Army cyber ops faces forensic backlog
- By Wyatt Kash
- Aug 20, 2008
As the number of potential assaults on military information technology networks continues to escalate, so does the challenge of conducting forensic and attribution analysis in order to respond appropriately, said Col. Barry Hensley at the 2008 LandWarNet conference in Fort Lauderdale, Fla., this week.
'There are 360 million scans or attempted scans [per day] across the [Defense Department] network,' said Hensley, director of the Army Global Network Operations and Security Center. But those scans are merely part of the noise that Army security specialists must deal with in analyzing a variety of incidents and potential assaults on military networks.
The difficulty, he said, is recognizing when an incident, like the accidental severing of undersea fiber optic cables in the Mediterranean Sea last year, is a disruption, a cyber attack or something more than a cyber attack.
One step toward improving responsiveness is 'to know your network,' Hensley said. He noted that 90 percent of the Army's LandWarNet network relies on undersea cable. But local land connections also present vulnerabilities, he said. He cited an incident in which a garbage truck severed an overhead fiber cable, knocking out service for the Army's southern and northern continental command centers for nine hours.
Network infrastructure disruptions are only one part of the problem, Hensley said.
'A tough piece of this business is a thing called attribution,' he said. 'How do you know if it's a nation that's doing the attacking?' That is especially true in an age when non-state actors are often behind such attacks.
'Before you run after some nation, you really need to know where the cyber attack is coming from,' Hensley warned.
Hensley noted that the Russian military invasion of Georgia this month marked the first time an attack in cyberspace occurred in parallel with physical attacks, underscoring the importance for U.S. military cyber specialists of being able to identify and respond to such incidents quickly.
Another key factor is deciphering the nature of attacks, and the growing demand for forensics work.
'People don't realize the forensics handling process involved with identifying malicious code,' Hensley said. It can take weeks or months, he said. 'In many cases we have to mail a hard drive to a central facility, to begin the forensics process,' he said.
Based on classified activities he said he has observed over the past two years, he warned that the threats are serious, and the difficulties of staying current with them remain daunting.
One tell-tale sign of that, he said, is that the leading anti-virus vendors are moving away from signature-based solutions and toward more of a whitelist model in defending against cyber assaults.
Suffice it to say, 'I do not bank online anymore,' he said.
Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.