Sunday, January 3, 2010

Cyberdefenders Protect Navy Networks

Navy Cyber Defense Operations Command Gets On the Offensive to Guard Information Operations

By Mark Kagan

Military Information Technology
December 2009

The July 2009 announcement by the Chief of Naval Operations that a new Fleet Cyber Command/Tenth Fleet (FLTCYBERCOM) would be stood up by the end of the year signaled the profound importance and priority that the Navy is giving to the cyberwarfare domain. FLTCYBERCOM, which will also become the Navy component of the new U.S. Cyber Command, will bring together under one command the Navy’s information technology, intelligence and communications operations and will eventually comprise 45,000 personnel.

A key component of FLTCYBERCOM will be the Navy Cyber Defense Operations Command (NCDOC), which is responsible for coordinating, monitoring and overseeing the defense of the Navy’s computer networks and systems and their 700,000 users worldwide. NCDOC’s areas of responsibility encompass the Navy’s centrally managed NIPRNet and SIPRNet enclaves, which consist of the Navy Marine Corps Intranet, Integrated Shipboard Network System and OCONUS Navy Enterprise Network. These networks total approximately 350,000 seats.

NCDOC’s areas of responsibility also include legacy and “excepted” networks. Legacy networks are those networks that have not migrated into a centrally managed enclave or have not been designated as an excepted network. Excepted networks are networks that have been authorized by the Cyber Asset Reduction and Security Task Force to operate independently of a centrally managed network. Legacy and excepted networks comprise approximately 190,000 seats.

NCDOC executes computer network defense (CND) across the Navy through a group of operations centers that are aligned to the centrally managed enclaves. Command, control and coordination of the defense of legacy and excepted networks vary because of the unique nature of these networks. NCDOC also maintains close liaison with the Naval Criminal Investigative Service, which is the Navy’s cybercrime prosecution authority.

Based in Norfolk, Va., NCDOC reports to the Naval Network Warfare Command and is operationally aligned to the Joint Task Force-Global Network Operations, the lead Department of Defense organization designated to identify and mitigate threats to DoD information networks and to direct the defense of the Global Information Grid (GIG).

COMPUTER NETWORK DEFENSE

As the Navy’s designated computer network defense service provider, NCDOC provides CND services to Navy networks worldwide and executes all computer incident response team responsibilities. CND services include actions taken to protect, monitor, analyze, detect and defensively respond to unauthorized activities within DoD information systems and computer networks. Unauthorized activities may include disruption, denial, degradation, destruction, exploitation or access to computer networks, information systems or their contents, or theft of information.

“We detect and act upon all security incidents, and anyone else in the Navy doing any kind of security functions is required to report any incidents to us,” said Jim Granger, director of capabilities and readiness at NCDOC. “Whether we’re detecting them or they’re detecting them, it all comes to us.”

By comparison to computer network defense, information assurance covers measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection and reaction capabilities.

The Navy’s global CND strategy is fully integrated with DoD’s overarching defense-in-depth strategy, which is designed to ensure continued operation of the GIG, even in a degraded state. It covers people, technology and operations and is based on both a strong IA posture and CND unity of command.

The core of the Navy’s global CND strategy is its centrally managed sensors, which are operationally controlled by NCDOC and which aggregate the incoming data for attack sensing and warning.

“Our systems provide a tremendous capacity to process and export disparate data formats and present a global view of network activity to enable holistic fusion analysis, trending and normalization of network activity,” said Granger. “We fight in a terrain with no boundaries and with highly adaptive adversaries. That requires a global perspective and deliberate processes.”

Deliberate processes are important because they allow for consistent training and repeatable, standardized operations across multiple watch sections operating on a round-the-clock basis.

NCDOC was established in 2006, after performing similar functions as the Navy Computer Incident Response Team (NAVCIRT) since 1996, making it one of the oldest cybersecurity organizations in the federal government. It currently has about 200 personnel and is expected to grow significantly within the next four to five years if funding is approved, reflecting both the projected growth in cyberthreats and attacks and the importance that the Navy places upon cyberdefense.

“I think that the level of attention that the networks — we don’t have a single network, we have multiple networks — [is] garnering is what’s going to help us attain the realization across the Navy and joint organizations that cyber is another warfare area that has to be considered and treated like the other warfare areas,” said Captain Stephanie Keck, NCDOC’s commanding officer.

Keck assumed command of NCDOC this past summer after serving as the Multi-National Force-Iraq Information Operations Chief in Baghdad. She has spent much of her Navy career in information operations doing offensive cyberwarfare and exploitations. Like many users, she admits that she didn’t pay much attention to what was going on in the cyberdefense arena.

“Since taking command of NCDOC, I’ve learned quite a bit about how difficult it is to defend a multiplicity of networks when users typically aren’t paying attention to the things that they ought to be doing or not doing,” Keck said. “I’ve also learned it takes a holistic approach to defend the network and not just technical solutions.”

Regarding awareness across the Navy about cybersecurity and the threats and vulnerabilities it faces, Keck observed, “It depends on which part of the Navy you’re talking about. At most senior levels, I would say that awareness is very high. The lower you move down the chain, the lower the level of awareness.”

NETWORK AWARENESS

The heart of NCDOC is Prometheus, a system-of-systems that receives, aggregates, processes, correlates and fuses real-time and near-real-time information from multiple network sources to provide network domain awareness. “Network domain awareness” — a term that NCDOC coined and uses instead of situational awareness — provides commanders with the intelligence to make better-informed decisions about the directions in which they need to go, resource allocations and operations.

“We say ‘network domain awareness’ instead of ‘situational awareness’ because we’re not trying to tell where the ships are or what the weather is or anything of that nature,” Granger explained. “Network domain awareness is about what’s happening on the network and about the health of the network.”

A retired Navy commander, Granger joined NAVCIRT, which became NCDOC in 2006, as the first civilian in 1997.

The huge and growing number of security events was the stimulus for the creation of Prometheus in 2006, which was built upon an earlier system called Mobius. The problem at the time was two-fold, according to Granger.

“First, there was the data crush, which was only growing,” he explained. “We couldn’t handle all the alarms and we couldn’t aggregate and correlate them. At the same time, we needed analytical tools that could handle the massive amounts of data.”

Prometheus collects three primary data classes:

• Referential data: What does the network look like?

• Activity data: What’s happening on the network?

• Command and control information: Who owns that portion of the network on which activity is occurring?

The data is collected from hundreds of sensors on the Navy’s networks, as well as intrusion protection systems, compliance reporting databases, and every type of log, and combined by Prometheus to provide the network domain awareness.

“This capability provides the Navy with an exceptional ability to develop a deep understanding of the environment and to characterize network activity and continuously move toward earlier recognition of anomalous behavior requiring in-depth analysis,” Granger said.

Using customized filters for tracking information, Prometheus can automatically detect trends within its database and initiate further analysis when suspicious activity occurs. “The filters give our watch standers the flexibility to see the incidents and other data that they need and ideally see only information that is actionable,” Granger said. “I want my guys to see only something that they’re going to do something about.”
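The following is an added illustration, not code from NCDOC or the Prometheus system, of the fusion described above: activity data is aggregated, enriched with the referential and ownership data classes, and then filtered so that only actionable aggregates reach the watch floor. All hosts, enclaves, owners and alerts are constructed sample values.

```python
from collections import Counter

# Referential data (constructed sample): what does the network look like?
ASSETS = {
    "10.1.1.5": {"enclave": "NMCI", "role": "web-server"},
    "10.2.7.9": {"enclave": "ISNS", "role": "workstation"},
}
# Command and control information (constructed): who owns that portion of the network?
OWNERS = {"NMCI": "nmci-ops-center", "ISNS": "isns-ops-center"}
# Activity data (constructed sensor alerts): (timestamp, host, signature, severity 1-5)
EVENTS = [
    (100, "10.1.1.5", "sqli-attempt", 3),
    (101, "10.1.1.5", "sqli-attempt", 3),
    (102, "10.1.1.5", "sqli-attempt", 3),
    (103, "10.2.7.9", "port-scan", 1),
    (104, "10.9.9.9", "sqli-attempt", 3),   # host missing from the inventory
    (105, "10.2.7.9", "malware-beacon", 5),
]

def fuse(events, assets, owners, threshold=3, critical=5):
    """Aggregate activity per (host, signature), enrich each aggregate with the
    referential and ownership data, and split the result into what the watch
    floor should act on versus referential gaps for the inventory team."""
    counts = Counter((h, s) for _, h, s, _ in events)
    worst = {}
    for _, h, s, sev in events:
        worst[(h, s)] = max(sev, worst.get((h, s), 0))
    actionable, unknown_hosts = [], set()
    for (h, s), n in counts.items():
        asset = assets.get(h)
        if asset is None:
            unknown_hosts.add(h)          # cannot be routed without an owner
            continue
        # Filter: repeated activity or a single critical hit is actionable
        if n >= threshold or worst[(h, s)] >= critical:
            actionable.append({
                "host": h, "signature": s, "count": n,
                "severity": worst[(h, s)], "enclave": asset["enclave"],
                "role": asset["role"], "owner": owners[asset["enclave"]],
            })
    return actionable, sorted(unknown_hosts)

if __name__ == "__main__":
    hits, gaps = fuse(EVENTS, ASSETS, OWNERS)
    for a in hits:
        print(f"{a['owner']}: {a['signature']} x{a['count']} on {a['host']} ({a['role']})")
    print("inventory gaps:", gaps)
```

Hosts that generate activity but are absent from the referential data are reported separately rather than dropped, since an inventory gap is itself a finding the network owners need to resolve.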

EVENT MANAGEMENT

Prometheus has two primary components: a Novell Sentinel front-end for security event management, and a data warehouse back-end based on SAS Institute’s Intelligence Platform components, including SAS Enterprise BI Server, SAS Data Integration Server and SAS Intelligence Storage. Sentinel alerts and prioritizes all security events in a centralized dashboard that is easily accessed by security operators in NCDOC’s operations center at any time. The SAS data warehouse integrates and stores the large volumes of computer network defense data for long-term storage and trend analysis.

“Prometheus gives us tremendous flexibility,” Granger said. “It enables us to visualize data and it also enables us to export data in a common standards-based format. Even when we change a data source, our operators on the watch floor don’t have to change operating procedures or have to be re-trained on a new piece of equipment. They keep looking at the same interface, but they can view more information in perhaps a different manner.”

The Sentinel component of Prometheus has been heavily customized by NCDOC to meet the organization’s requirements. For example, “We’ve driven a lot of developmental work to build what we call ‘right-click functionality,’ which allows our watch operators on the floor to right-click to do a ‘who-is lookup’ or automatically generate a trouble ticket or input tasks into the workflow,” Granger said.

The Naval Research Lab, a key contributor to the evolution of Prometheus, has developed most of the agents that create the bridge between individual data sources and Sentinel.

“As far as the SAS backend goes, it’s met the requirements,” Granger noted. “We had to build the tables to meet the unique requirements of the individual data sources, but I would call that using the product, not specifically tailoring or modifying. I like being in a business where I can say that we haven’t come close to touching all the capabilities of the product. That’s where we are now.”

For the future, NCDOC is focused on what Keck contends is the biggest risk for the Navy’s networks. “I think it’s where the threats, vulnerabilities and impacts come together,” she said. “I want to be more proactive about the actions we can take to reduce that risk, because you’re never going to be able to take care of all the threats, and you’ll never be able to patch all the vulnerabilities.”

Mark Kagan is a Washington, D.C.-based consultant and writer on defense, intelligence and security.
