Locked Shields 2021

Luxembourg joined the largest and most complex international live-fire cyber defence exercise in the world, organised by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), in the first Benelux cooperation on a cybersecurity exercise.


For the first time, Belgium, the Netherlands and Luxembourg teamed up as a multinational Blue Team to practise protection of national IT systems and critical infrastructure under the pressure of a severe cyber incident involving both civilian and military players.

Locked Shields is an annual cyber defence exercise that integrates technical and strategic games, in which a Red Team faces Blue Teams. Blue Teams are formed by member nations and partners of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) and play the role of national cyber Rapid Reaction Teams that are deployed to assist a fictional country in handling large-scale cyber incidents and all their multiple implications.

For the first time, Belgium, the Netherlands and Luxembourg teamed up as a multinational Blue Team – marking the first participation of Luxembourg as a Blue Team member – in this unique opportunity for national cyber defenders to practise protection of national IT systems and critical infrastructure under the pressure of a severe cyberattack.

In Luxembourg, SECURITYMADEIN.LU, with its C3 department, joined forces with Restena and the Governmental and Military CERT.

CIRCL, SECURITYMADEIN.LU’s CERT team, was part of the Yellow Team, responsible for creating and managing the MISP infrastructure (the Open Source Threat Intelligence and Sharing Platform). As of 2021, MISP became an integral part of the exercise as:

  • the core tool used for threat report and key event information sharing,

  • a feedback mechanism for organisers to interact with Blue Teams on their reporting.

CIRCL has built the tooling to deploy and manage more than 20 instances for the exercise, along with custom dashboards and data models to support the flow of the game.

The exercise scenario

The 22 Blue Teams practised defence of complex IT networks in an exercise scenario described on CCDCOE’s website as « a fictional island country located in the northern Atlantic Ocean, Berylia, was experiencing a deteriorating security situation. A number of hostile events had coincided with coordinated cyberattacks against Berylian major military and civilian Information Technology systems. These attacks cause severe disruptions to the operation of military air defence, satellite mission control, water purification and the electric power grid. In addition, within the strategic track element of the exercise participants had to contend with major disruptions to the financial system ».

The Blue Teams were in charge of maintaining more than 5000 virtualised systems including realistic replications of critical national infrastructure, while experiencing more than 2500 attacks and tackling the influence of information operations. The teams had to be effective in reporting incidents, executing strategic decisions and solving forensic, legal and media challenges.

An exercise for multiple outcomes and lessons learned

According to CCDCOE, the 2021 exercise highlighted the “growing need to enhance dialogue between technical experts, civil and military participants and decision-making levels”.

The exercise seen from C3’s point of view – Practise, test, fail, learn

Most of the C3 team members were protecting specific systems, while a few of them were focusing on Threat Intelligence sharing and situational awareness. Such a large-scale exercise is a tremendous opportunity for learning and has only strengthened C3’s choice to focus on training by experience in order to develop and deepen competence.

At a collective level, it has shown how significant preparedness, organisation and coordination are, beyond technical prowess. As the Benelux Blue Team is multilingual and spread over several locations, achieving efficient coordination quickly was a challenge. However, the preparation week made it possible to find the right balance to organise the teams efficiently.

Recognise failure in order to quickly adapt to the situation

Another key outcome is the team’s willingness to quickly acknowledge failure and to have an open discussion in order to find the best possible way to perform course correction. This is a critical capability when facing an elusive adversary in a context that is only partially known. Adaptation must be very quick and acknowledging what does not work is essential for rapid improvement.

The exercise seen from CIRCL’s point of view – “a roadmap for future developments”

From a MISP perspective, the exercise showed what needed to be improved to make MISP deployments better suited to exercise scenarios that require rapid deployment of a fully integrated network of MISP instances, as well as how to make the tool more useful for exercises with a heavy focus on dialogue and quantitative feedback.

The challenges faced during the exercise scenario have helped CIRCL shape both the training toolkit and the upcoming roadmap for future improvements.

Another side benefit was that seemingly unrelated side projects became core elements of completely different projects, such as the COVID-19 dashboard, which supported military organisations in the largest cyber exercise. Open-source software proved its agility and efficiency in the military and intelligence services, which actively contribute to open-source projects such as MISP.