UNCLASSIFIED (U)
DOD ENTERPRISE CYBERSPACE
RANGE ENVIRONMENT (DECRE)
COMMAND AND CONTROL (C2)
INFORMATION SYSTEMS (IS)
Mr. Rod Hallum
Joint Staff J6, IID
Suffolk, Virginia
Overview

[Slide figure: DECRE C2 IS overview graphic; the text recovered from it follows.]

Chairman’s EXORD 2011: Ensure the Warfighter receives jointly integrated and effective capabilities necessary to conduct operations
– Enable decision and action at the speed of the problem
– Deliver a sustained information advantage

Stakeholders shown: PMs, C4/Cyber FCB, CIO, MC4EB, OSD, Joint Staff

DoD Intent (DSOC assessment): DoD lacks understanding and situational awareness of enterprise-wide Cyber activities, operations and impacts, and lacks an environment in which to develop, test and train such a capability.
– Provide an Enterprise Cyber Range Environment.
– Advance the ability of warfighters to fight through the cyber threat with greater understanding and precision

Implementation to Resolution: Joint IO Range, CyberSecurity Range, C4AD/JDAT, National Cyber Range, C4/Cyber Team, J6, AT&L/TRMC, DISA, J7
– C4/Cyber AAR: “Here’s what happened” (Discovery, Mapping, Vulnerability)
– DOTMLPF-P Assessment: “Here’s why it happened” with recommended corrective actions (Assess Ecosystem Defensive Responses & Counters, TTPs)
– “Here’s what it means to the Warfighting Commander”

DoD Enterprise Cyber Range Environment
Need
A DoD environment is required that supports the persistent portrayal of the warfighter network environments, is sufficiently supported by live, virtual and constructive C2 IS systems and models to be operationally realistic, is instrumented to support the quantifiable measurement of C2 IS system effectiveness and survivability, and is capable of portraying a robust cyber threat. (DSOC, DODI 8330)
Concepts Underlying DECRE C2 IS
Create an operational environment in which Blue Force Players, C2 information systems and networks and Red Teams can interact in a realistic manner
Integration of real C2 information systems and networks & virtual C2 information systems and networks
Integration of recorded exercise data and real time data from exercises to drive C2 data play on the Cyber Range
Cyber Range Red Team play is captured in the form of a playbook and integrated into exercise red team play.
Integration of instrumentation to quantify system performance, survivability and mission impacts
Follow up for system improvements
What Does it Look Like?
DECRE C2 IS Event 3 Overview

Partners: NORTHCOM, DOT&E, AT&L, TRMC, NCR, JS J6, J7, CSR, TSMO, NIOC, 177th AS, SNL, JHU, MIT-LL

Phase 1: Engineering Development (16-27 June 2014)
Objectives:
– Represent CCMD JOC & AOC
– NCR integration of NORTHCOM critical supporting IS systems/processes
– Increase M&S supporting C2 IS operations
– Integrate: C2BMC, ACTIVE
– Support cyberspace forces training
– Demonstrate adversarial ability to exploit C2 IS vulnerabilities

Phase 2: C2 System Vulnerability Discovery (21 July-1 Aug 2014)
Objectives:
– Integrate: CSR DODIN EOC, JMETC 2.0, AEGIS, MOC, 177th Red Team, NIOC
– NIOC Red and Blue teams conduct cyber operations on the Range
– Demonstrate adversarial ability to create system vulnerabilities
– Conduct ACTIVE initial assessment

Phase 3: Vulnerability Discovery, Cyber Playbook (15-19 Sept 2014)
Objectives:
– Integrate: JMETC 2.0, MOC
– Demonstrate adversarial ability to exploit system vulnerabilities (TDL)
– Develop cyber effects playbook for VS15 (other CCMD exercises)

Phase 4: VS 15 Execution, Cyber Range Support (20-29 Oct 2014)
Draft Objectives:
– Demonstrate adversarial ability to exploit system vulnerabilities (TDL as needed, Tactical Chat, TBMCS, AFATDS, JADOCS)
– VS-15 Exercise Support
– N-NC exercise M&S data flows to C4AD
– Support integration of cyber effects into N-NC exercise (TBD)
– Employ N-NC GCCS-J, Dagger, JWinWAM, VOIP on JIOR at N-NC
– Develop cyber effects playbook (other CCMD exercises)

Leadership Reviews and Deliverables (timeline dates as shown on the slide): 10 Jun, 8 Jul, 10 Jul, 16 Jul, 15 Aug, 4 Sep, 9 Sep, 8 Oct, 9 Oct, 14 Oct, 13 Dec
– Deliverables: Assessment Plan; Quick Look Ph 1; Quick Look Ph 2; Quick Look Ph 3; Final Report, Lessons Learned, Recommendations

Mission-Based Assessments
– Assessment of ability: Protect, Detect, and Respond; Mission Assurance; CNDSP Performance
– DECRE C2 IS Assessment of: System Specific Vulnerabilities; Ability to operate in a contested cyber mission environment safely

Playbook Integration Into Exercise (Cyber Range Environment / Exercise Environment feedback loop)
Step 1
• The RT conducts offensive operations to deny/manipulate representative mission systems and networks on the DECRE prior to the supported exercise
Step 2
• System effects with requisite RT access & privileges are documented and used by the CYBER planners to drive effects via M&S, white cards or Red Team
Step 3
• The Red Team (RT) emulates a validated threat actor and gains access and privileges to networks and C2 systems
Step 4
• Documented Playbook effects are injected into the exercise by CYBER controllers via white cards, M&S or live Red Team
Step 5
• Success or failure of response actions determines the duration of C2 mission effects
Playbook (inject template)
Event:
DTG To Inject (Z):
From:
Theme:
Subject:
To:
Inject Cell:
Classification:
Mode:
Model:
Event Description:
Pre-Conditions (Red Team Access & Privileges):
Red Team Actions:
Exercise Inject (Method and Description):
Remediation Action:
How Do We Use This Environment?
– Evaluate proposed cyber defensive and offensive concepts of operation
– Develop cyber technologies to requirements gaps?
– Test System Resiliency to failures/cyber attacks
– Assess defensive cyber architectures
– Training in a realistic cyber mission environment
– Test Mission Assurance and effectiveness
– Mission Rehearsal in a realistic operational environment

[Slide figure: the uses above are mapped onto the acquisition life cycle. Phases shown: Pre-Systems Acquisition (Concept & Tech Development: Concept Exploration, Component Advanced Development, Decision Review); Systems Acquisition (Engineering & manufacturing development, demonstration, LRIP & production: System Integration, Interim Progress Review, Production & Deployment, LRIP, FRP Decision Review, Full-Rate Production & Deployment); Sustainment (Operations & Support). Milestones A, B, C and IOC.]
DOD ENTERPRISE CYBERSPACE
RANGE ENVIRONMENT (DECRE)
COMMAND AND CONTROL (C2)
INFORMATION SYSTEMS (IS)
Mr. Bert Daniel
Joint Staff J6, C4AD
Suffolk, Virginia
Network Engineering
Network Topology

Sites and roles:
– TSMO, Huntsville, AL: Red Team
– NIOC, Norfolk, VA: Red Team
– CPT, Fort Gordon, GA: Blue Team
– CPT, Fort Meade, MD: Blue Team
– JHU APL, Laurel, MD: Instruments
– JDAT, Eglin AFB, FL: Instruments
– C4AD, Suffolk, VA: C2 Systems/Data
– NCR, Suffolk, VA
– CDSA - Aegis, Dam Neck, VA: Ship C2 Systems
– MDA - C2BMC, Schriever AFB, CO: BMD Systems
– Cyber Security Range, Stafford, VA: DoDIN Backbone
– Joint Information Operations Range, Norfolk, VA: Data Transport

Legend: Subject to Cyber Effects; Information Systems; Network

BMD – Ballistic Missile Defense
C2BMC – Command, Control, Battle Management, and Communications
C4AD – Command, Control, Communications, and Computers Assessments Division
CDSA – Combat Direction Systems Activity
CPT – Cyber Protection Team
DoDIN – Department of Defense Information Networks
JDAT – Joint Deployable Analysis Team
JHU APL – Johns Hopkins University, Applied Physics Lab
MDA – Missile Defense Agency
NCR – National Cyber Range
NIOC – Naval Information Operations Command
TSMO – Threat Systems Management Office
Command and Control Systems View
NCR Information Systems
Cyber Range Interoperability
DOD ENTERPRISE CYBERSPACE
RANGE ENVIRONMENT (DECRE)
COMMAND AND CONTROL (C2)
INFORMATION SYSTEMS (IS)
Mr. Wade Johnson, CCAT
Joint Staff J6, JDAT
Eglin AFB, Florida
Data Collection and Analysis
C2 – Command and Control
IS – Information Systems
JDAT – Joint Deployable Analysis Team

Responsibilities
Mission: JDAT conducts field analysis of C2 IS and procedures, producing decision-quality data to improve Joint C2 integration and interoperability
Key functions
– Conduct field analysis of current and emergent C2 IS and associated procedures to measure capabilities and limitations, identify shortfalls and root causes, and recommend improvements
– Provide decision-quality data and cogent solutions to customers and stakeholders responsible for improving Joint C2 IS integration and interoperability
Simulated Hostile Cyberspace Attack Vignettes

Vignette 1: Manipulate track amplifying data
Effect: Disrupt situational awareness
Actions:
– Change track ID: Friend to Hostile, Hostile to Friend, Friend/Hostile to Neutral
– Change track location
– Change track course, speed, and/or altitude
– Change time latency of track updates
– Create Web page and e-mail latency/intermittent denial of service

Vignette 2: Disrupt architecture and/or infrastructure
Effect: Disrupt command and control
Actions:
– Block reporting unit updates for a specific track
– Prevent track updates
– Manipulate data at rest (e.g., ATO, ACO, ID values, GEOREF point)
– Perform distributed denial of service attacks
– Modify network infrastructure via unauthorized access to virtual machine hypervisor
– Deploy malware through group policy

Vignette 3: Manipulate the battlespace
Effect: Create mistrust
Actions:
– Add false tracks with various IDs
– Add numerous duplicate tracks (flood the picture)
– Create numerous reporting units for a track
– Remove tracks
– Modify policies of intrusion prevention applications

ACO – Airspace Control Order
ATO – Air Tasking Order
GEOREF – Geographic Reference
ID – Identification
Red Team Activities
Lines of effort (examples)
– Information Systems and applications (file, exchange, chat, and Web servers)
– Select Command and Control Information Systems
– Network and supporting infrastructure
– Cyberspace Protection Team training

JDAT DECRE C2 IS Data Collection Schema

[Slide figure: data collection schema; the components recovered from it follow.]
– Simulation: AWSIM, LOTS, JWinWAM, DIS
– C2 IS: GCCS-J, BCS, ADSI, AFATDS, JADOCS
– Red Team logs
– Audio: communication gateways (XDARES)
– Data gateways: ICSF client data gateways, Link 16 data gateways, OTH Gold data gateways, Web service data gateways
– DCAAF: DCAAF clients, Post Office middleware, EOI data, database triggers
– Analyst inputs, operator logs, chat logs
– MIG, analysis and debrief tools, postmission and postevent data processing
Data types shown: Audio communications; Simulated system messages; Actual system messages; Red Team data manipulations; Chat, analyst notes, operator logs

ADSI – Air Defense Systems Integrator
AFATDS – Advanced Field Artillery Tactical Data System
AWSIM – Area Weapons Simulation
BCS – Battle Control System
C2 IS – Command and Control Information Systems
C4I – Command, Control, Communications, Computers, and Intelligence
DCAAF – Data Collection Architecture for Analytical Feedback
DECRE – DOD Enterprise Cyberspace Range Environment
DIS – Distributed Interactive Simulation
GCCS-J – Global Command and Control System-Joint
EOI – Event of Interest
ICSF – Integrated C4I System Framework
JADOCS – Joint Automated Deep Operations Coordination System
JDAT – Joint Deployable Analysis Team
JWinWAM – Joint Windows Warfare Assessment Model
LOTS – Low Overhead Training System
MIG – Multiple Interface Gateway
OTH – Over the Horizon
XDARES – Extreme Digital Audio Recording Enhanced System
Near-Real-Time and Post Event Analysis Concept

Step 1: Develop rule set for identifying an EOI (Tool: DCAAF)
Step 2: Receive/display LOTS and C2 IS tracks * (Tool: JWinWAM)
Step 3: Detect Red Team tactical message inject (Tool: DCAAF Client)
Step 4: Identify type of message inject (e.g., new track, modify existing track, or drop track) (Tool: DCAAF Client)
Step 5: Assess specific track modifications (Tool: DCAAF Client)
Step 6: Assess dissemination to other C2 IS servers (Tool: JWinWAM)
Step 7: Assess impact to operator SA (Tool: JWinWAM)
* During the event, near-real-time analysis used live data; post event analysis used recorded system log files.

C2 IS – Command and Control Information Systems
DCAAF – Data Collection Architecture for Analytical Feedback
EOI – Event of Interest
JWinWAM – Joint Windows Warfare Assessment Model
LOTS – Low Overhead Training System
SA – Situational Awareness
Analysis Working Group Partners Data Collection
C4 Assessments Division (Joint Staff J6, DD C5I)
– Observe and document C2 IS operations; C2 IS operator logs
Johns Hopkins University Applied Physics Laboratory
– Pointillist: Near-real-time network activity visualization
– Galaxy: Post-mission network flow visualization indicating flow volumes and protocols between various network nodes
– Dagger: Dependency model for visualization of overall mission success
U.S. Army Threat Systems Management Office
– NETT: Computer network operations threat platform for delivering an integrated suite of open-source exploitation tools; operator logs
National Cyber Range
– Network sensor data and operator logs
Missile Defense Agency
– C2BMC Operator logs

C2 – Command and Control
C4 – Command, Control, Communications, and Computers
DD C5I – Deputy Director for Cyber and C4 Integration
IS – Information Systems
NETT – Network Exploitation Test Tool
Red Team Observations
• On a scale of 1-10 with 10 being real, how representative of a CCMD network is the DECRE C2 IS?
– 8
• From an Operational Test perspective how does the DECRE C2 IS environment compare to the others you have worked in?
– As good or better than any we have seen
Questions?