The Integrated Threat Force (ITF): A Full Spectrum Advanced Persistent Threat for Operational Tests

Steve Woffinden, General Dynamics C4 Systems, Sys Eng Tech Staff, ITF Project Office
Phone: (480) 777-1718
Email: steve.woffinden@gdc4s.com

ITEA Advanced Persistent Threat Conference, 28 November 2012
ITEA Advanced Persistent Threat Context

ITEA Advanced Persistent Threat Theme: Cyber warfare is no longer something we'll have to worry about in the future. The Stuxnet virus, which targeted and damaged Iranian nuclear infrastructure, showed that internet warfare is happening now. The cost of securing U.S. infrastructure against our enemies will cost billions of dollars. U.S. Secretary of Defense Leon Panetta warned that the United States could be paralyzed by cyber warfare if it is not prepared. "The reality is that there is the cyber capability to basically bring down our power grid to create... to paralyze our financial system in this country to virtually paralyze our country," he told reporter Scott Pelley of CBS Evening News. "And I think we have to be prepared not only to defend against that kind of attack but if necessary we are going to have to be prepared to be able to be aggressive when it comes to cyber efforts as well. We've got to develop the technology, the capability we've got to be able to defend this country." Maybe the most alarming part of cyber warfare is that it doesn't take an organized effort or millions of dollars to implement a devastating attack. A creative devious mind with access to a computer is all that it takes.

This presentation will show that the ITF provides the opposing force perspective needed to evaluate the integration of cyber, information interoperability, and C2.
ITF Presentation Abstract

Title: The Integrated Threat Force (ITF): A Full Spectrum Advanced Persistent Threat for Operational Tests

Discussions about, and definitions used for, the Advanced Persistent Threat usually include only the context of a cyber threat to Information Security and not the full spectrum of threat persistent behaviors. It is noteworthy that Joint Publication 1-02:... does include Persistent Surveillance and Estimative Intelligence, which are relevant to this topic. This presentation proposes definitions for Advanced Persistent Threat in the context of Operational Testing and presents how the Threat Systems Management Office's (TSMO) existing Integrated Threat Force (ITF) Program brings a scalable, adaptive, full-spectrum advanced persistent threat capability, including cyber threats, to the operational test community.

The ITF Initial Operating Capability (IOC) was delivered in December 2010 and has been deployed to support OT events in 2011 and 2012. The ITF is a capability with defined threat representations for high, medium, low and hybrid threats. The ITF also addresses the current Information Operations (IO) environment with threat Computer Network Operations (CNO) and Electronic Warfare (EW) systems integrated into the ITF tactical C4 capabilities. This allows the ITF to represent any set of estimative intelligence that test authorities want to define for the threat, and to incorporate cyber events both on the Road To War and during operational execution, which then define the context for the operational test vignettes. The threat's persistent behaviors therefore extend from the definition of start conditions through execution of the tactical vignettes.

What is the difference between stand-alone persistent cyber events and a coordinated attack from a threat using cyber in combination with persistent surveillance?
Relevant Joint Definitions

Joint Publication 1-02, Department of Defense Dictionary of Military and Associated Terms, 8 November 2010 (As Amended Through 15 August 2012)

persistent surveillance: A collection strategy that emphasizes the ability of some collection systems to linger on demand in an area to detect, locate, characterize, identify, track, target, and possibly provide battle damage assessment and retargeting in near or real-time. Persistent surveillance facilitates the prediction of an adversary's behavior and the formulation and execution of preemptive activities to deter or forestall anticipated adversary courses of action. See also surveillance. (JP 2-0)

estimative intelligence: Intelligence that identifies, describes, and forecasts adversary capabilities and the implications for planning and executing military operations. (JP 2-0)

Neither Advanced Persistent Threat nor Persistent Threat has an agreed definition in the current version of the Joint Pub 1-02: DoD Dictionary.
Advanced Persistent Threat Definition

It is proposed that, for Operational Testing, Advanced Persistent Threat can be defined as follows:

Advanced Persistent Threat for Operational Test: The representation of threats, including Command and Control, traditional battlefield functions, and Information Operations, for use in the Operational Test and Evaluation of systems, which accounts for the accumulated knowledge available to the threat force as well as the context gained during the Road to War leading to the test event. The threat's persistent surveillance assets provide the basis for intelligence collection as well as offensive operations against the system under test, including the play of CNO, EW, and other sensors (ISR and Human). This allows the threat commander to synchronize cross-functional tactics, techniques and procedures to accomplish the threat's strategic goals and tactical missions.

A threat with persistent surveillance capabilities, including persistent cyber, and the ability to bring a coordinated approach to achieving its strategic, operational and tactical objectives is a threat indeed!
Integrated Threat Force (The Army's Answer to Threat)
Communicating Persistent Surveillance in the ITF
Operational Test Example: ITF C2 Capability Integrated with Threat Assets

[Diagram: threat task organization for an operational test; only the labels are recoverable from the slide.] Elements shown:

- C2 nodes: THQ, CPV1, CPV2 (-), TCV1, TCV2
- EA / ES / CNO cell (x1)
- Dismounted teams (DSMT): groups of 18 (x3, x3) and 30 (x2 / x6) with 3-4 RPG-7, 2 SA-7/18, and 1-3 snipers each
- Comms jammers: x1 CICADA, x1 TSIJ, x2 low, x1 medium, x1 high
- TIEW-E (constructive)
- x3 SIGINT/DF NESTS
- CNO: x1 wired, x1 wireless (NETT)
- Constructive and virtual assets
ITF: Multi-Echelon C2 Capability Option

Echelons represented (with the ITF asset providing command, or command and staff, at each):

- National Authorities
- Echelons Above Corps
- Corps Level: Threat Liaison
- Division Level: THQ (Command and Staff)
- Brigade Level: TNV (Command and Staff)
- Battalion Level: CPV1 / CPV2 (Command and Staff)
- Company Level: TCV1 / TCV2 (Command)
- Platoon Level: ITF Notebook (Command)
- Squad Level: ITF Cell Phone, Dismounted ITF Assets

Legend:

- THQ = Threat Higher Headquarters
- TNV = Tactical Network Vehicle
- CPV (1&2) = Command Post Vehicles
- TCV (1&2) = Tactical Command Vehicles
ITF Persistent Surveillance Capabilities

NESTS: The Networked Electronic Support Threat Sensors (NESTS) come in High, Medium and Low capability variants. The High and Medium versions are able to conduct persistent spectrum surveillance as well as near real time signal identification and transmitter geo-location.

NETT: The Network Exploitation Test Tool (NETT) brings together hundreds of hacker tools into a fully capable CNO suite. The TSMO CNO Teams are capable of short term testing or longer term surveillance and exploitation.

TUD: The Threat Unmanned Devices (TUD) is a manned representation of a suite of ISR and EW capabilities from Unmanned Aerial Systems (UAS). This includes video and still imagery as well as SIGINT Direction Finding and jamming.
Advanced Persistent Threat Assets: Wired and Wireless CNO

ITF NETT Thin Client:

- CNO Target Nomination
- Surveillance and Attack Status
- Network Topology information
- Allows the Threat to correlate CNO with other assets

NETT Wireless CNO for Exploitation and Attack:

- Wireless Access Point detection
- Naming and Security data capture
- Mobile CNA capabilities
- Adds Wireless to the Wired CNO Arsenal
Advanced Persistent Threat Assets: SIGINT, Electronic Attack, and ISR

Aerial Surveillance and DF Capabilities with TUD:

- Command Post Monitoring
- Change Detection
- Mission Rehearsal Activity Monitoring
- Target Verification
- Target Tracking
- Reaction Detection and BDA

Ground-based SIGINT and EA:

- SIGINT Locations
- Track Correlation and Display
- Target Shooter Pairing
- Engagement Control
- Spectrum Monitoring
The ITF is a threat with Advanced Persistent Surveillance and integrated Command and Control across the range of Information Operations, including Cyber!

Questions?