“Defensive Battle Stations In Network-Centric Warfare: Rapid-Response Cyber Forensics”

Stephen B. Webb, Lockheed Martin Mission Systems
J. Philip Craiger, Ph.D., University of Nebraska at Omaha

What Is Rapid-Response Cyber Forensics™?

• Rapid-Response Cyber Forensics is an approach to the defense of critical military computers and networks.
• It augments “live” computer defense with skilled cyber forensic practitioners and adds a new element to defense-in-depth of critical automated systems.

What Rapid-Response Cyber Forensics Is NOT

• RRCF is NOT a substitute or replacement for any security tools or procedures being used on your systems today.
• RRCF is NOT a “fire-and-forget silver bullet” which will magically solve all your defensive network concerns.

LM-MS and PKI Partnership

• An uncommon partnership between Academics and Business with a common goal:
  “Field the Best Military Cyber-Defenders in the World”
• Leverage the strengths of both LM-MS and PKI to create a product neither could build alone

Benefits of Partnership

• LM-MS wanted to provide security training for our Government client
  - We knew what training could be valuable, but were not in the training business
• PKI wanted to expand into this area, but lacked experience with a military client
  - They knew how to train, but not what to train
• Both partners shared a strong desire to make the partnership work

Stones on the Path to Success

• Non-congruent Initial Goals
• Culture Clash
• Lack of Process

Network-Centric Landscape

• The U.S. holds a decisive edge in Network-Centric Warfare
  - Asymmetric threats are emerging to challenge our pre-eminence
• Our combatant networked systems must be defended to assure information superiority and victory
  - Tools for network defense are rapidly superseded by ever-more-virulent attacks
• Nothing we are proposing replaces any of the defensive tools presently being used

Network-Centric Warfare

• As conflict in Iraq demonstrated, Network-Centric Warfare gives a Commander a decisive advantage against any adversary—this point is not lost on our future enemies
• The nature of network attack will continue to be appealing to those enemies as an “equalizer”
  - low cost
  - technologically simple
  - effective, low profile, and low risk of attribution
• Rapid response to attacks against our network-centric forces will be necessary for military commanders to sustain future operations

The Network-Centric Commander

• A successful military commander in the 21st century must “detect, diagnose, and decide”—then act—against varying types and sources of cyber-attacks
• A Network-Centric Commander must sustain network operations while under computer network attack
• Tools and procedures for doing this have analogues in the non-military world, typically called cyber forensics
  - “Classic” cyber forensics: acquiring and authenticating evidence, analyzing that evidence for evidentiary value, and presenting the results in a court of law
• These classic tools and procedures are ill-suited for a commander under attack

Cyber Forensic Practice

• Analysis after the fact—the “medical examiner” model
  - A law enforcement mindset
• Post hoc analysis
  - Duplicate evidence, verify authenticity, offline analysis
• Focus of present cyber forensic training
  - Defensive and conservative, it has served law enforcement well, but fails to meet the needs of a commander for sustained operations under cyber attack
• Critical information repositories must remain online
  - Live response is the key

Rapid Response

• We propose a rapid response cyber forensic approach more resembling an Emergency Medical Technician than a Medical Examiner
• Tools, protocols, and techniques to perform “cyber-triage”
  - evaluating, prioritizing and defending against attacks against our warfighting networks
  - intelligent application of tools and procedures applicable to the warfighting context

Warfighting Cyber Forensics

• Development of new cyber forensic tools is a key component of rapid-response forensics, and while crucial, is not the primary focus of our efforts
• A disciplined cadre of cyber forensic technicians will remain the key to success in defending warfighting systems
  - Live response to sustain operations
  - Expert cyber-triage of multiple and simultaneous attacks

Rapid-Response Cyber Forensics™

• Developed collaboratively between University of Nebraska at Omaha and Lockheed Martin Mission Systems
• An alternative to traditional law-enforcement-like response
  - “Classic” forensics not suited to dynamic, real-time warfighting environment
• Both a human-capital and technological solution
• Success depends upon a fusion of procedures, techniques, and practice

Three Foundations of RRCF

• Training tailored for RRCF practitioners
• Procedures for forensic examination of “live” computer systems in real time
• Regular team practice in a lab environment mirroring real-world threats

Training as Key Component

• Practitioners receive rigorous hands-on initial training in RRCF techniques with realistic examples
• Training combines a deep understanding of:
  - Techniques and technologies
  - Realistic hands-on scenario-based practice
• As technology changes, rapid-response cyber forensics™ practitioners' skills are reinforced and upgraded

Rapid-Response Skill Set

• Understanding of Technology
  - Networks: protocols, attack signatures, normal & abnormal network traffic
  - Kept current through training
• Analytical Skills
  - Recognition and understanding of threats
  - Refined through practice in the lab
• Tools
  - Employment of the right tool—at the right time

Procedure and Drill

• Inter-related: Procedures are complex, and make drill central to proficiency
  - Development of detailed procedures
  - Application of the correct procedure to counter threats
• Practice when (or “if”) a procedure should be used
  - achieved in a lab setting where virulent attacks may be staged without risk to actual systems

Results

• Two classes of RRCF practitioners trained
  - Screening with a pre-test identified good candidates
  - All students successfully certified in RRCF
• Excellent customer response
• Plans for expanding the program

Lessons Learned

• A partnership between Business and Academics must serve the goals of both
  - Expect some surprises
• Rapid-Response Cyber Forensics™ is feasible
  - It is possible to achieve effectiveness—affordably
  - Training was challenging, but successfully scaled to the target audience
  - Importance of appropriate skill set in students

The Future of Rapid-Response Cyber Forensics

• As technology and tools change, so must the RRCF practitioner
  - Ongoing refresher training using realistic hands-on simulations and exercises
• Adopt and adapt new cyber forensic techniques that are developed
  - Requires continuing education on the part of cyber forensic trainers
• Develop new cyber forensic procedures in concert with new network-centric warfighting capabilities

Contact Information

E-mail: [email protected] (lmco.com address), [email protected]

We’d be pleased to answer your questions

Thank you

Back-Up Slides

Starting a Computer Conversation

• Final ACK completes the connection.
• Computers now have a reliable channel for communication

(Diagram: SYN, SYN-ACK, ACK)

Computer Dialog

• This is an example of a normal “handshake” between two computers
  - whammo.cobalt.net asks to connect, s=“syn”, a request to synchronize
  - Server1.unomaha.edu answers “syn-ack”, to acknowledge
  - whammo.cobalt.net sends a final “ack” and establishes connection

Normal Traffic?

SYN-Attack

• There is no final ACK
• Connection is never established
• 2nd Computer ends up using all of its resources waiting for the final ACK

(Diagram: “Let’s talk” / “Ok, I’m listening…” exchanged three times, never followed by a final ACK)
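The handshake on the Computer Dialog slide and the missing final ACK on this slide can be told apart mechanically. The following detector is an added example, not code from the presentation or from the authors; it replays constructed packet records modelled on the deck's two hosts (whammo.cobalt.net and Server1.unomaha.edu), tracks each connection through SYN, SYN-ACK and ACK, and reports servers holding too many half-open connections. The record layout, port numbers and alert threshold are assumptions for illustration.

```python
from collections import Counter

# Constructed sample packet records, modelled on the deck's handshake example.
# Each record is (source host, source port, destination host, destination port,
# TCP flags). A real detector would fill these from a pcap or firewall log.
NORMAL_HANDSHAKE = [
    ("whammo.cobalt.net", 40001, "Server1.unomaha.edu", 80, "SYN"),
    ("Server1.unomaha.edu", 80, "whammo.cobalt.net", 40001, "SYN-ACK"),
    ("whammo.cobalt.net", 40001, "Server1.unomaha.edu", 80, "ACK"),
]

# Constructed SYN-attack pattern: "Let's talk" / "Ok, I'm listening" repeated
# from fresh source ports, and the final ACK never arrives.
SYN_ATTACK = []
for _port in (50001, 50002, 50003):
    SYN_ATTACK.append(("whammo.cobalt.net", _port, "Server1.unomaha.edu", 80, "SYN"))
    SYN_ATTACK.append(("Server1.unomaha.edu", 80, "whammo.cobalt.net", _port, "SYN-ACK"))


def track_handshakes(records):
    """Replay packets in order and return the handshake state of every
    (client, client port, server, server port) four-tuple seen."""
    state = {}
    for src, sport, dst, dport, flags in records:
        if flags == "SYN":
            # Step 1: client asks to synchronize; the server must now hold state.
            state[(src, sport, dst, dport)] = "SYN"
        elif flags == "SYN-ACK":
            # Step 2: server acknowledges; key the conversation from the client side.
            key = (dst, dport, src, sport)
            if state.get(key) == "SYN":
                state[key] = "SYN-ACK"
        elif flags == "ACK":
            # Step 3: the final ACK completes the connection and frees the wait.
            key = (src, sport, dst, dport)
            if state.get(key) == "SYN-ACK":
                state[key] = "ESTABLISHED"
    return state


def half_open_per_server(records):
    """Count connections still waiting for the final ACK, per (server, port)."""
    counts = Counter()
    for (_client, _cport, server, sport), st in track_handshakes(records).items():
        if st == "SYN-ACK":
            counts[(server, sport)] += 1
    return counts


def syn_attack_suspects(records, threshold=3):
    """Return (server, port) pairs whose half-open backlog reaches the threshold.
    The threshold is an assumed illustrative value; tune it to the server's
    real backlog size."""
    return sorted(srv for srv, n in half_open_per_server(records).items() if n >= threshold)
```

A production version would also expire entries on RST/FIN and on a timeout, so that a legitimately slow client does not count against the server forever.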

End

Thank you