Intrusion Reaction: Recommendations for Obtaining Reaction Capabilities
Abstract:
The Command and Control (C2) Protect Mission-Oriented Investigation and Experimentation (MOIE) Project, sponsored by the Air Force, develops and promulgates resources to counter information warfare (IW) threats to military C2 computer networks. This report has been produced by the Intrusion Reaction task of the project. A growing threat to Air Force networks and computers is exploitative intrusion activity. One technological countermeasure to exploitative intrusion activity is intrusion reaction capability. But intrusion detection and reaction (IDR) systems in operation today do not provide a number of reaction features that might materially help the Air Force protect its networks and computers. This report recommends areas for effective Air Force investments in research, development, and investigation of reaction capabilities for defensive IDR systems. To develop its recommendations, the Intrusion Reaction task members compared the state of the art to an ideal set of capabilities. They based their ideal on their understanding of Air Force networks and current defensive information operations. In light of their review of pertinent facts and circumstances, the task members recommend that the Air Force research techniques and develop capabilities in three important areas where commercial coverage is not expected over the next several years: (1) Analysis, Investigation, and Decision Support; (2) Vulnerability Management; and (3) Damage Management. They encourage vendors to enhance their products by adding capabilities in the categories of developing forensic and other data, domain adjustment, information collection, and self-adjustment. They also encourage vendors to improve their products' ability to provide alerts by developing the capability to correlate possible attacks and to discover unresolved attacks by review of logs.