What is Agile Combat Employment?
A proactive and reactive operational scheme of maneuver executed within threat timelines to increase survivability while generating combat power.
Key Elements of ACE
Expeditionary and Multi-capable Airmen
Tailored Force Packages
Resilient Distributed Logistics
Assured and Interoperable C2
Expeditionary and Multi-Capable Airmen
Airmen accomplishing tasks outside their core AFSC. Personnel are trained as a cross-functional team to meet and provide combat support to aviation force elements.
Tailored Force Packages
Tailoring deployment lines for emerging missions. Force packages need to be flexible in regard to what, who, and how forces are deployed.
Resilient/Distributed Logistics
Pull and push system that maximizes distributed mission effectiveness.
Assured and Interoperable C2
Centralized command, distributed control, and decentralized execution. Translating C2 into action at the speed and scale of relevance.
Agile Combat Functions
Posture and Preparation
Movement and Maneuver
Sustainment
Protection
Information
C2
Fires
Intel
Posture and Preparation
Plans, agreements, and prepositioned equipment that array sustainable forces with effective reach.
Movement and Maneuver
Direct and execute proactive and reactive dispersal within CCMD timelines of acceptable risk.
Sustainment
Generate, project, and sustain combat power for required mission profiles from dispersed operating locations
Protection
Organic/relocatable airbase defense at forward locations with joint/coalition integration
Information
Integrate and synchronize the full range of information capabilities into ACE CONEMPs
C2
Assured C2 of dispersed forces despite kinetic and non-kinetic attacks
Fires
Synchronize and mass all-domain fires with dispersed locations
Intelligence
Sense, assess, and communicate threats to dispersed locations for defense of joint/coalition forces and to support mission generation.
The Air Force’s Dependence on the Cyber Domain
Most Air Force weapons and support systems were designed to operate within a cyberspace environment and that environment is a domain contested by a maneuvering adversary.
Operating System (OS)
Most important software that runs on a computer.
Manages memory, processes, and the hardware that supports them.
Graphic User Interface (GUI)
Provides a point and click interface where you’re using a mouse and/or a touch screen to interact with a computer.
(example: Microsoft Windows)
Command Line Interface (CLI)
Depends on commands and code being entered into a shell that interacts with the computer.
(Example: Linux)
Microsoft Windows
Most popular Operating System for desktops
Uses a GUI
Registry uses New Technology File System (NTFS)
Registry uses keys and values (HKEY)
Dynamic Link Library (DLL)
A collection of small programs that larger programs can load when needed to complete specific tasks. This file contains instructions that help the larger program handle what may not be a core function of the original program.
Types of DLL files
Static Link
Dynamic Link
MAC OS
Second most used OS
Based on Unix
More secure than Windows
Linux/Unix
Derived from Unix
Uses a Command-Line Interface instead of a GUI
Free and open source
More popular as the OS for embedded systems
Physical Address
Address unique to the network interface card in the computer. It is hardwired into the physical computer by the manufacturer.
(Example: A Media Access Control or MAC Address)
Logical address
Address assigned by the computer or network device itself enabling it to communicate with other computer/network devices.
Example - IP Address
Private vs Public IP
One address is internal to the local area network (LAN)
The other address is unique to a specific network and reachable on the internet. Can be used to identify and document malicious activity.
Router
Sits at the edge of a local area network and connects it to the internet. Smart enough to efficiently direct your information to other (this thing)s on the internet.
Some are capable of deep packet inspection
Deep Packet Inspection
Type of data processing that inspects in detail the data being sent over a network, and usually takes action by blocking, re-routing, or logging it accordingly.
Switch
Connects multiple devices on the same network, such as computers, printers, and servers.
Firewall
A network security device that monitors incoming and outgoing network traffic and permits or blocks data packets based on a set of security rules.
Proxy server
A _________’s primary responsibility is to act as an intermediary for the client making a request outside of their organization
Content Filtering
Administrative control of user internet activity
Whitelist
Allows specific websites and denies all others
Blacklist
Allows all websites and denies specific websites
Caching Proxy
Implemented for improved network performance and the reduction of bandwidth usage.
Anonymizing Proxy
Obfuscates activity of the user making it difficult to track nefarious behavior. Many are open to the public and free to use.
Tunneling Proxy
Utilized to bypass content filtering proxy servers or other security appliances
Hostile proxy
Open to the public and used to eavesdrop on any user utilizing the proxy server
Cloud Systems (or Cloud Computing)
Services and applications that use remote servers to store and manage data, and deliver content and services over the internet.
Key Aspects of Cloud Architecture
Virtualization
Physical hardware is divided into multiple virtual machines
Resource Pooling
The ability to dynamically allocate computing resources across multiple users based on demand
Scalability
The capacity to easily scale up or down computing resources as needed without significant infrastructure changes
Elasticity
The ability to rapidly provision and release resources based on real-time requirements
Types of clouds
Public, Private, and Hybrid
Important Considerations for Cloud Computing
Data Ownership - A provider manages the infrastructure. The data stored on the ____ usually belongs to the consumer.
Compliance and Security - Providers are responsible for maintaining the security of their _____ infrastructure. But the consumer is still responsible for securing their data and applications
Packet
A basic unit of information that is transferred across a network
Port 22
Secure Shell (SSH)
Primary method used to remotely manage network devices
Port 80
Hypertext Transfer Protocol (HTTP)
Used by web browsers (so you can visit websites)
Port 443
HTTP over SSL/TLS (HTTPS)
Used in conjunction with HTTP to provide the same service, but with the connection encrypted using either SSL or TLS
Packet Capture (PCAP)
A networking practice involving the interception of data packets traveling over a network
Access Control List (ACL)
A list of rules that control access to a system’s resources, such as a computer or network
Industrial Control System/Supervisory Control and Data Acquisition (ICS/SCADA)
Highly distributed systems used to control geographically dispersed assets often scattered over thousands of square miles, where centralized data acquisition and control are critical to system operation.
Computers that control critical infrastructure
Water distribution and wastewater collection systems
Power grids
Railway transportation systems
HVAC
Traffic control
Why are ICS/SCADA systems so vulnerable?
Risk of the component being so unique that an update/patch may disrupt its operational behavior
Component is too costly to fix or replace
Component is too difficult to physically access
Human Machine Interface (HMI)
Software and hardware that allow human operators to monitor the state of a process under control, modify control settings to change the control objective, and manually override automatic control operations in the event of an emergency.
Data Historian
Centralized database for logging all process information within an ICS.
Engineering Workstation
A high-end, very reliable computing platform designed for configuration maintenance and diagnostics of the control system applications and other control system equipment.
Control server
Hosts the Distributed Control System (DCS) or PLC supervisory control software that communicates with lower-level control devices. Accesses subordinate control modules over an ICS network.
Master Terminal Unit
The device that acts as the master in a SCADA system.
Programmable Logic Controller (PLC)
A small industrial computer originally designed to perform the logic and functions executed by electrical hardware (relays, switches, and mechanical timers/counters).
Intelligent Electronic Device (IED)
A “Smart” sensor/actuator containing the intelligence required to acquire data, communicate to other devices and perform local processing and control.
Remote Terminal Unit (RTU)
A special purpose data acquisition and control unit designed to support SCADA remote stations.
Encryption
The conversion of plaintext to ciphertext. A method of obscuring and obfuscating data so that only authorized individuals or systems can interpret it.
Symmetric Encryption
A method of encryption in which both the sender and receiver use the same encryption key.
Asymmetric Encryption
Uses two different but mathematically related keys for encryption and decryption.
The two keys are the public key and the private key.
Brute Force
Trying every possible combination of keys to break an encryption
Cryptanalysis
Method of attacking the characteristics of an encryption algorithm.
Quantum computers
Biggest threat to asymmetric encryption
Hashing
A mathematical process that turns data into a unique, unreadable string of characters to protect sensitive information.
Purpose of hashing
Data Integrity - Data cannot be tampered with or accessed
Password security
Digital signatures
File management
Detecting threats
Vulnerabilities
Unintended flaws found in software programs or operating systems.
Can be the result of improper computer or security configurations and programming errors.
If left unaddressed: Can create security holes that adversaries can exploit
Zero Day (0-Day)
A vulnerability or exploit in a software that the manufacturer is unaware of. Requires the creation of a security patch to mitigate.
There are an infinite number
Require significant costs, time, and expertise to develop
Advanced adversaries make their own versions
Vulnerability Scanner
Assesses computers, computer systems, networks, or applications for known weaknesses.
Credentialed scan
When valid credentials are given to the scanner in order to have administrative rights on the targets. Allows for a complete scan of the entire system.
Non-credentialed scan
A scan performed without any credentials given and allows an assessment to be performed from the perspective of a cyber attacker.
Demilitarized Zone (DMZ)
A physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet.
Network Segmentation
A network security technique that divides a network into smaller, distinct sub-networks that enable network teams to compartmentalize the sub-networks and deliver unique security controls and services to each sub-network.
Minimizes the impact of a cyber intruder by slowing their ability to affect larger parts of a network
Intrusion Detection System (IDS) vs Intrusion Prevention System (IPS)
One is a passive device that ALERTS an analyst that something noteworthy has happened on the network.
Alerts an analyst
The other is an active solution that automatically responds to activity deemed nefarious.
Blocks cyber adversary from taking action and then alerts analyst.
Signature-based IDS/IPS
Tools that identify threats based on their known attack methods (aka signatures). Then the tool either notifies a user or blocks access to the threat actor.
Helpful but flawed due to its focus on pre-defined signatures (similar to anti-virus signatures needing updates)
Anomaly (or behavioral) Based IDS
Tool that alerts cyber analysts whenever something outside of normal behavior is detected regardless of whether or not signatures for the behavior exist.
Powerful but can generate false positives
Security Information and Event Management (SIEM)
A data aggregation, search, and report system that pulls all of the different kinds of logs together and allows the incident responders to visualize and access all the data in a readable format in one location.
SIEM Log Sources
Perimeter device logs
Windows event logs
Endpoint logs
Application logs
Proxy logs
Internet of Things (IoT) logs
Firewall Logs
Key Server Logs
IDS and Antivirus Logs
Web Server Logs
Secure Enclave
A computing environment under the control of a single authority with personnel and physical security measures.
Methods of wireless communication
Wi-Fi, Cellular, Bluetooth, Microwave, Infrared, Satellite
Radio Frequency (RF) Signal
A wireless electromagnetic signal used as a form of communication.
Wi-Fi
Used for wireless internet connectivity. Uses 2.4 GHz, 5 GHz, and 6 GHz frequencies.
Defense-in-Depth
The concept that ensures there are defensive security strategies at each layer.
Defense-in-depth layers
Physical
Network Boundary
Internal Network
Host
Application
Data