Florida School Mod 3
MSB 1.2: Identify the AFCYBER forces conducting secure and defend functions within the AFIN. 688 CW Units that fulfill CSSP secure and defend functions
26th Network Operations Squadron, 33d Cyberspace Operations Squadron, 83d Network Operations Squadron, 561st Network Operations Squadron, 690th Cyberspace Operations Squadron, 691st Cyberspace Operations Squadron.
MSB 1.2: Identify the organizations supporting AFCYBER DODIN Operations (A)
616th Operations Center (616 OC) tasks AFCYBER tactical units based on 688 Cyber Wing (CW) and 67 CW
688 CW Units that fulfill secure and defend functions but are not designated as CSSPs
690th Intelligence Support Squadron and 692d Cyber Operations Squadron.
LO 2 Comprehend facts and principles about the AFIN architecture and the AFCYBER Forces performing cyberspace operations (B) MSB 2.1: Given a scenario or brief description, distinguish between the roles and responsibilities for AFCYBER weapon systems supporting cyberspace operations. (B)
???
Network Attack System (NAS)
???
MSB 1.3: Identify common cyber threat actor tactics, techniques, and procedures. (A)
Adversary Capability. The adversary's resources, skill-level, or expertise (i.e., the TTPs), weapons and platforms) are factors in determining the adversary's capability
MSB 1.2: Describe common cyber threat actor intentions and motivations. (B)
Adversary Intent. An adversary's intent is the goal or outcome that the adversary seeks, the consequences the adversary seeks to avoid, and how strongly and urgently the adversary seeks to achieve those outcomes or avoid those consequences. External cyber threat actor intentions Nation-States/State-sponsored - potentially the most dangerous, has access to advances, dedicated cyber operations programs and may leverage offensive cyber warfare. Has access to extensive, sophisticated resources. Intent to advance their interests in driving geopolitical outcomes such as gaining an economic/innovative or military edge. Advanced persistent threats (APTs) Cyber Criminals/Organized Crime - sell or use for financial gain or power. used as surrogates by nation-states or transnational actors. The cybercriminal main goal/intent is profit based. Hacktivists - promoting, or bringing awareness to their social, ethical or political cause, or achieving notoriety for their cause. Ideological Terrorist/Extremist Groups and Organizations - achieve political or ideological gains through threat, influence coercion, intimidation. Amateur Thrill Seekers "script kiddies" - Amateur thrill seekers are motivated by money, fame, notoriety, bragging rights, status, anger and/or pure curiosity. Internal cyber threat intentions Malicious Intent Insider Threats - abuse authorized access rights. They are often motivated by grievances, personal gain, ideological reasons or profit. Non-Malicious Intent Insider Threats - negligence, carelessness, mistakes or other non-intentional actions inadvertently opening up avenues of attack into systems or causing compromise.
MSB 2.2: Identify common threat modeling frameworks and methodologies. (A)
Adversary Lifecycle Analysis (ALA) MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) Model and Framework. The Cyber Kill Chain Diamond Model of Intrusion Analysis
MSB 1.5: Identify the purpose of Air Force Agency Boundaries (A)
Air Force NIPRNet Gateways (AFNGWs) - a suite of network and security equipment that serves as the legacy AF agency level security boundary. Joint Regional Security Stacks are Defense Information Systems Agency (DISA) provided network security stacks that protect the enterprise network as part of the Joint Information Environment (JIE) single security architecture. JRSS permits the DoDs Combatant Commands, Services, and Agencies subscribers to move their existing, Base, Post, Camp, and Station (B/P/C/S) local perimeter security infrastructure responsibilities to a regional site. JRSS enable streamlined network security based on logical Communities of Interest (COIs) rather than location-based or component or service unique security. Air Force SIPRNet Gateways (AFSGWs) - SIPRNet Gateways are security stacks implemented between the base SIPRNet SDPs and the DoD SIPRNet. SIPRNet Gateways provide the majority of IPS/IDS capabilities at the AF SIPRNet agency boundary.
MSB 2.1: Describe the purpose of cyber threat modeling. (B)
Allows us to effectively analyze the massive amount of data and information. Process all the information/ proper context to make fast, confident decisions. Threat intelligence frameworks provide structures for thinking about attacks and adversaries. They promote a broad understanding of how attackers think, the methods they use, and where in an attack lifecycle specific events occur. This knowledge allows defenders to take decisive action faster and stop attackers sooner. Ensure threats have been fully removed and prevent future intrusion.
Group 5. Specially Designated Units
Any force designated by the President or the Secretary of Defense as part of the DoD COF for the purpose of conducting activities in support of specific cyberspace operations.
Group 4. Special Capability Providers:
Any force purposely organized to execute OCO or DCO response actions.
MSB 1.3 Distinguish between the key capabilities of cyber weapon systems. (B) JCC2 Key Capabilities
C2 of Cyber Forces: Establishes, directs, coordinates and assess full spectrum cyberspace ops (OCO, DCO, and DODIN operations) supporting CCMD air, space, land, and sea operations. Orders Development & Dissemination: Creates, tasks, and tracks completion of orders to assigned and attached AF cyber forces, and Cyber Mission Forces
Special Access Programs (SAP) - Need-to-know
Classified with special safeguarding and access requirements (need-to- know) Must be assigned an unclassified nickname ▪ Programs are in acquisitions, intelligence, and operations & support categories
Group 2. USCYBERCOM Subordinate
Command Elements. The subordinate headquarters (HQ) of USCYBERCOM execute Command and Control (C2) of the Cyber Mission Forces (CMF) and other cyberspace forces, including the Cyber National Mission Force-Headquarters (CNMF-HQ), the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN), the Joint Force Headquarters-Cyberspace (JFHQ-C), the Service Component Commands (SCC) HQs, Cyberspace Operations-Integrated Planning Elements (CO-IPEs), and those Service-retained forces. 16 AF Units = 616th Operations Center, 854th Cyberspace Operations Squadron, 119th Cyberspace Operations Squadron
AF Network Secure (AFNET-S) - (SIPR)
Comprised of multiple secret level domains (i.e., AREA42, AMC SIPR, PACAF SIPR) Much more difficult to administer (Management historically based on MAJCOM HQ location) Architecture and funding vary by MAJCOMs/bases No separate base network (traffic traverses existing NIPR transmission lines) Network traffic encrypted by TACLANES
MSB 1.2: Describe the purpose of the Cyber-Tactical Operations Center (C-TOC). (B)
Conduct Mission Management support for assigned CMTs Maintains situational awareness and tracking of all Cyber operations performed by assigned CMTs Manage offensive cyberspace operations, C-ISR, C-S&R, and C-OPE of the JFHQ-C assigned CMTs/CSTs Provide situational awareness of current CO to the JFHQ-Cs Current Operations Cell Tracking/Scheduling assigned CMTs
Air Force Intranet Control (AFINC)
Controls the flow of all external and inter-base traffic through centrally managed NIPR/SIPR gateways, Joint Regional Security Stacks (JRSS) and an inter- base Virtual Private Network (VPN) mesh. AFINC WS is operated by the 26 Network Operations Squadron (26 NOS).
Air Force Cyberspace Defense (ACD)
Defensive Counter Cyberspace Pursuit (DCC-P) DMZ Vulnerability Assessment Host Sensor Monitoring Network Sensor Monitoring Incident Response - Cat Events Forensic and Malware Analysis IDS/IPS Signature creation
Cyber Security and Control System (CSCS)
Directory Services Messaging Monitoring Host System Storage and Virtualization
MSB 3.1: Identify the purpose of the Intelligence Community Security Coordination Center (ICSCC). (A)
It serves as the Federal Cyber Center for the integrated defense of the IC Information Environment (IC IE). The IC SCC provides tools and services that facilitate situational awareness during steady state operations and coordinates the integrated community response for the IC IE during significant cyber events.Sharing of IC cyber indicators to improve cybersecurity Sharing of IC cyber indicators to improve cybersecurity
IW-310 CYBER WEAPON SYSTEMS LO 1 Comprehend Cyber Weapon Systems and the Air Force units that employ them. (B) MSB 1.1 Distinguish between active-duty Air Force units employing cyber weapon systems. (B)
Joint Cyber Command and Control (JCC2) Network Attack System (NAS) Cyberspace Vulnerability Assessment/Hunter (CVA/H) Air Force Cyberspace Defense (ACD) Air Force Cyberspace Defense (ACD) Air Force Intranet Control (AFINC) Cyber Security and Control System (CSCS)
Likelihood of occurrence based on an analysis of the probability
Mission Impact Level. The degree and duration of the impact on the commander's missions. Scope. The extent and breadth of the impact on the commander's missions.
Air Force Intranet Control (AFINC)
Network Management Wide Area Network (WAN) Management and Analysis AF Agency Boundary Protection Base Boundary Protection Domain Name Services (DNS) Management Email Hygiene
IW-330 OFFENSIVE CYBERSPACE OPERATIONS LO 1 Comprehend Joint Force Headquarters-Cyber (JFHQ-C) Air Force responsibilities for Offensive Cyber Operations (OCO). (Proficiency Level: B) MSB 1.1: Identify the forces performing JFHQ-C (AF) OCO. (A)
OPCON AFCYBER 91 COS(001CMT) / 390 COS / 375 COS /ARCYBER/FLTCYBER
IW-320 DODIN OPERATION LO 1 Comprehend Air Forces Cyber (AFCYBER) responsibilities for Department of Defense Information Network (DODIN) Operations. (Proficiency Level: B) MSB 1.1: Define DODIN Operations (A)
Operations to secure, configure, operate, extend, maintain, and sustain Department of Defense (DOD) cyberspace to create and preserve the confidentiality, availability, and integrity of the DODIN
Cyberspace Defense Analysis (CDA)
Provides constant monitoring for the collection, analysis and reporting of unsecured and unprotected telecommunications systems to determine if they are being used to transmit sensitive or classified information. OPSEC and communications security (COMSEC) CDA WS is operated by one Active-Duty unit, the 33d Cyber Operations Squadron (33 COS)
MSB 1.3: Describe the approval process used by JFHQ-C (AF) to plan and execute OCO. (B)
Review and Approval Process for Cyber Operations (RAPCO) is the formal process for President of the U.S. (POTUS) or Secretary of Defense (SECDEF) approval of deployment and initial and ongoing employment of OCO and DCO-RA operations.
Platform Information Technology (PIT)
Special purpose DOD systems Long tech refresh cycles Doesn't reside on the AFNET/AFNET‐S Includes AFIN type 1 and AFIN Type 2 systems
Cyberspace Defense Analysis (CDA)
Telephony Radio Frequency (RF) Email Internet-based Communications (IbC) Monitoring Cyber Web Risk Assessment
MSB 1.4: Distinguish between the processes and tools used to integrate, plan and direct OCO missions. (B) first process
Telephony missions is the 616 OC Cyber Tasking Cycle (CTC) that produces an AF Cyber Tasking Order (CTO)
Network Attack System (NAS)
The 91 COS is the USAF's premiere OCO unit operating the NAS WS and infrastructure Executes network attack planning and operations to Deny, Degrade, Disrupt and Destroy or Manipulate (D4M) adversary information and information systems in support of influence operations for Component, Joint and Allied forces
Air Force Cyberspace Defense (ACD)
The Air Force Cyberspace Defense (ACD) WS mission focus is defensive cyber operations that prevent, detect, respond to, and provide forensics of intrusions into AFIN NIPR/SIPR networks. ACD is operated by the 33d Cyber Operations Squadron (33 COS) ACD Roles and Responsibilities Incident Prevention Incident Detection Computer Forensics Incident Response
Cyberspace Vulnerability Assessment/Hunter (CVA/H)
The Cyberspace Vulnerability and Hunter (CVA/H) Air Force weapon system (WS) is an approved USCYBERCOM Deployable Mission Support System (DMSS) adaptation used by the Air Force to execute Air Force Service Cyber Protection Team (CPT) missions. 92d Cyber Operations Squadron (92 COS)/ 835th Cyber Operations Squardon (835 COS)
IW-335 CYBER MISSION FORCES LO 1 Comprehend the composition of the Department of Defense (DoD) Cyber Operations Forces (COF). (B) MSB 1.1: Describe the five operational groups of the DoD COF. (B) Group 1. Cyber Mission Forces (CMF).
The three elements of the CMF and mission support functions are Cyber Protection Force (CPF), the Cyber National Mission Force (CNMF), and the Cyber Combat Mission Force (CCMF). These three elements will be broken down a little further later in the lesson.
IW-300 CYBERSPACE THREATS MSB 1.1: Distinguish between the components of risk as defined by the DODIN-RAM. (B)
Threats, vulnerabilities, likelihood of occurrence and mission impact
AF Joint Worldwide Intelligence Communications Systems (AFJWICS)
Top Secret/ Sensitive Compartmented Information (TS/SCI) Network (flat domain design) DIA controlled Part of the greater Air Force Intelligence Community Information Environment (AF IC IE) Used primarily by members of the Intelligence Community and Department of Justice (FBI) Network traffic encrypted by TACLANES
IW-305 AFIN OVERVIEW MSB 1.1: Distinguish between the components of the AFIN. (B) AF Network Non-Secure (AFNET-N) - (NIPR)
Unclassified flat domain design (Area52) Enterprise level administrative privileges Standardized design & composition Enterprise funded by one major command (MAJCOM), Air Combat
Group 3. DoD Component Network Operations Centers and Cyber Security Service Providers (CSSP).
Units designated by the Secretaries of Military Departments, in coordination with other DoD Component Heads, to conduct cyberspace operations in support of DOD IN Operations, including DCO and internal defensive measures. 16 AF AD Units = 26th Network Operations Squadron, 33d Cyberspace Operations Squadron, 83d Network Operations Squadron, 561st Network Operations Squadron, 690th Cyberspace Operations Squadron, 691st Cyberspace Operations Squadron
The AFIN Mission Assurance Center (AMAC)
a C2 element subordinate to the 616 OC, exercises Tactical Command and Control (TAC-C2) of routine DODIN Ops missions on the AFIN.
MSB 1.3: Identify the purpose of the Base Boundary (A)
a security perimeter that connects the Base Network to the AFNET. The AF base boundaries' primary function is to protect the base network from external threats and to segregate publicly accessible networks from the rest of the base architecture.
Threats are made up of
adversary intent and adversary capability
MSB 1.2: Identify the purpose of the Base Network (A)
all NIPRNet network service and connectivity inside the base boundary to locations on base property. Provides for the necessary connections from user assets positioned in various nodes and transfer buildings across the base to be then aggregated at the Base Boundary.
IW-315 AFIN Architecture LO 1 Know facts and principles about the Air Force Information Network (AFIN) architecture (A) MSB 1.1: Identify the purpose of Host Systems (A)
an endpoint on a network, which provides services to users or other computers on that network.
DCO-RA
are the form of DCO missions where actions are taken external to the defended network or portion of cyberspace without the permission of the owner of the affected system.
IW-325 DEFENSIVE CYBERSPACE OPERATIONS LO 1 Comprehend 16th Air Force, Air Forces Cyber (AFCYBER) and Joint Force Headquarters-Cyber (JFHQ-C) Air Force (AF) responsibilities for Defensive Cyberspace Operations (DCO). (B) MSB 1.1: Distinguish between the two types of Defensive Cyberspace Operations. (B) DCO-IDM
are the form of DCO missions where authorized defense actions occur within the defended network or portion of cyberspace
Attack Vectors
attack or threat vector generally refers to a delivery mechanism used by threat actors to exploit vulnerabilities in hardware, software or people to gain unwelcomed access to information systems Common attack vectors: o Spear Phishing o Whaling o Social Networking o Drive-By Attacks o Watering Holes o Cross-Site Scripting (XSS) o Fake Login Pages o SQL Injections o Supply Chain o Zero-Day/N-Day
Contest
comprises cyber activities and actions in and through cyberspace and the information environment to degrade, disrupt, or manipulate the targeted system or data resident thereon
Defend forward
comprises cyber activities and actions in and through cyberspace, outside of U.S. military networks, at or as close as practicable to the source of adversary activity to provide or enhance warning and mitigation
CCMD CPTs
defend geographic/functional CCMD cyberspace and have a unique command relationship based on ACO 8500-24. The majority of C-CPTs are OPCON'd to their respective JFHQ-Cs (AF, Army, Navy and USMC) and "one" C-CPT is OPCON'd to JFHQ-DODIN. In addition to the OPCON COMREL, each C-CPT is in a "direct support" COMREL with their respective CCMD.
Service CPTs
defend service specific terrain and are OPCON'd to the Service Cyber Component (AFCYBER, ARCYBER, FLEETCYBER and MARFORCYBER).
DODIN CPTs
defends the DODIN core and boundary and are OPCON'd to Joint Force Headquarters-DODIN (JFHQ-DODIN).
MAJCOM Communication Coordination Centers (MCCC)
do not fall under 16 AF command authority, but MCCCs prioritize subordinate unit cyberspace support requirements by greatest need and risk to base operations under the respective MAJCOM.
Vulnerabilities are a function of
exposure, exploitability, and effectiveness of security controls. (weaknesses) Effectiveness is the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system Common Vulnerabilities and Exposures (CVE) - CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities and exposures. Common Weakness Enumeration (CWE) - A formal list or dictionary of common software and hardware weaknesses. Common Vulnerability Scoring System (CVSS) - An open framework for communicating the characteristics and severity of software vulnerabilities.
MSB 1.3: Distinguish between the operating concepts required for persistent engagement on the DODIN (B) Anticipatory resilience
is an operational posture seeking to continuously anticipate, identify, withstand, recover from, and adapt to adverse cyber-enabled positions that could threaten the DODIN, counterintelligence, National Security Systems, and Defense Industrial Base (DIB), or other designated friendly systems or networks
MSB 1.2 Distinguish between the mission, roles, and responsibilities of cyber weapon systems. JCC2 Mission :
joint weapon system (WS) providing overarching, interoperable, integrated 24/7/365 situational awareness (SA), cyber battle management and command and control (C2) of the DOD portion of the cyberspace domain for users at all joint cyber C2 organizational levels. 616th Operations Center (616 OC)
Cyberspace Vulnerability Assessment/Hunter (CVA/H)
mobile, precision capability heuristic behavioral analysis. Discovery and Counter Infiltration (D&CI) Cyber Threat Emulation (CTE) Threat Mitigation
Malware
o Virus o Network Worm o Trojan Horse o Backdoor o Remote Access Trojan (RAT) o Information Stealer o Downloader/Dropper o Ransomware o Scareware Denial of Service (DoS) and Distributed DoS (DDoS) Attacks - unavailable to intended users Botnet - group of computers infected with the same malware Command and Control (C2 or C&C) - centralized machines/computers controlled by an attacker that are able to send commands and receive outputs of compromised machines
Service CPTs
operate across Service owned and operated cyber terrain with a focus on protecting key terrain supporting unit-specific missions.
CCMD CPTs
operate across assigned geographic/functional CCMD cyberspace with a focus on Key Terrain-Cyber (KT-C) designated by the Combatant Commander (CCDR). These CPTs may augment other CCMDs as required.
DODIN CPTs
operate across the DODIN with a focus on DODIN core and boundary, and some Service network KT-C as required.
MSB 1.2: Distinguish between the Areas of Operation (AO) for the four CPT mission areas. (B) National CPTs
operate across the DODIN with a strategic-level and/or specific adversary focus, and may be tasked to protect sectors of U.S. Critical Infrastructure and Key Resources (CIKR) outside of the DODIN. On or OFF DODIN
Cyber Security and Control System (CSCS)
provide 24/7 DODIN Ops and management functions and enable key (core) enterprise services within Air Force unclassified and classified networks. CSCS is operated by four Active Duty (AD) Network Operations Squadrons (NOS), The 83 NOS,561 NOS, 690 COS, 691 COS
MSB 1.4: Identify the purpose of the Area Processing Centers (A)
regional data centers that house the core enterprise services equipment. It's where data processing and information storage occur. The establishment of APCs provide the capability to manage all core services and other unique mission system application resources for the AFCYBER Commander from a centralized location.
Subordinate Wing Commanders, via their Command Post
submit Operational Reports (OPREP) to report AFIN contingencies and articulate risk to mission operations.
second OCO tasking process
utilized for internet protocol (IP) missions is USCYBERCOM's CTC using the Project IKE or IKE planning website to generate CTOs for CMTs assigned to JFHQ-C (AF) to provide OCO support for CCMDs
MSB 1.3: Identify the Operational Control (OPCON) alignment for each Cyber Protection Team (CPT) by mission area (A) National CPTs
with a strategic and national-level focus are OPCON'd to Cyber National Mission Force Headquarters (CNMF-HQ).