The Six Events of the Army Cyber Fitness Test

By Allison Moore, Data Scientist, Defense Threat Reduction Agency

Article published on: July 1st 2024, in the Summer-Fall 2024 Special Warfare Edition

Read Time: < 8 mins

To combat hostile cyber actors, military leaders at all echelons must understand the attack vectors used by cyber threat actors. The best way to truly understand these vectors is to become familiar with the tools a hostile actor uses when executing an offensive or reconnaissance cyber mission.

Despite the gravity of a very real threat to our network infrastructure, there are currently no standards for service members to follow to ensure they are “cyber conscious.” As a result, we propose six cyber functions to serve as foundational areas to transform the military’s cyber culture and enhance “unit cyber fitness,” a readiness achieved by mastering levels of performance and standards, such as the Army Cyber Fitness Test (ACFT).

The six events of the Cyber Army Combat Fitness Test are Securing a Machine, Securing Data, Securing Network Traffic, Concealing Network Traffic, Understanding Social Engineering, and Managing Location Data. They include a baseline minimum standard—which is defensive by nature— and an advanced maximum standard that goes beyond simple cybersecurity and ventures into the realm of understanding actions taken by malicious actors in cyberspace. It is important to note unauthorized access to a network is illegal, and several of the tasks required to max the Cyber ACFT will require users to provide or establish their own target and/or attacking device.

Event 1: Securing a Machine

MINIMUM - APPLY STRONG COMPUTER PHYSICAL SECURITY MEASURES.

We all know you should never leave your computer unattended in a public space, but there are additional measures you can take to secure access to your computer. This includes using separate administrator and user accounts, establishing strong passwords, and enabling good screen-lock settings. Although creating unique and complex passwords for all your accounts may seem inconvenient and challenging, a strong password manager can drastically reduce the annoyance while simultaneously increasing security.

MAXIMUM - EMPLOY A VIRTUAL MACHINE.

A virtual machine is essentially a computer within a computer. It uses a segregated portion of your computer’s hardware to sandbox the virtual machine from your operating system. This allows users to run any operating system (i.e., Windows, Mac, Linux, etc.) in a manner that minimizes the likelihood of spillage of information from the virtual machine to the user’s original operating system, and vice versa. Cybersecurity professionals and ethical hackers often use a virtual machine to test scripts and to create a target and/or attacking device for practice. If you find yourself wanting to practice some of the maxing events later but have another device to target legally, a virtual machine is probably a good solution.

Event 2: Securing Data

MINIMUM - ENCRYPT DATA.

Text encryption or other types of data inside an image file is known as steganography. Th ere ar e ma ny kn own vulnerabilities associated with basic password protection for files. File encryption may require a subscription or third-party software and regular maintenance. Using steganography adds an additional layer of protection for free. You can encrypt your data with a number of open-source software tools.

MAXIMUM - CRACK INTO A PASSWORD PROTECTED FILE.

A password-protected file is only as good as the password. To demonstrate the importance of selecting strong passwords and to develop an understanding of why certain criteria creates stronger passwords, you can create and hack into your own password-protected files. Passwords usually are not stored as plaintext. They are stored as a hash, a unique combination of characters generated by a one-way function.⁰¹ When you enter a password, the system checks if the hash of your entered text matches the stored hash of the true password. Salting involves adding characters to a password prior to hashing it, such that two identical passwords will have different salted hash values — thus, making them appear to be two different passwords. To crack passwords, hackers use a number of tools such as rainbow tables⁰², dictionaries⁰³ , and social engineering.

Event 3: Securing Network Traffic

MINIMUM - ESTABLISH STRONG ROUTER SETTINGS

The United States Special Operations Command (USSOCOM) provides a plethora of cybersecurity recommendations in Identity Management Smartcards.⁰⁴ After following USSOCOM Wi-Fi recommendations, you should also configure a firewall. Learn more about firewalls from InfoSec Institute.⁰⁵

MAXIMUM - IDENTIFY/TRACE ABNORMAL NETWORK TRAFFIC.

When you go on the internet, your computer sends and receives network packets, small segments of data that form the totality of the information shared.⁰⁶ You can view all these packets using a packet sniffer—or protocol analyzer—that can help identify abnormal or suspicious network traffic Open-source packet analysis tools are well documented and offers useful tutorials.⁰⁷ They offer a user interface that provides an intuitive design to reduce the learning curve.

Event 4: Concealing Network Traffic

MINIMUM - EMPLOY A VIRTUAL PRIVATE NETWORK (VPN).

Survey data from NordVPN demonstrates an increasing trend in VPN use within the United States following the COVID-19 pandemic, with approximately one third of Americans choosing to use a personal VPN.⁰⁸ If you are in the subset of Americans who does not know what a VPN is, you can get more information about them from cyber security and tech news and research websites, such as cybernews.com.⁰⁹ A VPN essentially masks your IP address as you navigate the web and is one of the simplest tools you can employ to increase your security online.

MAXIMUM - ESTABLISH A CUSTOM PROXY CHAIN.

A proxy chain is a chain of proxy servers used to achieve the similar goal of masking the originating IP address. These are much more advanced than simply hitting ‘connect’ and are generally easiest to implement by using proxy chain tools.¹⁰ Understanding the tools required to create a proxy chain will introduce users to some of the foundational knowledge hackers have.

Event 5: Understanding Social Engineering

MINIMUM - IDENTIFY SOCIAL ENGINEERING ATTEMPTS.

Social engineering involves manipulating people and exploiting their weaknesses. Social engineering aids bad actors during their attempts to gain access to systems or to gain information about their target. It can be done in any domain and is not limited to cyberspace. All basic users should be familiar with elicitation, shoulder surfing, baiting, tailgating, and phishing (and its variants).

MAXIMUM - ESTABLISH A REVERSE TCP CONNECTION.

A reverse TCP attack navigates around a firewall by socially engineering a target user into initiating a TCP connection (rather than the attacker initiating the connection). Once a user initiates the connection, an attacker can employ several malicious cyber activities. Kali Linux Metasploit is a common tool used to accomplish this task. Executing a reverse TCP connection without the knowledge and authorization of the target user is illegal. Maxing Event 5 will require you to establish a target and Linux attacker machine on your private network.

Event 6: Managing Location Data

MINIMUM - TURN OFF GEOTAGGING AND LOCATION SHARING.

Geotagging is the process applied to digital media that results in location and other data being applied as metadata to the media. You can turn off photo geotagging and location sharing settings on your devices by following the USSOCOM Identity Management Smartcards for your types of devices found under “Phones and Hardware.” Check out the “Smartphone EXIF Removal” smartcard for more information on geotagging.¹¹

MAXIMUM - GEOLOCATE A SPECIFIC DEVICE.

Although geolocating a specific device is no simple feat, you can make yourself an exceptionally hard target by minimizing your digital exposure and familiarizing yourself with the tools needed to track a device in time and space. It may be easiest to hack the password for a user’s ‘Find My Phone’ functionality (check your device’s Find Me function to see how well you locked down your location sharing). However, you can obtain geospatial information for a specific device using secured ingress platforms and some high-quality social engineering. Learn how from Loi Liang Yang.¹²

Conclusion

The minimum standards for the Cyber ACFT represent measures that are absolutely mission essential in protecting the joint force from hostile cyber actors. Although the minimum standards are not the only cyber events to be aware of, they provide a baseline for establishing a cyber-conscious foundation. As you progress through the events, you will find maxing the Cyber ACFT is quite difficult, as it demands a deeper understanding of networks and the tools available to malicious actors.