INFOCON Decision Matrix

Columns: Level of Risk; Criticality of C4 systems being targeted; Adversary Activity/Intent; Degree to which activity is demonstrated to be a coordinated network attack; Adversary Computer Network Attack (CNA) Capability; Adversary Computer Network Exploitation (CNE) Capability; Trusted Environment Activity (.gov, .mil); Network Manager Actions (typical...other actions will be situation dependent); Network User Actions (typical...other actions will be situation dependent); Exit Criteria.

INFOCON 5
- Level of Risk: Minimal/Acceptable
- Criticality of C4 systems being targeted: UNCLASS networks; Non-Mission Critical (ex: External Web page defacement)
- Adversary Activity/Intent: No specific target identified
- Degree to which activity is demonstrated to be a coordinated network attack: Low
- Adversary CNA Capability: Low threat
- Adversary CNE Capability: An exploitation threat exists
- Trusted Environment Activity (.gov, .mil): Random or transient events
- Network Manager Actions: Implement Procedures called for in AFI 10-710 INFOCON 5; Identify and prioritize network systems and their elements (users, infrastructure, etc.)
- Exit Criteria: N/A

INFOCON 4
- Level of Risk: Increased
- Criticality of C4 systems being targeted: UNCLASS Networks; Operationally significant C2
- Adversary Activity/Intent: Limited network reconnaissance
- Degree to which activity is demonstrated to be a coordinated network attack: Low
- Adversary CNA Capability: Limited indigenous CNA threat exists; Potential Support from others (No known intent to provide support)
- Adversary CNE Capability: Broad exploitation capability exists or is likely present across C4
- Trusted Environment Activity (.gov, .mil): General activity
- Network Manager Actions: Implement Procedures called for in AFI 10-710 INFOCON 4; Increase frequency (90 day cycle) of audit log reviews and system backups
- Exit Criteria: Threat to UNCLASS C4 systems has been effectively neutralized

INFOCON 3
- Level of Risk: Moderate
- Criticality of C4 systems being targeted: UNCLASS and/or CLASSIFIED network(s); Operationally significant C2
- Adversary Activity/Intent: Demonstrated intent to cause denial, disruption, degradation, or destruction of C4 systems
- Degree to which activity is demonstrated to be a coordinated network attack: Ambiguous evidence of coordinated attack
- Adversary CNA Capability: Moderate indigenous CNA threat exists; Intent of support from others
- Adversary CNE Capability: Focused exploitation of C4 systems to support adversary COA
- Trusted Environment Activity (.gov, .mil): Some pattern of attack exists
- Network Manager Actions: Implement Procedures called for in AFI 10-710 INFOCON 3; Possible TRO, limit network services, minimum to accomplish mission operations.
- Exit Criteria: Attacks not coordinated; Adversary's hostile intent to attack DoD networks eliminated or neutralized; Adversary CNA/CNE threat or hostile intent neutralized

INFOCON 2
- Level of Risk: High
- Criticality of C4 systems being targeted: UNCLASS and CLASSIFIED network(s); Operationally significant C2
- Adversary Activity/Intent: Demonstrated ability to cause denial, disruption, degradation, or destruction of C4 systems
- Degree to which activity is demonstrated to be a coordinated network attack: Clear evidence of coordinated attacks
- Adversary CNA Capability: High access to Indigenous CNA threat; Clear evidence of adversary intent to employ CNA
- Adversary CNE Capability: Focused exploitation of C4 systems to support adversary COA
- Trusted Environment Activity (.gov, .mil): Focused attacks against trusted C4 systems
- Network Manager Actions: Implement Procedures called for in AFI 10-710 INFOCON 2; Possible TRO, limit SIPRNET access to C2 & Intel; Increase physical security on critical infrastructure
- Exit Criteria: Threat to CLASS networks reduced; C4 systems' capability to support mission operations restored

INFOCON 1
- Level of Risk: Significant
- Criticality of C4 systems being targeted: UNCLASS and CLASSIFIED network(s); Operationally significant C2
- Adversary Activity/Intent: Focused attack on C4 systems
- Degree to which activity is demonstrated to be a coordinated network attack: Clearly coordinated attacks have occurred
- Adversary CNA Capability: Demonstrated CNA threat; High level of CNA threat
- Adversary CNE Capability: Focused exploitation of C4 systems to support adversary COA
- Trusted Environment Activity (.gov, .mil): Focused attacks against trusted C4 systems
- Network Manager Actions: Implement Procedures called for in AFI 10-710 INFOCON 1; Possible TRO, disconnect ALL systems not required for mission execution
- Exit Criteria: Mission essential C4 systems reconstituted; Adversary threat to attack neutralized

Network User Actions (typical...other actions will be situation dependent), INFOCON 5 through INFOCON 1:
- Situational awareness: report network/system anomalies to Workgroup Manager
- Respond as directed to expected incremental losses of network capabilities such as web access (to all but .mil and .gov), e-mail, modem connections, RAS, VPN, and/or other functional systems
- Change user passwords
- Limit net usage to official business only
- Virus Scan desktops and back-up critical files
- Set higher security settings in Internet Browsers as directed by Workgroup Manager/Net Administrator
- Do not open, but delete e-mails from unknown sources
- Restrict network usage/access to only that required for C2 and network reconstitution

Updated: 29 June 2006

OPR: HQ AFMC/A6OO DSN: 787-1065

FOR OFFICIAL USE ONLY

INFOCON 5 - Normal activity. A general threat of possible information attack exists, but warrants only a routine security posture. INFOCON 5 is always in effect unless a more specific threat or incident warrants the transition to a higher INFOCON.

INFOCON 4 - Increased, unpredictable risk of attack. A heightened threat of possible information attack exists, to include an increased number of probes, which might indicate patterned surveillance/reconnaissance. Circumstances do not justify full implementation of INFOCON 3 measures, but certain measures from higher INFOCONs may be necessary based on intelligence reports, or as a deterrent. Installation Commander must be able to maintain this INFOCON indefinitely. Under INFOCON 2 expect increased vigilance over work areas/facilities.

INFOCON 3 - Specific increased and more predictable risk of attack exists. A demonstrated, increased, and patterned set of intrusion activities exists, to include a compromise of system resources. Examples of activities in INFOCON 3 are dedicated computer sweeps, scans, or probes and a significant increase of detected viruses, nuisances, and Denial of Service attacks. The measures in this INFOCON must be capable of being maintained for weeks without causing undue hardship affecting operations capability. Under INFOCON 3 expect to see increased network security and be prepared to comply with instructions. Also expect tightening of network usage policies (e.g. restricted web surfing, loss of e-mail, shut down public web servers).

INFOCON 2 - Limited attack(s). An actual information attack has occurred or intelligence indicates an imminent information warfare attack. Examples include: attempts to access C4 systems, databases, and communications media for the purpose of data destruction, delay, denial, deception, etc. NOTE: Any collection efforts targeted against classified systems warrant implementation of INFOCON 2. Implementation of this measure for more than a short period has a high probability to create hardship and affect the peacetime activities of the installation and its personnel. Under INFOCON 2 expect further tightening of network usage policies (e.g., restricted web surfing, loss of e-mail, shut down public web servers).

INFOCON 1 - General attack(s)...when the severity of an information attack has significantly degraded mission capability. Primary efforts during INFOCON 1 are recovery and reconstitution. Under INFOCON 1 expect disconnection of non-mission essential C4 systems.

Definitions: Computer Network Attack (CNA) vs. Computer Network Exploitation (CNE): CNE is information gathering and probing, while CNA is deliberate acts taken to disrupt or destroy network capabilities.

FROM AFI 10-710 (10 Aug 06)

5. INFOCON Procedures.

5.1. Updates. Initial procedures outlined in Attachment 2, are fluid in nature, and not all-inclusive. Changes/additions/deletions to the Tailored Readiness Options, to include the addition of directive measures for non-Windows-based platforms, will be disseminated via the AFNetOps Special Instructions for Communications (SPIN-C) or AFNOC Network Tasking Order (NTO).

5.2. Non-sequential INFOCON changes. When a non-sequential increase in INFOCON occurs (i.e., from 5 to 2), the measures from the skipped INFOCON level(s) will be accomplished after the declared INFOCON actions have been initiated.

INFOCON 5, Normal Readiness Procedures. (FOUO)

INFOCON 5 Procedures.

5.1.0 (FOUO) Global INFOCON Measures, INFOCON 5, NORMAL Condition, a procedure directing a periodic re-establishment of the 'secure baseline' in conjunction with a check for unauthorized changes on a semi-annual (180-day) cycle. This should involve mirroring the hard-drives for subsequent examination, prior to re-loading the secure configuration. If examination of the hard-drives indicates unauthorized changes, first determine if the changes were actually authorized, yet improperly recorded. This may reveal the need for a review of the procedures for updating the database (or equivalent tracking system) of authorized changes. If the change(s) is (are) unauthorized, it (they) may indicate the need for a TRO to remedy the problem(s), or even temporarily increasing to a higher INFOCON level, depending on what unauthorized changes are discovered.

5.2.0 (FOUO) Ensure all AF Information Systems are compliant with policies and guidance outlined within AF Communications and Information instructions, manuals and specialized publications. (also see DoDI O-8530.2 and CJCSM 6510.01, Defense-in-Depth: Information Assurance (IA) and Computer Network Defense (CND).)

5.2.1. (FOUO) Update and maintain anti-virus, firewall, and Access Control Lists (ACL) configurations IAW AFI 33-202, Volume 1, Network and Computer Security; AFI 33-137, Ports, Protocols and Service Management; AFI 33-115, Volume 1, Network Operations; and AFI 33-138, Enterprise Network Operations Notification and Tracking. Ensure compliance with Time Compliance Network Orders (TCNOs), Information Assurance Vulnerability Alerts (IAVA).

5.2.2. (FOUO) Ensure complexity and periodicity of passwords IAW AFMAN 33-223, Identification and Authentication.

5.3.0 (FOUO) When moving into/from a higher INFOCON level, acknowledge receipt and report entry into INFOCON Level activities via operational channels to the declaring command. Sample reports can be found in paragraph 4.

5.4.0 (FOUO) Through automated and procedural means, update and maintain a current database of the following characteristics of all critical network infrastructure equipment used to maintain the network (i.e., routers, firewalls, servers, etc.) and a representative sampling of workstations (hereafter called "critical equipment"). Institute appropriate procedures to ensure the baseline is continuously updated to reflect authorized modifications.

5.4.1 (FOUO) User Accounts
5.4.2 (FOUO) Groups
5.4.3 (FOUO) Users in Groups
5.4.4 (FOUO) User/Admin/Group Permissions
5.4.5 (FOUO) Executable files (.exe .com .cmd .vbs .vbe .js .jse .wsf .wsh .dll)
5.4.6 (FOUO) Running Services/Open Ports
5.4.7 (FOUO) Registry keys
- "LMachine\Software\Microsoft\Windows\CurrentVersion\Run"
- "LMachine\Software\Microsoft\Windows\CurrentVersion\RunOnce"
- "LMachine\Software\Microsoft\Windows\CurrentVersion\RunServices"
- "LMachine\Software\Microsoft\Windows\CurrentVersion\RunServiceOnce"
- "CUser\Software\Microsoft\Windows\CurrentVersion\RunOnce"
- "CUser\Software\Microsoft\Windows\CurrentVersion\Run"
- "Lmachine\System\CurrentControlSet\Services"

5.5.0 (FOUO) Ensure auditing/logging to record, at a minimum: successful and unsuccessful login attempts; file system modifications; and privilege changes. Ensure weekly log review for evidence of abnormal or malicious activity IAW AFMAN 33-223, Identification and Authentication.

5.6.0 (FOUO) Establish procedures, training, equipment, and administrator certification for the rapid and consistent reestablishment of software baselines for critical equipment.

5.7.0 (FOUO) Perform operational impact assessment on all mission critical, mission support, and administrative information systems and networks. (Assessing the impact of Computer Network Attack (CNA) on our ability to conduct military operations is key to conducting damage assessment, prioritizing response actions, and assisting in identifying possible adversaries. Identify all critical information systems.)

5.8.0 (FOUO) Conduct routine vulnerability assessments with AF approved tool(s) for example, ISS, SCCVI.
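The weekly log review that procedure 5.5.0 calls for can be scripted. The block below is an added illustration, not text of the instruction quoted above: it pulls one week of Security log events for the three audited classes (logon attempts, privilege changes, file system modifications) and summarises them so the reviewer sees repeated failed logons per account and source and every privilege or group-membership change. It assumes a Windows host whose audit policy already records these events, an account permitted to read the Security log, and standard Windows Security event IDs (4624/4625 logon, 4672 special privileges, 4728/4732/4756 group member added, 4663 object access). The failed-logon threshold and the report path are assumptions to be set from the local baseline.

```powershell
# Added example for the weekly review in 5.5.0; not part of the instruction.
# Assumes a Windows host with logon/privilege/object-access auditing enabled.

function Get-EventDataMap {
    # Flatten the <EventData> section of one event into a Name -> value table.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[[string]$d.Name] = [string]$d.'#text' }
    return $map
}

function Get-WeeklySecurityReview {
    param(
        [int]$Days = 7,                  # weekly cycle required by 5.5.0
        [int]$FailedLogonThreshold = 10  # assumption: tune to the local baseline
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4672, 4728, 4732, 4756, 4663
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Failed logons grouped by target account and source address: many failures
    # against one account from one source is the pattern the review should surface.
    $failed = foreach ($e in $events | Where-Object Id -eq 4625) {
        $d = Get-EventDataMap $e
        [pscustomobject]@{ Account = $d['TargetUserName']; Source = $d['IpAddress']; Status = $d['Status'] }
    }
    $suspectLogons = $failed | Group-Object Account, Source |
        Where-Object Count -ge $FailedLogonThreshold |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'AccountSource'; e = { $_.Name } }

    # Privilege and group-membership changes: each one must match an authorized
    # change recorded in the 5.4.0 tracking database, so all of them are listed.
    $privChanges = foreach ($e in $events | Where-Object { $_.Id -in 4672, 4728, 4732, 4756 }) {
        $d = Get-EventDataMap $e
        if ($e.Id -eq 4672) { $target = $d['PrivilegeList'] }
        else { $target = "$($d['MemberName']) added to $($d['TargetUserName'])" }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Subject = $d['SubjectUserName']; Target = $target }
    }

    # File system modifications (object access) with who touched what and how.
    $fileChanges = foreach ($e in $events | Where-Object Id -eq 4663) {
        $d = Get-EventDataMap $e
        [pscustomobject]@{ Time = $e.TimeCreated; Object = $d['ObjectName']; Access = $d['AccessMask']; Subject = $d['SubjectUserName'] }
    }

    [pscustomobject]@{
        Period         = "$($filter.StartTime.ToString('u')) to $((Get-Date).ToString('u'))"
        EventsReviewed = @($events).Count
        SuspectLogons  = @($suspectLogons)
        PrivChanges    = @($privChanges)
        FileChanges    = @($fileChanges)
    }
}

# Usage; the output folder is an assumption. Keeping the JSON is the record that
# the weekly review was performed.
# $r = Get-WeeklySecurityReview
# $r.SuspectLogons | Format-Table -AutoSize
# $r | ConvertTo-Json -Depth 4 | Set-Content "C:\InfoconReview\$(Get-Date -Format yyyyMMdd).json"
```

Event 4672 is raised at every logon by an account holding sensitive privileges, so on an administrator's workstation it is noisy; the reviewer reads it for unexpected subjects rather than for volume, whereas a 4728/4732/4756 with no matching authorized-change record is a finding on its own.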

INFOCON 4, Increased Military Vigilance Procedures. (FOUO)

INFOCON 4 Procedures.

4.1.0 (FOUO) Acknowledge receipt/entry into INFOCON 4 and report again upon completion of the first INFOCON 4 cycle.

4.2.0 (FOUO) Confirm completion of directive measures at previous INFOCON levels.

4.3.0 (FOUO) Establish exit criteria. (Declaring Command)

4.4.0 (FOUO) Implement TROs as specified in the implementing message or by regional/local commanders.

4.5.0 (FOUO) On a 90 day cycle: Upon notification immediately complete the following activities and then every 90 days thereafter. Using manual methods or available automated tools, identify and verify all changes to the system parameters tracked using the database created at INFOCON 5 (step 5.4). Investigate all unauthorized changes and remove or terminate as appropriate. If this is being conducted automatically, apply the comparison to all servers and workstations. If manual, apply the comparison to critical equipment and a representative sample of workstations.

4.6.0 (FOUO) If explicit permissions are used on folders or files also check to ensure permissions have not been modified.

4.7.0 (FOUO) Verify service accounts having administrative privileges on critical equipment and ensure they cannot log on remotely.

4.8.0 (FOUO) Disable LanMan Hash from all critical equipment if technically feasible.

4.9.0 (FOUO) Conduct offline rehearsals for the rapid and consistent reestablishment of baselines for SIPRNET and NIPRNET critical equipment as called for in INFOCON 3 Procedures.
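The INFOCON 5 database of 5.4.0 (accounts, groups, group membership, executables, running services and open ports, the listed Run/RunOnce/Services registry keys) and the 90-day comparison of 4.5.0 are two halves of one mechanism, so a single added example serves both. The block below is illustration added here, not code from the instruction quoted above: one function captures a snapshot of those characteristics into a JSON-serialisable object, the other diffs a later snapshot against the stored baseline and emits one record per added, removed or modified item for investigation. It assumes Windows PowerShell 5.1 or later (for the LocalAccounts and NetTCPIP cmdlets), that it runs on the host being baselined with local administrator rights, and that the executable search roots, file paths and the use of SHA-256 for file identity are local choices.

```powershell
# Added example for 5.4.0 (baseline database) and 4.5.0 (90-day comparison);
# not part of the instruction. Assumes Windows PowerShell 5.1+ run as admin.

function ConvertTo-Map {
    # Normalise a hashtable or a PSCustomObject (what ConvertFrom-Json yields)
    # to a plain [string]->[string] table so stored and live snapshots compare alike.
    param($Object)
    $map = @{}
    if ($Object -is [hashtable]) { foreach ($k in $Object.Keys) { $map[[string]$k] = [string]$Object[$k] } }
    elseif ($Object) { foreach ($p in $Object.PSObject.Properties) { $map[$p.Name] = [string]$p.Value } }
    return $map
}

function Get-SecurityBaseline {
    # Executable roots are an assumption; widen them to match local policy.
    param([string[]]$ExecutableRoots = @("$env:SystemRoot\System32"))

    $users = @{}                                                        # 5.4.1
    foreach ($u in Get-LocalUser) { $users[$u.Name] = "Enabled=$($u.Enabled)" }

    $groups = @{}                                                       # 5.4.2 / 5.4.3
    foreach ($g in Get-LocalGroup) {
        $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue | ForEach-Object Name | Sort-Object
        $groups[$g.Name] = ($members -join ';')
    }

    $services = @{}                                                     # 5.4.6 running services
    foreach ($s in Get-Service | Where-Object Status -eq 'Running') { $services[$s.Name] = [string]$s.StartType }

    $ports = @{}                                                        # 5.4.6 open (listening) ports
    foreach ($c in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        if ($proc) { $owner = $proc.ProcessName } else { $owner = "pid $($c.OwningProcess)" }
        $ports["tcp/$($c.LocalPort)"] = $owner
    }

    $exeExt = '.exe', '.com', '.cmd', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.dll'   # 5.4.5
    $executables = @{}
    foreach ($root in $ExecutableRoots) {
        Get-ChildItem -Path $root -File -ErrorAction SilentlyContinue |
            Where-Object { $exeExt -contains $_.Extension.ToLower() } |
            ForEach-Object { $executables[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash }
    }

    $registry = @{}                                                     # 5.4.7 keys listed in the instruction
    $runKeys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce' | ForEach-Object { "HKLM:\Software\Microsoft\Windows\CurrentVersion\$_" }
    $runKeys += 'RunOnce', 'Run' | ForEach-Object { "HKCU:\Software\Microsoft\Windows\CurrentVersion\$_" }
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties | Where-Object Name -notlike 'PS*') {
            $registry["$k\$($p.Name)"] = [string]$p.Value
        }
    }
    foreach ($s in Get-ChildItem 'HKLM:\System\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $s.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { $registry["HKLM:\System\CurrentControlSet\Services\$($s.PSChildName)\ImagePath"] = [string]$img }
    }

    [pscustomobject]@{
        Host = $env:COMPUTERNAME; Taken = (Get-Date).ToString('o')
        Users = $users; Groups = $groups; Services = $services; Ports = $ports
        Executables = $executables; Registry = $registry
    }
}

function Compare-SecurityBaseline {
    # One record per difference. Each must be matched to an authorized change in
    # the tracking database or investigated and removed, as 4.5.0 requires.
    param([Parameter(Mandatory)]$Baseline, [Parameter(Mandatory)]$Current)
    foreach ($section in 'Users', 'Groups', 'Services', 'Ports', 'Executables', 'Registry') {
        $old = ConvertTo-Map $Baseline.$section
        $new = ConvertTo-Map $Current.$section
        foreach ($k in $new.Keys) {
            if (-not $old.ContainsKey($k)) { [pscustomobject]@{ Section = $section; Change = 'Added'; Item = $k; Was = $null; Now = $new[$k] } }
            elseif ($old[$k] -ne $new[$k]) { [pscustomobject]@{ Section = $section; Change = 'Modified'; Item = $k; Was = $old[$k]; Now = $new[$k] } }
        }
        foreach ($k in $old.Keys) {
            if (-not $new.ContainsKey($k)) { [pscustomobject]@{ Section = $section; Change = 'Removed'; Item = $k; Was = $old[$k]; Now = $null } }
        }
    }
}

# Usage (file paths are assumptions). At INFOCON 5 store the baseline once;
# at INFOCON 4 take a fresh snapshot and diff it on the 90-day cycle.
# Get-SecurityBaseline | ConvertTo-Json -Depth 4 | Set-Content C:\Baseline\infocon5.json
# $base = Get-Content C:\Baseline\infocon5.json -Raw | ConvertFrom-Json
# Compare-SecurityBaseline -Baseline $base -Current (Get-SecurityBaseline) | Export-Csv C:\Baseline\changes.csv -NoTypeInformation
```

The snapshot deliberately records a fixed attribute per item (hash for executables, owning process for ports, member list for groups, ImagePath for services) rather than the raw objects, so that a "Modified" record points at the property that changed and the comparison is identical whether it is run live or against the stored JSON. The registry and service lists are taken from the keys the instruction names; when the automated comparison is used, 4.5.0 expects it applied to all servers and workstations, so the same two functions are run on each host and the results collected centrally.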

INFOCON 3, Enhanced Readiness Procedures. (FOUO)

INFOCON 3 Procedures.

3.1.0 (FOUO) Acknowledge receipt and entry into INFOCON 3 and report again upon completion of the first INFOCON 3 cycle.

3.2.0 (FOUO) Confirm completion of directive measures at previous INFOCON levels to the declaring Command.

3.3.0 (FOUO) Establish exit criteria for current INFOCON level. (Declaring Command)

3.4.0 (FOUO) Implement TROs as specified by implementing message or regional/local commanders.

3.5.0 (FOUO) Re-establish a secure baseline on a 60-day cycle.

3.6.0 (FOUO) Conduct offline rehearsals for the rapid and consistent reestablishment of baselines for SIPRNET and NIPRNET critical equipment as called for in INFOCON 2 Procedures.

INFOCON 2, Greater Readiness Procedures. (FOUO)

INFOCON 2 Procedures.

2.1.0 (FOUO) Acknowledge receipt and entry into INFOCON 2 and report again upon completion of the first INFOCON 2 cycle.

2.2.0 (FOUO) Confirm completion of directive measures at previous INFOCON levels to the declaring Command.

2.3.0 (FOUO) Establish exit criteria for current INFOCON level. (Declaring Command)

2.4.0 (FOUO) Implement TROs as specified by implementing message or regional/local commanders.

2.5.0 (FOUO) Re-establish a secure baseline on a 30-day cycle.

2.6.0 (FOUO) Reestablish known good software baselines on the following servers, Domain Controllers/DNS/Web server. As stated above, this step is intended to address the intrusion techniques that cannot be identified or defeated by other means. These modifications to the servers may be accomplished anywhere within the established operational rhythm period, at the local commander's discretion to reduce impact on operations or resources.

2.7.0 (FOUO) Conduct offline rehearsals for the rapid and consistent reestablishment of baselines for SIPRNET and NIPRNET critical equipment as called for in INFOCON 1 Procedures.

INFOCON 1, Maximum Readiness Procedures. (FOUO)

INFOCON 1 Procedures.

1.1.0 (FOUO) Acknowledge receipt and entry into INFOCON 1 and report again upon completion of the first INFOCON 1 cycle.

1.2.0 (FOUO) Confirm completion of directive measures at previous INFOCON levels to the declaring Command.

1.3.0 (FOUO) Establish exit criteria for current INFOCON level. (Declaring Command)

1.4.0 (FOUO) Implement TROs as specified by implementing message or regional/local commanders.

1.5.0 (FOUO) Re-establish a secure baseline on a 15-day cycle.
