REPORT DOCUMENTATION PAGE (DTIC form, condensed)
Report date / type and dates covered: Spring 1998, Newsletter Vol. 1 No. 3
Title and subtitle: Information Assurance Technology (IA) Newsletter
Performing organization: Information Assurance Technology Analysis Center (IATAC), 3190 Fairview Park Drive, Falls Church VA 22042
Sponsoring / monitoring agency: Defense Technical Information Center, 8725 John J. Kingman Rd., Suite 944, Ft. Belvoir VA 22060
Distribution statement: Approved for public release; distribution is unlimited (A)
Abstract: The Information Assurance Technology Newsletter is published quarterly by the Information Assurance Technology Analysis Center (IATAC). The third issue continues the focus on current information assurance initiatives underway within the Department of Defense. In addition, an overview of the IA Tools Database is provided that highlights the current collection of Intrusion Detection tools.
Subject terms: Information Security, Information Assurance, Intrusion Detection
Security classification of report / this page / abstract: UNCLASSIFIED / UNCLASSIFIED / UNCLASSIFIED. Limitation of abstract: None.
IAnewsletter, Spring 1998, Volume 1 Number 3
IATAC: a DoD-Sponsored Information Analysis Center

DEFENDING AGAINST IW

Editor's Note: This article is part of a continuing series that highlights current Information Assurance (IA) initiatives within the Department of Defense. The Joint Command and Control Warfare Center (JC2WC) is located at Kelly Air Force Base (AFB) in San Antonio, Texas.

The mission of the Joint Command and Control Warfare Center is to provide direct Command and Control Warfare (C2W) support to operational commanders and to serve as the principal field agency within the Department of Defense for non-Service-specific C2W support. The JC2WC executes its mission through its directorates of Operations (OP), Protect/Defense (PD), Operations Support and Technical Integration (OT), Systems Integration, the Office of Plans and Programs (XR) and the Special Technical Operations (STO) Division.

The focus of the Protect/Defense Directorate is to assist the combatant commanders in the development of strategies to defend against C2W and Information Warfare (IW) attacks. The Directorate's original concept was that of Red Teaming, or exploiting information operations and related information technologies to raise the awareness of the CINCs and OSD program managers to information-related vulnerabilities. However, as concepts and doctrine for IW and Information Operations (IO) developed, we realized that vulnerabilities should be addressed in the larger context of IW and IO. That is, since command and control (C2) is a subset of IW, we need to protect information with C2 application and value regardless of whether or not it resides in a C2 system. In addition, we need to address those IO objectives and tasks associated with peacetime defense. Accordingly, the Protect/Defense Directorate's mission is evolving from C2 Protect and IW Defense to Defensive IO.

In this context we are orienting our mission to the new definitions prescribed by DODD S-3600.1, Information Operations; CJCSI 3210.01, Joint Information Warfare Policy; CJCSI 6510.01A, Defensive IW Implementation; and Draft Joint Pub 3-13, Joint Doctrine for Information Operations. DODD S-3600.1 provides that information systems critical to the transmission and use of minimum essential information for command and control of forces shall be designed, employed and exercised in a manner that minimizes or prevents exploitation, degradation or denial of service from a variety of attacks, to include computer network attack. Draft Joint Pub 3-13 refers to the following related defensive IO areas: information assurance, physical security, OPSEC, counter-deception, counter-PSYOP, counterintelligence, electronic protect and special information operations. The Defensive IO mission also involves responses to IW attacks that may be either defensive or offensive in nature and may involve interface with law enforcement agencies.

As you can see, Defensive IO is a relatively broad mission. It is also a dynamic one: as IW and IO concepts and doctrine evolve, so does our mission, and we continue to examine processes that best support the combatant commanders in the areas listed above. Since this is a new mission area for the JC2WC, we continue to seek out the best training available in these areas to enable us to provide the requisite expertise as a center of excellence. To accomplish this mission the Directorate has established three functional area teams (see Figure 1 below) to respond to our evolving defensive IO mission. These (Continued on page 7)

Figure 1. Protect/Defense Functional Areas. Items legible in the figure: Vulnerability Assessment of IO Technologies; Recommendations to Program Management; IO System Vulnerability Assessment to CINC (BLUE); IW Red Team Scenario Development/Execution; Post-EX Recommendations; Develop Joint Defensive IO Strategies; Ensure the Best Possible IO Technologies for the Warfighter.

IN THIS ISSUE
Penetration Testing Course 3
IA Tools Database: Intrusion Detection 4
STINET 6
IATAC Products 6
Conferences/Symposia 7
Penetration Testing Course Registration 8

INFORMATION ASSURANCE SEMINAR GAME

The US Army War College Center for Strategic Leadership hosted an Information Assurance Seminar Game that examined the emerging roles of the public and private sectors in protecting our critical information infrastructures from information warfare attacks. The Seminar Game was held 3-5 February 1998 at the Center for Strategic Leadership (CSL), Carlisle Barracks, and was jointly sponsored by the CSL, Booz-Allen & Hamilton and the National Computer Security Association.

Seminar Game participants were industry and government experts whose views influence national information assurance policy and direction. The Seminar Game provided participants with a unique opportunity to interact on matters of increasing concern to all, and resulted in a more balanced view of information warfare and its threat to our nation's critical infrastructure, private and public. Presentations by recognized national security experts helped participants define the threat, assess vulnerabilities and consider ways to estimate damages in the wake of an information infrastructure attack. Participants investigated ways to detect and disclose infrastructure attacks while addressing an appropriate process for response and recovery. The seminar also considered the national response to a strategic information attack.

Results of the game will be distributed to participants, key government offices and selected agencies for publication. Further details can be obtained by contacting one of the following:
US Army War College: Mr. Robert F. Minehart Jr., 717-245-4472
International Computer Security Association: Mr. Fred Tompkins, 717-241-3241
Booz-Allen & Hamilton Inc.: Mr. Albert J. Ross, 410-684-6635

IAnewsletter

IATAC, a DoD-Sponsored Information Analysis Center (IAC), is administratively managed by the Defense Technical Information Center (DTIC) under the IAC Program. Inquiries about IATAC capabilities, products and services may be addressed to Robert Thompson, Associate Director, IATAC.

We welcome your input. To submit your related articles, photos, notices, feature programs or ideas for future issues, please contact: IATAC, ATTN: C. Wright, 8283 Greensboro Drive, Allen 663, McLean VA 22102. Phone 703-902-3176, Fax 703-902-3425; STU-III 703-902-6869, Fax 703-902-3991. E-mail iatac@dtic.mil. Internet http://iatac.dtic.mil; also reachable via Intelink-S and Intelink.

PENETRATION TESTING COURSE

Course Objective. The purpose of this full-day tutorial is to provide attendees an accurate depiction of the role penetration testing plays in analyzing a system's overall security posture. The tutorial is designed to provide a thorough understanding of penetration testing concepts, terminology, approaches and techniques that can be applied to all system and network configurations. This course is NOT intended to teach specific system vulnerabilities or how to exploit them, but it will provide information on publicly available sources and tools that are commonly used by hackers. During this course attendees will learn how penetration testing fits into life-cycle system and network security and how it can complement other commonly performed security activities such as risk analysis and security test and evaluation. Attendees will also learn the limitations of penetration testing, and that it is not a comprehensive analysis of a system's security. At the completion of this tutorial attendees should have a better understanding of
what penetration testing is and is not, how it can be beneficial to organizations, and the restrictions imposed when it is performed by professional consultants within legal boundaries. Attendees will have obtained the basic foundation necessary for building a penetration testing capability and performing penetration tests.

The tutorial will be held as Government Only (see registration form on page 8) at the Booz-Allen & Hamilton McLean Campus, 8283 Greensboro Drive. A registration fee of $225.00 is required and is due by May 18, 1998. A $50.00 late fee will be applied to all registrations received after May 18, 1998 and to payment at the door. For more information concerning the tutorial, please contact Christina Wright at 703-902-3176 or 703-902-3377, or via e-mail at iatac@dtic.mil.

About the Instructor. Debra Banning is a Senior Associate at Booz-Allen & Hamilton specializing in security risk assessments and penetration testing. Ms. Banning has been planning, performing and leading penetration exercises for government and commercial clients for 13 years. She recently presented the Penetration Tutorial on which this workshop is based at the 13th Annual Computer Security Applications Conference, sponsored by the Computer Society.

INFORMATION ASSURANCE TOOLS

The IATAC Information Assurance Tools Database hosts information on intrusion detection, vulnerability analysis, firewall and anti-virus applications. A brief summary of the Intrusion Detection Tools is provided on these two pages. For more information see IATAC Products on page 6.

Each database entry is tagged with one or more attributes drawn from this set: attack detection, audit-based, misuse detection, anomaly detection, system monitoring, expert system, keystroke-level surveillance, keyword-level surveillance, file integrity, state transition analysis. The per-tool attribute assignments did not survive the scan; the tool descriptions below did. Where a tool's name is not legible in the scan, the entry is shown as "(name not legible)".

Intrusion Detection Tools, page 1:
ADS: Attack detection system for secure computer systems.
(name not legible): Distributed intrusion detection system that consists of agents on the monitored hosts and a central monitoring station with an expert system.
ALVA: Real-time tool for detecting potential security violations in audit logs. The system gains some platform independence by analyzing command logs that are pre-computed from the system audit logs.
Argus: Generic IP network transaction auditing tool.
(name not legible): Maps IP addresses to physical network (hardware) addresses to monitor the usage of IP addresses on a network.
ARPWATCH: Aims to protect against address spoofing by monitoring Ethernet activity and maintaining a database of Ethernet/IP address pairings.
ASAX: Distributed audit trail analysis system that also incorporates configuration analysis.
ASIM: Air Force project designed to measure the level of unauthorized activity against its systems.
CMDS: Real-time audit reduction and analysis to detect and deter computer misuse.
Courtney: Monitors the network and identifies the source machines of SATAN probes and attacks.
CyberCop: Real-time security solution that issues alarms when attacks are identified, recognizes networked elements under attack, logs the activity and captures evidence of the intrusion.
EMERALD: Distributed, scalable tool suite for tracking malicious activity through and across large networks; introduces a highly distributed building-block approach to network surveillance, attack isolation and automated response.
Gabriel: SATAN detector available for Sun platforms; comes pre-built.
GrIDS: Uses a graph-based language for analyzing network connection activity in a LAN/MAN-sized system to detect large-scale automated attacks on networked systems.
(name not legible): Real-time intrusion detection expert system that observes user behavior on a monitored computer system and adaptively learns what is normal for individual users, groups, remote hosts and the overall system.
(name not legible): Based on complexity of matching and temporal characteristics.
Ifstatus: Checks network interfaces for promiscuous or debug mode in an attempt to determine whether a sniffer is being run.
Internet Scanner Toolset: Performs scheduled and selective probes of a network's communication services, operating systems, key applications and routers in search of the vulnerabilities most often used by intruders to probe and investigate.
INTOUCH: Scans all network-based user activity, regardless of the computer manufacturer or operating system in use, utilizing keystroke-level surveillance.
(name not legible): Detects intruders or abuse by analyzing audit data from the operating systems it supports, utilizing a rules engine.
Kane Security Monitor: Provides network security monitoring using artificial intelligence and identifies internal and external violations.
md5check: Compares the MD5 checksums of several critical system files to a database.
NADIR: Rules-based expert system to automatically detect intrusion attempts and other network security anomalies.

Intrusion Detection Tools, page 2:
(name not legible): Package of network monitoring and visualization tools for monitoring and displaying network communications.
NetRanger: Analyzes data traffic for content and context while searching for signatures indicative of hacking attacks or other security violations.
NID: Detects, analyzes and gathers evidence of intrusive behavior on Ethernet and FDDI networks using the Internet protocol.
(name not legible): Real-time monitoring of user activity on multiple target systems connected via Ethernet.
(name not legible): Its rule base employs expert rules to characterize known intrusive activity represented in activity logs and raises alarms.
(name not legible): Monitors network and system variables such as ICMP or RPC reachability, RMON variables, nameservers, Ethernet load, port reachability, host performance, modem line usage, AppleTalk and Novell routes and services, and BGP peers.
Noshell: Provides the system administrator with additional information about who is logging into disabled accounts.
(name not legible): Network-based network traffic monitor.
POLYCENTER: Knowledge-based analysis of audit data to recognize and respond to simple security-relevant events.
RealSecure: Real-time automated attack recognition and response system that sits on the network monitoring the traffic stream, looking for attacks and unauthorized access attempts.
SecureNet Pro: Combines several key technologies including session monitoring, firewalling, hijacking and keyword-based intrusion detection.
Stake Out: Monitors network traffic and detects intrusive or suspicious activity as it occurs.
Stalker: Identifies intruders and internal misuse by analyzing audit trail data and reporting on suspicious user and system activities.
Swatch: Monitors events on a large number of systems; modifies certain programs to enhance their logging capabilities and then monitors the system logs.
Tripwire: Compares a designated set of files and directories to information stored in a previously generated database.
(name not legible): Visualizes traffic and data transiting a network, evaluates the risks of certain transactions and displays connection and transaction data that can either be logged or viewed during real-time monitoring.
UNICORN: Accepts audit logs from Unicos (Cray UNIX), Kerberos and a common file system, then analyzes them and attempts to detect intruders in real time.
USTAT: Makes use of the audit trails collected by the C2 Basic Security Module and keeps track of only those critical actions that must occur for the successful completion of a penetration (state transition analysis).
WatchDog: Monitors and manages the audit trail produced by the system's C2 security features, responds in real time to events that appear, and stores the audit trail.
WebStalker Pro: Controls access to Web content files and can watch all Web and non-Web accesses, all processes and all changes to Web and other files; notifies in real time through SNMP, pager or e-mail when anything suspicious occurs.
Connection Monitor: Monitors connections, using RFC 931 lookups to display user names when the client host supports them, and allows the user to freeze and unfreeze connections or kill them, independent of the client and of the server.

IATAC PRODUCTS

IA Models, Simulations and Tools Report. This unclassified report describes the models, simulations and tools being used or developed by selected organizations that are chartered with the Information Assurance mission. Data collection efforts focused on the current definitions of Information Operations, Information Warfare and Information Assurance as described in DOD Directive S-3600.1, Information Operations, and Chairman Joint Chiefs of Staff Instruction 6510.1A, Defensive Information Warfare Policy. In addition, the definitions prescribed by DMSO for model and simulation were used to determine what entities should be included in this IA models, simulations and tools report. For more information on products and reports contact Alethia Tucker at 703-902-3177.

STINET

The Dynamic Secure Service has added the following. Secure Customization provides the power to create and modify your own personalized web page. See what has changed in STINET by filtering out what is old and concentrating on what is new.
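The ARPWATCH entry above describes a tool that maintains a database of Ethernet/IP address pairings and reports when they change. The Python below is an added example written for this page, not arpwatch's own code and not from IATAC. It reads constructed, tcpdump-style ARP reply lines instead of a live interface, keeps the current and previous Ethernet address per IP, and classifies each change the way arpwatch reports them ("new station", "changed ethernet address", "flip flop"); it then lists any Ethernet address bound to more than one IP, which is what a host answering ARP for the gateway looks like. The class and constant names (ArpWatch, SAMPLE_CAPTURE) and all addresses in the capture are assumptions made for the example.

```python
"""arpwatch-style Ethernet/IP pairing monitor (added example; not arpwatch or IATAC code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ARP reply lines in the text form tcpdump prints, e.g.
#   12:00:01.000001 ARP, Reply 10.0.0.1 is-at 00:50:56:aa:bb:01, length 28
ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\S*\s+ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


@dataclass
class Station:
    mac: str                          # Ethernet address currently bound to the IP
    prev_mac: Optional[str] = None    # address it was bound to before the last change
    first_seen: str = ""
    last_seen: str = ""


@dataclass
class ArpWatch:
    stations: Dict[str, Station] = field(default_factory=dict)  # the IP -> Ethernet database
    events: List[str] = field(default_factory=list)             # human-readable reports

    def observe(self, ts: str, ip: str, mac: str) -> Optional[str]:
        """Update the database with one observed pairing; return the event kind, if any."""
        mac = mac.lower()
        st = self.stations.get(ip)
        if st is None:
            self.stations[ip] = Station(mac, None, ts, ts)
            return self._report(ts, "new station", ip, mac)
        st.last_seen = ts
        if mac == st.mac:
            return None  # same pairing as before: nothing to report
        # A pairing that bounces back to its previous value is arpwatch's "flip flop":
        # a spoofer and the real owner answering in turn look exactly like this.
        kind = "flip flop" if mac == st.prev_mac else "changed ethernet address"
        st.prev_mac, st.mac = st.mac, mac
        return self._report(ts, kind, ip, mac, st.prev_mac)

    def _report(self, ts, kind, ip, mac, old=None) -> str:
        suffix = f" (was {old})" if old else ""
        self.events.append(f"{ts} {kind}: {ip} is-at {mac}{suffix}")
        return kind

    def feed(self, lines) -> List[str]:
        """Run the monitor over capture lines; lines that are not ARP replies are ignored."""
        kinds = []
        for line in lines:
            m = ARP_REPLY.match(line)
            if m:
                kind = self.observe(m["ts"], m["ip"], m["mac"])
                if kind:
                    kinds.append(kind)
        return kinds

    def shared_macs(self) -> Dict[str, List[str]]:
        """Ethernet addresses currently bound to more than one IP (one host answering for others)."""
        by_mac: Dict[str, List[str]] = {}
        for ip, st in self.stations.items():
            by_mac.setdefault(st.mac, []).append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


# Constructed capture: 10.0.0.1 is the gateway; the host at 10.0.0.7 starts answering for it.
SAMPLE_CAPTURE = [
    "12:00:01.000001 ARP, Reply 10.0.0.1 is-at 00:50:56:aa:bb:01, length 28",
    "12:00:02.000001 ARP, Reply 10.0.0.7 is-at 00:0c:29:12:34:56, length 28",
    "12:00:03.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.9, length 28",
    "12:00:04.000001 ARP, Reply 10.0.0.1 is-at 00:0c:29:12:34:56, length 28",
    "12:00:05.000001 ARP, Reply 10.0.0.1 is-at 00:50:56:aa:bb:01, length 28",
    "12:00:06.000001 ARP, Reply 10.0.0.1 is-at 00:0C:29:12:34:56, length 28",
]


def run(lines=SAMPLE_CAPTURE):
    """Feed a capture through a fresh monitor; returns (event kinds, shared MACs, report lines)."""
    watch = ArpWatch()
    kinds = watch.feed(lines)
    return kinds, watch.shared_macs(), watch.events


if __name__ == "__main__":
    for line in run()[2]:
        print(line)
```

The real tool reads frames from the interface with libpcap and mails each report; the classification logic is the part worth copying. Two caveats a practitioner should keep: the first pairing seen for an IP is trusted (a spoofer that answers before the real host is recorded as the "new station"), so seed the database from a known-good period, and a quiet attacker who never lets the real host answer produces a single "changed ethernet address" rather than a flip flop, so that event deserves the same attention.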
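md5check (page 1 above) compares checksums of critical system files against a database, and Tripwire (page 2) compares a designated set of files and directories to a previously generated database. The Python below is an added example written for this page, not code from either tool or from IATAC. It snapshots a directory tree, records size, mode, owner, mtime and a SHA-256 digest per regular file (SHA-256 rather than md5check's MD5, because MD5 collisions are practical), protects the saved baseline with an HMAC so that edits to the database itself are caught, and reports added, removed and changed files after a simulated intrusion in a temporary directory. The function names (snapshot, compare, save_baseline, load_baseline, demo), the file names under the temporary root and the HMAC key are all constructed for the example.

```python
"""Tripwire/md5check-style file integrity checker (added example; not Tripwire, md5check or IATAC code)."""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from typing import Dict

Record = Dict[str, object]
Database = Dict[str, Record]


def _digest(path: str) -> str:
    # SHA-256 instead of the MD5 that md5check used: MD5 collisions are practical today.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Database:
    """Record, for every regular file under root, the attributes the comparison will check."""
    db: Database = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are not hashed in this example
            db[os.path.relpath(full, root)] = {
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),  # catches a newly set setuid bit
                "uid": st.st_uid,
                "mtime": int(st.st_mtime),
                "digest": _digest(full),
            }
    return db


def compare(baseline: Database, current: Database) -> Dict[str, object]:
    """Report files added, removed or changed, naming the attributes that differ."""
    changed = {}
    for rel in baseline.keys() & current.keys():
        diffs = sorted(k for k in baseline[rel] if baseline[rel][k] != current[rel].get(k))
        if diffs:
            changed[rel] = diffs
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": changed,
    }


def save_baseline(db: Database, key: bytes) -> bytes:
    """Serialize the database with an HMAC tag so that edits to the database itself are caught."""
    body = json.dumps(db, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, "sha256").hexdigest().encode()


def load_baseline(blob: bytes, key: bytes) -> Database:
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("baseline database failed integrity check")
    return json.loads(body)


def demo() -> Dict[str, object]:
    """Baseline a small tree, simulate an intrusion, and return what the comparison finds."""
    key = b"demo-key; in practice keep the key and baseline off the monitored host"
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: bytes) -> str:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
            return path

        ls = write("bin/ls", b"\x7fELF pretend ls binary")
        passwd = write("etc/passwd", b"root:x:0:0::/root:/bin/sh\n")
        hosts_deny = write("etc/hosts.deny", b"ALL: ALL\n")
        blob = save_baseline(snapshot(root), key)

        # Simulated intrusion: second uid-0 account, ls made setuid, wrapper policy removed, backdoor dropped.
        with open(passwd, "ab") as f:
            f.write(b"toor:x:0:0::/:/bin/sh\n")
        os.chmod(ls, 0o4755)
        os.remove(hosts_deny)
        write("etc/backdoor", b"#!/bin/sh\nexec /bin/sh\n")
        report = compare(load_baseline(blob, key), snapshot(root))

        # An attacker who can edit the database would "fix" the baseline; the HMAC catches that.
        forged = blob.replace(b'"size"', b'"Size"', 1)
        try:
            load_baseline(forged, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only as trustworthy as the baseline and the checker binary: both belong on read-only or off-host storage, and the baseline must be taken from a known-clean system, since a backdoor present at baseline time is simply recorded as normal. Tripwire also records inode number, link count and ctime, which this example omits; mtime alone is weak because an attacker can reset it after modifying a file, which is why the digest is the field that matters.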
Set up a personal profile based on subject fields and groups and automatically receive citations by e-mail to the latest accessions in the Technical Report collection, twice a ...

Save search queries for both the Technical Report and Work Unit Information System collections for re-use.

Abstracts are now included with citations to unclassified/limited documents in the Technical Reports Bibliographic Database. Viewing is based on individual profile access restrictions: if your profile does not permit you to view a particular citation's abstract, you will be allowed to view the rest of the citation minus the abstract.

Over 3,000 full-text technical reports are now available for viewing and downloading.

Special Collections highlights reports found in the Technical Reports collection based on the source, topic or targeted group. In addition to setting up your own search parameters, you can search using pre-established profiles developed by retrieval experts.

The Partnership for Peace Information Management System (PIMS) is designed to enhance the education of US Service school students. Topic searches developed for the community provide information ranging from air traffic control management to public affairs. PIMS also offers students the ability to construct custom searches for information not covered in the topic searches.

The subscription for the Secure Service, accessed via a web client, is $50 per year per subscriber. To subscribe to the Secure STINET Service contact DTIC's Registration Branch: telephone 703-767-8272, DSN 427-8272, toll free 800-225-3842 (menu selection 2, option 2, sub-option 2); fax 703-767-8228, DSN 427-8228; e-mail reghelp@dtic.mil. Questions concerning this product may be directed to the Product Management Branch, 800-225-3842 (menu selection 2, option 3), 703-767-8267 or DSN 427-8267.

IATAC PRODUCTS (continued)

IA Tools Report. This Information Assurance Tools Report provides an index of the intrusion detection tool descriptions contained in the Information Assurance (IA) Tools Database. The IA Tools Database hosts information on intrusion detection, vulnerability analysis, firewall and anti-virus software applications. Information was obtained via open source methods, including direct interface with various agencies, organizations and vendors. Research for this report identified 43 intrusion detection tools currently employed and available. Tool information includes title, author, source, contact information and tool abstract.

Malicious Software Detection SOAR. This State-of-the-Art Report (SOAR) addresses Malicious Software Detection. Included within the report is a taxonomy for malicious software, to provide the audience with a better understanding of commercial malicious software. An overview of the current commercial malicious software detection products and initiatives, as well as future trends, is presented. The same is then done for the current state of the art in malicious software detection. Lastly, the report presents observations and assertions to support the DOD as it grapples with this problem entering the 21st century. This report is classified and has limited release.

DEFENDING AGAINST IW (continued from page 2)

functional teams are entitled Combat Support, Advanced Technology and Field Support. Since the directorate is relatively small, with only 17 people, we leverage the opposition-force and analytical capabilities of other national agencies, Service IW activities and contractors.

The Protect/Defense Directorate supports six to eight CINC-sponsored exercises each year. The Combat Support Team provides direct defensive IO support to the combatant commander and serves as the joint coordination focal point for vulnerability assessment, exercise CONOP and IW Red Team scenario development, external agency coordination, defensive IO awareness training as requested, Red Team scenario execution and After-Action Reporting.

The JC2WC has been asked by OSD to perform vulnerability assessments in support of the Advanced Concept Technology Demonstration (ACTD) program. During FY97 the
Advanced Technology Team provided vulnerability assessment support for the following ACTDs: Rapid Terrain Visualization, Counterproliferation, Air Base/Port Bio Detection, Combat ID, Battlefield Awareness and Data Dissemination, Joint Countermine, Rapid Force Projection Initiative and Precision SIGINT Targeting System. ACTDs tentatively planned for evaluation in FY98 include Navigation Warfare, Joint Logistics, Military Operations in Urban Terrain, Extended Littoral Battlespace, Chemical Add-on to Air Base/Port Bio Detection and Unattended Ground Sensor. Vulnerability assessment support provides critical insight into system design and allows OSD and the Services to correct deficiencies before production and fielding of a system. As such, CINC users are made aware of the limitations associated with a system before depending on its information in an operational environment. Other FY98 approved ACTDs are still under review for assessment.

The Field Support Team functions as a self-sustaining, deployable IW Red Team that supports the Combat Support and Advanced Technology teams. Field Support Team deployable capabilities include EHF SIGINT intercept and direction finding, radar and IR detection, and RF jamming. Instrumentation assets include GPS, oscilloscopes, a pulse analyzer and a spectrum analyzer. In addition, Field Support Team assets include shelters, generators and cargo trucks.

As the IO environment becomes more complex and the Defense Information Infrastructure more integrated with the National and Global Information Infrastructures, defensive IO measures also become more important and more difficult to assure. In any case, we will continue to leverage heavily the resources and capabilities of National agencies such as the National Security Agency (NSA) and the Services' IW Centers and Activities in providing defensive IO support to the combatant commanders. The JC2WC will continue to strive to be the acknowledged IO leader, responsive to the CINCs, for integrating information operations into the overall military campaign plan.

CONFERENCES AND SYMPOSIA

14-16 Apr 98: 10th Annual Software Technology Conference, "Knowledge Sharing: Global Information Networks", Salt Palace Convention Center, Salt Lake City UT.
19-24 Apr 98: USPACOM Information Assurance Conference, Honolulu HI. POC: SFC Huff, 808-477-1046.
28-30 Apr 98: Introduction to Information Operations (clearance required; O-3 through O-6 and equivalents), Bolling AFB, DC. POC: Mr.  Doug Dearth, 703-780-2584, e-mail dhdearth@aol.com.
4-8 May 98: Intermediate Information Operations Warfare (IIOW), 5 days, SECRET clearance required, O-4 through O-6 and equivalents, School of Information Warfare and Strategy, National Defense University, Fort McNair, DC. POC: Dr. Fred Giessler, 202-685-2209. Course IBW9804; later sessions listed for 13-17 Jul 98 and 12-23 Oct 98.
4 Jun 98: Penetration Testing Course (Government Only), Booz-Allen & Hamilton McLean Campus. Fee $225.00. See page 3 for the complete description, or http://iatac.dtic.mil; registration form on the back of the newsletter.
Sep 98: Fiesta Informacion '98, "The Virtual Enterprise in the 21st Century", Convention Center, San Antonio TX. For information call 800-564-4220.

PENETRATION TESTING COURSE REGISTRATION (Government Only; US distribution only)

Organization (check one): USA / USN / USAF / USMC / OSD / Contractor
Attendee name:
Title:
Organization (Govt or company):
Address:
City, State, Zip:
Phone:            DSN:            Fax:
E-mail:
Fee: $225.00. Add $50.00 after 18 May 1998. Check enclosed for $______
Optional: Send Technical Area Task information (Govt only); address change.
Mail to: Information Assurance Technology Analysis Center, 8283 Greensboro Drive, Allen 663, McLean VA 22102-3838