By Master Sgt. Eric M. Grill
Defense Media Activity-San Antonio
NELLIS AIR FORCE BASE, Nev. (AFNS) -- A little known unit here, working
in a bank of trailers hidden from the public, performs a unique mission
for the Air Force: hacking into the vast Air Force computer networks to
help protect those networks from an enemy's attack.
The Air Force hackers from the 57th Information Aggressor Squadron here
and the Kansas Air National Guard's 177th Information Aggressor
Squadron, known collectively as the Aggressors, help prepare Air Force,
joint and allied personnel by replicating current and emerging threats
as a professional information operations opposition force.
Gen. Stephen R. Lorenz, Air Education and Training Command commander,
wrote in a commentary about cyberspace printed in December, that, "Our
enemies are attacking our network, the same network (people) use to send
e-mails, share documents and access the Internet. They are using stealth
and surprise to insert malicious code into our network in order to gain
intelligence. What is our enemy's intention? We don't know, but it's not
Most of the time these attacks are considered benign, basically scans,
said Lt. Col. Reb Butler, the 57th IAS commander. But he said, each day
the Air Force and the Department of Defense receive thousands of
computer attacks against its computer networks.
"We want to make friendly forces better," Colonel Butler said. "The way
to do that is to show them the threats that they're facing today and the
ones that they will face tomorrow. So when they go out and face the
threats in the real world, they actually feel it is a lot easier to
conduct their operations."
The Aggressors, Colonel Butler said, operate on three basic principals:
knowing the threat, teaching the threat, replicating the threat.
To get to know the threat, they partner with the intelligence
organizations like the National Security Agency, Central Intelligence
Agency, the National Air and Space Intelligence Center and other key
intelligence organizations to study and characterize the threats that
are out there.
Once they know the threat, they teach the threat.
"Once you understand what the threats are doing and how they're doing
it, we take that information and teach people about the threat," Colonel
Butler said. "We try to tailor to our training audience. In our case,
every person who works on a DOD installation or touches a DOD network is
part of our training audience because (they) face this threat everyday
when they go to work. (The threats) may not be obvious to you and they
not be known to you ... but they are out there and you need to be
prepared as a user, as a consumer, and more importantly, as a network
defender or an information defender, your role in doing that."
Finally the Aggressors will replicate those threats.
"We can see if our friendly tactics techniques and procedures, and in
this area, policies, are effective to either mitigate or defeat those
threats," Colonel Butler said. "Where they are not effective, we
identify those shortfalls and gaps so that friendly forces can either
build new tactics, write new policies or acquire new systems to defeat
those threats or assume that they are acceptable risks."
One of the tools the men and women of the 57th IAS and 177th IAS use to
teach network security to users at individual bases is called the
Information Operations Road Show, a three-phased process.
The first phase is done remotely from dot-com means and open source
information; Aggressors then go to the installation itself; and finally
through replication of the attack, they train the network control
centers and individual users on their responsibilities of securing the
During the remote phase the Aggressors figure out what the key units,
key functions and the key parts of that base are that contribute to the
Air Force and Department of Defense.
"It helps us define our 'red' objectives, what we as an adversary would
want to know about that installation," Colonel Butler said.
It's also where the Aggressors will infiltrate the network and basically
establish their presence.
"That strategy is very simple. We gain access to the network, usually
through phishing attacks by attacking the human user (for their
information) and making them a victim by gaining their privileges," he
said. "Once we get into the network, we'll establish footholds into the
network and then map the network."
The Aggressors will continue to try to escalate their privileges in that
network and will try to "own" the entire base network and go beyond that
installation to multiple installations and in some cases to multiple
major commands, Colonel Butler said.
"Finally we'll exploit that network by data-mining it to find that key
information about their mission or their key contributions to the DOD,"
Colonel Butler said. They use this information for phase three.
During phase two, a team is sent to the installation and starts from
outside the gate. They'll defeat the layers of defense for the
information and gain access through the installation's gate, the
physical security of the buildings, the offices and the desks.
Then they will go after the more sensitive areas where work is being
accomplished, whether that is the flightline or secure work areas, so
they can see how far they can infiltrate to getting access -- long-term,
unhindered access -- to that installations' information, Colonel Butler
"Phase three, the most important part of this form of threat
replication, is where we put the uniform back on and provide training
and feedback, not just for the commander, but for as many people as that
commander makes available to us, so that we can improve friendly
forces," Colonel Butler said.
"Up until phase three, it really is just an assessment," he said.
"Friendly forces behavior doesn't change until we provide the feedback,
both good and bad, and specialize the academics for those layers of
defense, whether they are on the network, whether they are physical or
whether there are other concerns so that friendly forces are better
prepared to meet or defeat the information operations threats."
Based on the information from law enforcement and intelligence agencies,
Colonel Butler said the current trend for hackers, whether they are
criminal, nation-state or terrorist in nature, is not to attack the
advancing technology being used, but attack the individual user to gain
access to the networks.
The threats out there basically are trying to take advantage of the
human interface, Colonel Butler said.
"Our Airmen are our first line of network defense, he said. "Ultimately
they are the risk manager for all of our networks. Whether they knew
that or not, they should now. We need to educate and train them so that
they understand the types of threats they face and why we have certain
policies and procedures in place. They are there to defeat those
As an example, Colonel Butler said that the least educated Airman here
at Nellis, whether it be a civilian employee or an airman basic, is the
risk manager for the network at Langley Air Force Base, Va.; at
Barksdale AFB, La.; and Davis Monthan AFB, Ariz. As Air Force officials
consolidate the network operations centers into key centers of
excellence, (those users) also will be the risk managers for Aviano Air
Base, Italy, Ramstein AB, Germany and Royal Air Force Lakenheath in the
"That tells you how widespread and how important it is to educate every
user on their role and their responsibility for defending our networks,"
Colonel Butler said.
"If the individual is not prepared to understand the threat and know
what to do when those threats happen to be successful, that is, mitigate
those threats, the adversary wins and we lose," Colonel Butler said.
"Part of educating our Airmen about the threats is so they understand
what (those threats) look like, so they can recognize them and identify
them, and then activate the rest of the layers of defense to defeat or
mitigate those threats," he said.
Best Selling Security Books and More!