What’s it like to participate in (and win!) the largest cyber defence exercise in the world?
Locked Shields is the annual NATO cyber defence exercise and the largest live-fire cyber defence exercise in the world. The Swedish Armed Forces are responsible for and coordinate the Swedish participation in Locked Shields which, for 2023, consisted of a joint team with Iceland.
Netnod had four staff members participating in the winning Sweden-Iceland team:
Tomas Agartz, Senior SRE; Filip Olofsson, Systems and Network Engineer; LM Jogbäck, who was Netnod’s CEO at the time; and Patrik Fältström who, participating on behalf of the Swedish Armed Forces, was Team Lead for Sweden and is Netnod’s Head of Security.
We spoke with Patrik and Tomas to find out more about the experience: how did it feel to work under that level of stress, what lessons did they learn, and what surprises did they encounter along the way?
1. How did it feel to participate in Locked Shields 2023?
Patrik: Locked Shields is a live-fire, operational exercise. It’s different from most other types of exercises where you make decisions without the pressure of a real-time situation. With Locked Shields the clock is always ticking. This year was also interesting for us teaming up with Iceland. Working as a joint team meant all communication was in English.
Tomas: The key is how you deal with issues under stress and the pressure of time. You need to fix one problem and then move straight on to the next. Everyone who gets to Locked Shields is experienced in working under pressure and dealing with crisis situations and there is a variety of skills for the different tracks involved in the exercise (legal track, media track, and technical track). While it was great for team Sweden-Iceland to come out top, the main point of the exercise was the opportunity to learn a lot from the people around you. I’d participated in Locked Shields before so this time I knew what to expect and was more prepared.
2. What level of preparation was needed?
Tomas: Ahead of time, we got some information about the scenario and a week or so before the exercise, we could start to work with the virtual machines to familiarise ourselves with the environment, see how it should work, and try out some reconfigurations.
We were split into teams well in advance of the exercise and had some preparatory meetings where we could read up on and share experiences from previous Locked Shields, discuss ideas for how to prepare, decide on which platforms to use, and make an overall gameplan.
Patrik: There is a lot of preparation that goes into an event like this. One very important area is the process for selecting participants. The Swedish Armed Forces decide what to focus on. For Locked Shields 2023, organisations from the financial and electronic communication sectors were chosen. Selected organisations from these sectors were then contacted to find the right individuals. We needed a range of skills on the team so the selection process was focused on ensuring the team had the proper range of competence. We also needed to balance the team between those who had prior experience of Locked Shields and those who had never done it before.
We divided the team into skill sets, and each subteam had preparatory meetings to discuss tools and read the after-action reports from previous Locked Shields. It’s important that before the exercise starts, the teams agree on what tools they will use. Equally important was that we discussed our tactical plan so everyone knew our overall goal.
3. How did it feel to be dealing with a live-fire exercise?
Patrik: We were well organised and had clearly delegated things ahead of time. Everyone knew what the overall goal was so they could be more autonomous. Once the exercise started, we tried to maximise time to keep systems up and running. This meant, while I had some important decisions to make during the exercise, I wasn’t inundated with questions. I had time to help out getting people coffee!
After the first day, we got together in the evening so teams could do post-mortems and change tactics if necessary. After the second day, at the end of the exercise, everyone was exhausted!
Tomas: Team Sweden-Iceland were a blue team in Locked Shields 2023, which meant we were responsible for the infrastructure of a made-up country. Once the attacks start coming, you can’t just shut everything down and reboot. So you run a script and of course something breaks and something on a dashboard goes red. Then you need to make the dashboard go green again! You need to figure out how a system was sabotaged and get in there and fix it, all the while keeping things up and running.
Before the exercise started, we had a chance to test out our plans, installations, and scripts. As soon as Locked Shields starts, you just work like crazy. After dinner, we worked until midnight checking notes, rewriting scripts and fixing bugs.
4. What lessons did you learn from Locked Shields?
Patrik: This year we used some new tactics (and, no, I won’t go into details!). But it obviously worked! Nordic teams always seem to do well in these kinds of exercises. I think it has something to do with being small countries, used to working together, and having strong models of openness and cooperation.
Tomas: Participating in Locked Shields twice has been excellent training for me. I was exposed to people from different sectors that use different infrastructure elements. For example, banks, the military, and the energy sector all use firewalls from different vendors so you need people who understand the different types used. You also learn how important the other aspects of the exercise are beyond the technical side which is where we are focused. So it is very interesting to see, for example, the work done in the legal track where legal questions need to be handled in real-time.
I made a lot of notes during the exercise. In the evening between the first and second day, I went through the notes and any downloaded files checking backdoors and sharing info with the others in our team. I was trying to write improvements, add fixes for our playbooks, reverse engineer things we found, and talk to others to swap experience. I learnt so much from these talks, especially new tools and methods I would probably not have encountered otherwise.
In Locked Shields, you learn many different ways of solving problems and dealing with attacks. And this is the main value of this kind of exercise (though it is, of course, nice to win!). If this happens in real life, we are prepared and have all the skills and tools we need.