Bulwark Defender 06 Quick Look AAR
Transcript of Bulwark Defender 06 Quick Look AAR
8/16/2019 Bulwark Defender 06 Quick Look AAR
BULWARK DEFENDER 06
Joint CND
Intent
• Assess ability of the Services' respective NOSCs and network defenders to jointly conduct CND
• Exercise and validate the ability to protect DoD networks from attack while ensuring the integrity and availability of information for the warfighter
• Train DoD network defenders to decisively fight
• Confirm importance of defending networks to warfighters
Exercise Objectives
1. Train personnel to defend against a directed, professional attack against the GIG
2. Train and evaluate personnel in C2 procedures and operational tactics
3. Evaluate and refine information flow, fusion and dissemination between the Service NOSCs / CERTs / JTF-GNO
4. Evaluate and refine NetOps Tactics, Techniques and Procedures
Week Battle Rhythm (March)

Scenario 1 (LIVE), Critical Data Exfiltration: starts 45 days prior to STARTEX

Range week (6-11 Mar): travel to range; in-briefs, re-rolls and ops check; range familiarization (FAM); range play Tue 7 through Fri 10; range hotwash; GLOBAL STORM STARTEX
Live week (12-18 Mar): no play Sun 12; live play Mon 13 through Thu 16; hotwash Fri 17; travel
BD 6 Scenario Summary
• Scenario 1 - Critical information exfiltration
• Scenario 2 - Simulated wireless SIPR compromise
• Scenario 3 - Cross-service web compromise
• Scenario 4 - AFNOSC DRP/COOP
• Scenario 5 - Misuse of network
• Scenario 8 - Cross-service classified message incident
• Scenario 9 - Hacker printer attack
• Scenario 10 - Cross-service email DoS
• Scenario 11 - Distributed Denial of Service
• Scenario 12 - Email phishing attack
• Scenario 13 - Rogue wireless device
• Scenario 14 - Total Network Takeover (TNT) - Fast
• Scenario 16 - Attempted TNT - Slow
• Scenario 17 - AF-wide web attack
• Scenario 18 - Multiple NCC-targeted NetOps events
• Scenario 19 - AFNOSC/NOD scenario
EXERCISE BULWARK DEFENDER 06
Observations
Top 5 Take-aways
1. Enable 24x7 collaboration for agile, responsive C2, awareness, and defense
2. Build a persistent IA / CND training/exercise capability for premier defense
3. Establish baseline defense capabilities at tactical level to improve DoD CND
4. Balance efforts to restore network services and defend ... to optimize both
5. Integrate offensive and defensive functions for effective, proactive NetOps
EXERCISE BULWARK DEFENDER 06
Observations
Top 5 Take-aways
1. Enable 24x7 collaboration for agile, responsive C2, awareness and defense
• Facilitated effective operational-tactical
communications
• Enabled awareness on enterprise-wide attacks in minutes
• Supported near-real time correlation and response on attack events
Action: JTF-GNO, Services, DISA
Joint/Service NOSCs Coord Space in IWS

[...] Norfolk investigating
AFNOSC (1?:53:1?): Multiple web defacements at this time
AFNOSC (1?:53:35): initial read is that the source ips for [...]
[...]: we now have two external IPs associated 10.172.172.170 and 10.172.172.42
AFSPC CSS/SCOO (1?:38:58): Any idea what port is being used for [...]
(19:42:??): AFSOC reports [...] Non Responsive
Capt. HQ AFSOC (2): port
(1?:43:22): All Majcoms check your webpage and see if you have [...]
AFSPC CSS/SC (1?:44:46): Schriever AFB web page defaced. Instructed to contact local OSI and [...] if they want them to isolate and [...] Non-Responsive
TSgt MTC/CSS/SCIIT (4): [...]
SSgt AFNOSC (1?:45:21): How about your web server, have they been hacked?
SSgt AFNOSC (1?:45:4?): Anyone see a IP associated with these webpage [...]
TSgt. AFNOSC (2?:41:15): NSD have you relocated to COOP?
[...] CS/SCOC (1?:41:25): The Scott AFB webpage defacement came from (Dark_jihadists federation)
[...] CS/SCO (19:51:12): 10.172.172.170 sent hack Dyess; that was [...]
(20:31:24): CDO: Thunder 2 has evac'd due to a local industrial accident
Capt. AFNOSC (20:31:48): they have not yet reached their COOP location
[callout: Navy detects]
[...] (20:32:32): We have blocked 10.172.172.33 due to web defacement
[...] CMD (21:2?:21): PNOC Pensacola reports IP 10.140.0.75 is conducting a denial [...] Destination 10.120.4.9. Recommend watch for activity from source IP
[callout: reports]
MCNOSC (21:2?:?1): 29 Palms and Quantico seeing similar activity
[...]NOSC (21:33:?2): ICMP traffic?
[callouts: USMC same. Tipped AF. Army aware ... in minutes.]
MCNOSC (21:31:1?): yes, reported activity to JTF GNO
[...]NOSC (21:31:31): Two locations here hit with ICMP
Capt. AFNOSC (21:31:?0): NOD has recommended a block of ICMP traffic at ext routers
Capt. [...] (21:43:?1): A2TOC has not received any report of this type of activity on the Army
Capt. AFNOSC (21:46:12): Hercules NOSC isolated on NIPR
[...] (21:4?:1?): PNOC isolated 2150Z
JTF GNO (3) (21:??:11): AFNOSC standby. Response to your RFI coming via SIPRNET
Capt. AFNOSC: Have you attempted routing ICMP traffic to Null?
[...]NOSC (22:03:??): [...]
C[..]R (2) (22:05:33): [...]
C[..]R (2) (22:20:0?): three IPs in 10.220.119.[...] reported degradation of [...] is blocking class C.
[callout: router config for route to null]
ip route 10.245.0.0 255.255.255.0 Null0
ip route 10.246.0.0 255.255.255.0 Null0
ip route 10.192.0.0 255.255.255.0 Null0
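The chat on this slide shows the pattern the AAR credits with "awareness on enterprise-wide attacks in minutes": several NOSCs report the same source addresses, somebody correlates them, a block goes in at the external routers (here a static route to Null0), and a later message complains that a class C block degraded service. The script below is an added example written for this page; it is not code from the exercise or from any participating organization. The REPORTS and PROTECTED lists are constructed to mirror the chat, the site and Service labels are illustrative, and `correlate`, `null_routes` and `collateral` are names chosen here. It groups the reports by source IP, emits host (/32) blackhole routes in the IOS syntax shown above, and checks what a /24 null route around the same addresses would also cut off.

```python
"""Correlate multi-site incident reports by source IP and build Null0 routes.

Added example for this page, not part of the BD 06 AAR. The REPORTS and
PROTECTED lists are constructed to mirror the IWS chat on the slide.
"""
import ipaddress
from collections import defaultdict

# Constructed reports: (reporting site, Service, event type, source IP).
REPORTS = [
    ("AFNOSC", "AF", "web defacement", "10.172.172.170"),
    ("AFSPC CSS", "AF", "web defacement", "10.172.172.42"),
    ("Navy NOSC", "Navy", "web defacement", "10.172.172.33"),
    ("PNOC Pensacola", "Navy", "denial of service", "10.140.0.75"),
    ("MCNOSC 29 Palms", "USMC", "denial of service", "10.140.0.75"),
    ("MCNOSC Quantico", "USMC", "denial of service", "10.140.0.75"),
    ("375 CS Scott", "AF", "web defacement", "10.172.172.170"),
]

# Constructed list of mission hosts that share a /24 with the reported
# sources; a class C null route would blackhole these as well.
PROTECTED = ["10.140.0.10", "10.172.172.1"]


def correlate(reports, min_sites=2):
    """Group reports by source IP.

    Returns {ip: set of Services} for every source IP reported by at least
    min_sites distinct sites. One site's report is a local incident; the same
    source seen from several sites is the enterprise-wide event that should
    be pushed to JTF-GNO and the other Services.
    """
    services = defaultdict(set)
    sites = defaultdict(set)
    for site, service, _event, ip in reports:
        addr = ipaddress.ip_address(ip)
        services[addr].add(service)
        sites[addr].add(site)
    return {ip: svcs for ip, svcs in services.items() if len(sites[ip]) >= min_sites}


def null_routes(addresses, prefix_len=32):
    """Emit IOS static routes that send each prefix to Null0.

    Defaults to /32 so only the reported host is blackholed. A static route
    drops traffic *to* the prefix; dropping traffic *from* it as well needs
    uRPF on the router, which is outside this example.
    """
    lines = []
    for addr in sorted(addresses):
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        lines.append(f"ip route {net.network_address} {net.netmask} Null0")
    return lines


def collateral(addresses, prefix_len, protected):
    """Return {reported ip: [protected hosts]} that a prefix_len null route
    around each address would also cut off. An empty dict means the block
    is surgical."""
    hits = {}
    for addr in addresses:
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        caught = [p for p in protected if ipaddress.ip_address(p) in net]
        if caught:
            hits[str(addr)] = caught
    return hits


if __name__ == "__main__":
    hot = correlate(REPORTS)
    for ip, svcs in sorted(hot.items()):
        print(f"{ip}: reported by {', '.join(sorted(svcs))}")
    print("\n".join(null_routes(hot)))        # /32 routes, no collateral
    print(collateral(hot, 24, PROTECTED))     # what a class C block would hit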
EXERCISE BULWARK DEFENDER 06
Observations
Top 5 Take-aways
2. Build a persistent IA / CND training/exercise capability for premier defense
• Red Team-led training on tactics range: most valuable learning activity
• Joint range allowed community effort to improve defense
• Range supported safe ability to exercise robust NetOps scenarios
• A standing capability to train / shape defense tactics sustains advantage
• Time-sensitive training range enables responsive tactics maneuvering
Action: ASD/NII, JS/J6, USSTRATCOM, JFCOM, NSA, Services, DISA
EXERCISE BULWARK DEFENDER 06
Observations
Top 5 Take-aways
3. Establish baseline defense capabilities at tactical level to improve CND
• Bases with intrusion detection, intrusion protection and port security successfully blocked attacks
• Signature-based intrusion detection alone was not effective
• Some Services have acquired capabilities, but not yet fully fielded
• User awareness remains a critical element of defense
Action: ASD/NII, Services, USSTRATCOM
Scenario 16 Results
Cross-Service Total Network Takedown (Range)
PROGRESS KEY
(0) No compromises
(1) Red compromised workstation
(2) Red compromised Domain Server
(3) Red controls Network
(4) Red locked all other accounts
(X) Red shut down network
EXERCISE BULWARK DEFENDER 06
Observations
Scenario 1 - Exfiltration of Critical Information
Red Objective: Access unclassified AF networks and mine/copy critical data
Targets: AFNOSC, MAJCOM NOSCs and participating NCCs
Attack vector:
• Use phishing emails to gain access to a computer
• Use compromised computer to gain access/control of network
Scenario Results (AF): Exfiltration of Critical Information
[Map figure: Misawa primary compromise; secondary compromises; Red Team presence on 9 bases; control of 3 enterprises]
EXERCISE BULWARK DEFENDER 06
Observations
Top 5 Take-aways
4. Balance efforts to restore network services and defend ... to optimize both
• We are training more of a service provider than a network defender
• Many defenders focused on restoring service at the expense of defense
• Defense-focused defenders effectively stopped attacks
Action: ASD/NII, USSTRATCOM, Joint Staff, Services, JFCOM, DISA
EXERCISE BULWARK DEFENDER 06
Observations
Top 5 Take-aways
5. Integrate offensive and defensive functions for effective, proactive NetOps
• Co-located, integrated NetOps functions are effective
• Unity of effort is required between offensive and defensive NetOps communities to achieve and sustain advantage
• Shared awareness of activities, events, and capabilities across CNA / CNE / CND communities promises economies and superiority
• Indications & warnings enable proactive defense
• Integrated CNA / CNE / CND is required for dominant NetOps
Action: ASD/NII, Services, USSTRATCOM (JTF-GNO, JFCC-NW), JS, NSA, IC
EXERCISE BULWARK DEFENDER 06
Observations
Top 5 Take-aways
Initial Recommendations:
• Establish 24x7 collaboration capability between key NetOps / network defense sites and JTF-GNO
• Achieve and resource a persistent IA / CND training capability
• Advance efforts to acquire and operate baseline tactical-level capabilities enterprise-wide to detect, defend, and respond to attacks
• Improve relationships and flow of information between I&W providers and the NetOps community
• Exercise, validate, improve integrated offensive/defensive NetOps
EXERCISE BULWARK DEFENDER 06
Observations
Defense Capabilities
• Persistent IA / CND training/exercise capability required for premier defense
• Tactical level functions require improved defense capabilities
• Automated patching capabilities required to improve vulnerability mgt
• Active full-time scanning of wireless devices necessary for effective defense
• Must have local on-site personnel to isolate/troubleshoot local technical problems
EXERCISE BULWARK DEFENDER 06
Observations
C2 and Information Flow
• Collaboration required for agile, responsive C2, awareness and response
• Communications between operational and tactical levels vital to response
• Co-located, integrated NetOps defense and warfare functions are effective
• Adjust reporting in response to increase in threat environment
• Employ/refine current INFOCON guidance for efficient enterprise defense
• Must coordinate NetOps and defense via secure communications
• Improve use of network intelligence and I&W for agility/speed in NetOps
EXERCISE BULWARK DEFENDER 06
Observations
Tactics, Techniques, Procedures
• Better balance is required between efforts to restore service and defend
• Educate defenders on types of Red scans and appropriate responses
• Clarify ROE to deconflict law enforcement and network defense
• Enforce baseline password management of network printers
• Document/coordinate COOP procedures, including reporting, for execution
Way Ahead for BD 7
• BULWARK DEFENDER remains annual joint CND capstone event
• Aligning BULWARK DEFENDER with GLOBAL STORM in 07
• Execution includes focused tactics training by joint Red Team
• Using BD scenarios as template for CND events in other select exercises
• Leveraging BD lessons to shape, prioritize near-term efforts to improve joint network defense capabilities, C2, and TTP
• Continuing team effort with Joint Staff for permanent joint CND range
  - Requirement document and CONOPs
  - Potential to link with IO range
  - Synchronizing with joint training capability program
• Help shape priorities and more balance for IA spending across GIG
Capstone Joint IA/CND Event
• Real world threats
• CND assessments
• Time sensitive targeting
• Turbo Challenge
• Global Lightning
• Terminal Fury
Design Considerations
• Drive operations effects ... enterprise-level
• Bring CND piece to operations exercises
  - Linkages to National, Regional, Theater, Functional levels
• Integrate, synchronize with operations storyline
  - PACOM road to war, supported by TRANSCOM, STRATCOM
• Conduct Red Team-led tactics training up front
• Emphasize free play: SIPR and NIPR, range events, in that order
• Aim for 24x7 operations
• Arrange NMCI participation
• Invite COCOMs to participate
• Promote activities to integrate offensive and defensive NetOps
• Exercise INFOCONs ... TROs
• Leverage network sensors and I&W
• Staff CND JECC - guide and control support to ops exercise JECG
BD 7 Exercise Linkages
[Figure: linkage levels National, Regional, Theater, Functional]
• Joint Staff: National-Strategic Mobilization/Deployment CPX
• PACOM: Logistics/Sustainment Force Flow CPX
EXERCISE BULWARK DEFENDER 06
Questions
AF Objectives
• Exercise AF ability to surge on the live network
• Exercise AF ability to maintain identified baselines
• Exercise AF response to real world intrusion sets
• Exercise AF response to bolt-out-of-the-blue attack
• Exercise physical security and operational impacts in conjunction with GS07
• Explore using tactical comm
• Exercise MCCC and C2 relationship
• Exercise all new AFNETOPS relationships
• Force commanders to participate at the joint and AF level
• Exercise INFOCON levels
• Exercise local COOP for PACAF, AFSPC, AFNOSC/C2D/NSD/NOD, ACC
• Exercise TIER 1 and 2 CND/RA requests
• Exercise AF response to direct targeting of AFNETOPS C2 structure
[Assessment framework figure. Rows: Threats; Information Content Control; Identity, Authentication, Authorization; Education, Training, Awareness; Security Operations; Administration; Info System Security Services; Overall Assessment]
Legend: Covered / Partially covered / Not covered
Defense Capabilities (Joint)
[Assessment figure, same rows as the previous slide: Information Content Control; Identity, Authentication, Authorization; Education, Training, Awareness; Security Operations; Administration; Info System Security Services; Overall Assessment]
EXERCISE BULWARK DEFENDER 06
Assessment Framework
BD 6 Scenario Summary (participating Services; the original slide split these between Live Net and Range Net columns)

Scenario 1  - Critical information exfiltration       AF, MC, A, N
Scenario 2  - Simulated wireless SIPR compromise       AF, MC, A
Scenario 3  - Cross-service web compromise             AF, MC, A, N
Scenario 4  - AFNOSC DRP/COOP                          AF
Scenario 5  - Misuse of network                        AF, MC, A, N
Scenario 8  - Cross-service classified msg incident    AF, MC, A, N
Scenario 9  - Hacker printer attack                    AF, MC, A, N
Scenario 10 - Cross-service email DoS                  AF, A, N
Scenario 11 - Distributed Denial of Service            AF, A, N, MC
Scenario 12 - Email phishing attack                    AF, MC, N
Scenario 13 - Rogue wireless device                    AF, MC
Scenario 14 - Total Network Takeover (TNT) - Fast      AF, A
Scenario 16 - Attempted TNT - Slow                     AF, A, MC, N
Scenario 17 - AF-wide web attack                       AF
Scenario 18 - Multiple NCC-targeted NetOps events      AF, A, MC, N
Scenario 19 - AFNOSC/NOD scenario                      AF
EXERCISE BULWARK DEFENDER 06
Observations
Take-aways for Way Ahead
• Joint IA/CND exercise serves as significant basis for improving joint NetOps
• Integrated CNA/CNE/CND play is required to fully exercise NetOps
• Based on recognized value, Navy plans to extend future play to shore commands, Fleet units, Navy networks (NMCI, ONENET, IT-21)
• USMC - exercising and coordinating with a deployed site proved beneficial
• USMC - range events increased attention to basic incident response
• USN - range enabled validation of watch officer responses, certification
• Army - exercise significant; play must include major commands, select posts
• Include JTF-GNO in range play
• Add NMCI in next exercise