Armed Forces Communications & Electronics Association (AFCEA) - PowerPoint Presentation Transcript
Armed Forces Communications & Electronics Association (AFCEA)
AFCEA International
• Non-profit membership association
• Serves the military, government, industry, and academia
• Advances professional knowledge and relationships in the fields of communications, IT, intelligence, and global security
AFCEA Activities
• SIGNAL Magazine (monthly)
• SIGNAL Connections (online newsletter)
• Educational Foundation
• Professional Development Center
• AFCEA-sponsored conferences/symposia
AFCEA Participants
• 20,000 individual members
• 11,000 corporate associates
• 1,400 corporate members
Integrity - Service - Excellence
Operationalizing Network Defense
(or, “The Awakening of One Comm Guy”)
Colonel Mark Kross, Commander
26th Network Operations Group
Overall Classification: UNCLASSIFIED
Overview
• Importance of the Network
• Net-D Primer
• Net-D as a Recognized Operation
• The Big Evolution: People, Systems, Intel, Planning
Network Defense: The Operational Imperative
AF Operations today use a complex network of systems and airmen, enabling full spectrum dominance – we need our networks to fight.
[Figure: Net-Centric Battlespace. Nodes: PACAF, NCC, ACC, EOC, CAOC, AFFOR, AFSPC, Pentagon. Spectrum of operations: Humanitarian Assistance, Peacekeeping, NEO, Disaster Relief, Counter Insurgency, Limited Regional Conflict, Major Regional Conflict, International War.]
“The first battle in the wars of the future will be over control of Cyberspace” - Dr Lani Kass
Threats to U.S. Air Force Networks
December 1998 – January 2003: most activity from moderately skilled individuals
• Hackers, script kiddies, criminals
February 2003 – 2005: skilled/organized actors (possibly state-sponsored)
2005 – Present: trend reports identify associated state-sponsored attacks
Threat sources:
• Physical destruction
• Forces of nature
• Nation states
• Non-state actors
“As the nation with the world’s most advanced armed forces, we can’t afford to risk losing the freedom of action in the cyberspace domain.” - SECAF, Jun 07
2007 sensor statistics:
• 5,804,970 real-time alerts
• 28,398 suspicious events
• 257 non-compliance findings
• 20,116,960,777 suspicious connections
Validate → 2007: 31 validated incidents (9 root, 18 user, 4 malicious logic)
• 78% had an applicable TCNO (Time Compliance Network Order) already issued
• Patches/updates not done
• Default/weak passwords
• Poor permission settings
Cyberspace is a battlespace... We’re at WAR!
Hundreds of jihadi web sites and Internet hosts, thousands of individual e-mail accounts
Pentagon, 11 Sep 2001: the adversary used the Internet for recruitment, international and cell-phone communications for coordination, and training on simulators
Network Defense Primer
• CyberOps is an arms race that favors the offensive
• Functionally, Network Defense (Net-D) is somewhat analogous to an air defense system (CRE, Control and Reporting Element), but “missions” are not single engagements; they are multiple and constant
• No US historical precedent: a perpetual, undeclared struggle against a myriad of peer-level adversaries whose identities are often un-provable, in which weapons and tactics emerge, evolve, and become obsolete in days or weeks
Net-D as a Recognized Operation
AFDD 2-5: Net-D is a subset of Network Warfare Operations, which are part of Information Operations.
IO: “The integrated employment of the capabilities of influence operations, electronic warfare operations, network operations in concert with the specified integrated control enablers, to influence, disrupt, corrupt or usurp adversarial human and automated decision-making while protecting our own.”
New doctrine pending; NetD will still be a type of op!
[Figure: military capabilities and IO sub-class capabilities. Influence Ops: PSYOP, OPSEC, MD (military deception), PA (public affairs), C-PRO (counterpropaganda), CI (counterintelligence). Electronic Warfare Ops: EA (electronic attack), ES (electronic support), EP (electronic protection). Network Warfare Ops: NetA (network attack), NetD (network defense), NS (network warfare support).]
The Big Evolution
Steps on the evolutionary trail of Network Defense:
• Nothing
• Information Assurance
• Information Assurance plus Network Defense
• Information Assurance plus operationalized Net-D
Operationalized Net-D: the process to get there is a set of concurrent evolutions in many areas, including people, systems, intelligence, and planning!
The Evolution in People
Steps on the evolutionary trail of building a network defender:
• Nothing
• Technical training
• Technical training plus operational training in an IQT/MQT construct
• Certified training under a Stan/Eval process
[Figure: 33 NWS crew qualification pipeline. Initial Assessment; 33 NWS Common Block Course; 33 NWS NSD Fundamentals Course; 33 NWS ASIM Operators Training Course; 33 NWS CENTCOM Operators Training Course; commercial training courses (routing/networking, Unix); ASIM Tech and CENTCOM Tech tracks; IQT Test (70% passing); MQT Test (85% passing); hands-on check ride; 33 NWS Technical Refresher. Crew positions: Crew Chief, Lead Analyst, ASIM Operator, CENTCOM Operator, Sys Admin Tech, Incident Response Commander.]
Undergraduate Network Warfare Training (UNWT)
• One course, two parts: Advanced Distributed Learning (ADL) and UNWT in-residence at the 39 IOS
• Full crew training: officer, enlisted, civilian; comm, intel, space, engineer, AFOSI
• Partner with industry: SANS GSEC Bootcamp, DoD 8570.1M certification, Idaho National Labs / Sandia National Labs / Pacific Northwest National Labs
• Hands-on mission simulators and models: Joint Cyber Ops Range / Telephony / Wireless / SCADA; Joint IO & Space Range / IADS / TADIL / SATCOM
• Community development: Cyberspace Training Summit; Missile & Space Intelligence Command / JRAAC / JIOR; Community of Practice (CoP) (AFKN); Dept. of Homeland Security (DNS)
DoD 8570.1M
UNWT CoP: https://wwwd.my.af.mil/afknprod
Mission Simulators, Academics, and Evaluations
[Figure: UNWT course layout. Two parts: VTANG ADL on-line training (up to 45 calendar days) and 39 IOS in-residence. Block I Orientation: ADL Assessment, GSEC Assessment, Operational Concepts, Legal Authorities & Responsibilities. Block II: Civilian GSEC Bootcamp (DoDI 8570.1m). Block III: Networking Fundamentals. Block IV: TCP/IP, Telephony, SATCOM. Block V: SCADA. Block VI: IADS, TADIL. Block VII: LMR. Block VIII: Capstone Mission Exercise, Evaluation, Graduation. Block durations as shown: up to 5, 8, 5, 12, 22, 27, and 5 training days.]
Standardization and Evaluation
Stan/Eval professionalizes operations:
• Methodical mission planning
• Synchronized ops execution
• Rigor/discipline/control
• Career-long evaluations
How?
• Standard ROEs and TTPs
• Mission training
• Mandatory simulator time (critical thinking)
• Rigorous evaluation
Elite network warriors, ready to affect the battle space
[Figure: Operations built on Stan/Eval, Mission Training, and Weapons & Tactics]
The Evolution in Systems
Steps on the evolutionary trail of a Net-D weapon:
• “Some IT gear” bought and deployed
• A system, tested prior to deployment
• A system, obtained to achieve a specific Net-D effect, tested, certified, and weaponized prior to deployment
AF Info Ops Center (AFIOC)
Weapons:
• Net warfare tools OT&E
• Countermeasure development/support
• Network warfare systems capability integration
• Wireless signature support
• New technologies
Tactics:
• Tactics development
• Architecture analysis support (incident response)
• TTP development
• System/software vulnerability assessments
• Modeling/simulation
Net-D’s Weapon Systems
ASIMS – Automated Security Incident Measurement System
• “Packet sniffer on steroids”: monitors DMZ traffic, alerts on suspicious traffic
• GOTS software; IDS signatures not shared outside of DoD
• Working Block 3.1.1: IPv6 logging, auto response/remediation, wild-card string matches, 40% faster processing
BorderGuard
• CENTCOM’s intrusion detection and prevention system
• Virtually NO major Net-D incidents in CENTCOM while deployed!
IO (Information Operations) Platform
• Interoperable, survivable, real-time packet monitoring of all traffic for ID’d signatures
• Captures context (pre/post compromise actions)
• Allows the Net-D operator to block, quarantine, log, alter, or deep-inspect traffic
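As an added illustration (not code from the briefing or from any Air Force system), the Python sketch below models the two mechanics the slides describe: a sensor that matches wild-card string signatures against observed traffic, keeps the surrounding records on the same flow as pre/post context, and maps each hit to a response action (log, block, quarantine); and the funnel from raw real-time alerts to suspicious events to incidents that the 2007 statistics earlier on the page count. The record layout, signature names, sample traffic, and the severity-to-action mapping are all constructed assumptions; real ASIM signatures are not public, and real validation is an analyst decision for which a severity threshold merely stands in here.

```python
"""Signature sensor with context capture and an alert-to-incident funnel.

Added example: a toy model of the ASIM / IO Platform behaviour described in
the briefing.  Record layout, signatures, sample traffic and the
severity-to-action mapping are constructed assumptions, not DoD data.
"""
from __future__ import annotations

import fnmatch
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One observed message on a flow (assumed layout)."""
    ts: int
    src: str
    dst: str
    dport: int
    payload: str


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: str              # shell-style wild-card string match on payload
    severity: int             # 1 recon, 2 attempt, 3 probable compromise
    dport: int | None = None  # restrict to one service port, None for any


@dataclass(frozen=True)
class Alert:
    sig: Signature
    hit: Record
    context: tuple[Record, ...]   # neighbouring records on the same flow
    action: str


# Assumed response policy; on a real sensor this comes from the ROE.
RESPONSE = {1: "log", 2: "block", 3: "quarantine"}


def matches(sig: Signature, rec: Record) -> bool:
    """Port filter first (cheap), then the wild-card string match."""
    if sig.dport is not None and sig.dport != rec.dport:
        return False
    return fnmatch.fnmatchcase(rec.payload, sig.pattern)


def run_sensor(signatures, records, depth=2):
    """Return one Alert per (record, signature) hit.  Context is the up to
    `depth` records before and after the hit that belong to the same
    src/dst pair, i.e. the pre/post actions an analyst wants to see."""
    alerts = []
    for i, rec in enumerate(records):
        for sig in signatures:
            if not matches(sig, rec):
                continue
            window = records[max(0, i - depth): i + depth + 1]
            context = tuple(r for r in window
                            if r is not rec and (r.src, r.dst) == (rec.src, rec.dst))
            alerts.append(Alert(sig, rec, context, RESPONSE[sig.severity]))
    return alerts


def triage(alerts):
    """Collapse raw alerts into suspicious events (one per source and
    signature) and escalate events at severity 2+ to incidents.  The
    threshold stands in for the analyst validation step on the slides."""
    events = defaultdict(list)
    for a in alerts:
        events[(a.hit.src, a.sig.name)].append(a)
    incidents = [key for key, hits in events.items()
                 if max(a.sig.severity for a in hits) >= 2]
    return {"alerts": len(alerts), "suspicious_events": len(events),
            "incidents": len(incidents), "incident_keys": incidents}


# Constructed signatures; the third is intentionally noisy (severity 1).
SIGNATURES = [
    Signature("ftp-default-creds", "USER admin*PASS admin*", 3, dport=21),
    Signature("http-dir-traversal", "GET /*../../*", 2, dport=80),
    Signature("scanner-user-agent", "*User-Agent: Nmap*", 1),
]

# Constructed traffic: a default-password FTP login followed by a file read,
# one traversal attempt from a scanner, and plain scanner noise.
SAMPLE_TRAFFIC = [
    Record(1, "203.0.113.5", "198.51.100.10", 21, "220 FTP ready"),
    Record(2, "203.0.113.5", "198.51.100.10", 21, "USER admin PASS admin"),
    Record(3, "203.0.113.5", "198.51.100.10", 21, "RETR /etc/passwd"),
    Record(4, "203.0.113.7", "198.51.100.20", 80,
           "GET /index.html HTTP/1.0 User-Agent: Mozilla"),
    Record(5, "203.0.113.7", "198.51.100.20", 80,
           "GET /cgi-bin/../../etc/passwd HTTP/1.0 User-Agent: Nmap Scripting Engine"),
    Record(6, "203.0.113.9", "198.51.100.20", 80,
           "GET / HTTP/1.0 User-Agent: Nmap Scripting Engine"),
    Record(7, "203.0.113.9", "198.51.100.20", 80,
           "GET /robots.txt HTTP/1.0 User-Agent: Nmap Scripting Engine"),
]


if __name__ == "__main__":
    found = run_sensor(SIGNATURES, SAMPLE_TRAFFIC)
    for a in found:
        print(f"{a.action:10} {a.sig.name:20} ts={a.hit.ts} "
              f"context_ts={[r.ts for r in a.context]}")
    print(triage(found))
```

On the constructed sample the sensor raises five alerts, triage collapses them to four suspicious events, and two of those (the default-credential login and the traversal attempt) reach incident level; the three scanner hits are the kind of volume that fills the "real-time alerts" line of the 2007 figures without ever becoming an incident. The FTP alert carries the `220` banner and the later `RETR /etc/passwd` as pre/post context, which is what tells an analyst the weak password was actually used rather than merely tried.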
AF Net-D Weapon Systems
[Figure: 33 NWS with AFIOC, OSI, and NOSCs; DoD, Joint, and civilian partners. AF sensors: 215. USCENTCOM sensors: 111. Sensor mix: 79% Cisco, 21% ASIM. Personnel: enlisted 117, officer 51, civilian 10, contractors 107.]
The Evolution in Intelligence
Steps on the evolutionary trail of Net-D intelligence:
• Nothing
• “Headline vignette”-quality intel
• “Headline vignette”, plus implications
• Predictive, actionable intel, through standard processes (PIRs, etc.)
Operational Intelligence: Intel Drives Operations
[Figure: iterative Plan → Execute → Assess cycle. Inputs: centers, agencies, subject matter expertise. Operational-level C2: analysis, targeting, ISR ops/collections, boards & cells. Tactical execution & mission reporting: time-sensitive targeting, real-time mission changes.]
The ISR process should not vary from one warfighting domain to the other!
Cyberspace Intel Requirements
• Provide predictive, timely and actionable intelligence to commanders conducting operations in and through cyberspace (physical, digital, social, wireless networks)
• Collaborate with US Government, public, private and allied/coalition partners on cyberspace intelligence
• Perform operational assessments to improve cyber incident response
• Support the operational assessment process with tailored analysis of cyberspace effectiveness in support of ongoing missions
• Develop and implement annual intel training requirements for all cyberspace operators
Not much difference from ISR support to other forms of warfare…
The Evolution in Planning
Steps on the evolutionary trail of Net-D mission planning:
• None: just “do what the systems force you to do”
• Minimal: put context around “what the systems force you to do”
• Plan in advance for what might happen, including a deliberate planning process
• Self-initiated, aggressive Net-D operations (“named” operations): mission planning, campaign planning
Mission Planning, Campaign Planning
• Address specific adversaries and provide operational planning capability on the 2-week-to-1-year window
• Focused on known adversaries
• Focused on probable scenarios: develop the mission concept from I&W to employment
• Future capabilities will allow for more active defense, including ROE-based immediate response actions
Questions?