Practical CND Operator Development

February 20, 2014
CND Tools: Post by Aaron Powell

Practical CND Operator Development

The strength of a CND shop is closely related to the skills and experience of its staff. In many organizations, there's a skills gap between highly experienced CND operators and junior CND staff, even though many of the junior staff have extensive education and training under their belts. In this post, I'll explore an option that we've put into place at MITRE to address this gap.

Skilled CND Operators

Due to their wealth of experience, top-notch CND operators can quickly identify the most impactful actions to take, thus avoiding resource-consuming activities that are less likely to produce results. These talented individuals are also skilled at automating tasks and integrating existing tools to more efficiently do their work. Because of these skills, experienced CND operators can be more valuable to securing an enterprise than any single tool or piece of code.

Necessary Skills Development

MITRE, like all organizations, faces employee turnover and seeks to not only retain existing skilled CND staff, but also to develop the skills of more junior staff to enhance its operations and improve the evolution of its capabilities. We encourage appropriate participation in conferences, training, certifications, and other educational opportunities. But training, while necessary, is often insufficient to ensure the best possible development of junior staff. If technical skills are not practiced regularly, they will be lost over time or become outdated.

Creating an In-House CND Operator Development Capability

To address the need to develop technical skills that will be sharp and relevant, we created an in-house program called "Cyber Operations Capability Advancement (COCA)," which blends traditional training with on-the-job, hands-on training to develop and build experience.

The COCA program provides computer network defense practitioners with the experience needed to become highly effective CND operators by exposing them to the enterprise's operational environment. This allows them to analyze real threats and solve real engineering problems in cyber threat analysis and defensive cyber operations.

The basic principles of COCA include:

  • Complete a suite of specialized training for cyber operations
  • Partner with internal cyber operations
  • Rotate assignments

Cyber Operations Training

COCA participants must first complete a suite of Security Operations Center (SOC) training courses, including topics such as Dynamic Malware Analysis, Disk Forensics, Incident Response, Network Flow Analysis, Log Analysis, etc. Although we offer an in-house training program, some of these courses can be found at local colleges, or through the Open Security Training program.

Partnership with Internal Cyber Operations

To achieve a real-world experience, some type of partnership needs to be established with the internal cyber operations center—those responsible for threat analysis, cyber defense, and incident response. In our case, the company funds the COCA program, which makes it possible for participants to temporarily work in our internal cyber operations center.

Rotating Assignments

COCA participants are rotated through our cyber operations center. Each participant is required to work in this capacity for about six months. While there, they are required to work directly with cyber defense staff on specialized projects. These projects include hands-on operational detection, response, and remediation activities to further strengthen the participant's existing SOC experience. In addition, they are partnered with an experienced information security professional who is responsible for overseeing the participant's tool development tasks.

These tool development tasks are designed to facilitate cyber operations and must be worthy of inclusion in current operations. For example, some of our COCA participants have developed tools for identifying malicious PDFs, fingerprinting email client traffic, and characterizing encrypted communications channels.

In addition, as appropriate, COCA participants work alongside employees responsible for cyber intelligence collection, incident analysis, and incident response.

Transitioning Newly Developed Skills to Customer Projects

After the training period ends, employees who have participated in the COCA program are well-prepared to transition to many customer projects. A recent participant remarked: "As a result of participating in COCA, and seeing the inner workings of a SOC, I've undertaken an interesting programming project that will assist other SOC analysts."

It also shouldn't be overlooked that the introduction of new employees into the existing internal CND organization injects ideas, enthusiasm, energy, and unique viewpoints.


In many respects, COCA is not a new idea, but rather a slightly more formal type of typical mentor/mentee relationships, with a focus on real-world experience and employee skill development. Junior COCA participants move beyond the more constrained and predictable problems faced in training and classroom environments, thus allowing them to face challenges, which are typically complex, non-standard, and ambiguous.

As with all advanced skills, CND operators require consistent practice to sharpen their skills. This program has been mutually beneficial to both MITRE's internal cyber operations and our customer programs. It has connected practitioners across internal organizational boundaries, provided up-to-date experience to the COCA participants, and reinvigorated our internal cyber operations with new people and ideas.

Another benefit is the creation of a common body of knowledge related to the most effective SOC architectures, practices, tools, procedures, and methods. Even though this body of advanced SOC knowledge continues to evolve, the COCA program has improved the consistency and availability of information used, which has helped us to make timely and actionable cyber defense recommendations.