new dod enterprise cyberspace range environment … · 2014. 10. 25. · security c4ad/ jdat...


Post on 11-Oct-2020


Page 1: New DOD ENTERPRISE CYBERSPACE RANGE ENVIRONMENT … · 2014. 10. 25. · Security C4AD/ JDAT National Cyber Range C4/Cyber Team AT&L/TRMC J6 J7 DISA ... chat, and Web servers)

UNCLASSIFIED (U)

DOD ENTERPRISE CYBERSPACE RANGE ENVIRONMENT (DECRE) COMMAND AND CONTROL (C2) INFORMATION SYSTEMS (IS)

Mr. Rod Hallum
Joint Staff J6, IID
Suffolk, Virginia

Overview

Page 2

DoD Enterprise Cyber Range Environment

[Figure: DoD intent through implementation to resolution. Recoverable labels follow.]

Chairman’s EXORD 2011: Ensure the Warfighter receives jointly integrated and effective capabilities necessary to conduct operations
• Enable decision and action at the speed of the problem
• Deliver a sustained information advantage

Labels: PM’s; C4/Cyber FCB; CIO; MC4EB; DoD Intent; DSOC

Assessment: DoD lacks understanding and situational awareness of enterprise-wide Cyber activities, operations, impacts and lacks an environment in which to develop, test and train such a capability

Provide an Enterprise Cyber Range Environment.

Advance the ability of warfighters to fight through the cyber threat with greater understanding and precision

Implementation to Resolution
• Joint IO Range
• Cyber Security Range
• C4AD/JDAT
• National Cyber Range
• C4/Cyber Team: J6, AT&L/TRMC, DISA, J7

• Here’s what happened: Discovery, Mapping, Vulnerability
• Here’s why it happened with recommended corrective actions: DOTMLPF-P Assessment
• Here’s what it means to the Warfighting Commander: C4/CYBER AAR
• Assess Ecosystem Defensive Responses & Counters
• TTPs

Labels: OSD; Joint Staff

Page 3

Need

A DoD environment is required that supports the persistent portrayal of the warfighter network environments; is sufficiently supported by live, virtual and constructive C2 IS systems and models to be operationally realistic; is instrumented to support the quantifiable measurement of C2 IS system effectiveness and survivability; and is capable of portraying a robust cyber threat. (DSOC, DODI 8330)

Page 4

Concepts Underlying DECRE C2 IS

Create an operational environment in which Blue Force Players, C2 information systems and networks and Red Teams can interact in a realistic manner

Integration of real C2 information systems and networks & virtual C2 information systems and networks

Integration of recorded exercise data and real time data from exercises to drive C2 data play on the Cyber Range

Cyber Range Red Team play is captured in the form of a playbook and integrated into exercise red team play.

Integration of instrumentation to quantify system performance, survivability and mission impacts

Follow up for system improvements

Page 5

What Does it Look Like?


Page 6

DECRE C2 IS Event 3 Overview

Partners: NORTHCOM, DOT&E, AT&L, TRMC, NCR, JS J6, J7, CSR, TSMO, NIOC, 177th AS, SNL, JHU, MIT-LL

Phase 1: Engineering Development (16-27 June 2014)
Objectives:
• Represent CCMD JOC & AOC
• NCR integration of NORTHCOM critical supporting IS systems/processes
• Increase M&S supporting C2 IS operations
• Integrate:
  – C2BMC
  – ACTIVE
• Support cyberspace forces training
• Demonstrate adversarial ability to exploit C2 IS vulnerabilities

Phase 2: C2 System Vulnerability Discovery (21 July-1 Aug 2014)
Objectives:
• Integrate:
  – CSR DODIN EOC
  – JMETC 2.0
  – AEGIS
  – MOC
  – 177th Red Team
  – NIOC
• NIOC Red and Blue teams conduct cyber operations on the Range
• Demonstrate adversarial ability to create system vulnerabilities
• Conduct ACTIVE initial assessment

Phase 3: Vulnerability Discovery, Cyber Playbook (15-19 Sept 2014)
Objectives:
• Integrate:
  – JMETC 2.0
  – MOC
• Demonstrate adversarial ability to exploit system vulnerabilities (TDL)
• Develop cyber effects playbook for VS15 (other CCMD exercises)

Phase 4: VS 15 Execution Cyber Range Support (20-29 Oct 2014)
Draft Objectives:
• Demonstrate adversarial ability to exploit system vulnerabilities (TDL as needed, Tactical Chat, TBMCS, AFATDS, JADOCS)
• VS-15 Exercise Support
  – N-NC exercise M&S data flows to C4AD
  – Support integration of cyber effects into N-NC exercise (TBD)
  – Employ N-NC GCCS-J, Dagger, JWinWAM, VOIP on JIOR at N-NC
• Develop cyber effects playbook (other CCMD exercises)

[Timeline figure: Leadership Reviews and Deliverables. Items: Assessment Plan; Quick Look Ph 1; Quick Look Ph 2; Quick Look Ph 3; Final Report, Lessons Learned, Recommendations. Dates as extracted: 4 Sep, 10 Jul, 9 Oct, 13 Dec, 8 Jul, 9 Sep, 10 Jun, 8 Oct, 14 Oct, 16 Jul, 15 Aug.]

Page 7

Mission-Based Assessments
Assessment of ability:
• Protect, Detect, and Respond
• Mission Assurance
• CNDSP Performance

DECRE C2IS
Assessment of:
• System Specific Vulnerabilities
• Ability to operate in a contested cyber mission environment safely

Playbook Integration Into Exercise

Step 1
• The RT conducts offensive operations to deny/manipulate representative mission systems and networks on the DECRE prior to the supported exercise

Step 2
• System effects with requisite RT access & privileges are documented and used by the CYBER planners to drive effects via M&S, white cards or Red Team

Step 3
• The Red Team (RT) emulates a validated threat actor and gains access and privileges to networks and C2 systems

Step 4
• Documented Playbook effects are injected into the exercise by CYBER controllers via white cards, M&S or live Red Team

Step 5
• Success or failure of response actions determines the duration of C2 mission effects

[Figure labels: Cyber Range Environment; Exercise Environment; Feedback Loop]

Page 8

Playbook

[Form template with the following blank fields:]
• Event:
• DTG To Inject (Z):
• From:
• Theme:
• Subject:
• To:
• Inject Cell:
• Classification:
• Mode:
• Model:
• Event Description:
• Pre-Conditions (Red Team Access & Privileges):
• Red Team Actions:
• Exercise Inject (Method and Description):
• Remediation Action:

Page 9

How Do We Use This Environment?

• Evaluate proposed cyber defensive and offensive concepts of operation
• Develop cyber technologies to requirements gaps?
• Test System Resiliency to failures/cyber attacks
• Assess defensive cyber architectures
• Training in a realistic cyber mission environment
• Test Mission Assurance and effectiveness
• Mission Rehearsal in a realistic operational environment

[Figure: acquisition life cycle with milestones A, B, C and IOC.
Pre-Systems Acquisition: Concept & Tech Development (Concept Exploration, Decision Review, Component Advanced Development).
Systems Acquisition (Engineering & manufacturing development, demonstration, LRIP & production): System Integration, Interim Progress Review; Production & Deployment (LRIP, FRP Decision Review, Full-Rate Production & Deployment).
Sustainment: Operations & Support.]

Page 10

DOD ENTERPRISE CYBERSPACE RANGE ENVIRONMENT (DECRE) COMMAND AND CONTROL (C2) INFORMATION SYSTEMS (IS)

Mr. Bert Daniel
Joint Staff J6, C4AD
Suffolk, Virginia

Network Engineering

Page 11

Network Topology

[Figure: network topology. Sites, locations and roles as labelled:]
• TSMO, Huntsville, AL: Red Team
• NIOC, Norfolk, VA: Red Team
• CPT, Fort Gordon, GA: Blue Team
• CPT, Fort Meade, MD: Blue Team
• JHU APL, Laurel, MD: Instruments
• JDAT, Eglin AFB, FL: Instruments
• C4AD, Suffolk, VA: C2 Systems/Data
• NCR, Suffolk, VA
• CDSA - Aegis, Dam Neck, VA: Ship C2 Systems
• MDA - C2BMC, Schriever AFB, CO: BMD Systems
• Cyber Security Range, Stafford, VA: DoDIN Backbone
• Joint Information Operations Range, Norfolk, VA: Data Transport

Legend: Subject to Cyber Effects; Information Systems; Network

BMD – Ballistic Missile Defense
C2BMC – Command, Control, Battle Management, and Communications
C4AD – Command, Control, Communications, and Computers Assessments Division
CDSA – Combat Direction Systems Activity
CPT – Cyber Protection Team
DoDIN – Department of Defense Information Networks
JDAT – Joint Deployable Analysis Team
JHU APL – Johns Hopkins University, Applied Physics Lab
MDA – Missile Defense Agency
NCR – National Cyber Range
NIOC – Naval Information Operations Command
TSMO – Threat Systems Management Office

Page 12

Command and Control Systems View

Page 13

NCR Information Systems

Page 14

Cyber Range Interoperability

Page 15

DOD ENTERPRISE CYBERSPACE RANGE ENVIRONMENT (DECRE) COMMAND AND CONTROL (C2) INFORMATION SYSTEMS (IS)

Mr. Wade Johnson, CCAT
Joint Staff J6, JDAT
Eglin AFB, Florida

Data Collection and Analysis

Page 16

Responsibilities

Mission: JDAT conducts field analysis of C2 IS and procedures, producing decision-quality data to improve Joint C2 integration and interoperability

Key functions
– Conduct field analysis of current and emergent C2 IS and associated procedures to measure capabilities and limitations, identify shortfalls and root causes, and recommend improvements
– Provide decision-quality data and cogent solutions to customers and stakeholders responsible for improving Joint C2 IS integration and interoperability

C2 Command and Control
IS Information Systems
JDAT Joint Deployable Analysis Team

Page 17

Simulated Hostile Cyberspace Attack Vignettes

Vignette 1: Manipulate track amplifying data
Effect: Disrupt situational awareness
Action:
• Change track ID: Friend to Hostile, Hostile to Friend, Friend/Hostile to Neutral
• Change track location
• Change track course, speed, and/or altitude
• Change time latency of track updates
• Create Web page and e-mail latency/intermittent denial of service

Vignette 2: Disrupt architecture and/or infrastructure
Effect: Disrupt command and control
Action:
• Block reporting unit updates for a specific track
• Prevent track updates
• Manipulate data at rest (i.e., ATO, ACO, ID values, GEOREF point)
• Perform distributed denial of service attacks
• Modify network infrastructure via unauthorized access to virtual machine hypervisor
• Deploy malware through group policy

Vignette 3: Manipulate the battlespace
Effect: Create mistrust
Action:
• Add false tracks with various IDs
• Add numerous duplicate tracks (flood the picture)
• Create numerous reporting units for a track
• Remove tracks
• Modify policies of intrusion prevention applications

ACO Airspace Control Order
ATO Air Tasking Order
GEOREF Geographic Reference
ID Identification

Page 18

Red Team Activities

Lines of effort (examples)
– Information Systems and applications (file, exchange, chat, and Web servers)
– Select Command and Control Information Systems
– Network and supporting infrastructure
– Cyberspace Protection Team training

Page 19

JDAT DECRE C2 IS Data Collection Schema

[Figure: data collection schema. Recoverable labels:]
• Sources: Simulation (AWSIM, LOTS, DIS); C2 IS (GCCS-J, BCS, ADSI, AFATDS, JADOCS); Red Team Logs; Audio; Operator logs, chat logs; Analyst inputs
• MIG gateways: Communication gateways (XDARES); ICSF client data gateways; Link 16 data gateways; OTH Gold data gateways; Web service data gateways
• DCAAF: Post Office; Middleware; EOI data; Database; Triggers; DCAAF clients
• Outputs: JWinWAM; Analysis and debrief tools; Postmission and postevent data processing
• Data flow legend: Audio communications; Simulated system messages; Actual system messages; Red Team data manipulations; Chat, analyst notes, operator logs

ADSI Air Defense Systems Integrator
AFATDS Advanced Field Artillery Tactical Data System
AWSIM Area Weapons Simulation
BCS Battle Control System
C2 IS Command and Control Information Systems
C4I Command, Control, Communications, Computers, and Intelligence
DCAAF Data Collection Architecture for Analytical Feedback
DECRE DOD Enterprise Cyberspace Range Environment
DIS Distributed Interactive Simulation
GCCS-J Global Command and Control System-Joint
EOI Event of Interest
ICSF Integrated C4I System Framework
JADOCS Joint Automated Deep Operations Coordination System
JDAT Joint Deployable Analysis Team
JWinWAM Joint Windows Warfare Assessment Model
LOTS Low Overhead Training System
MIG Multiple Interface Gateway
OTH Over the Horizon
XDARES Extreme Digital Audio Recording Enhanced System

Page 20

Near-Real-Time and Post Event Analysis Concept

Step / Step Description / Tool
1. Develop rule set for identifying an EOI (Tool: DCAAF)
2. Receive/display LOTS and C2 IS tracks * (Tool: JWinWAM)
3. Detect Red Team tactical message inject (Tool: DCAAF Client)
4. Identify type of message inject (e.g., new track, modify existing track, or drop track) (Tool: DCAAF Client)
5. Assess specific track modifications (Tool: DCAAF Client)
6. Assess dissemination to other C2 IS servers (Tool: JWinWAM)
7. Assess impact to operator SA (Tool: JWinWAM)

* During the event, near-real-time analysis used live data; post event analysis used recorded system log files.

C2 IS Command and Control Information Systems
DCAAF Data Collection Architecture for Analytical Feedback
EOI Event of Interest
JWinWAM Joint Windows Warfare Assessment Model
LOTS Low Overhead Training System
SA Situational Awareness
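
Steps 3 to 5 above (detect an inject, identify its type, assess the specific modifications) can be sketched as a comparison of the C2 IS track picture against simulation truth. This is an added example, not DCAAF or JWinWAM code and not part of the original briefing; the track fields, the tolerances, the assumption that both feeds share track numbers, and the sample data are all constructed for illustration.

```python
from collections import namedtuple

# One track report. Field names are assumed for this example: course in degrees,
# speed in knots, updated = time of last update in seconds.
Track = namedtuple("Track", "number identity lat lon course speed alt_ft updated")

# Assumed tolerances; the slides do not give the real rule-set values.
POS_TOL_DEG, KIN_TOL, ALT_TOL_FT, MAX_LATENCY_S = 0.01, 5.0, 200.0, 12.0

def modifications(truth, seen):
    """Step 5: name the fields of one track that differ beyond tolerance."""
    diffs = []
    if truth.identity != seen.identity:
        diffs.append(f"identity {truth.identity}->{seen.identity}")
    if max(abs(truth.lat - seen.lat), abs(truth.lon - seen.lon)) > POS_TOL_DEG:
        diffs.append("location")
    turn = abs(truth.course - seen.course) % 360  # course wraps at 360 degrees
    if min(turn, 360 - turn) > KIN_TOL:
        diffs.append("course")
    if abs(truth.speed - seen.speed) > KIN_TOL:
        diffs.append("speed")
    if abs(truth.alt_ft - seen.alt_ft) > ALT_TOL_FT:
        diffs.append("altitude")
    if truth.updated - seen.updated > MAX_LATENCY_S:
        diffs.append("latency")
    return diffs

def find_eois(truth_tracks, c2_tracks):
    """Steps 3-4: flag each discrepancy and classify the type of inject."""
    truth = {t.number: t for t in truth_tracks}
    seen = {t.number: t for t in c2_tracks}
    eois = []
    for number in sorted(truth.keys() | seen.keys()):
        if number not in truth:
            eois.append((number, "new track", []))
        elif number not in seen:
            eois.append((number, "drop track", []))
        elif diffs := modifications(truth[number], seen[number]):
            eois.append((number, "modify existing track", diffs))
    return eois

# Constructed sample data: simulation truth vs. the picture on a C2 IS server.
TRUTH = [Track("T100", "FRIEND", 36.85, -76.29, 90, 420, 25000, 100),
         Track("T101", "HOSTILE", 37.10, -75.80, 270, 480, 30000, 100),
         Track("T102", "FRIEND", 36.50, -76.00, 358, 300, 15000, 100),
         Track("T103", "NEUTRAL", 36.00, -75.00, 180, 250, 10000, 100)]
PICTURE = [TRUTH[0],                                                      # unchanged
           Track("T101", "FRIEND", 37.10, -75.80, 270, 480, 30000, 100),  # ID flipped
           Track("T102", "FRIEND", 36.50, -76.00, 1, 300, 15000, 80),     # stale update
           Track("T900", "HOSTILE", 36.70, -76.10, 45, 500, 20000, 100)]  # false track

if __name__ == "__main__":
    print(*find_eois(TRUTH, PICTURE), sep="\n")
```

In the sample, T103 is absent from the picture and is reported as a dropped track, while the 358 to 1 degree course change on T102 stays inside tolerance because the comparison wraps at 360.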

Page 21

Analysis Working Group Partners Data Collection

C4 Assessments Division (Joint Staff J6, DD C5I)
– Observe and document C2 IS operations; C2 IS operator logs

Johns Hopkins University Applied Physics Laboratory
– Pointillist: Near-real-time network activity visualization
– Galaxy: Post-mission network flow visualization indicating flow volumes and protocols between various network nodes
– Dagger: Dependency model for visualization of overall mission success

U.S. Army Threat Systems Management Office
– NETT: Computer network operations threat platform for delivering an integrated suite of open-source exploitation tools; operator logs

National Cyber Range
– Network sensor data and operator logs

Missile Defense Agency
– C2BMC Operator logs

C2 Command and Control
C4 Command, Control, Communications, and Computers
DD C5I Deputy Director for Cyber and C4 Integration
IS Information Systems
NETT Network Exploitation Test Tool

Page 22

Red Team Observations

• On a scale of 1-10 with 10 being real, how representative of a CCMD network is the DECRE C2 IS?
– 8

• From an Operational Test perspective how does the DECRE C2 IS environment compare to the others you have worked in?
– As good or better than any we have seen

Page 23

Questions?