230 likes | 372 Views
Armed Forces Communications & Electronics Association (AFCEA). AFCEA International Non-profit membership association Serves the military, government, industry, and academia Advances professional knowledge and relationships in the fields of communications, IT, intelligence, and global security.
E N D
Armed Forces Communications & Electronics Association (AFCEA) • AFCEA International • Non-profit membership association • Serves the military, government, industry, and academia • Advances professional knowledge and relationships in the fields of communications, IT, intelligence, and global security. • AFCEA Activities • SIGNAL Magazine (Monthly) • SIGNAL Connections (Online Newsletter) • Educational Foundation • Professional Development Center • AFCEA Sponsored Conferences/Symposia • AFCEA Participants • 20,000 individual members • 11,000 corporate associates • 1,400 corporate members
Operationalizing Network Defense(or, “The Awakening of One Comm Guy”) Colonel Mark Kross Commander 26th Network Operations Group Overall Classification: UNCLASSIFIED
Overview • Importance of the Network • Net-D Primer • Net-D as a Recognized Operation • The Big Evolution • People • Systems • Intel • Planning
Net-Centric Battlespace AFFOR CAOC EOC Limited Regional Conflict Major Regional Conflict Disaster Relief Humanitarian Assistance Counter Insurgency International War Peacekeeping NEO Network Defense: The Operational Imperative • AF Operations today use a complex network of systems and airmen, enabling full spectrum dominance – we need our networks to fight. PACAF NCC AFSPC ACC PENTAGON “The first battle in the wars of the future will be over control of Cyberspace”- Dr Lani Kass
Threats to U.S. Air Force Networks 2007 • December 1998 – January 2003 • Most activity from moderately skilled individuals • Hackers, Script kiddies, Criminals 20,116,960,777 Suspicious Connections 5,804,970 Real-Time Alerts 28,398 Suspicious Events • 2007: 31 validated Incidents: • 78% had TCNOs • Patches/Updates not done • Default/Weak passwords • Poor permission settings 257 Non Compliance Validate 9 Root, 18 User 4 Malicious Logic 31 Incident • February 2003 – 2005 • Skilled / organized actors (possibly state-sponsored) • Physical destruction • Forces of Nature • Nation States • Non-State Actors • 2005 – Present • Trend reports identify associated state-sponsored attacks “As the nation with the world’s most advanced armed forces, we can’t afford to risk losing the freedom of action in the cyberspace domain.” - SECAF Jun 07
PENTAGON, 11 Sep 2001: Adversary Used: Internet for Recruitment International & Cell Comms for Coord; Training on Simulators Cyberspace is a Battlespace…We’re at WAR! Hundreds of Jihadi Web Sites and Internet Hosts, Thousands of Individual email Accounts
Network Defense Primer • CyberOps is an arms race that favors the offensive • Functionally, Network Defense (Net-D) is somewhat analogous to an Air Defense system (CRE), but… • “Missions” are not single engagements, but muiltiple and constant • No US historical precedent: • Perpetual, undeclared struggle • Against a myriad of peer-level adversaries whose identities are often un-prove-able • In which weapons and tactics emerge, evolve, and become obsolete in days or weeks
MD NetD NetA EP EA PSYOP OPSEC NS C-PRO PA CI ES Net-D as a Recognized Operation • AFDD 2-5: Net-D is a subset of Network Warfare Operations, as part of Information Operations • IO: “The integrated employment of the capabilities of influence operations, electronic warfare operations, network operations in concert with the specified integrated control enablers, to influence, disrupt, corrupt or usurp adversarial human and automated decision-making while protecting our own.” • New Doctrine pending—NetD will still be a type of op! Influence Ops Electronic Warfare Ops Network Warfare Ops Military Capabilities Sub-class Capabilities
The Big Evolution • Steps on the Evolutionary Trail of Network Defense: • Nothing • Information Assurance • Information Assurance plus Network Defense • Info Assurance plus Operationalized Net-D • OperationizedNet-D—the process to get there is a set of concurrent evolutions in many areas—including people, systems, intelligence, and planning!
The Evolution in People • Steps on the Evolutionary Trail of Building a Network Defender: • Nothing • Technical Training • Technical Training plus Operational Training in an IQT/MQT Construct • Certified Training Under a Stan/Eval Process
33 NWS Crew Qualification ASIM Operator Lead Analyst Sys Admin Commander Crew Chief Response CENTCOM Operator Incident Tech Crew Initial Assessment 33 NWS Common Block Course 33 NWS Technical Refresher IQT Test – 70% passing Unix 33 NWS NSD Fundamentals Course Routing/Networking 33 NWS ASIM Operators Training Course 33 NWS CENTCOM Operators Training Course ASIM Tech MQT Test – 85 % passing CENTCOM Tech Hands on Check Ride Commercial Training Courses 11
Undergraduate Network Warfare Training (UNWT) One Course – Two Parts Advanced Distributed Learning UNWT In-Residence – 39 IOS Full Crew Training Officer, Enlisted, Civilian Comm, Intel, Space, Engineer, AFOSI Partner w/ Industry SANS GSEC Bootcamp DoD 8570.1M Certification Idaho National Labs / Sandia National LabsPacific Northwest National Labs Hands-On Mission Simulators & Models Joint Cyber Ops Range / Telephony / Wireless / SCADA Joint IO & Space Range / IADS / TADIL / SATCOM Community Development Cyberspace Training Summit Missile & Space Intelligence Command / JRAAC / JIOR Community of Practice (CoP) (AFKN) Dept. of Homeland Security (DNS) DoD 8570.1M UNWT CoP https://wwwd.my.af.mil/afknprod
Standardization and Evaluation • Stan/Eval – Professionalizes Operations • Methodical mission planning • Synchronized Ops execution • Rigor/discipline/control - Career long evaluations • How? • Standard ROEs and TTPs • Mission Training • Mandatory Simulator time – critical thinking • Rigorous Evaluation • Elite Network Warriors – ready to affect the battle space Stan/Eval Weapons & Tactics Mission Training Operations
The Evolution in Systems • Steps on the Evolutionary Trail of a Net-D Weapon: • “Some IT Gear” bought and deployed • A System, tested prior to deployment • A System, obtained to achieve a specific Net-D effect, tested, certified, and weaponized prior to deployment
AF Info Ops Center (AFIOC) • Weapons • NetWarfare Tools OT&E • Countermeasure Development/Support • Network Warfare Systems Capability Integration • Wireless Signature support • New Technologies • Tactics Development • Architecture analysis support (incident response) • TTP Development • System/ Software Vulnerability Assessments • Modeling/Simulation
Net-D’s Weapon Systems • ASIMS – Automated Security Incident Measurement System • “Packet Sniffer on Steroids”: Monitors DMZ traffic, alerts on suspicious traffic • GOTS software – IDS signatures not shared outside of DoD • Working Block 3.1.1 – IPv6 logging, auto response/remediation, wild card string matches, 40% faster processing • BorderGuard • CENTCOM’s Intrusion Detection and Prevention system • Virtually NO major Net-D incidents in CENTCOM while deployed! • IO (Information Operations) Platform • Interoperable, survivable, real-time packet monitoring of all traffic for ID’d signatures • Captures context (pre/post compromise actions) • Allows Net-D operator to block, quarantine, log, alter, or deep-inspect traffic
+ AFIOC + OSI + NOSCs AF Net-D Weapon Systems AF Sensors: 215 USCENTCOM Sensors: 111 79% Cisco 21% ASIM Enlisted: 117 Officer: 51 Civilian: 10 Contractors: 107 + DoD + Joint 33 NWS + Civilian
The Evolution in Intelligence • Steps on the Evolutionary Trail of Net-D Intelligence: • Nothing • “Headline vignette” –quality Intel • “Headline vignette”, plus implications • Predictive, actionable Intel, through standard processes (PIRs, etc.)
Operational IntelligenceIntel Drives Operations Iterative process: Plan Execute Assess Centers Agencies Subject Matter Expertise Operational level C2 Analysis Real-time Mission Changes Tactical Execution & Mission Reporting Boards & Cells Targeting Time Sensitive Targeting ISR Ops / Collections The ISR process should not vary from one warfighting domain to the other!
Cyberspace Intel Requirements Provide predictive, timely and actionable intelligence to Commanders conducting operations in and through cyberspace (physical, digital, social, wireless networks) Collaborate with USGov, public, private and allied/coalition partners on cyberspace intelligence Perform operational assessments to improve cyber incident response Support operational assessment process with tailored analysis of cyberspace effectiveness in support of ongoing missions Develop and implement annual intel training requirements for all cyberspace operators Not much difference from ISR support to other forms of warfare…
The Evolution in Planning • Steps on the Evolutionary Trail of Net-D Mission Planning: • None—just “do what the systems force you to do” • Minimal—put context around “what the systems force you to do” • Plan in advance for what might happen—includes deliberate planning process • Self-initiated, aggressive Net-D Operations—”named” operations—Mission Planning • Campaign Planning
Mission Planning, Campaign Planning • Address specific adversaries and provide operational planning capability on the 2 week-to-1 year window • Focused on known adversaries • Focused on probable scenarios—develop mission concept from I&W to employment • Future capabilities will allow for more active defense, including ROE-based immediate response actions