Lt Col [Non-Responsive], USSTRATCOM J67, 08 Jun 06
UNCLASSIFIED//FOUO

Intent
- Assess ability of the Services' respective NOSCs and network defenders to jointly conduct IA / CND
- Exercise and validate the ability to protect networks from attack while ensuring the integrity and availability of information for the warfighter
- Train network defenders to decisively fight
- Confirm importance of defending networks to warfighters

Objectives
1. Train personnel to defend against a directed professional attack against the GIG
2. Train and evaluate personnel in C2 procedures and operational tactics
3. Evaluate and refine information flow / fusion / dissemination between the Service NOSCs / CERTs / JTF-GNO
4. Evaluate and refine NetOps Tactics, Techniques and Procedures

Schedule (March calendar, Sunday through Saturday; day-by-day layout not recoverable from the OCR)
Travel; Check; Range Play (four days); Global Range Hotwash; FAM Play; Live Play (four days); Hotwash; Travel. Annotations on the calendar include "critical data exfiltration" and "Ops".

BD06 Scenario Summary
- Scenario 1: Critical information exfiltration
- Scenario 2: Simulated wireless SIPR compromise
- Scenario 3: Cross-service web compromise
- Scenario 4: AFNOSC
- Scenario 5: Misuse of network
- Scenario 8: Cross service classified incident
- Scenario 9: Hacker printer attack
- Scenario 10: Cross service Email DOS
- Scenario 11: Distributed Denial of Service
- Scenario 12: Email phishing attack
- Scenario 13: Rogue wireless device
- Scenario 14: Total Network Takeover (TNT) - Fast
- Scenario 16: Attempted TNT - Slow
- Scenario 17: AF wide web attack
- Scenario 18: Multiple NCC targeted net ops events
- Scenario 19: [title not legible]

EXERCISE BULWARK DEFENDER 06 - Observations: Top 5 Take-aways
1. Enable 24x7 collaboration for agile, responsive C2, awareness and defense
2. Build a persistent IA / CND training / exercise capability for premier defense
3. Establish baseline defense capabilities at tactical level to improve CND
4. Balance efforts to restore network services and optimize both
5. Integrate offensive and defensive functions for effective, proactive NetOps

Take-away 1: Enable 24x7 collaboration for agile, responsive C2, awareness and defense
- Facilitated effective operational-tactical communications
- Enabled awareness on enterprise-wide attacks in minutes
- Supported near-real time correlation and response on attack events
Action: JTF-GNO, Services, DISA

Coordination floor (IWS coordination spaces: Room Coordination Floor; NOSCs Coord Space; AFNOSC and MAJCOM Blue Force Coord Space). Legible chat excerpts (names redacted as "Non-Responsive" in the release; illegible fragments marked [...]):
- EDGE Norfolk investigating
- AFNOSC: Multiple web defacements at this time
- [...]: initial read is that the source IPs for the defacements are [...]
- AFNOSC Capt: we now have two external IPs associated with [the defacements, which] have been blocked: 10.172.172.170 and 10.172.172.42
- AFNOSC is now in the chat session
- Techs working to reconfig
- 19:38:58: Any idea what port is being used for the defacement?
- 19:42:07: [...] reports [...] port [...] on our external switch
- AFNOSC SSgt 19:43:22: All MAJCOMs check your webpage and see if you have been defaced
- [...]: Instructed to contact local [...] if they want them to isolate
- 19:45:21: How about your web server, have they been hacked?
- 19:45:49: Anyone see an IP associated with these webpage defacements?
- 19:47:25: [...] 10.112.100.21
- Lt, CSISC: Dyess is hacked, Dark_jihadists federation
- 19:42:42: c2 10.144 is unblocked
- CSISC 19:58:02: 10.172.172.170 sent hack for Dyess. The Scott NBC webpage defacement came from [...]
- Capt 20:31:24: EDD Thunderz has evac'd due to a local industrial accident
- Capt 20:31:40: they have not yet reached their COOP location
- Navy detects: Capt 21:32:32: We have blocked 10.172.172.33 due to web defacement
- 21:29:21: PNOC Pensacola reports IP is conducting a denial of service attack, destination 10.4.20.43 [as read from OCR]. Recommend watch for activity from source IP
- 21:23:51: 29 Palms and Quantico seeing similar activity
- 21:33:52: ICMP traffic; yes, reported activity to JTF-GNO
- 21:31:31: No locations here hit with ICMP
- 21:31:50: [...] has recommended a block of [...] traffic. Tipped AF
- 21:54:15: PNOC isolated
- 21:59:01: standby, response to your RFI coming via SIPRNET e-mail from CDO in minutes
- NAVY 22:02:59: Have you attempted routing ICMP traffic to null?
- 22:03:11: One of our locations did that
- 22:20:05: Marine Corps and Army have reported degradation of service due to port 53 / ICMP; three IPs [...] is blocking [...]. AF shared solution to stop DDOS traffic:
  ip route 10.245.0.0 255.255.255.0 Null0
  ip route 10.246.0.0 255.255.255.0 Null0
  ip route 10.192.0.0 255.255.255.0 Null0

Take-away 2: Build a persistent IA / CND training / exercise capability for premier defense
- Red Team-led training on tactics range most valuable learning activity
- Joint range allowed community effort to improve defense
- Range supported safe ability to exercise robust NetOps scenarios
- A standing capability to train / shape defense tactics sustains advantage
- Time-sensitive training range enables responsive tactics maneuvering
Action: ASD(NII), JS/J6, USSTRATCOM, JFCOM, NSA, Services, DISA

Take-away 3: Establish baseline defense capabilities at tactical level to improve CND
- Bases with intrusion detection, intrusion protection and port security successfully blocked attacks
- Signature-based intrusion detection alone was not effective
- Some Services have acquired capabilities but not yet fully fielded
- User awareness remains a critical element of [...]
Action: ASD(NII), Services, USSTRATCOM

Scenario 16 Results: Cross-Service Total Network Takedown (Range)
Progress key: No compromises; Red compromised workstation; Red compromised domain server; Red controls network; Red locked all other accounts; X - Red shut down network. (Per-site progress chart not recoverable from the OCR.)

Scenario 1: Exfiltration of Critical Information
- Red objective: Access unclassified AF networks and mine / copy critical data
- Targets: AFNOSC, MAJCOM NOSCs and participating NCCs
- Attack vector: Use phishing emails to gain access to a computer; use compromised computer to gain access / control of network
(Screenshot of the phishing e-mail not legible in the OCR.)

Scenario 1 Results: AF Exfiltration of Critical Information
Map legend: McGuire, Peterson, [...], Misawa - Primary compromise; Presence on 9 bases - Secondary compromise; Red Team HQ; Control of 3 enterprises

Take-away 4: Balance efforts to restore network services and optimize both
- We are training more of a service provider than a network defender
- Many defenders focused on restoring service at the expense of defense
- Defense-focused defenders effectively stopped attacks
Action: ASD(NII), USSTRATCOM, Joint Staff, Services, JFCOM, DISA

Take-away 5: Integrate offensive and defensive functions for effective, proactive NetOps
- Co-located, integrated NetOps functions are effective
- Unity of effort is required between offensive and defensive NetOps communities to achieve and sustain advantage
- Shared awareness of activities, events and capabilities across CNA / CNE / CND communities promises economies and superiority
- Indications and warnings enable proactive defense
- Integrated CNA / CNE / CND is required for dominant NetOps
Action: ASD(NII), Services, USSTRATCOM, JTF-GNO, JFCC-NW, JS, NSA, IC

Initial Recommendations
- Establish 24/7 collaboration capability between key NetOps / network defense sites and JTF-GNO
- Achieve and resource a persistent IA / CND training capability
- Advance efforts to acquire and operate baseline tactical-level capabilities enterprise-wide to detect, defend and respond to attacks
- Improve relationships and flow of information between providers and NetOps community
- Exercise, validate, improve integrated offensive / defensive NetOps

Observations: Defense Capabilities
- Persistent IA / CND training / exercise capability required for premier defense
- Tactical level functions require improved defense capabilities
- Automated patching capabilities required to improve vulnerability [...]
- Active, full-time scanning of wireless devices necessary for effective defense
- Must have local on-site personnel to isolate / troubleshoot local technical problems

Observations: C2 and Information Flow
- Collaboration required for agile, responsive C2, awareness and response
- Communications between operational and tactical levels vital to response
- Co-located, integrated NetOps defense and warfare functions are effective
- Adjust reporting in response to increase in threat environment
- Employ / refine current INFOCON guidance for efficient enterprise defense
- Must coordinate NetOps and defense via secure communications
- Improve use of network intelligence and [...] for agility, speed in NetOps

Observations: Tactics, Techniques, Procedures
- Better balance is required between efforts to restore service and defend
- Educate defenders on types of Red scans and appropriate responses
- Clarify ROE to deconflict law enforcement and network defense
- Enforce baseline password management of network printers
- Document, coordinate COOP procedures, including reporting, for execution

Way Ahead
- BULWARK DEFENDER remains annual joint CND capstone event
- Aligning BULWARK DEFENDER with GLOBAL STORM in 07
- Execution includes focused tactics training by joint Red Team
- Using BD scenarios as template for CND events in other select exercises
- Leveraging BD lessons to shape, prioritize near-term efforts to improve joint network defense capabilities, C2 and TTP
- Continuing team effort with Joint Staff for permanent joint CND range
  - Requirement document and CONOPs
  - Potential to link with IO range with joint training capability program
- Help shape priorities and more balance for IA spending across GIG

Capstone Joint IA / CND Event
- Real-world threats
- CND assessments
- Time-sensitive targeting
- [...]
- Turbo Challenge, Global Lightning, Terminal Fury

BD 07 Concept
- Drive operations effects, enterprise-level
- Bring CND piece to operations exercises
- Linkages to National, Regional, Theater, Functional levels
- Integrate with operations storyline: PACOM road to war supported by TRANSCOM, STRATCOM
- Conduct Red Team-led tactics training up front
- Emphasize free play: SIPR and NIPR range events, in that order
- Aim for 24x7 operations
- Arrange NMCI participation
- Invite COCOMs to participate
- Promote activities to integrate offensive and defensive NetOps
- Exercise: leverage network sensors and [...]; Staff CND / JECC guide and control support to ops exercise; JECG [...]

(Diagram: Joint Staff - National / National-Strategic - Mobilization, Deployment CPX; PACOM - Regional - Logistics, Sustainment, Force Flow CPX; Theater - Functional. Layout not recoverable from the OCR.)

Questions

AF Exercise Objectives (key: covered / partially covered / not covered; colour coding not recoverable from the OCR)
- Exercise AF ability to surge on the live network
- Exercise AF ability to maintain identified baselines
- Exercise AF response to real world intrusion sets
- Exercise AF response to bolt out of the blue attack
- Exercise physical security and operational impacts in conjunction with [...]
- Explore using tactical comm exercise and C2 relationship
- Exercise all new AFNETOPS relationships
- Force commanders to participate at the joint and AF level
- Exercise INFOCON levels
- Exercise local COOP for PACAF, AFSPC, AFNOSC / C2D / NSD / NOD, ACC
- Exercise TIER 1 and 2 CND / RA requests
- Exercise AF response to direct targeting of AF NETOPS C2 structure

BULWARK DEFENDER 06 Assessment Framework
Columns: OPERATE, DEFEND, RESPOND; threats / scenario. Rows: Information Content Control; Identity, Authentication, Authorization; Education, Training, Awareness; Security Operations, Administration; Info System Security Services; OVERALL ASSESSMENT. Rating key: good / needs improvement / significant shortfalls.
Assessment slides were provided for: Joint; Defense Capabilities - Joint; C2 and Information Flow - Army; C2 and Information Flow - Air Force; C2 and Information Flow - Marines. (Colour ratings in the cells are not recoverable from the OCR.)

BD06 Scenario Summary (table with Live Net and Range Net columns; the column split per participant is not recoverable, so participants are listed together: AF = Air Force, A = Army, N = Navy, MC = Marine Corps)
- 1 Critical information exfiltration: AF, A
- 2 Simulated wireless SIPR compromise: AF, MC, A
- 3 Cross-service web compromise: AF, MC, A
- 4 AF NOSC: AF
- 5 Misuse of network: AF, MC, A
- 8 Cross service classified incident: AF, MC, A
- 9 Hacker printer attack: AF, MC, A
- 10 Cross service Email DOS: AF, A
- 11 Distributed Denial of Service: AF, A, N, MC
- 12 Email phishing attack: AF, MC
- 13 Rogue wireless device: AF, MC
- 14 Total Network Takeover (TNT) - Fast: AF, A
- 16 Attempted TNT - Slow: AF, A, MC
- 17 AF wide web attack: AF
- 18 Multiple NCC targeted net ops events: AF, A, MC
- 19 [title not legible]: AF

Observations: Take-aways for Way Ahead
- Joint IA / CND exercise serves as significant basis for improving joint NetOps
- Integrated CNA / CNE / CND play is required to fully exercise NetOps
- Based on recognized value, Navy plans to extend future play to shore commands, Fleet units, Navy networks (NMCI, ONENET, IT-21)
- USMC: exercising and coordinating with a deployed site proved beneficial
- USMC: range events increased attention to basic incident response
- USN: range enabled validation of watch officer responses / certification
- Army: exercise significant play must include major commands, select posts
- Include JTF-GNO in range play
- Add NMCI in next exercise