[ISN] Aggressors prowl for Air Force information

From: InfoSec News <alerts_at_private>
Date: Mon, 2 Mar 2009 01:08:28 -0600 (CST)
http://www.af.mil/news/story.asp?id=123137445

By Master Sgt. Eric M. Grill
Defense Media Activity-San Antonio
2/27/2009

NELLIS AIR FORCE BASE, Nev. (AFNS) -- A little-known unit here, working 
in a bank of trailers hidden from the public, performs a unique mission 
for the Air Force: hacking into the vast Air Force computer networks to 
help protect those networks from an enemy's attack.

The Air Force hackers from the 57th Information Aggressor Squadron here 
and the Kansas Air National Guard's 177th Information Aggressor 
Squadron, known collectively as the Aggressors, help prepare Air Force, 
joint and allied personnel by replicating current and emerging threats 
as a professional information operations opposition force.

Gen. Stephen R. Lorenz, Air Education and Training Command commander, 
wrote in a commentary about cyberspace printed in December: "Our 
enemies are attacking our network, the same network (people) use to send 
e-mails, share documents and access the Internet. They are using stealth 
and surprise to insert malicious code into our network in order to gain 
intelligence. What is our enemy's intention? We don't know, but it's not 
friendly."

Most of the time these attacks are considered benign, basically scans, 
said Lt. Col. Reb Butler, the 57th IAS commander. But, he said, each day 
the Air Force and the Department of Defense receive thousands of 
attacks against their computer networks.

"We want to make friendly forces better," Colonel Butler said. "The way 
to do that is to show them the threats that they're facing today and the 
ones that they will face tomorrow. So when they go out and face the 
threats in the real world, they actually feel it is a lot easier to 
conduct their operations."

The Aggressors, Colonel Butler said, operate on three basic principles: 
knowing the threat, teaching the threat and replicating the threat.

To get to know the threat, they partner with intelligence organizations 
such as the National Security Agency, the Central Intelligence Agency, 
the National Air and Space Intelligence Center and other key 
intelligence organizations to study and characterize the threats that 
are out there.

Once they know the threat, they teach the threat.

"Once you understand what the threats are doing and how they're doing 
it, we take that information and teach people about the threat," Colonel 
Butler said. "We try to tailor to our training audience. In our case, 
every person who works on a DOD installation or touches a DOD network is 
part of our training audience because (they) face this threat every day 
when they go to work. (The threats) may not be obvious to you and they 
may not be known to you ... but they are out there and you need to be 
prepared as a user, as a consumer, and more importantly, as a network 
defender or an information defender, your role in doing that."

Finally the Aggressors will replicate those threats.

"We can see if our friendly tactics, techniques and procedures, and in 
this area, policies, are effective to either mitigate or defeat those 
threats," Colonel Butler said. "Where they are not effective, we 
identify those shortfalls and gaps so that friendly forces can either 
build new tactics, write new policies or acquire new systems to defeat 
those threats or assume that they are acceptable risks."

One of the tools the men and women of the 57th IAS and 177th IAS use to 
teach network security to users at individual bases is called the 
Information Operations Road Show, a three-phased process.

The first phase is done remotely, using dot-com (commercial Internet) 
access and open-source information; in the second, Aggressors go to the 
installation itself; and in the third, through replication of the 
attack, they train the network control centers and individual users on 
their responsibilities for securing the computer networks.

During the remote phase the Aggressors work out which key units, key 
functions and key parts of that base contribute to the Air Force and 
Department of Defense missions.

"It helps us define our 'red' objectives, what we as an adversary would 
want to know about that installation," Colonel Butler said.

It's also where the Aggressors will infiltrate the network and basically 
establish their presence.

"That strategy is very simple. We gain access to the network, usually 
through phishing attacks by attacking the human user (for their 
information) and making them a victim by gaining their privileges," he 
said. "Once we get into the network, we'll establish footholds into the 
network and then map the network."

The Aggressors will continue to try to escalate their privileges in that 
network and will try to "own" the entire base network and go beyond that 
installation to multiple installations and in some cases to multiple 
major commands, Colonel Butler said.

"Finally we'll exploit that network by data-mining it to find that key 
information about their mission or their key contributions to the DOD," 
Colonel Butler said. They use this information for phase three.

During phase two, a team is sent to the installation and starts from 
outside the gate. They'll defeat the layers of defense for the 
information and gain access through the installation's gate, the 
physical security of the buildings, the offices and the desks.

Then they will go after the more sensitive areas where work is being 
accomplished, whether that is the flightline or secure work areas, so 
they can see how far they can infiltrate to get access -- long-term, 
unhindered access -- to that installation's information, Colonel Butler 
said.

"Phase three, the most important part of this form of threat 
replication, is where we put the uniform back on and provide training 
and feedback, not just for the commander, but for as many people as that 
commander makes available to us, so that we can improve friendly 
forces," Colonel Butler said.

"Up until phase three, it really is just an assessment," he said. 
"Friendly forces' behavior doesn't change until we provide the feedback, 
both good and bad, and specialize the academics for those layers of 
defense, whether they are on the network, whether they are physical or 
whether there are other concerns so that friendly forces are better 
prepared to meet or defeat the information operations threats."

Based on information from law enforcement and intelligence agencies, 
Colonel Butler said the current trend for hackers, whether they are 
criminal, nation-state or terrorist in nature, is not to attack the 
advancing technology being used, but to attack the individual user to 
gain access to the networks.

The threats out there basically are trying to take advantage of the 
human interface, Colonel Butler said.

"Our Airmen are our first line of network defense," he said. "Ultimately 
they are the risk manager for all of our networks. Whether they knew 
that or not, they should now. We need to educate and train them so that 
they understand the types of threats they face and why we have certain 
policies and procedures in place. They are there to defeat those 
threats."

As an example, Colonel Butler said that the least educated Airman here 
at Nellis, whether a civilian employee or an airman basic, is the 
risk manager for the network at Langley Air Force Base, Va.; at 
Barksdale AFB, La.; and at Davis-Monthan AFB, Ariz. As Air Force officials 
consolidate the network operations centers into key centers of 
excellence, (those users) also will be the risk managers for Aviano Air 
Base, Italy; Ramstein AB, Germany; and Royal Air Force Lakenheath in the 
United Kingdom.

"That tells you how widespread and how important it is to educate every 
user on their role and their responsibility for defending our networks," 
Colonel Butler said.

"If the individual is not prepared to understand the threat and know 
what to do when those threats happen to be successful, that is, mitigate 
those threats, the adversary wins and we lose," Colonel Butler said.

"Part of educating our Airmen about the threats is so they understand 
what (those threats) look like, so they can recognize them and identify 
them, and then activate the rest of the layers of defense to defeat or 
mitigate those threats," he said.


Received on Sun Mar 01 2009 - 23:08:28 PST