Cyberspace Operations (CO)
29 July 19
THIS LESSON IS UNCLASSIFIED
Overview
• Criterion Objective
• Enabling Objectives
• MP1: Introduction to Cyber Operations
• MP2: U.S. approach to Cyber Operations
• MP3: Adversary approach to Cyber Operations
• Summary
Objective
• Criterion Objective:
• Given associated reference materials and this lecture,
identify potential vulnerabilities and threats to your weapon
system with at least 80% accuracy
Objective
• Enabling Objectives:
• Given associated reference materials and this lecture,
identify basic facts and terms pertaining to Cyber
Operations with at least 80% accuracy
• Given associated reference materials and this lecture,
summarize the United States approach to Cyber
Operations with at least 80% accuracy
• Given associated reference materials and this lecture,
describe the United States' adversaries' approach to
Cyber Operations with at least 80% accuracy
Introduction to Cyber Operations
• Joint Publication 3-12 (JP 3-12) provides direction to our
joint forces with regard to the use of cyberspace
• What is the definition for Cyberspace Operations (CO)?
• JP 3-12 defines CO as “the employment of cyberspace
capabilities when the primary purpose is to achieve
objectives in or through cyberspace”
• What is cyberspace?
• “Cyberspace is the global domain within the information
environment consisting of the interdependent network of
information technology infrastructures and resident data,
including the internet, telecommunications networks,
computer systems, and embedded processors and
controllers”
• Three layers: the Physical Network Layer, the Logical
Network Layer and the Cyber-Persona Layer
[Figure: The Three Layers of Cyberspace: Physical Network Layer, Logical Network Layer, Cyber-Persona Layer]
• The Physical Network Layer: geographic component and
physical network component.
• The Logical Network Layer: the digital relationships or
associations that exist on a network.
• The Cyber-Persona Layer: the personnel operating the
terminals or workstations connected to the network.
PROGRESS CHECK
• Guided Discussion:
• Identify the three cyberspace network layers
• Give examples of the physical network layer
• Explain the cyber-persona layer
U.S. approach to Cyber Operations
• Cyberspace Operations Terminology
• Joint CO consist of three general categories
• Offensive Cyberspace Operations (OCO)
• Application of force through cyberspace, authorized via
EXORD
• Defensive Cyberspace Operations (DCO)
• CO executed to defend DoD/friendly cyberspace assets
• Department of Defense Information Network (DODIN)
• Global network infrastructure used to manage critical DoD
data
• Computer Network Exploitation (CNE)
• Spying through the cyberspace domain
• Computer Network Attack (CNA)
• Offensive operations through cyberspace to achieve
strategic objectives
• Deny - prevent use of capabilities
• Degrade - reduce capabilities
• Disrupt - temporarily interfere with operations
• Destroy - cause irreparable damage
• Manipulate - control/change data, IT systems and/or
networks
PROGRESS CHECK
• Guided Discussion:
• Identify the three general categories of Joint Cyber
Operations.
• What is Computer Network Exploitation (CNE)?
• Summarize the 5 Computer Network Attack methods.
Air Force Cyber Warfare
“I think most people today understand that cyber clearly
underpins the full spectrum of military operations,
including planning, employment, monitoring, and
assessment capabilities. I can’t think of a single military
operation that is not enabled by cyber. Every major
military weapon system, command and control system,
communications path, intelligence sensor, processing and
dissemination functions—they all have critical cyber
components.”
—Gen William L. Shelton
• History
• Form of cyber warfare conducted in WWII using radio
signals
• German bombers used radio signals to find their targets
• British engineers developed countermeasures
• Broadcast similar signals to confuse bombers
• Early use of frequency spectrum to create effects
• Lessons learned during Operation Desert Storm
• Identified importance of information to military operations,
need to protect information from adversaries and need to
exploit adversary information to gain operational advantage
• Validated by attack on Air Force networks in 1994 (Rome
Labs incident)
• In 1993 the Air Force established the Air Force
Information Warfare Center (AFIWC)
• Information superiority center of excellence, dedicated to
offensive and defensive counter information and
information operations
• In 1995 the 609th Information Warfare Squadron was
established
• Mission: Conceive, develop and field information warfare
combat capabilities
• From 1995 to 1999 the 609th Information Warfare
Squadron pioneered defensive counterintelligence
operations, then transferred mission to AFIWC
• Events that took place during this time led to increased
interest in information operations at the DoD level
• Attacks on military networks: Solar Sunrise and Moonlight
Maze
• Highlighted critical vulnerabilities in US Pacific Command’s
systems, as well as in 911 and power grids in nine US
cities
• Attackers stole tens of thousands of files from the
Pentagon, National Aeronautics and Space Administration
and Department of Energy
• In 1998 DoD activated Joint Task Force Computer
Network Defense under Maj Gen John Campbell
• Envisioned as having warfighting role
• In 2000 the task force was renamed to Joint Task Force
Computer Network Operations and took on an
additional offensive role
• Offensive mission later moved to Joint Forces Component
Command-Network Warfare
• National Strategy to Secure Cyberspace released in
2003 and National Military Strategy for Cyberspace
Operations released in 2006
• These documents established the strategic importance of
cyberspace to national interest
• United States Cyber Command established in 2009
• Current Cyber Operations
• Defined by a mixture of mature and developing capabilities,
doctrine, and organizations
• Initiatives
• Completed Air Force Network (AFNet) migration in 2014
• Maturation of cyber weapon systems to increase cyber
capacity in terms of the number of missions conducted in
support of warfighters
• Three Operational Mission Areas
• DODIN operations, DCO and OCO
• Each mission area enables effects in the air, space, sea
and land domain
• Across spectrum of conflicts from small special operations
missions to global conventional warfare
• DODIN Operations
• Increase in weapon systems and C2 systems that rely on
network and wireless connections
• Highlights importance of DODIN
• DODIN operations construct, operate, and sustain the
cyber domain, offering mission assurance and defense
through prioritized network provisioning (dynamic
construction), hardening, and configuration
management.
• Provision access to information sources
• Harden friendly portions of the domain from unauthorized
access
• Configure network systems to provide ease of maneuver to
friendly forces
• Constrain the adversary’s options
• Twenty-Fourth Air Force manages and defends the
AFNet
• AFNet is the Air Force portion of the DODIN
• 850,000 total force users
• Billions of dollars in systems and infrastructure
• Air Force advanced AFNet’s defensive posture through
two initiatives
• Deployment of Air Force gateways reduced the number of
external network access points from 120 to 16
• Consolidated 850,000 users into a single integrated Air
Force network, enabling enterprise-wide collaboration and
improved, trusted secure communications
• This initiative delivers embedded security that substantially
reduces an adversary’s ability to act on the network by using
compromised user credentials
• DODIN defensive improvements inverted the cost/risk
calculus of attack versus defense by forcing the
adversary to work harder to find vulnerabilities/making it
easier for the defender to guard critical assets
• DODIN operators limit attack vectors and reduce
vulnerabilities by strategic placement of defensive
capabilities on the network
• DCO mission area
• Twenty-Fourth Air Force’s units prevent, detect, and
respond to enemy actions through both active and passive
defensive capabilities
• Conduct defense through a set of layered, overlapping
technologies called “defense in depth,” an architecture that
ensures monitoring and defense of avenues of access as
well as end points such as clients and servers
• DCO operators actively engage adversaries inside Air
Force networks to prevent intrusions, detect malicious
capabilities and techniques, and respond to system
compromises
• DCO operators
• Monitor defenses for signs of attack
• Configure defenses to foil future attempts
• Detect known adversary tactics (signatures)
• Limit visibility into the AFNet
• Continuously monitor intelligence streams for indications
of pending attacks
• Analyze capabilities and methods used by adversaries
• Develop signatures that match patterns unique to a
particular attack
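As an added example (not code from the lecture or from any Air Force system), the two kinds of detection the slide describes, run over constructed log lines: a stateless signature match for patterns unique to a known tactic, and a stateful rule that recognizes a known adversary pattern (a burst of failed logins from one source) that no single line reveals. The log format, signature names, sample addresses and thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines for this example (not from the lecture):
# a benign login, a burst of failed logins from one source, a web request
# carrying a directory-traversal pattern, and ordinary traffic.
SAMPLE_LOGS = [
    "2019-07-29T10:01:01 host1 sshd: Accepted password for jsmith from 10.0.0.5",
    "2019-07-29T10:01:05 host1 sshd: Failed password for admin from 203.0.113.5",
    "2019-07-29T10:01:07 host1 sshd: Failed password for admin from 203.0.113.5",
    "2019-07-29T10:01:09 host1 sshd: Failed password for root from 203.0.113.5",
    "2019-07-29T10:01:30 host1 httpd: GET /cgi-bin/../../../etc/passwd 404",
    "2019-07-29T10:03:00 host1 sshd: Failed password for admin from 10.0.0.8",
    "2019-07-29T10:05:00 host1 httpd: GET /index.html 200",
]

# Assumed line layout: "<ISO timestamp> <host> <process>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern
    description: str


# Signatures: patterns unique to a known tactic rather than to ordinary
# traffic, so that a hit is worth an analyst's time.
SIGNATURES = [
    Signature("path-traversal", re.compile(r"(\.\./){2,}"),
              "repeated ../ segments in a request path"),
    Signature("sensitive-file-access", re.compile(r"/etc/(passwd|shadow)\b"),
              "request references a credential file"),
]


def parse_line(line):
    """Split a log line into timestamp, host, process and message; None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_signatures(lines):
    """Stateless detection: return (line_number, signature_name) for every hit."""
    alerts = []
    for n, line in enumerate(lines, 1):
        for sig in SIGNATURES:
            if sig.pattern.search(line):
                alerts.append((n, sig.name))
    return alerts


def detect_failed_login_bursts(lines, threshold=3, window_s=60):
    """Stateful detection: `threshold` failed logins from one source within `window_s` seconds."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerts = []
    for n, line in enumerate(lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        m = FAILED_RE.search(parsed["msg"])
        if m is None:
            continue
        ts = datetime.fromisoformat(parsed["ts"])
        q = recent[m.group("ip")]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()               # drop failures that fell out of the window
        if len(q) >= threshold:
            alerts.append((n, m.group("ip")))
            q.clear()                 # one alert per burst, not one per extra failure
    return alerts


def run_detections(lines):
    """Run every rule and group the alerts by rule name."""
    return {
        "signature": match_signatures(lines),
        "login-burst": detect_failed_login_bursts(lines),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOGS).items():
        print(rule, hits)
```

The traversal line trips two signatures at once, which is the normal case: overlapping signatures are written for different tactics and an analyst correlates them. The burst rule shows why signatures alone are not enough; each failed login is an ordinary event, and only the stateful count across a time window exposes the pattern.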
• Twenty-Fourth Air Force has both hunting and pursuit
capabilities to offer real-time defense and response
against adversary actions and regularly analyzes
enterprise resources for indications of advanced enemy
presence or attempted access
• OCO Mission Area
• OCO have developed from being non-existent to being well
integrated into joint operations
• Mission set concentrates on gaining and maintaining
access to enemy areas of cyberspace without detection
• Requires operators to carefully plan missions to
characterize and exploit enemy networks
• OCO operators
• Provide strategic alternatives to Combatant Commanders
• Perform network reconnaissance with sophisticated TTPs
• Develop techniques, weapons, or select one from an
existing repository
• After accessing a target, operators establish a
permanent presence on the machine while cloaking
indications of the incursion, allowing them to maintain
access indefinitely
• OCO operators (continued)
• Persistent presence allows OCO operators to effectively
exploit information on the target in support of warfighter
objectives
• Adversaries can block a weapon using a specific signature
once it has been detected
• Operational planners must assess the technical gain/loss
associated with the employment of OCO weapons
• If the desired effect is not substantial enough to justify the
potential loss of an OCO weapon, then they should
consider other methods
• Increased capacity for OCO will put enemy strongholds
at risk, forcing adversaries to divert manpower and
attention to defenses and reducing the defensive burden
on US networks
• Future of US Cyberspace Operations
• Although cyber warfare is currently limited to information
networks and network-attached systems, it will drastically
expand in the future
• Cyber-based effects will not be limited to networks of
computers; rather, they will encompass all electronic
information processing systems across land, air, sea,
space, and cyberspace domains
• Full domain dominance will permit freedom of maneuver in
all war-fighting domains by holding the enemy’s electronic
information-processing systems at risk while defending
friendly systems from attack
PROGRESS CHECK
• Guided Discussion:
• What were the lessons learned identified during Operation
Desert Storm?
• What effect do DODIN defensive improvements have on
adversaries?
• Explain some of the responsibilities of OCO operators.
Adversary approach to Cyber Ops
• Cyber warfare and the future of cyber security
• Common cyber attack targets
• Critical infrastructures
• Power grids, nuclear enrichment facilities, missile launch
systems, civilian computers, and other devices
• Many attacks rely on recruiting consumer devices into
botnets or simply using your devices as a way to infect
military and corporate networks with malware
• Everyone is exposed to the growing threats of cyber
weapons
• What is cyber warfare?
• Warfare between states in the cyber realm
• Objectives of launching these attacks vary
• Motives may include
• Steal corporate or state secrets
• Disrupt critical infrastructure, or merely infect the software
behind this infrastructure and lay silent until it is needed
• What is cyber warfare? (continued)
• Even if two states are not actively at war, they will often
launch cyber-attacks against each other.
• Launching cyber attacks is cheap and essentially
undetectable if done correctly
• This is partly because attacks can be launched covertly, and
partly because there is no internationally agreed framework
for assigning blame, or applying sanctions, for cyber-attacks
• Types of cyber attacks
• Man in the middle attacks
• A type of cyber-attack where a hacker intercepts the data
passing between you and a website, app, or server
• Phishing
• Designed to get access to your banking details, but phishing
is also commonly used in cyber warfare
• Malware
• An attacker needs to infect as many computers as possible
with malware in order to increase the chances that one of
these civilian machines will then infect the target system
• The future of cyber security
• Three key pieces of technology likely to drive the
development of cyber warfare in the coming decade
• Machine Learning and AI
• Artificial Intelligence is already being deployed in a wide range of
situations
• Likely that governments are already incorporating it into their
cyber weapons
• The Cloud
• Represents both a risk and an asset
• Distributed storage can make critical information easier to steal
• Blockchain
• Secure way to share key information between multiple users
• Adversary attack behavior model
• Shows how three key aspects of an adversary’s successful
cyberattack translate into probability of success
• Means, Motive, and Opportunity for Cyber Attacks
• Analysis of attacker behavior in the cyber realm
• Adversary must first determine which attack steps are
available options, then determine which available attack step
option is most attractive
• Success of an attempt is determined by the capability of the
adversary to execute such an attack step
• Three stages of an adversary’s attack attempt
• Opportunity: Attack Step Precondition
• Motive: Probability of Attempt
• Four attractiveness measures
• Cost to the adversary in attempting the attack step
• Payoff to the adversary for successfully executing the attack step
• Probability of successfully completing the attack step, as
perceived by the adversary
• Probability of being detected by the system during or after
attempting the attack step
• Means: Probability of Success Given Attempt
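As an added example (not from the lecture or from the model's original authors), the three stages above and the four attractiveness measures, carried through as a small scoring model a defender can use to see which mitigation actually changes the adversary's choice. The scoring formula (expected payoff minus cost minus a weighted detection penalty), the rule that the probability of attempt is a step's share of the positive attractiveness among available steps, the catalog of steps and every number in it are assumptions made for this example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AttackStep:
    name: str
    requires: frozenset         # Opportunity: access the adversary must already hold
    skill: str                  # Means: capability class needed to execute the step
    cost: float                 # Motive measure 1: cost to the adversary (assumed 0-10 scale)
    payoff: float               # Motive measure 2: payoff on success (assumed 0-10 scale)
    p_success_perceived: float  # Motive measure 3: success probability as the adversary sees it
    p_detect: float             # Motive measure 4: probability the system detects the step
    grants: frozenset           # access gained if the step succeeds


@dataclass
class Adversary:
    access: frozenset           # access currently held
    capability: dict            # skill -> actual probability of executing that class of step
    detect_aversion: float      # assumed weight the adversary puts on detection risk


def attractiveness(step, adv):
    """Assumed scoring: expected payoff minus cost minus weighted detection risk."""
    return (step.payoff * step.p_success_perceived
            - step.cost
            - adv.detect_aversion * step.p_detect)


def available_steps(catalog, adv):
    """Opportunity: only steps whose preconditions the adversary already meets."""
    return [s for s in catalog if s.requires <= adv.access]


def probability_of_attempt(step, catalog, adv):
    """Motive: assumed to be the step's share of positive attractiveness among available steps."""
    options = available_steps(catalog, adv)
    if step not in options:
        return 0.0
    positive = {s.name: max(attractiveness(s, adv), 0.0) for s in options}
    total = sum(positive.values())
    return positive[step.name] / total if total > 0 else 0.0


def probability_of_success_given_attempt(step, adv):
    """Means: set by the adversary's real capability, not by their perception."""
    return adv.capability.get(step.skill, 0.0)


def probability_of_success(step, catalog, adv):
    return (probability_of_attempt(step, catalog, adv)
            * probability_of_success_given_attempt(step, adv))


def harden(catalog, name, **changes):
    """Return a catalog in which one step's measures reflect a defensive change."""
    return [replace(s, **changes) if s.name == name else s for s in catalog]


def summary(catalog, adv):
    """Overall probability of success per step, rounded for display."""
    return {s.name: round(probability_of_success(s, catalog, adv), 3) for s in catalog}


# Constructed catalog and adversary for this example; every value is an assumption.
CATALOG = [
    AttackStep("phishing", frozenset(), "social", 1.0, 4.0, 0.6, 0.3, frozenset({"workstation"})),
    AttackStep("exploit-exposed-service", frozenset(), "exploit", 3.0, 5.0, 0.4, 0.5, frozenset({"dmz-host"})),
    AttackStep("lateral-movement", frozenset({"workstation"}), "exploit", 2.0, 8.0, 0.5, 0.4, frozenset({"file-server"})),
]
ADVERSARY = Adversary(frozenset(), {"social": 0.7, "exploit": 0.5}, detect_aversion=3.0)

if __name__ == "__main__":
    print("baseline:", summary(CATALOG, ADVERSARY))
    # Defensive change: mail filtering and user reporting raise the adversary's
    # perceived detection probability on phishing from 0.3 to 0.9.
    print("hardened:", summary(harden(CATALOG, "phishing", p_detect=0.9), ADVERSARY))
```

In the baseline, lateral movement is the highest-payoff step but is not an option (Opportunity), and exploiting the exposed service is available but unattractive, so the adversary's whole probability of attempt lands on phishing. Raising the detection probability of that one step drives its attractiveness below zero and leaves the adversary with no attractive step at all, which is the point the model makes for defenders: detection capability shifts the adversary's Motive even when Means and Opportunity are unchanged.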
• What to do about it
• Follow local cyber security procedures
• Encrypt everything
• A powerful tool to protect your information and privacy
• Encryption stops anyone from being able to read the data you
are sending
• Protects you against many common forms of cyber-attack
• Using a Virtual Private Network (VPN) you can make sure that
every piece of information you send or receive online is
encrypted
• VPNs will also protect against a wide array of online threats
PROGRESS CHECK
• Guided Discussion:
• Identify the three stages of an adversary’s attack attempt
• Summarize the four attractiveness measures that contribute to
an adversary's probability of attempt
• What is one of the best tools you have to defend against
a cyber-attack?
• Adversary cyber profiles
• Use the “Adversary Cyber Profile” handout
• Russia
• China
• Iran
• North Korea
PROGRESS CHECK
• Open Book Discussion:
• Summarize one cyber strategy from one of the countries
identified in the handout
• Summarize one cyber capability from one of the
countries identified in the handout
• Top 10 of the world's largest cyberattacks
• Use “TOP 10 of the world's largest cyberattacks _ Outpost
24 blog” handout
• Adobe
• Sony
• South Korea
• Target
• Alteryx
• Equifax
• Adult Friend Finder
• Marriott Hotels
• Hold Security
• Yahoo!
PROGRESS CHECK
• Open Book Discussion:
• Summarize one cyber-attack identified in the handout
• Identify protection measures your mission systems employ
that prevent these types of attacks
Summary
• Criterion Objective:
• Given associated reference materials and this lecture,
identify potential vulnerabilities and threats to your weapon
system with at least 80% accuracy
Summary
• Enabling Objectives:
• Given associated reference materials and this lecture,
identify basic facts and terms pertaining to Cyber
Operations with at least 80% accuracy
• Given associated reference materials and this lecture,
summarize the United States approach to Cyber Operations
with at least 80% accuracy
• Given associated reference materials and this lecture,
describe the United States' adversaries' approach to Cyber
Operations with at least 80% accuracy
QUESTIONS?