In 2024, the Cybersecurity Infrastructure and Safety Company (CISA) recognized the necessity to develop a sequence of Skilling Continuation Labs to assist the federal workforce enhance operational cybersecurity in vulnerability administration, protection structure, and incident detection and response. The hassle would help the Federal Civilian Government Department (FCEB) Operational Cybersecurity Alignment (FOCAL) Plan and moreover present cyber operators with an surroundings the place they will carry out rehearsals with safety instruments, strategies, and configurations in accordance with CISA steerage, greatest practices, and publicly accessible toolsets.
This submit particulars how the SEI Cyber Mission Readiness Group (CMR), in partnership with CISA, developed a sequence of Skilling Continuation Labs (SCLs) to supply present, related, and distinctive hands-on immersive coaching to upskill the federal cybersecurity workforce.
Upskilling the Federal Workforce
Federal cybersecurity professionals face a novel set of threats, dangers, necessities, and laws. To deal with this want, the SEI leveraged its expertise with cybersecurity greatest practices, federal authorities steerage, and workforce growth to ship partaking, specialised coaching for federal cybersecurity professionals.
CISA hosts the Federal Cyber Protection Skilling Academy to supply the federal workforce with fundamental information in key areas of cybersecurity similar to incident response, vulnerability evaluation, and defensive cybersecurity. Every pathway gives further coaching to present federal IT and cybersecurity professionals but in addition offers avenues for non-IT professionals to interrupt into the federal cybersecurity workforce. With this newest effort, SEI researchers needed to supply the following stage of hands-on immersive coaching to upskill academy graduates as they proceed their transition into extra superior cybersecurity positions.
Studying By means of Immersive Methods
Immersive coaching offers an interesting and relatable expertise for customers to realize and follow making use of new lesson ideas. In contrast to conventional classroom and passive schooling fashions (e.g., lectures or autonomous video), immersive scenario-based content material offers an surroundings the place learners have a well-known context to raised purchase information and abilities.
Strengthening and rising the skillsets of cyber operators is essential for workforce capability constructing. As indicated within the SEI truth sheet, Method to Skilling the Cyber Workforce, deliberate follow and comprehension validation via immersive, hands-on content material is an efficient means for constructing crucial capabilities. This rehearsal for real-world operations and problem-solving permits defenders to enhance skillsets and strengthens total mission readiness.
Purchase, Apply, Affirm: The Catalyst for Skilling Continuation Labs
The place the navy coaching mannequin has coined the phrase crawl, stroll, run, that method doesn’t lend itself to upskilling those that have already got foundational, novice-level abilities (i.e., already strolling). The SEI developed a broader upskilling philosophy of purchase, apply, affirm, a development designed for professionals who already possess foundational abilities and want structured alternatives to enhance these abilities or to study new ones. Our analysis crew needed to develop topic-focused, hands-on, guided labs with assessments to take customers via the phases of buying, making use of, and affirming the lesson’s abilities.
CISA initially highlighted abilities hole areas similar to malware outbreaks, DNS safety options and techniques, proactive defensive methods, and fundamental safety practices, with additional subjects recognized all through the venture. Relatively than merely reteach generally addressed cybersecurity fundamentals, every SCL targeted on rising threats, related/latest federal steerage, and cybersecurity developments tied on to FOCAL Plan objectives. Every SEI-developed skilling continuation lab is “created for cyber professionals with some IT/cyber expertise who fall into the upper-beginner to lower-intermediate cyber talent vary … these labs will present a continuation of abilities for the cyber skilled.”
Through the year-long growth cycle, the SEI constructed 19 skilling continuation labs primarily based on subjects chosen in collaboration with our CISA mission companions. A fast have a look at three of the skilling continuation labs follows:
- DNS and Identify-based Safety Answer and Quick Flux Assaults and Defensive Measures – These labs reviewed DNS fundamentals whereas additionally introducing the idea of DNS sink holing, blocklist/allowlists, and highlighting how DNS can be utilized to bypass conventional blocking strategies in quick flux assaults similar to IP-based firewall guidelines.
- Community Segmentation with ICS/HMI and Introduction to SCADA Utilizing Modbus and BACnet – This set of labs introduces the learner to industrial controls methods, their visitors varieties, and learn how to implement community segmentation and entry management greatest practices.
- XZ Utils: A Case Research of Provide Chain Belief – This set of labs supplied learners a deep dive on the 2024 XZ Utils vulnerability whereas introducing the idea of Software program Invoice of Supplies (SBOMs) to overview open-source software program for vulnerabilities and improve the security of software program provide chains.
Along with the three labs detailed above, the record of labs, that are printed on CISA’s Apply Space, and accessible to all federal civilians and Division of Struggle (DoW) personnel, contains the next:
- Automated Defenses
- Detection Guidelines in Logging Made Simple
- Quick Flux Assaults and Defensive Measures
- Hardening Kubernetes: Pod Safety
- Incident Response with Velociraptor
- Introduction to SCADA Utilizing Modbus and BACnet
- Residing Off the Land Assaults
- Log Managements with Logging Made Simple
- Phishing Mitigation with MFA
- Safe Programming
- Safe Programming with Rust
- Safe Programming: Dependency Provide Chain Assaults
- Weaponized Archive Recordsdata: Extract at Your Personal Threat
- Weaponized .svg Recordsdata: The Hidden Menace in Vector Graphics
- Net Utility Penetration Testing with Brute Pressure Assaults
- Net Utility Penetration Testing with Cross Website Scripting
Extra artifacts are printed to CISA’s prescup-challenges/skilling-continuation-labs GitHub repository.
The SCL additionally included and promoted CISA instruments like Logging Made Simple and Protecting Area Identify System (DNS) Resolver, launched proactive defensive measures similar to utilizing Endpoint Detection and Response simulation instruments to detect ransomware, and supplied customers with environments to witness the results of vulnerability exploitation, internet software assaults, phishing assaults, and analyze weaponized file varieties.
What Makes the SCL Distinctive
The determine under illustrates the main target of SCLs on latest developments, threats and advisories, CISA-promoted instruments, and the most recent federal steerage.
Determine 1: Instance of a lab introduction highlighting related CISA steerage and assets
Tied to the FOCAL Plan and NICE Workforce Framework for Cybersecurity (NICE Framework), every lab offers standalone and strategically aligned coaching in a practical digital community surroundings that simulates real-world networks and offers entry to dwell working methods and instruments. The adherence to open-source instruments and applied sciences signifies that others can replicate the methods outlined inside every lab with zero limitations and for gratis.
Determine 2: Instance community diagram displaying inner and exterior methods
The Skilling Continuation Labs differ from conventional virtualized educating labs in the best way they assess and problem the learner. Every lab features a Abilities Hub as an authoritative server to trace and assess the learner’s progress, present in-game recordsdata and artifacts, and insert randomness into the surroundings. As a substitute of merely offering step-by-step duties or asking questions, the Abilities Hub affords builders the flexibility to question the state of the surroundings to gauge progress and the profitable completion of lab duties via Python-based grading scripts. The Abilities Hub tracks and frequently stories the present state of the lab again to the learner via an in-lab webpage.
Determine 3: Instance: how the Abilities Hub tracks and shows a learner’s progress
Native scripts permit builders to dynamically generate actions, community visitors, and generate recordsdata for evaluation. For instance, filenames, IP addresses, usernames and passwords, and extra could be randomized to create entropy throughout the surroundings in order that no two cases are utterly equivalent. The dynamic nature provides replayability to the coaching.
Moreover, as proven in Determine 4, lots of the labs embody a mini-challenge that requires learners to use the talents discovered within the lab to a brand new drawback with minimal steerage, permitting them to affirm their readiness and understanding of the subject at hand.
Determine 4: Instance mini-challenge job and desired consequence
Future Work in Growing Coaching for the Federal Cybersecurity Workforce
The SEI’s Cyber Mission Readiness crew frequently strives to enhance its immersive coaching growth and supply processes. After each venture, builders focus on what enhancements must be made to help future tasks. Following our work on the SCL venture, the SEI Cyber Mission Readiness crew really useful the next enhancements:
• Abilities Pathways. The CMR crew is presently within the means of including abilities pathways to the SEI’s Crucible platform to help roadmaps of content material and improve a learner’s talent stage in particular areas of cybersecurity or in sure cybersecurity roles. Including abilities pathways would stroll learners via a development of things of accelerating problem, from guided lab walkthroughs to unguided challenges, permitting them to advance in the direction of abilities mastery.
• Bookmarking Session Standing. At present, a learner should full a lab in a single session. Whereas utilizing lab phases permits learners to sort out duties in segments, learners should restart the lab and repeat work that they had beforehand performed if their work didn’t full your entire session. With further growth time, labs that require sequential phases might be scripted to stage the surroundings to the ultimate state of the very best part accomplished by the learner. Labs with sequential or remoted phases would retailer a learner’s progress so they’d not have to repeat beforehand accomplished evaluation objects.
• Assist Chat Agent. Instruments for on-demand learner-initiated help and steerage may assist learners when they’re caught. Leveraging logs and huge language fashions (LLMs), the CRM directorate may create a chat agent able to answering person questions and offering steerage and hints.
• Self-Configured Atmosphere. An surroundings that learners can configure for performing cyber abilities coaching would permit the learner to pick out from an inventory of abilities to follow, whereas the surroundings that helps these abilities is deployed mechanically. Abilities-based injects and actions might be utilized to the surroundings, and supporting situation documentation might be generated with LLM help.
