Post on 12-Jan-2016
UNCLASSIFIED
Col Kevin Wooton
Commander
31 May 2011
Overall Classification:
UNCLASSIFIED
67th Network Warfare Wing
The Air Force’s Cyber Ops Wing
Where we are… where we’re going
Cyber today is where Airpower was in the 1930s…
67 NWW Focus
• Conducting the full range of Network Warfare
  – Network Operations (Establish)
  – Net Defense (Control)
  – Full Spectrum (Use)
67 NWW
26 NOG: Net Defense
67 NWG: Full Spectrum
690 NSG: Net Ops
Defend / Operate / Attack
Operations Of and On the Net
AFNetOps Vision
• CSAF’s Sep 00 One Air Force…One Network NOTAM committed AF to fundamentally changing the way we leverage our networks.
• CSAF’s msg established AFNetOps, 3 Jul 03…To effectively protect Air Force networks and the advantages they provide, network control…need[s] to be applied in a coherent, disciplined fashion under control of a single AF commander.
• CSAF’s 3 Aug 05 memo on AFNETOPs support to USSTRATCOM laid out a path to provide C2 of the AF network.
• CSAF’s 15 May 09 directive memorandum established AFNETOPS/CC authority to issue orders for the operation of AF networks.
• End-Game: C2 network with focused, precision results
AFNetOps Reality
AFCYBER = MAJCOM NOSCs under one commander
O&M responsibility Matrix
AFMC VPN managed by NCC, except at Kirtland where it's iNOSC-W
AFNet Migration (NIPRNET)
One AF-wide Active Directory Forest
SCOPE
• 14 Networks into One
• 840K users across 413 sites
BENEFITS
• E-mail for Life
• Single Sign-on Anywhere
• Reduce System Complexity
• AF-wide Collaboration
STATUS (9 May 11)
• 138K users // 29 sites
• 16% of AF
• 10 Legacy Nets Shutdown
Net-Defense: Current TTP
PREVENT
• TCNOs up 28% since 2006
• ASIMS strings – filter suspicious net activity
• Strong relationship with vendors – share knowledge
• Blue assessment – see what hacker sees
DETECT
• 24/7/365 presence
• Crews review 10K+ suspicious events per day
• Report foreign IP activity to IC
• Correlation analysis - low & slow
• Recommend IP blocks to NOD
• Unity of effort w/other agencies
RESPOND
• Highly skilled computer network/forensics analysts
• Focal point for net intrusions
• Isolate exploitation method & extent of compromise
• Work closely with OSI & counter-intel agencies
Sensors
• Air Force: 232
• USJFCOM: 2
• USCENTCOM: 108
Mission Operations Tempo
[Chart: Incidents and CAT VIII Investigations by year, 2008 to 2011; data labels 127, 204, 204, 75 and 812, 906, 1287, 490]
*CAO 20 Apr 11
Full Spectrum Ops Current Units
• 91 NWS
  – Telephone Network Ops
• 315 NWS
  – Core of AF Ops at Ft Meade
  – Daily joint operations
Current/Future Initiatives
• Host-Based Security System (HBSS), desktop-level security
• Information Operations Platform (IOP), intrusion prevention system
• Network defense common operating picture (ArcSight)
• EnCase – Remote Incident Response Forensics (EnCase)
• AF Gateways (aka AF Network Increment 1), network demilitarized zone
• Vulnerability Lifecycle Management System (VLMS)
• Fidelis for Operations Security (OPSEC): SNS monitoring/Insider threat
Current/Future Initiatives (cont’d)
• Continuity of Operations (COOP)/Alternate Operations Locations (AOL)
• ROE-governed TTPs/Execution: Stan/Eval
• Partnerships for rapid TTP and tool development: ESC, AFCA, Rome Labs, 688 IOW
• Active/Dynamic Defense
• Indications and Warnings of malicious activity based on actionable, targeted Intel
67 NWW - Air Force’s Execution Arm for Cyber Warfare
NetE
NetOps Full Spectrum
NetD