Transcript: CyberSecurityForum3Jun11wooten

UNCLASSIFIED
67th Network Warfare Wing
The Air Force’s Cyber Ops Wing
Col Kevin Wooton, Commander
31 May 2011
Overall Classification: UNCLASSIFIED
Where we are… where we’re going
Cyber today is where Airpower was in the 1930s…
67 NWW Focus
• Conducting the full range of Network Warfare
– Network Operations (Establish)
– Net Defense (Control)
– Full Spectrum (Use)
(Diagram: Operate / Attack / Defend – Operations Of and On the Net)
(Org chart: 67 NWW)
– 690 NSG – Net Ops
– 26 NOG – Net Defense
– 67 NWG – Full Spectrum
AFNetOps Vision
• CSAF’s Sep 00 One Air Force…One Network NOTAM committed AF to fundamentally changing the way we leverage our networks.
• CSAF’s msg established AFNetOps, 3 Jul 03…To effectively protect Air Force networks and the advantages they provide, network control…need[s] to be applied in a coherent, disciplined fashion under control of a single AF commander.
• CSAF’s 3 Aug 05 memo on AFNETOPs support to USSTRATCOM laid out a path to provide C2 of the AF network.
• CSAF’s 15 May 09 directive memorandum established AFNETOPS/CC authority to issue orders for the operation of AF networks.
• End-Game: C2 network with focused, precision results
AFNetOps Reality
(Diagram: O&M responsibility matrix)
– AFMC VPN managed by NCC, except at Kirtland, where it’s iNOSC-W
– AFCYBER = MAJCOM NOSCs under one commander
AFNet Migration (NIPRNET)
One AF-wide Active Directory Forest
SCOPE
– 14 Networks into One
– 840K users across 413 sites
BENEFITS
– E-mail for Life
– Single Sign-on Anywhere
– Reduce System Complexity
– AF-wide Collaboration
STATUS (9 May 11)
– 138K users // 29 sites
– 16% of AF
– 10 Legacy Nets Shutdown
Net-Defense: Current TTP
PREVENT / DETECT
• TCNOs up 28% since 2006
• 24/7/365 presence
• ASIMS strings – filter suspicious net activity
• Crews review 10K+ suspicious events per day
• Strong relationship with vendors – share knowledge
• Report foreign IP activity to IC
• Correlation analysis – low & slow
• Recommend IP blocks to NOD
• Unity of effort w/other agencies
• Blue assessment – see what hacker sees
RESPOND
• Highly skilled computer network/forensics analysts
• Focal point for net intrusions
• Isolate exploitation method & extent of compromise
• Work closely with OSI & counter-intel agencies
Sensors
Air Force: 232
USJFCOM: 2
USCENTCOM: 108
Mission Operations Tempo
(Bar chart, 2008–2011, two series: Incidents and CAT VIII Investigations; *CAO 20 Apr 11. Series assignment below is inferred from the extraction order of the bar labels.)
Year    Incidents   CAT VIII Investigations
2008    1287        127
2009    906         204
2010    812         204
2011*   490         75
Full Spectrum Ops
Current Units
• 91 NWS
– Telephone Network Ops
• 315 NWS
– Core of AF Ops at Ft Meade
– Daily joint operations
Current/Future Initiatives
• Host-Based Security System (HBSS), desktop-level security
• Information Operations Platform (IOP), intrusion prevention system
• Network defense common operating picture (ArcSight)
• EnCase – Remote Incident Response Forensics
• AF Gateways (aka AF Network Increment 1), network demilitarized zone
• Vulnerability Lifecycle Management System (VLMS)
• Fidelis for Operations Security (OPSEC): SNS monitoring/Insider threat
Current/Future Initiatives (cont’d)
• Continuity of Operations (COOP)/Alternate Operations Locations (AOL)
• ROE-governed TTPs/Execution: Stan/Eval
• Partnerships for rapid TTP and tool development: ESC, AFCA, Rome Labs, 688 IOW
• Active/Dynamic Defense
• Indications and Warnings of malicious activity based on actionable, targeted Intel
67 NWW – Air Force’s Execution Arm for Cyber Warfare
(Diagram: NetD / NetE / NetOps / Full Spectrum)