From: redteam@all.net
Reply-to: redteam@all.net
Organization: Red Team Mailing List
Subject: RedTeam Mailing List 1998-11-05
---------------------------------------------

[Thought this might interest some - FC]

http://www.ppmi.com/reviews.html
http://www.redteamjournal.com/
http://cst.lanl.gov/seals/
http://info.arl.army.mil/ARL-Info.Announce/APT/sei.html
http://www.snc-inc.com/sncivas.htm
http://www.srs.gov/train_cat/SECURITY/DCCTA241CR00.html
http://www.aberdeen.com/research/abstract/97090164.htm
http://www.srs.gov/train_cat/SECURITY/DCCTA140CR00.html
http://membrane.com/opsec/opthreat.html
http://www.sandia.gov/eqrc/e7vasoln.html
http://www.walrus.com/~doc/opthreat.html
http://www.netsafeinc.com/Services/vulassess.htm

---------------------------------------------

and at: http://call.army.mil/call/exfor/ted/annexd2.htm

ANNEX D, Part 3

8. DETAILED DATA COLLECTION AND VULNERABILITY ASSESSMENT PROCEDURES FOR TASK 3: OPERATIONAL SECURITY (OPSEC) ASSESSMENT WITH A COMPUTER SECURITY (COMPUSEC) FOCUS. (LEAD AGENCY: LIWA.)

a. Objective/Issue: To determine what operational security protection features and vulnerabilities result from operations and emerging TTP in the digitized unit?

b. What experimentation events will be accomplished to address this issue? A Red Team led by the LIWA will conduct a multidiscipline counterintelligence OPSEC assessment of the EXFOR. The assessment will include both operational security and information systems OPSEC.

c. When will it be done?
1. During the EXFOR company and battalion/brigade training at Fort Hood (Oct - Dec 96).
2. During the EXFOR NTC rotation at Fort Irwin (Mar 97).

d. Where will it be done?
1. Fort Hood for train-up.
2. Fort Irwin for NTC rotation.

e. How will it be done? The Task 3 Red Team will conduct a traditional CI OPSEC and INFOSEC assessment of the EXFOR, targeting company, battalion, and brigade operations.

f. Who will be involved to implement the evaluation events? Five (5) personnel from the 902d MI GP, located on the installation outside the brigade maneuver area, to conduct a traditional CI OPSEC and INFOSEC assessment of the EXFOR.

g. Who is needed to observe and collect data? Only the SMEs listed in the previous paragraphs, to observe and document procedures, operations, and activities in the vicinity of the training/exercise area.

9. DETAILED DATA COLLECTION AND VULNERABILITY ASSESSMENT PROCEDURES FOR TASK 4: SIGNALS INTELLIGENCE (SIGINT) AND MEASUREMENTS & SIGNATURES INTELLIGENCE (MASINT) CHARACTERIZATION. (LEAD AGENCY: LIWA.)

a. Objective/Issue. Does the digital force present a unique electronic signature that an adversary can use for identification and targeting of friendly units/operations?

b. What experimentation events will be accomplished to address this issue?
1. SIGINT operations will be conducted by PM SW assets and organic 104th MI Bn assets/sensors.
2. All-source collection operations will be conducted.

c. When will it be done?
1. Throughout the Company and Battalion/Brigade Lanes training at Fort Hood, TX.
2. Throughout the duration of the Brigade Pre-AWE Exercise at NTC. (Negotiation with OPTEC/EXFOR for use of this timeframe is required.)
3. Throughout the AWE NTC Rotation 97-06.

d. Where will it be done?
1. Fort Hood for the Company and Battalion/Brigade Lanes training.
2. Fort Irwin for the Brigade Pre-AWE Exercise and the actual AWE NTC Rotation.

e. How will it be done?
1. Doctrinal SIGINT and MASINT operations (passive collection) that are transparent to the EXFOR. (Operations are strictly non-interference to the Brigade; Division MI assets are supporting both the Red Team and the Brigade on a non-interference basis.)
2. The necessary exercise observer/controller data collection technique will consist only of documenting the routine map graphic EXFOR situation on a continuous basis (at the STARWARS building at Fort Irwin and a similar central control/collection facility at Fort Hood) to document "ground truth" for later analysis.
3. All data collected will be stored by 704th MI for further analysis as required.
4. At Ft. Hood, the 104th MI Bn division slice will be augmented as follows:
   - Personnel: 8-10 SME intelligence specialists from outside agencies to perform the Red Team role as an adjunct to the division's MI slice (ACE).
   - Equipment: During the second half of Company lanes (15-25 Oct 96) and during Battalion/Brigade lanes (03-17 Dec), PM SW assets will augment the 104th MI Bn at the division slice.
5. At the NTC Train-up (27 Feb - 05 Mar 97), the Red Team characterization concept is similar to that at Ft. Hood except for the addition of 525th MI Bde analysts supporting the EXFOR. These assets will provide Corps level and above intelligence support to the EXFOR (helping to win the intel war) but on a non-interference basis will also monitor blue activities for the Red Team.
   - Personnel: Same 8-10 intelligence specialists augmenting the 104th MI Bn division slice. In addition, 525th MI Bde analysts (number to be determined) located outside NTC.
   - Equipment: 104th MI Bn organic assets augmented by PM SW. Additional Echelon Corps and Above collection assets (airborne, etc.) may be available for collection/characterization from outside the maneuver box in support of the Red Team.
6. During NTC Rotation 97-06, the 104th MI Bn slice will be dedicated to EXFOR support; there will therefore be no collection inside the maneuver box.
   - Personnel: Red Team comprised of personnel from the 525th MI Bde outside the NTC.
   - Equipment: Echelon Corps and Above collection assets (airborne, etc.) may be available for collection/characterization from outside the maneuver box in support of the Red Team.

f. Who will be involved to implement the evaluation event?
1. The Task 4 Red Team, made up of approximately 8-10 intelligence specialists located at the ACE and a stand-off location.
2. The 104th MI Bn in their normal "division-slice" support role for Brigade operations. This unit will support the Red Team during the Company and Battalion/Brigade Lanes training as well as Brigade training at Fort Irwin. Support from this unit at other times would have to be negotiated and would be non-interference only.

g. Who is needed to observe and collect data?
1. Observers/collectors at a central control/collection facility (similar to the STARWARS facility at Ft Irwin) to determine "ground truth".
2. Observers/collectors at the STARWARS Building at Ft Irwin to determine "ground truth".

10. DETAILED DATA COLLECTION AND VULNERABILITY ASSESSMENT PROCEDURES FOR TASK 5: SECURITY POLICY EVALUATION. (LEAD AGENCY: HQDA ODCSINT.)

a. Objective/Issue. To determine which of the current DoD/Army INFOSEC and information system security policies, if any, require modification to effectively support digital tactical operations?

b. What experimentation events will be accomplished to address this issue? A Red Team led by the HQDA ODCSINT will conduct an assessment of the EXFOR's compliance with existing security policies for the AWE and the operational effectiveness of such compliance/noncompliance.

c. When will it be done?
1. During EXFOR battalion/brigade training at Fort Hood (Nov - Dec 96).
2. At completion of Task Force Lanes (Dec 96 - Feb 97).
3. During the EXFOR NTC rotation at Fort Irwin (Mar 97).
4. At the completion of the EXFOR NTC rotation (Mar 97).

d. Where will it be done?
1. Fort Hood for train-up.
2. Fort Irwin for NTC rotation.

e. How will it be done?
1. The Red Team, consisting of TEXCOM SMEs, will observe and document EXFOR compliance with existing policies on physical security, communications security, personnel security, security training and awareness, administrative security, and information systems security during Task Force Lanes and EXFOR NTC rotations. At the completion of Task Force Lanes and the EXFOR NTC rotation, ODCSINT SMEs will interview selected members of the EXFOR to determine the effectiveness of information system security.
2. The Task 2, Task 3, and Task 4 Red Teams (see paragraphs 7, 8, and 9 above) will provide input to this Task 5 Red Team on OPSEC, SIGINT/MASINT, and INFOSEC observations. Ongoing reviews of information system security policy by DoD, Army, and AAA will also be used as input to this task.
3. This Task 5 Red Team will analyze the operational effectiveness issues associated with the EXFOR's compliance/noncompliance with the security policies to develop security policy modification recommendations.

f. Who will be involved to implement the evaluation events? ODCSINT SMEs will conduct the interviews of selected members of the EXFOR. TEXCOM SMEs will be used to collect data during Task Force Lanes and the NTC Rotation.

g. Who is needed to observe and collect data? The TEXCOM SMEs listed above, located at the brigade TOC, a representative battalion TOC, a SIV, and a representative appliqué platform, are needed to observe security activities, document those activities according to a pre-arranged checklist from HQDA ODCSINT, and solicit survey data from operators/managers at those locations.

11. DETAILED DATA COLLECTION AND VULNERABILITY ASSESSMENT PROCEDURES FOR TASK 6: ANALYSIS OF TACTICAL INTERNET COMPONENT VULNERABILITIES. (LEAD AGENCY: ARL SLAD.)

a. Objective/Issue. How well do system components of the Tactical Internet (SINCGARS SIP, EPLRS VHSIC, MSE TPN) and the Force XXI Battle Command Brigade and Below (appliqué) system withstand specific EW and IW attacks, and what are their EW and IW vulnerabilities?

b. What experimentation events will be accomplished to address this issue? The SLAD will conduct technical experiments and analyses to determine the unique technical vulnerabilities of the individual systems (and some interconnected systems) of the Tactical Internet, to analyze the extent of increased technical vulnerability due to the introduction of these digital systems (and interconnected systems), and to develop specific system improvement recommendations.

c. When will it be done?
1. During pre-fielding tests.
2. During tests being accomplished commensurate with fielding.
3. During TF XXI train-up exercises.
4. During the TF XXI NTC rotation.
5. Initial analyses and reports for currently planned experiments will be completed by September 1996.

d. Where will it be done?
1. Equipment contractor facilities, for pre-fielding and commensurate-with-fielding tests.
2. The Digital Integration Lab at Fort Monmouth, for pre-fielding and commensurate-with-fielding tests.
3. At Ft. Hood for train-up tests.
4. At Ft. Irwin for NTC rotation tests.

e. How will it be done?
1. Electronic Warfare, Electronic Counter-countermeasures, and Information Warfare (EW/ECCM/IW) experiments will be conducted by technicians in a controlled laboratory environment and in the field environment with detailed and highly documented procedures and data collection.
2. Analysis will be based on technical data collected and will include operator procedures only to the extent of recommended operator actions necessary to offset technical vulnerabilities.
3. A high-level schedule is shown below:

   SYSTEM             EVENT                                 DATE                    DATA COLLECTED
   SINCGARS SIP       EW/ECCM Experiments at Contract Site  Completed by 1 Sep 96   Performance Curves; Data Mode Characterization
   EPLRS VHSIC        EW/ECCM Experiments at Hughes         10 Nov - 10 Dec 96      Performance Curves; Data Mode Characterization
   MSE TPN            EW/ECCM Experiments at DIL            Completed 10 May 96     Performance Thresholds; Signaling Curves; Operational Characteristics
   Appliqué           IW Experiments at DIL                 Completed by 1 Sep 96   Access Vulnerabilities; Break-in Vulnerabilities; C2 Protect Options
   Tactical Internet  Experiments at DIL                    Completed by 31 Aug 96  Common Tool Set Evaluation and TI Analysis
                      Experiments at Fort Hood              Oct 96                  Comm Sigs Coll & Analysis ICW 104th MI Bn Training
                      Experiments at Fort Irwin             Mar 97                  Comm Sigs, Traffic Data, and Network Characteristics

f. Who will be involved to implement the evaluation event?
1. Contractor, SLAD, DIL, CECOM IEWD, Program Management Offices, and TECOM personnel as designated by the PM and SLAD for pre-fielding and commensurate-with-fielding tests.
2. IEWD will deploy a collection shelter on a tactical vehicle and will be co-located with one of the collection systems organic to the 104th MI Bn for train-up and NTC rotation.

g. Who is needed to observe and collect data?
1. Only the subject matter experts listed in paragraph 11.f.(1) above are needed for pre-fielding and commensurate-with-fielding tests.
2. IEWD will have five (5) subject matter experts (SMEs) deployed with the collection shelter and the 104th MI Bn for train-up and NTC rotation. These people will be performing two tasks. The first will be assisting the collection operators in the field; the second is to collect anomalies that cannot be identified, if they are intercepted. SLAD will provide two (2) SMEs to assist and support IEWD SMEs in the data collection process.
3. No non-SME data collectors are needed for this task.

12. RESULTS, LESSONS LEARNED, AND FINAL REPORT.

a. Individual Lead Agencies will conduct the Red Team tasks, collect the supporting data, conduct analysis, develop conclusions and lessons learned, provide recommendations on how to offset vulnerabilities identified, and produce a final report documenting all activities and results in accordance with guidance and timelines from ADO.

b. The ADO will consolidate the individual Lead Agency final reports, develop a summary report on Red Team results and recommendations, and coordinate with OPSEC for incorporating the Red Team results into the overall AWE evaluation by OPTEC.

c. Actual system vulnerability data for vulnerabilities identified during Red Team events will be classified in accordance with the TF XXI Security Classification Guide (yet to be published) and will be distributed under separate cover from, or as a classified annex to, the summary report.

---------------------------------------------