Request for a Surveillance Tower: Evasive Tactics in Cyber Defense Exercises
Young-Jun Maeng, Mauno Pihelgas
2023 15th International Conference on Cyber Conflict: Meeting Reality (CyCon), published 2023-05-29
DOI: 10.23919/CyCon58705.2023.10182014 (https://doi.org/10.23919/CyCon58705.2023.10182014)
Abstract. The cyber defense exercise (CDX) is an emerging form of live-fire exercise in which diverse teams with different roles train in a single game. To evaluate the cyber defense capabilities of the training audience, organizers compute a variety of scores using scoring methods ranging from technical to non-technical. The technical scores in Locked Shields, for example, consist of an availability check, a usability check, the success of the red team (RT) attack, and forensics. Under excessive competitive pressure, a blue team (BT) may focus on the scoring process itself rather than on defense, resorting to evasive tactics (ET) that boost scores unfairly by exploiting weaknesses in the scoring system. ET has appeared in various forms in existing CDXs, and similar cases have been observed in recent iterations, which indicates that ET is becoming a strategy a BT may deliberately choose. This is undesirable, since it reduces both the reliability of the evaluation and the effectiveness of the training. In this paper, we give an overview of the availability check and examine ET that has appeared both in the availability check and in the RT's evidence-gathering process, followed by several mitigations. We also discuss the evidence and usability issues that ET raises in a CDX, and conclude by emphasizing the importance of supporting the green team (GT) in researching and implementing a robust scoring system.