UNCLASSIFIED
67th Network Warfare Wing
The Air Force’s Cyber Ops Wing
Col Kevin Wooton, Commander
31 May 2011
Overall Classification: UNCLASSIFIED

Where we are… where we’re going
Cyber today is where Airpower was in the 1930s…

67 NWW Focus
• Conducting the full range of Network Warfare
  – Network Operations (Establish)
  – Net Defense (Control)
  – Full Spectrum (Use)
[Diagram: Operations Of and On the Net (Operate, Attack, Defend)]
[Org chart: 67 NWW with 690 NSG (Net Ops), 26 NOG (Net Defense), 67 NWG (Full Spectrum)]

AFNetOps Vision
• CSAF’s Sep 00 One Air Force…One Network NOTAM committed AF to fundamentally changing the way we leverage our networks.
• CSAF’s msg established AFNetOps, 3 Jul 03…To effectively protect Air Force networks and the advantages they provide, network control…need[s] to be applied in a coherent, disciplined fashion under control of a single AF commander.
• CSAF’s 3 Aug 05 memo on AFNETOPs support to USSTRATCOM laid out a path to provide C2 of the AF network.
• CSAF’s 15 May 09 directive memorandum established AFNETOPS/CC authority to issue orders for the operation of AF networks.
• End-Game: C2 network with focused, precision results

AFNetOps Reality
[Figure: O&M responsibility Matrix]
• AFMC VPN managed by NCC, except at Kirkland where it's iNOSC-W
• AFCYBER = MAJCOM NOSCs under one commander

AFNet Migration (NIPRNET)
One AF-wide Active Directory Forest
SCOPE
• 14 Networks into One
• 840K users across 413 sites
BENEFITS
• E-mail for Life
• Single Sign-on Anywhere
• Reduce System Complexity
• AF-wide Collaboration
STATUS (9 May 11)
• 138K users // 29 sites
• 16% of AF
• 10 Legacy Nets Shutdown

Net-Defense: Current TTP
DETECT / PREVENT
• TCNOs up 28% since 2006
• 24/7/365 presence
• ASIMS strings – filter suspicious net activity
• Crews review 10K+ suspicious events per day
• Strong relationship with vendors – share knowledge
• Report foreign IP activity to IC
• Correlation analysis - low & slow
• Recommend IP blocks to NOD
• Unity of effort w/other agencies
• Blue assessment – see what hacker sees
RESPOND
• Highly skilled computer network/forensics analysts
• Focal point for net intrusions
• Isolate exploitation method & extent of compromise
• Work closely with OSI & counter-intel agencies
Sensors: Air Force: 232; USJFCOM: 2; USCENTCOM: 108

Mission Operations Tempo
[Chart: Incidents and CAT VIII Investigations by year, 2008 to 2011 (*CAO 20 Apr 11); data labels as extracted: 1287, 906, 812, 490, 127, 204, 75]

Full Spectrum Ops
Current Units
• 91 NWS
  – Telephone Network Ops
• 315 NWS
  – Core of AF Ops at Ft Meade
  – Daily joint operations

Current/Future Initiatives
• Host-Based Security System (HBSS), desktop-level security
• Information Operations Platform (IOP), intrusion prevention system
• Network defense common operating picture (ArcSight)
• EnCase – Remote Incident Response Forensics (EnCase)
• AF Gateways (aka AF Network Increment 1), network demilitarized zone
• Vulnerability Lifecycle Management System (VLMS)
• Fidelis for Operations Security (OPSEC): SNS monitoring/Insider threat

Current/Future Initiatives (cont’d)
• Continuity of Operations (COOP)/Alternate Operations Locations (AOL)
• ROE-governed TTPs/Execution: Stan/Eval
• Partnerships for rapid TTP and tool development: ESC, AFCA, Rome Labs, 688 IOW
• Active/Dynamic Defense
• Indications and Warnings of malicious activity based on actionable, targeted Intel

67 NWW - Air Force’s Execution Arm for Cyber Warfare
NetD, NetE, NetOps, Full Spectrum