67th Network Warfare Wing: The Air Force’s Cyber Ops Wing

Col Kevin Wooton, Commander
31 May 2011

Overall Classification: UNCLASSIFIED


Page 2: Where we are… where we’re going

Cyber today is where Airpower was in the 1930s…

Page 3: 67 NWW Focus

• Conducting the full range of Network Warfare
  – Network Operations (Establish)
  – Net Defense (Control)
  – Full Spectrum (Use)

[Diagram labels: 67 NWW; 690 NSG, Net Ops; 26 NOG, Net Defense; 67 NWG, Full Spectrum; Operate, Defend, Attack; Operations Of and On the Net]

Page 4: AFNetOps Vision

• CSAF’s Sep 00 One Air Force…One Network NOTAM committed AF to fundamentally changing the way we leverage our networks.

• CSAF’s msg established AFNetOps, 3 Jul 03…To effectively protect Air Force networks and the advantages they provide, network control…need[s] to be applied in a coherent, disciplined fashion under control of a single AF commander.

• CSAF’s 3 Aug 05 memo on AFNETOPs support to USSTRATCOM laid out a path to provide C2 of the AF network.

• CSAF’s 15 May 09 directive memorandum established AFNETOPS/CC authority to issue orders for the operation of AF networks.

• End-Game: C2 network with focused, precision results

Page 5: AFNetOps Reality

AFCYBER = MAJCOM NOSCs under one commander

O&M responsibility Matrix

AFMC VPN managed by NCC, except at Kirkland where it’s iNOSC-W

Page 6: AFNet Migration (NIPRNET)

One AF-wide Active Directory Forest

SCOPE
• 14 Networks into One
• 840K users across 413 sites

BENEFITS
• E-mail for Life
• Single Sign-on Anywhere
• Reduce System Complexity
• AF-wide Collaboration

STATUS (9 May 11)
• 138K users // 29 sites
• 16% of AF
• 10 Legacy Nets Shutdown

Page 7: Net-Defense: Current TTP

PREVENT
• TCNOs up 28% since 2006
• ASIMS strings – filter suspicious net activity
• Strong relationship with vendors – share knowledge
• Blue assessment – see what hacker sees

DETECT
• 24/7/365 presence
• Crews review 10K+ suspicious events per day
• Report foreign IP activity to IC
• Correlation analysis - low & slow
• Recommend IP blocks to NOD
• Unity of effort w/other agencies

RESPOND
• Highly skilled computer network/forensics analysts
• Focal point for net intrusions
• Isolate exploitation method & extent of compromise
• Work closely with OSI & counter-intel agencies

Sensors
• Air Force: 232
• USJFCOM: 2
• USCENTCOM: 108

Page 8: Mission Operations Tempo

[Chart: Incidents and CAT VIII Investigations by year, 2008 to 2011. Data labels for 2008, 2009, 2010, 2011: 127, 204, 204, 75 (one series) and 812, 906, 1287, 490 (the other series). *CAO 20 Apr 11]

Page 9: Full Spectrum Ops Current Units

• 91 NWS
  – Telephone Network Ops

• 315 NWS
  – Core of AF Ops at Ft Meade
  – Daily joint operations

Page 10: Current/Future Initiatives

• Host-Based Security System (HBSS), desktop-level security

• Information Operations Platform (IOP), intrusion prevention system

• Network defense common operating picture (ArcSight)

• EnCase – Remote Incident Response Forensics (EnCase)

• AF Gateways (aka AF Network Increment 1), network demilitarized zone

• Vulnerability Lifecycle Management System (VLMS)

• Fidelis for Operations Security (OPSEC): SNS monitoring/Insider threat

Page 11: Current/Future Initiatives (cont’d)

• Continuity of Operations (COOP)/Alternate Operations Locations (AOL)

• ROE-governed TTPs/Execution: Stan/Eval

• Partnerships for rapid TTP and tool development: ESC, AFCA, Rome Labs, 688 IOW

• Active/Dynamic Defense

• Indications and Warnings of malicious activity based on actionable, targeted Intel

Page 12: 67 NWW - Air Force’s Execution Arm for Cyber Warfare

[Diagram labels: NetE; NetOps; NetD; Full Spectrum]