bulwark defender 06 quick look aar

8/16/2019 Bulwark Defender 06 Quick Look AAR

1/32

ulwark

De

Join I

eND

::/: :


2/32

Intent

•

ssess ability of

the Services respective NOSCs and

network

defenders

to jointly conduct

I eND

• Exercise and validate the

ability to protect

DoD networks

from

attack

while

ensuring the

integrity

and availability

of

information

-

for

the warfighter

• Train DoD network defenders to decisively fight

• Confirm importance of defending networks

to

warfighters

UNCL SSIFIEDlirur\

r ; = i G ; ; ~

u ~ c ~ ~ : . . . .

2


3/32

Exercise Objectives

1

Train personnel

to

defend against a directed

professional attack against the GIG

2

Train and evaluate personnel

in

C2

procedures

and operational tactics

3

Evaluate and refine information

flow fusion dissemination between the Service

NOSes

/ CERTs /JTF-GNO

4 Evaluate and refine NetOps Tactics Techniques

and Procedures

i ~ ~ ~

•


4/32


5/32

Week attle Rhythm

MARCH

Scenario 1

SUNDAY MONDAY TUESDAY

WEDNESDAY THURSDAY FRIDAY SATURDAY

LIVE)

Critical

6 7

8

9

1

Data

Exfiltration

IN-BRIEFS RE-ROLLS

Starts 45

OPS

RANGE RANGE

RANGE

RANGE

Days

pr or

TRAVEL CHECK PLAY

PLAY PLAY PLAY

GLOBAL

to Range

STARTEX

RANGE

HOTWASH

FAM

12

13 14 15 16 17

18

NO

PLAY LIVE PLAY LIVE PLAY LIVE PLAY LIVE HOTWASH

PLAY

TRAVEL


6/32

BD 6 Scenario Summary

• Scenario 1 - Critical information exfiltration

• Scenario 2 - Simulated wireless SIPR compromise

• Scenario 3 - Cross-service web compromise

• Scenario 4 - AFNOSC DRP/COOP

• Scenario 5 - Misuse o network

• Scenario 8 - Cross service classified msg incident

• Scenario 9 - Hacker printer attack

• Scenario 1 - Cross service Email DOS

• Scenario 11 - Distributed Denial o Service

• Scenario

12

- Email phishing attack

• Scenario 13 - Rogue wireless device

• Scenario 14 - Total Network Takeover TNT) - Fast

• Scenario 16 - Attempted TNT - Slow

• Scenario 17 - AF wide web attack

• Scenario 18 - Multiple NCC targeted net ops events

• Scenario 19 - AFNOSC/NOD scenario

6


7/32

EXERCISE BULWARK DEFENDER 06

Observations

Top 5 T a k ~ a w a y s

1. Enable 24x7 collaboration for agile,

responsive

C2, awareness, and defense

2.

Build

a persistent IA / CND training exercise capability for premier defense

.

3. Establish baseline defense

capabilities

at tactical level to improve DoD CND

4.

Balance efforts to restore

network

services and defend ... o optimize both

5. Integrate offensive and defensive

functions for

effective, proactive NetOps

UNCLASSIFIEOIIFvr\

Gr-;-;C:A:' : ;8::::: 8 ~ ~ ' "


8/32


Observations

Top 5 Take-aways

1. Enable 24x7 collaboration for agile, responsive C2, awareness and defense

• Facilitated effective operational-tactical

communications

• Enabled awareness on enterprise-wide attacks in minutes

• Supported near-real time correlation and response on attack events

Action: JTF-GNO, Services, OISA

U N C L A S S I F I E D I I F ~ 8:-:-:C;';:

8 ~ ~ :

'.'

8


9/32

JoinUService NOSCs Coord Space

in

IWS

~ . I C D O C

n o ~ f o l k

investigating

• JfROSC (1 :53:1 ) : Multiple

web defacements

t

this time

•

JfROSC (1 :53:35): ini t i l ~ e a d

is

that the s o u ~ c e ips f o ~

~ ~ § ~ ~ E 5 I c ; ; ; . JfROSC \..:u. uu

•

..: I

we

now have

two

e x t e ~ n l IPs associated

10.172.172.170

and

10.172.172.42

session

t

IFSPC CSS/SCOO

(1 :38:58):

Any idea what p o ~ t is being used f o ~

(19:42:81): AFSOC ~ e p o ~ t s I N o n R e s p o n s i v e

Icapt. HQ

AFSOC

(2): p o ~ t

(1 :43:22):

All Majcoms check y o u ~ webpage and see i f you have

L. . . -_-- - - llLt

IFSPC CSS/SC

(1 :44:46): S h ~ i e v e ~ AFB web

page

defaced.

I n s t ~ u c t e d

to

contact local

OSI

a n d ~ _ ~ = - = = = = = : I : = = = = = = = = = = = =

i f

they

want

them

to isolate

and

Non-Responsiv

TSgt MTC/CSS/SCIIT

(4)

~ i W i I f

___

_ . _ W I i I _ ~ I I I i I I . ~ l i I I c l i i " ' ~

Ssgt JF.IDSC (1 :45:21): How about

y o u ~

web s e ~ v e ~ ,

Have

they been hacked?

Ssgt JrROSC (1 :45:4 ):

Anyone see a Ip associated with these webpage

~ , . . - - - - - , - - - - I

I n N ~ ~ m r n ~ ; - I T S g t . IFROSC

2) :41:15):

NSD have

you

~ e l o c a t e d to

COOP?

J59t .68

CS/SCOC

(1 :41:25):

The

Scott N

webpage defacemen came

f ~ o m

D a ~ k _ j i h a d i s t s f e d e ~ a t i o n )

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ P

~ ~ ~ ~ ~ ~ ~ = = = = = = = = = ~ ~ ~ ~ ~ ~ ~ ~ = 1 l L t

83

CS/SCO (19:51:12): 10.172.172.170 sent

hack

dyess;

That was

U N C L A S S I F I E D /

~ ~ ~

~ ~ , . .

......

h

• r> ....

" ~ I I

,

/ I VI V

I

I V I r \ 1 . . . V-.JL.. .

\ /1'11... I

9


10/32

(20:31:24): CDO: T h u n d e ~ 2 ha3 evac d due to a

local

i n d u s ~ i a l accident

c ~ t .

JrIDS

(28:31:48):

they have not yet ~ e a c h e d

t h e i ~

COOP

location

Navy detects,

~ t .

(20:32:32):

We

have

blocked

10.172.172.33

due

to

web

defacement

I I ~ ~ ~ ~ ~ ~ ~ L ~ C M D (21:2 :21):

PNOC

Pen3aco1a

~ e p o ~ t 3 lP

10.140.0.75

i3 conducting

a

denial

reports. '1'

~ ~ ~ ~ ~ ~ : ' : ' - i D e 3 t i n a t i o n

10.120.4.9

RecolULend

watch

f o ~ act iv i ty

f ~ o m

3 u ~ c e lP M \

Ctr

IOCIDSC ( 2 1 : 2 ' : ~ 1 ) : 29 pa1m3

and

quantico 3eeinq 3 i m i 1 a ~

activity

fmiiif-immimr 9'ld. ..

.-.osc

( 2 1 : 3 3 : ~ 2 ) : lCD

t ~ a f f i c ?

®

USMC same.

®

TippedAF.

®

Armyaware ...

in minutes. @

IOCHOSC (21:31:1 ):

ye3, ~ e p o ~ t e d

act iv i ty to JTF GNO

.-.osc (21:31:31): TWo

location3

h e ~ e

h i t

with

lCD

~ t

IfROSC 2 1 : 3 1 : ~ 0 ) :

NOD

ha3 ~ e c o nded a block of lCRP

t ~ a f f i c

t

ext ~ t ~ 3

Capt.

t - _ ~ ' _ ' 7 ' I r \ ( 2 1 : 4 3 : ~ 1 ) : A2TOC ha3

not

~ e c e i v e d

any

~ e p o ~ t of

thi3

type of activity on the A ~ I l Y

Capt. JrROSC (21:46:12): H e ~ c u l e 3 NOSC i301ated on RlPR

~ ~ ~ i ~ ~ ~

21:

4 : 1 ~ ) :

PBOC

l301ated

2150Z

dTF GRO (3) ( 2 1 : ~ ' : 1 1 ) : AFNOSC 3tandby. Re3p0n3e to

y o u ~

RFl coming via SlPRRET

t N n ; ; : R ; ; ; ; ; ~ : ; ; ; ; r

.-.osc

Capt. IfROSC Have you

atteapted

~ o u t i n g lCRP t ~ a f f i c to Bull?

~

. .-.osc

(22:03:

Wom:RiiSc;ons;....L..-

CII)R (2) ( 22 : 05: 33)

I _____

- - CI I )R

(2) 2 2 : 2 0 : 0 ~ ) :

t h ~ e e

lP3 in 10.220.119.

router

config for

route

to null

~ e p o ~ t e d

d e g ~ a d a t i o n of

i3

blocking c1a33

C.

IP ROUTE 10.245.0.0 255 255 255 0 NullO

IP ROUTE 10.246.0.0 255.255.255.0

NullO

IP

ROUTE 10.192.0.0 255 255 255 0

NullO

10


11/32


Observations

Top 5 Take-aways

2 Build a persistent IA / CNO

training/exercise capability for premier

defense

• Red Team-led training on tactics

range-most

valuable learning

activity

• Joint range allowed

community

effort to improve defense

• Range supported safe

ability to

exercise

robust

NetOps scenarios

• A standing capability to

train

/

shape

defense tactics sustains advantage

•

Time-sensitive

training range enables responsive tactics

maneuvering

Action:

ASO/NII JS/J6 USSTRATCOM JFCOM NSA Services OISA

UNCLASSIFIED//:--8:; 8:::8::\: ' ~ 8 ~ ~ : '

y


12/32


Observations

Top 5 Take-aways

3 Establish baseline defense capabilities at tactical level

to

improve

eND

• Bases

with intrusion

detection,

intrusion

protection and port

security

successfully

blocked

attacks

• Signature-based

intrusion detection

alone

was not

effective

• Some Services have acquired capabilities, but not yet fully fielded

• User awareness remains a critical element

of

defense ..

Action: ASD/NII, Services, USSTRATCOM

U N C L A S S I F I E D / ; ; G ~

G ; - ; - ; C ; ; ~ ~ ; ;

~ ~ ~ ,

12


13/32

Scenario 16 Results

Cross-Service Total

Network

Takedown Range)

PROGRESS KEY

* o compromises

«11»

Red

compromised workstation

« »

·

Red

ompromised

Domain Server

3) ·

Red

controls Network

4)

Red

locked all other

accounts

X) Red shut down network


14/32


Observations

Scenario

1- Exfiltration of Critical Information

Red Objective: Access unclassified AF networks and mine

copy

critical data

Targets: AFNOSC, MAJCOM NOSCs and participating NCCs

Attack

vector:

• Use phishing emails

to

gain access

to

a computer

• Use compromised computer to gain access control of network

....

FOf

Iho ...

IIIIK;

by 1M

Of :*

Bo d

--

lu

In *'

2M2

p

XI04 ....

w. .. I - pl• • • •

_i t

t l t . link

fN

HcM:IOMIIMI . . . . 1InI IrIg JIDt 1OM

.

p IU-

...


15/32

Misawa

rimary Compromise

Scenario Results

AF)

Exfiltration of

Critical

Information

Secondary Compromise

Presence on 9 Bases

Control of 3 Enterprises

edTeam Q

15


16/32


Observations

Top 5 Take-aways

4. Balance efforts

to

restore network services

and

defend ... o optimize both

• We are training more of a

service

provider than a network defender

•

Many

defenders

focused

on restoring

service

at

the

expense of

defense

• Defense-focused defenders effectively stopped attacks

Action: ASD/NII USSTRATCOM

Joint

Staff Services JFCOM DISA

6


17/32


Observations

Top 5 Take-aways

5. Integrate offensive and defensive functions for effective, proactive NetOps

• Co-located,

integrated

NetOps

functions

are effective

• Unity of

effort is

required between

offensive

and defensive NetOps

communities

to

achieve

and

sustain

advantage

• Shared awareness of activities events, and capabilities

across

CNA /

CNE CND

communities promises economies and

superiority

• Indications & warnings enables proactive defense

• Integrated CNA / CNE / CND

is

required for dominant NetOps

Action: ASD/NII, Services, USSTRATCOM (JTF-GNO, JFCC-NW), JS, NSA, IC

7


18/32


Observations

Top 5 Take-aways

Initial

Recommendations:

• Establish 24 7 collaboration capability between key NetOps 1

network

defense

sites

and JTF-GNO

•

Achieve

and resource a persistent

IA

1eND training capability

• Advance efforts

to

acquire and operate baseline tactical-level

capabilities

enterprise-wide to detect, defend,

and respond

to

attacks

• Improve relationships and flow of information between I W providers

and

NetOps

community

• Exercise, validate, improve integrated offensive defensive NetOps

UNCLASSIFIED/IF,:)?

' : ) ~ : : C : : , , \ : ~ c : : : : G ~ ~ :

,

18


19/32


bservations

Defense Capabi lities

• Persistent IA / CND training/exercise capability required for premier defense

• Tactical level functions require improved defense capabilities

• Automated patching capabilities required to improve vulnerability mgt

• Active full-time scanning of wireless devices necessary for effective defense

• Must have local on-site personnel to isolate tlshoot local technical problems

I

UNCLASSIFIED/Ie An

A..-r-''''',

\

I

1 > - r

I . . . . ~

...... 1

I r 1 . VV V I ~ L

I

19


20/32


Observations

C

and

Information Flow

• Collaboration required for agile

responsive

C2 awareness and response

•

Communications

between operational and tactical levels vital

to

response

• Co-located integrated NetOps defense and warfare

functions

are effective

• Adjust reporting in response

to

increase in threat environment

•

Employ

refine current INFOCON guidance for efficient enterprise defense

•

Must coordinate

NetOps and defense via secure

communications

• Improve

use

of network

intelligence and

I W for agility speed in NetOps

U N C L S S I F I E D l l r c ~

C ~ ~ : 8 : ~ : ' ~ : : : : :

C ~ ~ : /

2


21/32


Observations

Tactics Techniques Procedures

• etter balance is required between efforts

to

restore service and defend

• Educate defenders on types of Red scans and appropriate responses

• Clarify ROE to

deconflict

law enforcement and

network

defense

• Enforce baseline

password

management of

network

printers

• Document

coordinate

COOP procedures

including reporting

for execution

2


22/32

Way Ahead

for

BD 7

• BULWARK DEFENDER remains annual joint CND capstone event

•

Aligning

BULWARK DEFENDER with GLOBAL STORM in 07

• Execution includes focused tactics training by jOint Red Team

• Using BD scenarios as template

for

CND events in

other

select exercises

• Leveraging SO lessons to shape, prioritize near-term

efforts to improve

joint network

defense capabilities, C2, and TTP

•

Continuing

team

effort with

Joint

Staff

for permanent joint CND range

• Requirement

document and

CONOPs

• Potential

to link

with

10

range

• Synchronizing

with

joint training capability program

• Help shape priorities

and

more balance

for

IA spending across GIG

U N C L A S S I F I E D l ~ C : ~

c : = ~ ~ s ~ / \ ~

~ s : : :

8 ~ ~ : " " , '

22


23/32

Capstone Joint I CND Event

• Real world th reats

• CND

ssessments

• Time sensitive

targeting

• Turbo Challenge

• Global Lightning

• Terminal

Fury

23


24/32

Design Considerations

• Drive operations effects .. enterprise-Ievel

•

Bring

CND piece

to

operations exercises

- Linkages

to

National, Regional, Theater,

Functional

levels

• Integrate, synchronize

with

operations

storyline

- PACOM road

to

war, supported by TRANSCOM, STRATCOM

• Conduct Red Team-led

tactics

training up front

• Emphasize free play--SIPR and NIPR, range events in that order

• Aim for 24x7 operations

•

Arrange

NMCI participation

• Invite COCOMs

to

participate

•

Promote

activities

to

integrate

offensive

and defensive NetOps

•

Exercise

INFOCONs ... TROs

• Leverage

network

sensors and I W

•

Staff

CND JECC -

guide

and

control support to ops

exercise JECG

4


25/32

National

Regional

Theater

unctional

unctional

BD 7

Exercise Linkages

Joint

taff

National-Strategic Mobilization Deployment CPX

PACOM

Logistics/Sustainment Force Flow

PX

5


26/32


Questions

6


27/32

FObjectives

• Exercise AF ability

to surge on the

live

network

• Exercise AF

ability

to maintain identif ied baselines

• Exercise AF response to real world

intrusion

sets

• Exercise AF response to bolt

out of

the blue attack

• Exercise physical

security

and operational impacts

in conjunction

with GS07

•

Explore using

Tactical

comm

• Exercise MCCC and C relationship

• Exercise all new AFNETOPS relationships

• Force commanders to participate at the joint and AF level

• Exercise INFOCON levels

• Exercise local COOP for PACAF AFSPC AFNOSC/C2D/NSD/NOD ACC

• Exercise TIER 1 and 2 CND/RA requests

• Exercise AF response

to

direct

targeting

of

AFNETOPS

C

Structure

7


28/32

hreats

Information Content

Control

Identity Authentication

Authorization

~

~ -

m

Education Training

Awareness

c

::

Security Operations

r

Administration

Info System Security

Services

OVERALL ASSESSMENT

covered

o Partially covered

o

Not covered

8


29/32

Defense ~ G , . d ' ~

Capabil it ies

~ ~

' ~ ~

• · t 1:>

~ o l n

Information

Content

Control

Identity uthentication

uthorization

~ ~ -

m Education Training

wareness

c

: Security

Operations

~

dministration

Info System Security

Services

OVERALL ASSESSMENT

9


30/32


ssessment Framework

3


31/32

BD 6 Scenario

Summary

Scenario Live Net

Range Net

• Scenario 1

- Critical information exfiltration

AF MC

A N

• Scenario 2

- Simulated wireless SIPR compromise

2

AF MC A

• Scenario 3

- Cross-service web compromise

3

AF MC A N

• Scenario 4

- AFNOSC DRP/COOP

4

AF

• Scenario 5

- Misuse

of

network

5

AF MC A N

• Scenario 8

- Cross service classified msg incident

8

AF MC A

AF N

• Scenario 9

- Hacker printer attack

9

AF,MC

A N

• Scenario 10

- Cross service Email DOS

1

AF,A, N

• Scenario

11

- Distributed Denial of Service

11

AF,A, N MC

• Scenario 12

- Email phishing attack

12

AF MC, N

• Scenario 13

- Rogue wireless device

13 AF,MC

• Scenario 14 - Total Network Takeover TNT) - Fast

4

AF A

• Scenario 16

- Attempted TNT - Slow

16

AF,A, MC, N

• Scenario 17

- AF wide web attack

17

AF

• Scenario 18

- Multiple NCC targeted net ops events

18

AF,A, MC, N

• Scenario 19

- AFNOSC/NOD scenario

19

AF

31


32/32


Observations

Take-aways

for

Way Ahead

• Joint IA CND exercise serves as significant basis for improving

joint

NetOps

• Integrated CNA CNE CND play is required to fully exercise NetOps

• Based on recognized value-Navy plans to extend future play to shore

commands,

Fleet units, Navy

networks

NMCI, ONENET, IT-21)

• USMC -

exercising

and coordinating with a

deployed

site proved beneficial

• USMC - range events increased attent ion to

basic

incident response

• USN - range enabled validation of

watch officer

responses,

certification

• Army - exercise significant; play must include major commands, select posts

• Include JTF-GNO in range play

• Add NMCI in next exercise

32

bulwark defender 06 quick look aar

Documents