Aggressors prowl for Air Force information

  • Published
  • By Master Sgt. Eric M. Grill
  • Defense Media Activity-San Antonio
A little known unit here, working in a bank of trailers hidden from the public, performs a unique mission for the Air Force: hacking into the vast Air Force computer networks to help protect those networks from an enemy's attack.

The Air Force hackers from the 57th Information Aggressor Squadron here and the Kansas Air National Guard's 177th Information Aggressor Squadron, known collectively as the Aggressors, help prepare Air Force, joint and allied personnel by replicating current and emerging threats as a professional information operations opposition force.

Gen. Stephen R. Lorenz, Air Education and Training Command commander, wrote in a commentary about cyberspace printed in December, that, "Our enemies are attacking our network, the same network (people) use to send e-mails, share documents and access the Internet. They are using stealth and surprise to insert malicious code into our network in order to gain intelligence. What is our enemy's intention? We don't know, but it's not friendly."

Most of the time these attacks are considered benign, basically scans, said Lt. Col. Reb Butler, the 57th IAS commander. But he said, each day the Air Force and the Department of Defense receive thousands of computer attacks against its computer networks. 

"We want to make friendly forces better," Colonel Butler said. "The way to do that is to show them the threats that they're facing today and the ones that they will face tomorrow. So when they go out and face the threats in the real world, they actually feel it is a lot easier to conduct their operations."

The Aggressors, Colonel Butler said, operate on three basic principals: knowing the threat, teaching the threat, replicating the threat.

To get to know the threat, they partner with the intelligence organizations like the National Security Agency, Central Intelligence Agency, the National Air and Space Intelligence Center and other key intelligence organizations to study and characterize the threats that are out there.

Once they know the threat, they teach the threat.

"Once you understand what the threats are doing and how they're doing it, we take that information and teach people about the threat," Colonel Butler said. "We try to tailor to our training audience. In our case, every person who works on a DOD installation or touches a DOD network is part of our training audience because (they) face this threat everyday when they go to work. (The threats) may not be obvious to you and they not be known to you ... but they are out there and you need to be prepared as a user, as a consumer, and more importantly, as a network defender or an information defender, your role in doing that."

Finally the Aggressors will replicate those threats.

"We can see if our friendly tactics techniques and procedures, and in this area, policies, are effective to either mitigate or defeat those threats," Colonel Butler said. "Where they are not effective, we identify those shortfalls and gaps so that friendly forces can either build new tactics, write new policies or acquire new systems to defeat those threats or assume that they are acceptable risks."

One of the tools the men and women of the 57th IAS and 177th IAS use to teach network security to users at individual bases is called the Information Operations Road Show, a three-phased process. 

The first phase is done remotely from dot-com means and open source information; Aggressors then go to the installation itself; and finally through replication of the attack, they train the network control centers and individual users on their responsibilities of securing the computer networks.

During the remote phase the Aggressors figure out what the key units, key functions and the key parts of that base are that contribute to the Air Force and Department of Defense.

"It helps us define our 'red' objectives, what we as an adversary would want to know about that installation," Colonel Butler said.

It's also where the Aggressors will infiltrate the network and basically establish their presence.

"That strategy is very simple.  We gain access to the network, usually through phishing attacks by attacking the human user (for their information) and making them a victim by gaining their privileges," he said. "Once we get into the network, we'll establish footholds into the network and then map the network."

The Aggressors will continue to try to escalate their privileges in that network and will try to "own" the entire base network and go beyond that installation to multiple installations and in some cases to multiple major commands, Colonel Butler said.

"Finally we'll exploit that network by data-mining it to find that key information about their mission or their key contributions to the DOD," Colonel Butler said. They use this information for phase three.

During phase two, a team is sent to the installation and starts from outside the gate. They'll defeat the layers of defense for the information and gain access through the installation's gate, the physical security of the buildings, the offices and the desks. 

Then they will go after the more sensitive areas where work is being accomplished, whether that is the flightline or secure work areas, so they can see how far they can infiltrate to getting access -- long-term, unhindered access -- to that installations' information, Colonel Butler said.

"Phase three, the most important part of this form of threat replication, is where we put the uniform back on and provide training and feedback, not just for the commander, but for as many people as that commander makes available to us, so that we can improve friendly forces," Colonel Butler said. 

"Up until phase three, it really is just an assessment," he said. "Friendly forces behavior doesn't change until we provide the feedback, both good and bad, and specialize the academics for those layers of defense, whether they are on the network, whether they are physical or whether there are other concerns so that friendly forces are better prepared to meet or defeat the information operations threats."

Based on the information from law enforcement and intelligence agencies, Colonel Butler said the current trend for hackers, whether they are criminal, nation-state or terrorist in nature, is not to attack the advancing technology being used, but attack the individual user to gain access to the networks.

The threats out there basically are trying to take advantage of the human interface, Colonel Butler said.

"Our Airmen are our first line of network defense, he said. "Ultimately they are the risk manager for all of our networks. Whether they knew that or not, they should now. We need to educate and train them so that they understand the types of threats they face and why we have certain policies and procedures in place.  They are there to defeat those threats."

As an example, Colonel Butler said that the least educated Airman here at Nellis, whether it be a civilian employee or an airman basic, is the risk manager for the network at Langley Air Force Base, Va.; at Barksdale AFB, La.; and Davis Monthan AFB, Ariz.  As Air Force officials consolidate the network operations centers into key centers of excellence, (those users) also will be the risk managers for Aviano Air Base, Italy, Ramstein AB, Germany and Royal Air Force Lakenheath in the United Kingdom.

"That tells you how widespread and how important it is to educate every user on their role and their responsibility for defending our networks," Colonel Butler said.

"If the individual is not prepared to understand the threat and know what to do when those threats happen to be successful, that is, mitigate those threats, the adversary wins and we lose," Colonel Butler said.

"Part of educating our Airmen about the threats is so they understand what (those threats) look like, so they can recognize them and identify them, and then activate the rest of the layers of defense to defeat or mitigate those threats," he said. 

Comment on this story   (comments may be published on Air Force Link)

View the comments/letters page