Armed Forces Communications & Electronics Association (AFCEA)


Transcript of Armed Forces Communications & Electronics Association (AFCEA)

Page 1: Armed Forces Communications & Electronics Association (AFCEA)

Armed Forces Communications & Electronics Association (AFCEA)

AFCEA International
• Non-profit membership association
• Serves the military, government, industry, and academia
• Advances professional knowledge and relationships in the fields of communications, IT, intelligence, and global security.

AFCEA Activities
• SIGNAL Magazine (Monthly)
• SIGNAL Connections (Online Newsletter)
• Educational Foundation
• Professional Development Center
• AFCEA Sponsored Conferences/Symposia

AFCEA Participants
• 20,000 individual members
• 11,000 corporate associates
• 1,400 corporate members

Page 2: Armed Forces Communications & Electronics Association (AFCEA)

Integrity - Service - Excellence

Operationalizing Network Defense

(or, “The Awakening of One Comm Guy”)

Colonel Mark Kross
Commander
26th Network Operations Group

Overall Classification: UNCLASSIFIED

Page 3: Armed Forces Communications & Electronics Association (AFCEA)

Overview

• Importance of the Network
• Net-D Primer
• Net-D as a Recognized Operation
• The Big Evolution
  • People
  • Systems
  • Intel
  • Planning

Page 4: Armed Forces Communications & Electronics Association (AFCEA)

Network Defense: The Operational Imperative

AF Operations today use a complex network of systems and airmen, enabling full spectrum dominance – we need our networks to fight.

[Figure: Net-Centric Battlespace. Nodes: PACAF, NCC, ACC, EOC, CAOC, AFFOR, AFSPC, PENTAGON. Operations shown: Humanitarian Assistance, Peacekeeping, NEO, Counter Insurgency, Limited Regional Conflict, Major Regional Conflict, International War, Disaster Relief]

“The first battle in the wars of the future will be over control of Cyberspace” - Dr Lani Kass

Page 5: Armed Forces Communications & Electronics Association (AFCEA)

Threats to U.S. Air Force Networks

December 1998 – January 2003: Most activity from moderately skilled individuals
• Hackers, Script kiddies, Criminals

February 2003 – 2005: Skilled / organized actors (possibly state-sponsored)

2005 – Present: Trend reports identify associated state-sponsored attacks

“As the nation with the world’s most advanced armed forces, we can’t afford to risk losing the freedom of action in the cyberspace domain.” - SECAF Jun 07

• Physical destruction
• Forces of Nature
• Nation States
• Non-State Actors

2007:
• 20,116,960,777 Suspicious Connections
• 5,804,970 Real-Time Alerts
• 28,398 Suspicious Events
• 257 Non Compliance
• Validate: 31 Incident (9 Root, 18 User, 4 Malicious Logic)

2007: 31 validated Incidents:
- 78% had TCNOs
- Patches/Updates not done
- Default/Weak passwords
- Poor permission settings

Page 6: Armed Forces Communications & Electronics Association (AFCEA)

Cyberspace is a Battlespace…We’re at WAR!

Hundreds of Jihadi Web Sites and Internet Hosts, Thousands of Individual email Accounts

PENTAGON, 11 Sep 2001: Adversary Used:
• Internet for Recruitment
• International & Cell Comms for Coord
• Training on Simulators

Page 7: Armed Forces Communications & Electronics Association (AFCEA)

Network Defense Primer

CyberOps is an arms race that favors the offensive

Functionally, Network Defense (Net-D) is somewhat analogous to an Air Defense system (CRE), but…

“Missions” are not single engagements, but multiple and constant

No US historical precedent:
• Perpetual, undeclared struggle
• Against a myriad of peer-level adversaries whose identities are often unprovable
• In which weapons and tactics emerge, evolve, and become obsolete in days or weeks

Page 8: Armed Forces Communications & Electronics Association (AFCEA)

Net-D as a Recognized Operation

AFDD 2-5: Net-D is a subset of Network Warfare Operations, as part of Information Operations

IO: “The integrated employment of the capabilities of influence operations, electronic warfare operations, network operations in concert with the specified integrated control enablers, to influence, disrupt, corrupt or usurp adversarial human and automated decision-making while protecting our own.”

New Doctrine pending—NetD will still be a type of op!

[Figure: Military Capabilities and Sub-class Capabilities. Influence Ops: MD, PSYOP, OPSEC, PA, C-PRO, CI. Electronic Warfare Ops: EA, ES, EP. Network Warfare Ops: NetA, NetD, NS]

Page 9: Armed Forces Communications & Electronics Association (AFCEA)

The Big Evolution

Steps on the Evolutionary Trail of Network Defense:
• Nothing
• Information Assurance
• Information Assurance plus Network Defense
• Info Assurance plus Operationalized Net-D

Operationalized Net-D—the process to get there is a set of concurrent evolutions in many areas—including people, systems, intelligence, and planning!

Page 10: Armed Forces Communications & Electronics Association (AFCEA)

The Evolution in People

Steps on the Evolutionary Trail of Building a Network Defender:
• Nothing
• Technical Training
• Technical Training plus Operational Training in an IQT/MQT Construct
• Certified Training Under a Stan/Eval Process

Page 11: Armed Forces Communications & Electronics Association (AFCEA)

33 NWS Crew Qualification

[Figure: 33 NWS crew qualification diagram. Elements: Initial Assessment; 33 NWS Common Block Course; 33 NWS NSD Fundamentals Course; 33 NWS ASIM Operators Training Course; 33 NWS CENTCOM Operators Training Course; Commercial Training Courses; 33 NWS Technical Refresher; IQT Test – 70% passing; MQT Test – 85% passing; Hands on Check Ride. Technical areas: ASIM Tech, CENTCOM Tech, Routing/Networking, Unix. Crew position labels: Crew Commander, Crew Chief, Lead Analyst, ASIM Operator, CENTCOM Operator, Incident Response, Sys Admin, Tech]

Page 12: Armed Forces Communications & Electronics Association (AFCEA)

Undergraduate Network Warfare Training (UNWT)

One Course – Two Parts
• Advanced Distributed Learning
• UNWT In-Residence – 39 IOS

Full Crew Training
• Officer, Enlisted, Civilian
• Comm, Intel, Space, Engineer, AFOSI

Partner w/ Industry
• SANS GSEC Bootcamp
• DoD 8570.1M Certification
• Idaho National Labs / Sandia National Labs / Pacific Northwest National Labs

Hands-On Mission Simulators & Models
• Joint Cyber Ops Range / Telephony / Wireless / SCADA
• Joint IO & Space Range / IADS / TADIL / SATCOM

Community Development
• Cyberspace Training Summit
• Missile & Space Intelligence Command / JRAAC / JIOR
• Community of Practice (CoP) (AFKN)
• Dept. of Homeland Security (DNS)

UNWT CoP: https://wwwd.my.af.mil/afknprod

[Figure: Mission Simulators, Academics, And Evaluations. Course timeline in two parts: VTANG ADL On-Line Training (up to 45 calendar days), then 39 IOS In-Residence. Labels in order of appearance: Block I; Orientation; ADL Assessment; GSEC Assessment; Operational Concepts, Legal Authorities & Responsibilities; Block II; Civilian GSEC Bootcamp; DoDI 8570.1m; Block III; Networking Fundamentals; Block IV – TCP/IP; Block IV – Telephony; Block V – SCADA; Block VI – IADS; Block VI – TADIL; Block IV – SATCOM; Block VII – LMR; Block VIII; Capstone Mission Exercise; Evaluation; Graduation. Duration labels: up to 5, 8, 5, 12, 22, 27 and 5 training days]

Page 13: Armed Forces Communications & Electronics Association (AFCEA)

Standardization and Evaluation

Stan/Eval – Professionalizes Operations
• Methodical mission planning
• Synchronized Ops execution
• Rigor/discipline/control - Career long evaluations

How?
• Standard ROEs and TTPs
• Mission Training
• Mandatory Simulator time – critical thinking
• Rigorous Evaluation

Elite Network Warriors – ready to affect the battle space

[Figure: Operations; Stan/Eval; Mission Training; Weapons & Tactics]

Page 14: Armed Forces Communications & Electronics Association (AFCEA)

The Evolution in Systems

Steps on the Evolutionary Trail of a Net-D Weapon:
• “Some IT Gear” bought and deployed
• A System, tested prior to deployment
• A System, obtained to achieve a specific Net-D effect, tested, certified, and weaponized prior to deployment

Page 15: Armed Forces Communications & Electronics Association (AFCEA)

AF Info Ops Center (AFIOC)

Weapons
• NetWarfare Tools OT&E
• Countermeasure Development/Support
• Network Warfare Systems Capability Integration
• Wireless Signature support
• New Technologies

Tactics Development
• Architecture analysis support (incident response)
• TTP Development
• System/Software Vulnerability Assessments
• Modeling/Simulation

Page 16: Armed Forces Communications & Electronics Association (AFCEA)

Net-D’s Weapon Systems

ASIMS – Automated Security Incident Measurement System
• “Packet Sniffer on Steroids”: Monitors DMZ traffic, alerts on suspicious traffic
• GOTS software – IDS signatures not shared outside of DoD
• Working Block 3.1.1 – IPv6 logging, auto response/remediation, wild card string matches, 40% faster processing

BorderGuard
• CENTCOM’s Intrusion Detection and Prevention system
• Virtually NO major Net-D incidents in CENTCOM while deployed!

IO (Information Operations) Platform
• Interoperable, survivable, real-time packet monitoring of all traffic for ID’d signatures
• Captures context (pre/post compromise actions)
• Allows Net-D operator to block, quarantine, log, alter, or deep-inspect traffic

Page 17: Armed Forces Communications & Electronics Association (AFCEA)

AF Net-D Weapon Systems

+ AFIOC

+ OSI

+ NOSCs

AF Sensors: 215

Enlisted: 117

Officer: 51

Civilian: 10

Contractors: 107

33 NWS

+ DoD

+ Joint

+ Civilian

USCENTCOM Sensors: 111

79% Cisco 21% ASIM

Page 18: Armed Forces Communications & Electronics Association (AFCEA)

The Evolution in Intelligence

Steps on the Evolutionary Trail of Net-D Intelligence:
• Nothing
• “Headline vignette”–quality Intel
• “Headline vignette”, plus implications
• Predictive, actionable Intel, through standard processes (PIRs, etc.)

Page 19: Armed Forces Communications & Electronics Association (AFCEA)

Operational Intelligence

Intel Drives Operations

Iterative process: Plan, Execute, Assess

[Figure: Centers; Agencies; Subject Matter Expertise; Operational level C2; Analysis; Targeting; ISR Ops / Collections; Boards & Cells; Tactical Execution & Mission Reporting; Time Sensitive Targeting; Real-time Mission Changes]

The ISR process should not vary from one warfighting domain to the other!

Page 20: Armed Forces Communications & Electronics Association (AFCEA)

Cyberspace Intel Requirements

Provide predictive, timely and actionable intelligence to Commanders conducting operations in and through cyberspace (physical, digital, social, wireless networks)

Collaborate with USGov, public, private and allied/coalition partners on cyberspace intelligence

Perform operational assessments to improve cyber incident response

Support operational assessment process with tailored analysis of cyberspace effectiveness in support of ongoing missions

Develop and implement annual intel training requirements for all cyberspace operators

Not much difference from ISR support to other forms of warfare…

Page 21: Armed Forces Communications & Electronics Association (AFCEA)

The Evolution in Planning

Steps on the Evolutionary Trail of Net-D Mission Planning:
• None—just “do what the systems force you to do”
• Minimal—put context around “what the systems force you to do”
• Plan in advance for what might happen—includes deliberate planning process
• Self-initiated, aggressive Net-D Operations—“named” operations—Mission Planning, Campaign Planning

Page 22: Armed Forces Communications & Electronics Association (AFCEA)

Mission Planning, Campaign Planning

Address specific adversaries and provide operational planning capability on the 2 week-to-1 year window
• Focused on known adversaries
• Focused on probable scenarios—develop mission concept from I&W to employment
• Future capabilities will allow for more active defense, including ROE-based immediate response actions

Page 23: Armed Forces Communications & Electronics Association (AFCEA)

Questions?