Overcoming Obstacles to Cyberspace Threat Intelligence
By Chief Warrant Officer 2 Travis M. Whitesel and Mr.Joseph Rudell
Article published on: December 1, 2024 in the Military Intelligence July–December 2024 Issue
Read Time: < 9 mins
Discussion of the commercial products and services in this article does not imply any endorsement by the
U.S. Army, the U.S. Army Intelligence Center of Excellence, or any U.S. government agency.
This article is primarily relevant to intelligence professionals supporting cyberspace operations at the
U.S. Army Cyber Command and the U.S. Army Network Enterprise Technology Command. However, with the
intelligence profession's continuing expansion and overlap into the cyberspace domain, the article
will serve as a primer for discussion about obstacles facing those in the digital fight.
Introduction
The U.S. Army Network Enterprise Technology Command (NETCOM) G-2 is developing and implementing cyberspace
threat intelligence (CTI) techniques to protect the Department of Defense Information Network-Army
(DoDIN-A). However, current challenges with the incident management and reporting processes hinder the
intelligence community's ability to provide relevant and predictive intelligence to drive operations.
This article captures the lessons learned and obstacles identified by NETCOM G-2 while implementing new
tactics, techniques, and procedures. The article also conveys recommendations assisting the signal community
with enabling CTI for improved threat visibility within the cyberspace domain.
Issues of the Cyberspace Domain
Current challenges with the cyberspace domain's incident management process include:
- Lack of investment in a unified toolset for incident management.
- Lack of standardization in the reporting process.
- Misunderstanding of the role of intelligence within the process.
These obstacles significantly hinder predictive analysis and an in-depth examination of the domain's
problem sets. Resolving these problems will enable better protection and sustainment of the DoDIN-A.
Lack of Investment in a Unified Toolset. This failure to invest in a unified toolset for
incident management significantly affects reporting procedures because the incident management instrument is
different for each network provider.Government Accountability Office reporting highlights the problem,
indicating that in spite of investing $100 billion annually into information technology and
cyberspace-related infrastructure, the federal government has yet to achieve effective results.1 This failure
to produce practical outcomes is partially a product of not learning from past mistakes. Each incident on
the DoDIN is an opportunity to understand our visibility gaps, process failures, and configuration
requirements. The approximate 12,000 cyberspace attacks against the Department of Defense (DoD) and defense
industrial base since 2015 compound the issue, emphasizing the adversary's intent and capability.2 (NETCOM G-2
assesses this number to be significantly higher.) A unified incident management toolset would provide
insight into the process failures and the threat's intent and capability, which would further improve
the Army's response through subsequent analysis. The incident management toolset is the primary entry
point to capture information about cyberspace attacks. Both industry and the various service components have
proposed unified toolsets; however, to date they have not captured requirements to collect the relevant
information to enable future analysis and data sharing.
Lack of Standardization in the Reporting Process. This failure to standardize incident
management reporting requires analysts to apply more strenuous analytic rigor to identify factors for
creating relevant and timely intelligence. Additionally, employing multiple toolsets coupled with the
required fields and descriptions of incidents varies across the DoDIN-A enterprise. These problems degrade
the ability to diagnose an incident with structured analytic techniques.
The 12,000 documented cyberspace attacks since 2015 should serve as a foundation for understanding cyberspace
threat capabilities, common targets, and trends in threat avenues of approach. However, the information
available in official repositories about these attacks is principally limited to incident response actions
and status without addressing the attack's techniques, targets, and key indicators. When an attack
occurs in the physical domain, the operational report includes all available information, including the
number of enemy personnel, potential descriptions, their capabilities, when and how the attack occurred, and
descriptions of any related artifacts. To be effective in the cyberspace domain, operatives must capture the
same level of detail about cyberspace attacks. Through standardization of the incident management reporting
process, CTI will improve the defense of the DoDIN-A.
Misunderstanding of the Role of Intelligence. Integrating intelligence into incident
management processes is essential, and the Army must actively implement procedures to include it. One
critical obstacle to implementation is the inability of intelligence professionals to access and complete
incident records in a timely manner. This is attributable to a misunderstanding of the role of intelligence
in the incident management process. The incident management and intelligence processes overlap and have
similar activities intended for different purposes. (See figure on the next page.) The main difference is
that, while incident management in cyberspace operations aims to respond to and eradicate the current
threat, intelligence personnel want to exploit and analyze the information to answer intelligence
requirements and reduce futurethreats. Concerns about impacting ongoing cyberspace operations or
intelligence oversight lead to hesitation in allowing intelligence analysts to view DoDIN-A data. However,
the areas of operations are friendly networks and incident management data, which have limited risk of
exposing identifying information, with regulations and processes for handling evidence involving U.S.
persons or operational requirements.
Incident response operations narrowly focus on resolving the immediate incident. Often, the process merges
into the next incident without anyone conducting a structured analysis to capture details or create an
understanding of the incident in a broader context relating to the DoDIN-A. Integrating intelligence into
the incident management process allows the information obtained during an investigation to be stored,
contextualized, and exploited without the time constraints of preparing for the next operational response.
By design, the intelligence process will capture information and identify data gaps overlooked in the
initial operational response and provide a more detailed understanding of the Army's visibility gaps in
context with DoDIN-A threats. In conjunction with the incident management process, this analysis will help
prioritize defensive measures for the DoDIN-A while making educated risk decisions.
Successes in the Commercial Environment
CTI's successes in the commercial domain provide lessons learned and operating guidelines for the Army to
consider when developing its own CTI organizations and techniques. Commercial environment CTI teams often
include individuals with a variety of skill sets who perform multiple roles simultaneously. In 2018,
Microsoft Corporation revealed that their CTI team included, among other professionals, a lawyer, a
traditional intelligence analyst, an experienced cyberspace analyst, and a technical writer. Other
organizations incorporate unique skill sets within their CTI teams tailored to their work environments. The
Army has well-defined incident management processes, but a variety of specific laws and regulations impose
unique constraints. Collaboration within the limits of those constraints, however, can expedite CTI and
speed implementation of commercial processes. Based on the NETCOM G-2's experience, when choosing the
correct commercial process to adopt, one that nests CTI into a security operations center can overcome the
need for individual analysts with multiple roles or individuals with specialized skill sets.
Another commercial CTI advantage is access to multiple data sets for analysis and enemy detection. This
allows commercial CTI analysts to corroborate data sets, which delivers significantly more context to
incidents and can shorten the time to understand the complex environment.3 Access to operational data
is a key enabler for commercial CTI operations and provides better defenses for protecting their respective
networks. The commercial sector successfully highlights the importance of incident management data for
completing CTI tasks, which the Army can leverage for success.
The commercial CTI sector has access to functional toolsets that assist in discerning complex information.
Often, one incident management service provides the data. The commercial sector's capability to
standardize incident management data and conform it to a singular toolset provides CTI professionals with
familiarity and superior functionality.4 This allows the commercial sector
to calibrate toolsets to their mission, taking advantage of professionals with longevity within the company.
These commercial successes emphasize the DoD's need to adopt a unified incident management system. They
also underscore the necessity of employing a toolset and environment that allows the analyst to access,
manipulate, and move information to support their mission.
Overlap of the Intelligence and Incident Management Processes.5
Integrating Cyber Threat Intelligence
Although many of the analytical techniques and processes used in commercial CTI originated with military
intelligence, the Army can benefit from leveraging commercial processes because of that sector's
sustained and documented successes. Several companies offer CTI techniques to deter adversaries operating on
a network and improve sensors for hardening a network. The Army can successfully integrate commercial CTI
structures without completely reworking current organizational structures. A dedicated effort by the Army to
unify toolsets and standardize processes can significantly impact the visibility and security of the
cyberspace domain. One way to accomplish this is to introduce and apply structured analytic techniques.
Intelligence professionals are already familiar with structured analysis. They use cognitive processes and
analytic tools and techniques to solve intelligence problems. Multiple cybersecurity structured analytic
techniques exist that can serve as a common language between the cyberspace and the intelligence
communities. These include the MITRE ATT&CK Matrix, the Cyber Kill Chain, and the Diamond Model. These
frameworks and techniques provide a baseline for communication and improve how intelligence professionals
and cyberspace defenders approach cyberspace incidents.
Mapping an attack through the MITRE ATT&CK Matrix framework empowers analysts to communicate how an
adversary attempts to penetrate the network. 6 provide the intelligence community with a
way to structure adversary capabilities quickly, identify how they apply to friendly networks, and present
that information to cyberspace defenders. Implementing a common language between incident management and
intelligence will result in a better understanding of attacks against the DoDIN-A and provide data in a
structure that analysts can leverage to prioritize network defense, identify future capability requirements,
and enable proactive decisions by leadership.
An integral component of Lockheed Martin's Intelligence Driven Defense model, the Cyber Kill Chain
provides intelligence analysts with a method to examine cyberspace attacks and advise cyberspace operators
on adversarial actions targeting friendly networks. It is a framework that deconstructs a cyberspace attack
into seven steps to understand the adversary's actions and objectives.7 Viewing intrusions through
the lens of the kill chain ensures cyberspace defenders capture all relevant information about an attack. A
detailed kill chain allows intelligence analysts to use the same information to conduct trend analysis on
successful threat techniques and friendly visibility gaps. Mapping an attack to gain visibility of flaws is
critical for enabling the Army to prevent future attacks.
The Center for Cyber Threat Intelligence and Threat Research created the Diamond Model of Intrusion Analysis
to depict cyberspace attacks. 8 The tool relies on four different subsets
of an attack: infrastructure, victim, capability, and adversary. Viewing an intrusion through this framework
allows analysts to provide context to an attack through behavioral and technical choices. This strategy
reveals similarities between attacks and enables intelligence professionals to identify related incidents,
differentiate possible threat relationships, and identify unique traits. These capabilities are especially
important because a sizable proportion of intrusions remain unattributed. The Diamond Model, when coupled
with the Cyber Kill Chain, enables in-depth questioning of incident data, which can support operational and
strategic requirements.
Combining these three structured analytical techniques—the MITRE ATT&CK Matrix, the Cyber Kill
Chain, and the Diamond Model—provides a foundational process to gain an advantage in the cyberspace
domain and capture quantifiable data to which analysts can apply analytical methods, an approach that is
currently missing from DoDIN-A operations and the intelligence enterprise. These commercial techniques can
help address a CTI shortfall left by a gap in regulations, training, and doctrine. The Army intelligence
community can benefit from using these additional structured analytic techniques to expand the incident
management and reporting processes, thereby enriching data with threat context as operations in the
cyberspace domain are further developed. Integrating structured analytic techniques into cyberspace and
intelligence operations sets the stage for defining requirements for a unified toolset and serves as the
basis for standards.
Conclusion
The Army faces continuous competition and conflict in the cyberspace domain; the need for unified reporting
structures and processes further challenges the Army to gain an information advantage. By implementing and
enforcing structured analytic techniques, the Army can better exploit the information from the cyberspace
domain to achieve strategic, operational, and tactical results. Using structured analytic techniques will
also drive requirements for architectural and procedural standards needed to implement viable solutions.
NETCOM G-2 is currently conducting training and implementing analytic techniques to improve network defenses
and enhance incident management and reporting processes. NETCOM G-2 plans to capture their CTI tactics,
techniques, and procedures and share them with the intelligence community. Developing and implementing CTI
techniques will significantly improve the Army's defenses in the cyberspace domain because they enable a
more proactive posture.
Endnotes
1
Government Accountability Office, Information Technology and Cybersecurity: Significant
Attention Is Needed to Address High-Risk Areas, GAO-21-422T (Washington, DC, 2021), 1, https://www.gao.gov/products/gao-21-422t.
2
Government Accountability Office, DoD Cybersecurity: Enhanced Attention Needed to Ensure
Cyber Incidents Are Appropriately Reported and Shared, GAO-23-105084 (Washington, DC, 2022),
highlights, https://www.gao.gov/products/gao-23-105084.
3 Larry G.
Wlosinski, “Cyberthreat Intelligence as a Proactive Extension to Incident Response,”
ISACA Journal 6 (Online Exclusive, November 2, 2021), https://www.isaca.org/resources/isaca-journal/issues/2021/volume-6/cyberthreat-intelligence-as-a-proactive-extension-to-incident-response.
4 Adam
Zibak, Clemens Sauerwien, and Andrew Simpson, “A Success Model for Cyber Threat Intelligence
Management Platforms,” Computers & Security 111 (December 2021), https://doi.org/10.1016/j.cose.2021.102466.
5 Figure
adapted from original by author,Joseph Rudell.
6
“ATT&CK,” The MITRE Corporation, accessed June 27, 2023, https://attack.mitre.org/. An open knowledge base of adversary
tactics and techniques based on real-world observations used for developing threat models and
methodologies.
7
“Cyber Kill Chain,” Cyber, Lockheed Martin, accessed June 27, 2023,
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html. A framework for
understanding an adversary's cyber-attack tactics, techniques, and procedures.
8 Sergio
Caltagirone, Andrew Pendergast, and Christopher Betz, The Diamond Model of Intrusion Analysis
(Hanover, MD: Center for Cyber Intelligence Analysis and Threat Research, 2013), https://apps.dtic.mil/sti/citations/ADA586960.
Authors
CW2 Travis M. Whitesel is the U.S. Army Network Enterprise Technology Command (NETCOM)
G-2 Regional Cyber Center Coordinator. He received his appointment as a warrant officer in February 2019
and served as an all-source intelligence technician for Delta Company, 65th Brigade Engineer Battalion,
2nd Infantry Brigade Combat Team, 25th Infantry Division. He holds a bachelor’s degree from
American Military University.
Mr. Joseph S. Rudell is a former Department of the Army Civilian Cyber Threat
Intelligence Analyst. He led the NETCOM G-26 Cyber Threat Intelligence Team. He began his Army career in
2008 as a defense contractor with the Theater Network Operations and Security Center Continental United
States (CONUS) performing intrusion analysis and later overseeing the U.S. Army CONUS sensor grid. He is
currently a solutions integration engineer at the University of Arizona's College of Applied Science
and Technology Cyber Convergence Center.
Contributors
LTC Brian J. Lenzmeier, NETCOM G-2 Analysis and Control Element Chief
CPT Jason L. Scaglione, NETCOM G-2 Analysis and Control Element Deputy Chief
CW2 John W. Becker, Regional Cyber Center-Pacific Intelligence Support Element
CW2 Jeff B. Newsome, Regional Cyber Center-Europe Intelligence Support Element
SFC Trestan Savoy, Regional Cyber Center-Pacific Intelligence Support Element