came back it was like light bulbs went off in their heads,” said Ryan. “Hey, I can do this and this and “Z" [Zelazny] started making databases for everything, helping anything on base that could be automated.”
The ShadowProject team also developed a user tracker for applying patches, prioritizing patch work for more severe vulnerabilities. Then came the scripting to automate these fixes.
“We started this project more towards the mindset of mission defense and securing the network, because that was getting a higher priority at DOD and Air Force levels, including at the National Guard Bureau,” said Hillmann.
Not only has the 177th Comm Squadron brought its magic number down to an acceptable level, but it has also assisted, to date, eight other Air National Guard units with the implementation of “ShadowProject” tools; and that number is growing.
“Some of the units we’ve assisted so far don’t even have full-time Comm staff in their NCC [Network Control Center] at all,” said Senior Airman Brian Driscoll, another assistant developer/design lead/project manager for the ShadowProject. “I targeted some of the worst units out there (for network vulnerabilities) and I said, ”Hey we have something available for you guys that could possibly help you and make a difference in your network.”"
Initially, units did not think they had enough people to run it or to sustain it. The initial hesitancy was overcome once they were educated on how the initial time investment lead to massive time savings derived from automation.
“In one night, we can throw out 5,000 patches and get these units caught up and up to date,” said Driscoll.
Helping other units with automation to stay up to date in patching vulnerabilities is not only a “nice to have” concept, but also required to stay operational.
“Every military base that has a network has to undergo a massive Risk Management Framework accreditation package,” said Hillmann. “We get approval to operate but we are still responsible for the network here behind our boundary at the base.”
“Right now we’re using everything that is legal, that the Air Force has given us, commercial off-the-shelf server and scripting software, and we’re using all of these tools as one entity to do this job,” said Ryan. “The tools are out there, but there was no direction. These guys invented the ShadowProject to fit our need, but I also see potential in the needs of the Guard.”
The benefits of the ShadowProject include a dramatic shift in timesaving for the Comm Focal Point staff, from computer inventory to deploying patches remotely to imaging or re-imaging computers.
“In the past, it could take up to five days of leaving a new computer on the network, for all of the policy-driven updates to be installed,” said Staff Sgt. Michael Siciliano, 177th Comm Focal Point IT specialist. “Now, with the ShadowProject tools, a machine can be fully updated in a day. On drill weekends, we are no longer inundated with calls for machines that haven’t been patched in a long time. ShadowProject solves much of that for us now.”
Ryan has received a number of letters from other commanders the ShadowProject team has helped out, detailing how this process, which could have taken a week and still not have hit the target minimums, now can be done in hours.
“If you look at the stats or talk to any other Comm squadron, especially in the Guard, we’re all short-handed and not fully funded,” said Ryan. “The cyber job market is also competitive. These guys worked smarter, not harder. They took their brains, made some codes, got really into creating a lot of automation and it’s a game changer.”