A Powerful Vision

U.S. Space Command’s Joint Task Force-Computer Network Operations unit directs attack and defense.

Protecting warfighting information technology systems requires the same situational awareness for networks that battlefield commanders rely on to maneuver forces to outflank and engage an enemy at maximum effective range. Without a near-real-time picture of the U.S. Defense Department’s Global Information Grid, the bubble could burst, leaving in question warfighter network defenses.

This network situational awareness is emerging as a fundamental element in information dominance, a pillar in all facets of an allied warfighting capability. Technical advances and new network management techniques are moving the Defense Information Systems Agency (DISA), Arlington, Virginia, toward real-time intrusion detection sensor grids, common cyberspace threat databases and recognition of network attack signatures. These cyberspace visualization elements are being harnessed for use by DISA to support the U.S. Space Command’s Joint Task Force-Computer Network Operations (JTF-CNO) unit.

Several trends are sweeping across the information assurance landscape to reshape the structure of network defenses. One example is a technical advance—an automated intrusion detection environment, or AIDE, system, according to Col. Larry K. Huffman, USA. He commands DISA’s Global Network Operations and Security Center (GNOSC) and its subordinate Defense Department computer emergency response team (CERT).

This AIDE system significantly enhances the Defense Department’s ability to detect network intrusions, correlate incidents within local or regional areas across a global network and improve timeliness of attack reports, Col. Huffman reveals. The GNOSC and CERT are collocated at DISA’s headquarters with the JTF-CNO organization, the operational arm for both computer network defense and attack missions. DISA Vice Director Maj. Gen. James D. Bryan, USA, also serves as the JTF-CNO’s commander. Daily task force operations are handled by the deputy commander, Capt. Bob West, USN.

Using both commercial and government off-the-shelf software and hardware products, the U.S. Air Force Research Laboratory in Rome, New York, developed the AIDE system. DISA is leading the effort to make this system operational, Col. Huffman explains. The Air Force serves as executive agent for defensewide intrusion detection sensors, he continues. A framework within the AIDE system receives data from boundary control devices such as firewalls, network-based intrusion detection systems and host-based computer sensors.

“AIDE’s strength is its ability to seamlessly integrate various intrusion detection devices into a standard display. It collects data from several different types of sensors, correlates and consolidates the input, displaying it as a single intrusion detection report at many operational levels,” Col. Huffman discloses. The AIDE system’s display enables timely and accurate decisions to help protect monitored computer networks. “The system depends on the successful accomplishment of three complementary objectives: data integration, data correlation and automated warning.”

This system takes the output from currently fielded intrusion detection devices for integration and, using bridging tools, portrays it in a single display. At the local level, analysts view all relevant data from their suite of sensors. At the regional level, filtered output from sensors at various sites under the network’s span of control is integrated into the display. The global-level integrated display consists of filtered output from regional AIDE systems.

GNOSC’s AIDE provides better visibility of network and system intrusions by harnessing many and varied sensors within an enclave to aggregate the output based on filtering mechanisms and techniques, Col. Huffman emphasizes. “This enhanced sensor output provides visibility of malicious intent in real or near-real time.”

A joint intrusion detection device (JIDD), developed by the U.S. Department of Energy’s Lawrence Livermore Laboratory, Livermore, California, is another step toward reshaping network defenses. Derived from network intrusion detection technology, it provides an incident database for signature reports and collaboration throughout the armed forces, Col. Huffman asserts. It is difficult to share commercial intrusion detection sensor signatures because of design differences and their inherent proprietary nature, each with its own private database. Government sensors do not suffer from this drawback.

An important information assurance initiative from The MITRE Corporation, Bedford, Massachusetts, is called the common vulnerability exposure (CVE) system, Col. Huffman divulges. A virtual team of highly trained industry technical experts, along with those from the GNOSC and Defense Department CERT, probes for weaknesses and examines known network and system vulnerabilities. As they are detected, each network defect is given a descriptive common name, which is based on specific criteria. The CVE is a joint program sponsored by the General Services Administration’s federal (Fed) CERT. The colonel is also a member of the CVE steering group.

The CVE system helps prevent redundancy and inundating system administrators with vulnerabilities, many of which may be duplications labeled with different names by each of the services. “The CVE gets down to specific elements, cataloging each vulnerability as it emerges in a precise and proper format so that the entire community will understand it in detail,” Capt. West explains.

Until recently, there was no taxonomy for classifying computing enclave or network intrusions. Each service has operated its own CERT and has relied on its own terminology to report and describe incidents, leading to database confusion and duplication, Col. Huffman comments. What one service calls an incident, another might not even consider to be in the same category. In addition, there are DISA regional CERTs and regional  NOSCs located in Europe, the Pacific, Bahrain and the United States. These regional CERTs are woven into the larger defensewide CERT fabric.

The GNOSC and the JTF-CNO now agree on what Capt. West terms the “top-level sentence,” a method and terminology for incident reporting that leaders and operators alike understand regardless of the service. JTF-CNO members, including the captain, who is a Navy P-3C pilot, blend technical expertise with operational military experience.

“Operators may not understand the underlying technology; however, they easily grasp the top-level sentence: You have an intruder using a certain tool to exploit a vulnerability, causing a network event,” Capt. West illustrates. “This event leads to some unauthorized result, based on some overall objective. This objective can be a hacker exercising his ego, a nation performing intelligence gathering or a criminal attempting electronic theft. The top-level sentence is a backbone, a set of fields in the database, and getting the services to agree to the same set of terms has not been an easy process.”

Nonetheless, inculcating the top-level sentence not only provides common incident classifications, it also enables the GNOSC and the JTF-CNO to see the definitions and the tools involved. This approach enables joint CERT database input, Capt. West explains. This is one more tool to help gain situational awareness through a threat database.

“As incidents occur, based on certain definitions and classifications, they enter a common Web-based system, where everyone involved has visibility. This approach allows us to spot trends, see when a compromise occurs and correlate data for use in the information assurance vulnerability notification process. This database helps determine whether an organization is ignoring a vulnerability notice, or if a specific operating system is compromised more often than some other operating system, perhaps pinpointing a weakness,” the captain observes.

Not only intrusion detection devices are employed to monitor networks for malicious intent, Capt. West comments. Data comes from a variety of sensors, intelligence community information or system administrator logs. “All of these inputs are useful in compiling a composite picture,” he asserts. “But this activity is still labor intensive, requiring massive analytical capabilities.”

The joint CERT database enables a U.S. Army analyst, as an example, to correlate incidents by Internet protocol addresses, by the protocols themselves or by tool vulnerability, Capt. West continues. “An analyst can query the database to determine whether a relationship exists between local incidents or [between incidents] across the entire Defense Department.”

DISA, seeking ways to protect a joint task force deployed in a theater, is developing an enhanced security program and defining an operational requirement. Still on the cusp of this effort, intrusion detection devices, other sensors and firewalls have been deployed in a pilot program to various theaters. The project is to test in real time how much incident information can be collected without overwhelming analysts, while avoiding a high percentage of false positive reports. Most deployed forces reach back via satellite to the United States, so it may be possible to provide protection at gateway terminals or teleports for military and commercial satellite communications.

Government and commercial intrusion detection devices are generally signature-based. But as attackers develop more sophisticated capabilities, operations must also be conducted against unknown signatures. In response, the GNOSC and the JTF-CNO are developing a Defense Department-wide reporting capability called commanders critical information items. “Based on certain criteria, observed network activity is analyzed to determine if it is malicious, and information is rapidly developed to program or reprogram network sensors to watch out for it,” Capt. West says. “In this research, we look for items that do not fit into a pattern. A sensor grid more diverse than intrusion detection devices is critical to this strategy.”

DISA controls its own sensor grid of approximately 150 intrusion detection devices in both the nonsecure Internet protocol (IP) router network (NIPRNET) and the secret IP router network (SIPRNET) located in worldwide enclaves. Separately managed Defense Enterprise Computing Centers are examples of these critical networks. Col. Huffman acknowledges that many of the sensors are also at important commander in chief (CINC) locations. However, the entire U.S. intrusion detection environment, with a wide variety of commercial sensors, is mostly decentralized and operational at individual service levels. DISA does not currently see much of the activity from within these enclaves, except through forwarded reports.

As the trend in incidents moves from enclave-level to network-level attacks, an improved network overview becomes a necessity. The NIPRNET, with between 3 million and 3.5 million host computers, is the biggest challenge because of its links to the Internet. “More than 70 percent of the network’s traffic transits the Internet,” the colonel clarifies, “from some 1,500 different enclaves—posts, stations and bases. DISA is seeking to bound the NIPRNET to determine the entry and exit points, not only for traffic but for security purposes.”

There are also 12 DISA gateways to the Internet, with large optical communications (OC) 3 pipes operating in many of them. “Moreover, there are some 189 backdoors—Internet service providers that must now be registered with the Defense Department as they move onto the Defense Information Systems Network,” he adds.

“During the next year, DISA anticipates developing a network situational awareness capability to view what is happening as traffic moves from the Internet onto the NIPRNET, spotting tendencies that could signal incidents or attacks,” Col. Huffman says.

The GNOSC operates with some 380 persons, most of whom are contractor employees. In addition, approximately 75 civilian government employees and a few military personnel have been assigned.

Capt. West notes that when the JTF-CNO became operational in 1998 in response to attacks on various military and Defense Department networks, the organization was established as an interim computer network defense (CND) solution under the formal name JTF-CND. Development of a unified plan to provide information assurance processes for the nine U.S. warfighting CINCs is resulting in task force changes, he explains.

Assignment of the JTF-CND last October to CINC Space Command is one of these changes. Another change, only several months ago, makes the JTF an operational arm for CINC Space that is responsible for both computer network attack (CNA) and computer network defense. Combining the CNA function with CND under the task force, Capt. West illustrates, results in computer network operations (CNO), giving the organization its new JTF-CNO designation.

Still a relatively small unit, the JTF-CNO is expected to increase in size as its mission and technical capabilities expand, the captain believes. “We are working hard to sort out all of the attack mission ramifications—political and international boundaries, hack-back attacks and corresponding legal issues.” But, he admits, the issues are thorny and the progress somewhat slow. “Intelligence community capabilities will also play a large role in the implications of military computer network attack operations.”

The goal is to have a single consolidated staff for the JTF-CNO “with the immediate priority, as the CINC has stated, on computer network defense,” Capt. West says. “If we do not have a network attack capability for the next conflict, relying instead only on traditional combat capabilities, we will probably be OK. But, if we cannot effectively defend our warfighter command and control infrastructure, we would have enormous difficulties,” he points out.

Even with the new network attack mission, the JTF-CNO will continue to orchestrate Defense Department computer network defense in concert with the military services and DISA. The task force, Capt. West explains, functions in a close relationship 24 hours a day, seven days a week, in the GNOSC command center to monitor and protect networks. With approximately 40 service members and several civilian employees, the task force observes cyberintrusions and potential threats and coordinates actions to halt them.

Capt. West reports that the Defense Department provides approximately 15 people to assist the interagency National Infrastructure Protection Center (NIPC) with its law enforcement role. This support is provided under the aegis of Presidential Decision Directive (PDD)-63 and creation of NIPC within the Federal Bureau of Investigation. He adds, “There are appropriate ways to use the military in law enforcement roles and, conversely, law enforcement agencies in military roles without violating of federal statutes.”

DISA’s emphasis will remain on defining and determining ways to manage the Global Information Grid (GIG) with its complexity across various military service domains. With the GNOSC and CERT as components, the focus is on the network defense mission. As the Defense Department’s service provider, DISA must have the ability to project a very strong defense for 13 vast networks that form the defense information infrastructure.

A priority for the Defense Department and the Joint Chiefs of Staff is for DISA to bring all of the decentralized sensor grids into an enterprise to facilitate visualization. According to Col. Huffman, showing where all of the intrusion detection sensors are located is an important aspect of supporting the JTF-CNO. The objective is to make certain that all critical links in the GIG are covered. “This is difficult to determine today without a centralized view,” he states.