Information Protection Technician Cyberspace defense technician (MOS 255s) By CW5 Todd M. Boudreau deficiencies, and/or vulnerabilities that created the threat. The defeated adversary then slightly changes Where We Were the toolset in order to launch a new attack. More so- The analogy in this article is like a parable that phisticated adversaries create toolsets that automati- will help you understand the multidimensional arena cally morph on their own in order to prevent detec- into which the Army is deploying expert cyberspace tion or the capability of the remediation from being defense technicians. successful. To fully grasp the analogy you have to under- Finally, as the effects of Army transformation stand that our current cyberspace defensive measures and technological advances have caused MOS 254A are almost entirely reactive in nature. to shift into a role that mirrors MOS 251A, when Most often, adversarial activity is identified by both MOS were present in the same organization, the the loss of critical data and/or the malicious manipu- 251A has historically gravitated toward the NetOps lation of data elements and devices. After the fact, elemental gap of Information Assurance and Com- forensics often discover that such adversarial activity puter Network Defense (IA and CND respectively). had been going on for quite a significant amount of However, few 251A were properly trained and none time before it was discovered. At this point a “signa- received any institutional training. Furthermore, few ture” is created and placed in devices that are used to 251A were able to ensure consecutive assignments look for such adversarial activity. These devices look in such positions making it difficult to impossible to at current activity and if any matches this “signa- build upon skills and experience. ture” they then alert and activate devices that detect or in some cases prevent further adversarial activity. Where We Are Heading If placed on a scale in its simplest of forms, it would The current methods are completely inadequate look something like figure 1 below. for a variety of reasons. First, we cannot afford to Having established a protected posture, we scan allow adversarial activity to occur unnoticed for any our networks for evidence of adversarial activity by amount of time before we detect and take action. comparing cyberspace activity against our current Second, more and more we find our adversaries are signatures and various indications and warnings es- using polymorphic malware which means that the tablished and in place at the time. Once an adversary adversarial activity continues changing to make it al- has established intent to attack our networks, an op- most impossible to stop with signature-based defen- erational preparation of the environment sets the way sive measures. Instead, we need to begin focusing on for an attack which then may present a viable avenue to exploit our networks and extract critical informa- tion. Once an attack and/or exploit are defeated, we (Continued on page 36) begin the process of remediation to correct any faults, Figure 1 Current Scale Comparing Attack and Defense Cycles Army Communicator 35 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2011 2. REPORT TYPE 00-00-2011 to 00-00-2011 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Cybersoace Defense Technician (MOS 255s) 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION U.S. Army Signal Center,ATTN: ATZH-POM (Army REPORT NUMBER Communicator),Bldg 29808A (Signal Towers), Room 713,Fort Gordon,GA,30905 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE Same as 6 unclassified unclassified unclassified Report (SAR) Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 (Continued from page 35) so many alerts to possible mali- ence. So he introduces malicious cious activity on our networks, grass seed into our supply of grass anomalous activity. we are consumed wading through seed. The sheer amount of grass This is not an entirely new the plethora of false positives (i.e., seed sowed into the field makes it concept. Credit and banking alerts, indications, and warnings impossible to verify every single systems have been doing this for that turn out to be nothing) and/ seed. As the malicious seed begins years. Recently when my credit or inconsequential positives (i.e., to grow and take root, it soon pro- card had been refused, I imme- those that are of little to no con- vides a patch of grass that allows diately contacted my financial cern) that we miss the truly im- the adversary a foothold on our institution. They asked me two portant indications and warnings field. questions: had I recently charged allowing adversarial activity to Before we get to advancing the $1 to a common on-line DVD and continue unchecked for an unac- “detect and respond” to the left, Blu-ray disc rental-by-mail and ceptable amount of time. we must add two exasperating video streaming company and had We miss the truly important situations. First, the field has also I recently charged $1 to a not-so- alarm in the midst of the over- become overgrown with weeds common on-line clothing store. I whelming noise of alarms. This and saplings providing our adver- had done neither. This activity was needle in a pile of needles illustra- saries cover as they step onto the uncommon to my nominal pur- tion accurately presents the issue patch of malicious grass. Secondly, chasing history and was viewed as at hand. Finding the important the current field includes friendly an anomaly. This caused my credit alert amongst the blaring myriad plots of sod which are not central- card to be flagged. With a credit of alerts is truly like trying to find ly managed by the larger defender card, no funds are immediately a special needle in a pile of nee- of the field itself. transferred. Therefore, they were dles, which also continues to grow For unveiling the analogy, let able to put a hold on my account in number by the minute. While me reveal here that these patches and eventually disapprove the this illustration has a lot of merit of sod represent the disparate net- transactions with no money lost. under these circumstances, much works that are currently kluged to- I advocate an anomaly based more needs to be understood be- gether within the confines of Army cyberspace defensive posture that yond this one critical issue – espe- cyberspace. And finally the weeds moves the “detect and respond” cially in order to best present the and saplings are the result of poor further to the left of the attack need and capability of the Army’s IA practices. IA practiced upon cycle as illustrated below in figure expert cyberspace defense techni- cyberspace has been likened to 2. However, this calls for some cian. preventative maintenance checks changes in operations. Instead of Imagine a field of grass where and services. Taking a higher view the adversarial attack or exploit each blade is part of an integrated of IA, I include not only patching tipping our defensive measures, and monitored root system. Any and IA vulnerability alert response we must respond to the adver- pressure on the field has the abil- compliance, but also total asset sarial OPE. Let me make this clear ity to trip a sensor and send a visibility and network transpar- with the analogy. warning of a presence upon the ency. field. An adversary wants to step At the most recent Signal con- Defending a Field on our field and disrupt, exploit, ference at Fort Gordon, MG Rhett Some have described the or destroy those operations which Hernandez, Army Cyberspace nature of cyberspace defense as we conduct on and through this Command commanding general, trying to find a needle in a pile of field. mentioned three interrelated needles. The point of this illustra- However, to step on even a aspects of one significant effort tive presentation is that there are single blade may tip off his pres- that is necessary as part of mak- Figure 2 Future Scale Comparing Attack and Defense Cycles 36 Spring - 2011 ing cyberspace securely operational. The first two MOS 255S. To quickly identify an anomaly, one must be are to know ourselves and to know our enemy. The able to quickly discount what is normal. Begging your third is know the terrain one intends to defend. We patience to use another analogy, if someone is going to must first see our cyberspace terrain if we are to quickly, efficiently, and effectively defend your office effectively defend our cyberspace terrain. building against a physical attack, such as an explo- Setting these two immense problems aside sive device, they best know what normal looks like. (i.e., disparate networks and poor IA), let’s revisit Each desk, each box, each copy machine, each piece that analogy to ensure we are tracking. The seeds of furniture or physical structure that could be a fake represent normal network traffic that is nearly planted by an enemy and secretly housing an explosive impossible to detect in advance of an attack even device should be readily identifiable by the defender if if it is malicious. For example, I am not talking one plans to be successful. Similarly, if our cyberspace about spam or low-tech phishing attacks. I am defenders are not familiar with the network and net- instead alluding to highly sophisticated attempts worked data devices, they are ill prepared to notice an to attack our networks through e-mail traffic (for anomaly during the OPE phase of the adversarial attack. example) that have been crafted by a high-tech For the best defense posture, cyberspace defend- peer adversary. Most experts today admit this can- ers must live in the space they are assigned to defend. not be stopped. But the e-mail is only carrying a They must sense the anomaly within the normal as early malicious seed that by itself is yet inert. However, as possible – before the adversary even gets a toehold. as it begins to grow and root, before it has time to Know that we must move forward in this direction im- become a patch that allows even a toehold, it must mediately. We have no time to wait. We are unquestion- be detected and defeated. ably beyond phase zero in cyberspace operations con- In the physical domain of the field of grass in ducted in and through the cyberspace domain today. my analogy, the first step is to establish a field-of- fire. Basic warrior tasks and battle drills teach a Enter the Cyberspace Defense Technicians couple of basic principles in establishing a field- The below NetOps construct in figure 3 continues to of-fire. First, one must determine how big the field show its three elements which are also the Regiment’s can be and still be scanned effectively against the three major core competencies. Previous articles have adversary. Second, one ensures overlapping fields- already addressed MOS 255A (responsible for Cyber of-fire to prevent against a seam (at best) or a gap Content Management) and MOS 255N (responsible for (at worst) which could allow the adversary an av- enue of approach through our defenses. If the mag- (Continued on page 38) nitude of adversarial activity that is to be detected is as small as a blade of grass, the field-of-fire must be small enough to remain man- ageable. In the cyberspace domain, we must also default to these basic level cyberspace WT&BD and establish fields-of-fire that are manageable and include overlap- ping and interlocking fields-of- fire. These malicious e-mails don’t plant grass. They plant hooks that provide a point of presence in our networks and data devices. Our cyberspace defenders must be able to scan their sector and detect such malicious PoPs in order to defeat them while the adversary is still in the OPE phase of the attack. Cyberspace defenders must see these hooks as anomalous to their cyberspace fields-of-fire. One last thought is appro- priate before moving on to the practical aspects of discussing Figure 3 Network Operation Construct Army Communicator 37 (Continued from page 37)) level accession MOS. Instead, ac- dard of CyD training to be in the cessions into MOS 255S will be at Cyber Network Management); the hands of our commercial IT part- the senior W2 grade. This is in line last article in this particular series ners. Finally, we recognized the with preferred attendance at the will address MOS 255Z (responsi- necessity of partnering with our Warrant Officer Advance Course. ble for Cyber NetOps (CyNetOps) Intelligence Community partners This ensures newly reclassified in its entirety). who can provide actionable intel- 255S have a greater understanding This article now moves to ligence relative to our adversaries’ of their actions and the sugges- describe MOS 255S (responsible intent--their tactics, techniques, tions they make in the CyCM and for Cyber Defense) as the newest and procedures; and any real time CyNM areas to better posture for personnel capability added to the feedback on both their current ac- defense. Training will be discussed Signal warrant officer cohort. tivities as well as their knowledge below. However, the requirement As we began to look at the of ours. for all 255S to hold a top secret capability gap at hand (IA/CND), A properly trained and de- clearance with the ability to be we made a couple of decisions up ployed MOS 255S force will be key read on to special compartmen- front. First, we realized the need in meeting the first issue above. talized information is of utmost to move from a perimeter-posi- In order to move to an internally importance. This allows the IC to tioned and reactionary defensive proactive, anomaly based, true feed actionable intelligence into model to an internally proactive, defense-in-depth model, we need the CyD cell. anomaly based, true defense-in- an intelligent personnel capability Since there are no apprentice depth model. Second, knowing the to be a part of the solution set. cyberspace defense technicians, it interdependencies of CyD, CyCM To ensure that CyCM and is imperative that we get our train- and CyD, CyNM, we concluded CyNM efforts are not negatively ing right. The transition course the need for a more senior and affected, but supported and rein- from MOS 255S will also serve to experienced personnel base. Third, forced, it was decided that MOS give advance course credit (i.e., we acknowledged the current stan- 255S would not be an enlisted- it will also function as a WOAC). Figure 4. Current 255S Pilot Course Training Course Map 38 Spring - 2011 The most credible and holistic CyD They also supervise and/or over- training currently resides in the see subordinate sections required hands of our commercial IT part- to support information protec- ners. CISCO has a robust perim- tion and network defense such as eter security track of training and communications security sections, the SANS Institute has a number cryptographic network planning, of courses that meet both our cli- and electromagnetic spectrum ent and perimeter training needs operations to achieve electronic as well as a number of other very protect, and the implementation specific areas to be addressed. and use of electronic keys required Figure 4 below is our current 255S supporting communications net- course map. works and networked-systems. See figure 5. Journeyman Cyberspace It is imperative that com- Defense Technicians manders and senior leaders un- MOS 255S are the Army’s premier derstand that MOS 255S will not defenders of the Army’s portion of oversee IA compliancy. MOS 255S the cyberspace domain. They per- are required to know normal and form computer network defense hunt in our portion of cyberspace measures and advise information to identify and defeat adversarial Figure 5 assurance measures and actions to activity. Not all adversarial ac- include the protection, detection, tivity will be defeated. The 255S officer in most formations. Jour- and reaction functions at all levels provides the Signal Regiment a neymen 255S also find themselves in support of combat information basis to enter into full-spectrum in theater network operations superiority. Junior 255S (i.e., W1 cyberspace operations with our security centers, regional com- and W2) do not exist. Instead, ju- IC partners. The use of decep- puter emergency response teams, nior WOs who may look to access tion, cyberspace counter-fire, and and a number of similar hands-on into 255S should focus on acquir- adversarial cordoning are just a organizations to include as high as ing and refining technical and ad- few of the TTPs a full-spectrum combat divisions. ministrative skills within their re- cyberspace operation may use. spective MOS (i.e., 255A or 255N). Therefore, to limit MOS 255S to IA Master Cyberspace As they develop these skills and is a colossal waste of talent and achieve mid-grade CW2 status, completely misses the point of Defense Technicians should they desire to pursue MOS the MOS. Journeymen 255S may Senior 255s (i.e., newly pro- 255S, they should begin self-study advise IA and analyze IA deficien- moted W4), quickly master appli- in the cyber defense field, seek to cies to give the “so what” to their cations, techniques, systems, and find a senior 255S as a mentor, and respective commanders. They are CyD attributes which include ac- look to fill information assurance able to determine the difference tions to resist, recognize, respond, management positions that will between vulnerability and an ac- recover, and reconstitute. Highly lead them to meeting the 255S pre- tual threat and can provide mitiga- specialized and highly motivated, requisites. IAM positions may be tion courses of action. they quickly inculcate these and either focused on IA compliance in These journeymen 255S per- move from the outer edges of the CyCM or CyNM. fect the art of knowing normal by CyD circle in this Venn diagram Mid-grade 255S (W3) advise a continued and in-depth analy- toward the center. They too are information assurance efforts sis of the various feeds received now moving from mastery of one while focusing on their associated from sensors, data devices, and element toward the goal of W5-- sub-element (i.e., cyber defense) actionable intelligence received mastery of NetOps. as well as non-lethal electronic from various IC sources. Unlike Master CyDs, as senior-level protection efforts. They supervise the CyCM and the CyNM, it is the technical and tactical experts associated personnel and oversee journeymen CyD who is nominally in their chosen field, have also functions within the standards, assigned to a brigade combat team gained familiarity with the other transport, services, and applica- where he/she has the greatest abil- two elements of NetOps (i.e., tions layers of the network in ity to encounter the widest array CyCM and CyNM). As they con- order to achieve confidentiality, of devices and applications found tinue to develop as CW4 255S, they go integrity, and availability of infor- within the breadth of his/her as- beyond understanding the basic con mation, as well as the authentica- signed systems. This also makes tion and non-repudiation of users. the 255S the senior Signal warrant (Continued on page 40) Army Communicator 39 (Continued from page 39) acquire, reverse engineer, fabricate, and reproduce such equipment by cepts of information protection and our adversaries. Additionally, the assured system and network avail- circuit-switched nature of MSE and ability and ensure that these attributes TRI-TAC networks made it very dif- of NetOps are obtained. See figure 6. ficult to introduce rogue equipment Their prior experience as either 255As into our networks with the intent to or 255Ns is key to their rapid expan- exploit or disrupt. sion of knowledge. Today, these barriers have all The master CyD is nominally as- but disappeared with our reliance signed to a corps, ASCC, and higher on commercial off-the-shelf equip- level organization where their train- ment. Almost anyone with inclina- Figure 6 ing and experience has its greatest tion can find a virtual potpourri of and remediate. However, more impact. To prepare the CW4 255S attack toolsets from which to choose. complicated, high-tech, peer adver- for the duties and responsibilities A malicious personality merely sarial activity requires an expert encountered at these levels of orga- chooses from a variety of desired cyberspace defense technician who nization, attendance at the Warrant cyberspace effects much like one is fully equipped, informed and ac- Officer Staff Course is crucial. picks from an assortment of foods tively hunting anomalies within our The master CyD will be, without at al buffet restaurant. Attribution is complex networks and systems. argument, today’s intellectual made difficult with the virtual, non- Subsequent to promotion to capital to ensure the Army not only contiguous, yet ubiquitous nature CW5, the master CyD also becomes meets its future demands within in which cyberspace presents itself. part of an ever smaller, elite group and through cyberspace, but that One merely needs to walk into a of Signal warrant officers, the cy- it is secured and defended. While busy hotel and use the hotel’s busi- berspace network operations techni- this may not be a new problem-set, ness center as a platform to launch a cian, MOS 255Z. its scope has grown significantly. cheap, unsophisticated, yet often ef- As will be done for all 255Z, se- Past generations of Signal equip- fective attack against our networks. nior leadership will be cognizant of ment were mainly proprietary Presently, even a low-tech their past MOS and as such leverage and circuit-switched. As such, the attack often overwhelms our pri- their knowledge, skills, attributes, obstacle between our adversary and marily reactive defenses inundated and experience for future assign- our critical systems was quite large with a myriad of false-positives. ments. For further information on and almost insurmountable. Mobile This creates another source of noise MOS 255Z, an article summarizing subscriber equipment and TRI-TAC that helps to mask more compli- their career paths and describing systems were proprietary and not cated, high-tech, peer adversarial their skills, attributes, duties, and easily reproducible by others. A activity. IA compliance may lower responsibilities is included on page significant amount of intellectual the noise-floor making the former 48 in this edition of the Army Com- capital and funding were required to easier to spot, identify, categorize, municator. ACRONYM QuickScan ARCYBER – Army Cyberspace Command MSE – Mobile Subscriber Equipment ASCC – Army Service Component Command NetOps – Network operations CND – Computer Network Defense OPE – Operational Preparation of the Environment COMSEC – Communications Security PMCS – Preventative Maintenance Checks and Services CyCM – Cyberspace Content Management PoP – Point of Presence CyD – Cyberspace Defense R-CERT – Regional Computer Emergency Response CyNetOps – Cyberspace Network Operations Team CyNM – Cyberspace Network Management SCI – Special Compartmentalized Information CyNOT – Cyberspace Network Operations Technician T-NOSC – Theater Network Operations Security Center DVD – Digital Versatile Disc TS – Top Secret EMSO – Electromagnetic Spectrum Operations TTP – Tactics, Techniques, Procedures IA – Information Assurance WOAC – Warrant Officer Advance Course IAM – Information Assurance Management WOSC – Warrant Officer Staff Course IAVA – Information Assurance Vulnerability Alert WOSSC – Warrant Officer Senior Staff Course IC – Intelligence Community WT&BD – Warrior Tasks and Battle Drills MOS – Military Occupational Specialty 40 Spring - 2011