Overcoming Obstacles to Cyberspace Threat Intelligence

By Chief Warrant Officer 2 Travis M. Whitesel and Mr.Joseph Rudell

Article published on: July 2024 in the Engineer 2024 Annual issue

Read Time: < 9 mins

Discussion of the commercial products and services in this article does not imply any endorsement by the U.S. Army, the U.S. Army Intelligence Center of Excellence, or any U.S. government agency.

This article is primarily relevant to intelligence professionals supporting cyberspace operations at the U.S. Army Cyber Command and the U.S. Army Network Enterprise Technology Command. However, with the intelligence profession's continuing expansion and overlap into the cyberspace domain, the article will serve as a primer for discussion about obstacles facing those in the digital fight.

Introduction

The U.S. Army Network Enterprise Technology Command (NETCOM) G-2 is developing and implementing cyberspace threat intelligence (CTI) techniques to protect the Department of Defense Information Network-Army (DoDIN-A). However, current challenges with the incident management and reporting processes hinder the intelligence community's ability to provide relevant and predictive intelligence to drive operations. This article captures the lessons learned and obstacles identified by NETCOM G-2 while implementing new tactics, techniques, and procedures. The article also conveys recommendations assisting the signal community with enabling CTI for improved threat visibility within the cyberspace domain.

Issues of the Cyberspace Domain

Current challenges with the cyberspace domain's incident management process include:

  • Lack of investment in a unified toolset for incident management.
  • Lack of standardization in the reporting process.
  • Misunderstanding of the role of intelligence within the process.

These obstacles significantly hinder predictive analysis and an in-depth examination of the domain's problem sets. Resolving these problems will enable better protection and sustainment of the DoDIN-A.

Lack of Investment in a Unified Toolset. This failure to invest in a unified toolset for incident management significantly affects reporting procedures because the incident management instrument is different for each network provider.Government Accountability Office reporting highlights the problem, indicating that in spite of investing $100 billion annually into information technology and cyberspace-related infrastructure, the federal government has yet to achieve effective results.1 This failure to produce practical outcomes is partially a product of not learning from past mistakes. Each incident on the DoDIN is an opportunity to understand our visibility gaps, process failures, and configuration requirements. The approximate 12,000 cyberspace attacks against the Department of Defense (DoD) and defense industrial base since 2015 compound the issue, emphasizing the adversary's intent and capability.2 (NETCOM G-2 assesses this number to be significantly higher.) A unified incident management toolset would provide insight into the process failures and the threat's intent and capability, which would further improve the Army's response through subsequent analysis. The incident management toolset is the primary entry point to capture information about cyberspace attacks. Both industry and the various service components have proposed unified toolsets; however, to date they have not captured requirements to collect the relevant information to enable future analysis and data sharing.

Lack of Standardization in the Reporting Process. This failure to standardize incident management reporting requires analysts to apply more strenuous analytic rigor to identify factors for creating relevant and timely intelligence. Additionally, employing multiple toolsets coupled with the required fields and descriptions of incidents varies across the DoDIN-A enterprise. These problems degrade the ability to diagnose an incident with structured analytic techniques.

The 12,000 documented cyberspace attacks since 2015 should serve as a foundation for understanding cyberspace threat capabilities, common targets, and trends in threat avenues of approach. However, the information available in official repositories about these attacks is principally limited to incident response actions and status without addressing the attack's techniques, targets, and key indicators. When an attack occurs in the physical domain, the operational report includes all available information, including the number of enemy personnel, potential descriptions, their capabilities, when and how the attack occurred, and descriptions of any related artifacts. To be effective in the cyberspace domain, operatives must capture the same level of detail about cyberspace attacks. Through standardization of the incident management reporting process, CTI will improve the defense of the DoDIN-A.

Misunderstanding of the Role of Intelligence. Integrating intelligence into incident management processes is essential, and the Army must actively implement procedures to include it. One critical obstacle to implementation is the inability of intelligence professionals to access and complete incident records in a timely manner. This is attributable to a misunderstanding of the role of intelligence in the incident management process. The incident management and intelligence processes overlap and have similar activities intended for different purposes. (See figure on the next page.) The main difference is that, while incident management in cyberspace operations aims to respond to and eradicate the current threat, intelligence personnel want to exploit and analyze the information to answer intelligence requirements and reduce futurethreats. Concerns about impacting ongoing cyberspace operations or intelligence oversight lead to hesitation in allowing intelligence analysts to view DoDIN-A data. However, the areas of operations are friendly networks and incident management data, which have limited risk of exposing identifying information, with regulations and processes for handling evidence involving U.S. persons or operational requirements.

Incident response operations narrowly focus on resolving the immediate incident. Often, the process merges into the next incident without anyone conducting a structured analysis to capture details or create an understanding of the incident in a broader context relating to the DoDIN-A. Integrating intelligence into the incident management process allows the information obtained during an investigation to be stored, contextualized, and exploited without the time constraints of preparing for the next operational response. By design, the intelligence process will capture information and identify data gaps overlooked in the initial operational response and provide a more detailed understanding of the Army's visibility gaps in context with DoDIN-A threats. In conjunction with the incident management process, this analysis will help prioritize defensive measures for the DoDIN-A while making educated risk decisions.

Successes in the Commercial Environment

CTI's successes in the commercial domain provide lessons learned and operating guidelines for the Army to consider when developing its own CTI organizations and techniques. Commercial environment CTI teams often include individuals with a variety of skill sets who perform multiple roles simultaneously. In 2018, Microsoft Corporation revealed that their CTI team included, among other professionals, a lawyer, a traditional intelligence analyst, an experienced cyberspace analyst, and a technical writer. Other organizations incorporate unique skill sets within their CTI teams tailored to their work environments. The Army has well-defined incident management processes, but a variety of specific laws and regulations impose unique constraints. Collaboration within the limits of those constraints, however, can expedite CTI and speed implementation of commercial processes. Based on the NETCOM G-2's experience, when choosing the correct commercial process to adopt, one that nests CTI into a security operations center can overcome the need for individual analysts with multiple roles or individuals with specialized skill sets.

Another commercial CTI advantage is access to multiple data sets for analysis and enemy detection. This allows commercial CTI analysts to corroborate data sets, which delivers significantly more context to incidents and can shorten the time to understand the complex environment.3 Access to operational data is a key enabler for commercial CTI operations and provides better defenses for protecting their respective networks. The commercial sector successfully highlights the importance of incident management data for completing CTI tasks, which the Army can leverage for success.

The commercial CTI sector has access to functional toolsets that assist in discerning complex information. Often, one incident management service provides the data. The commercial sector's capability to standardize incident management data and conform it to a singular toolset provides CTI professionals with familiarity and superior functionality.4 This allows the commercial sector to calibrate toolsets to their mission, taking advantage of professionals with longevity within the company. These commercial successes emphasize the DoD's need to adopt a unified incident management system. They also underscore the necessity of employing a toolset and environment that allows the analyst to access, manipulate, and move information to support their mission.

Overlap of the Intelligence and Incident Management Processes.5

Integrating Cyber Threat Intelligence

Although many of the analytical techniques and processes used in commercial CTI originated with military intelligence, the Army can benefit from leveraging commercial processes because of that sector's sustained and documented successes. Several companies offer CTI techniques to deter adversaries operating on a network and improve sensors for hardening a network. The Army can successfully integrate commercial CTI structures without completely reworking current organizational structures. A dedicated effort by the Army to unify toolsets and standardize processes can significantly impact the visibility and security of the cyberspace domain. One way to accomplish this is to introduce and apply structured analytic techniques.

Intelligence professionals are already familiar with structured analysis. They use cognitive processes and analytic tools and techniques to solve intelligence problems. Multiple cybersecurity structured analytic techniques exist that can serve as a common language between the cyberspace and the intelligence communities. These include the MITRE ATT&CK Matrix, the Cyber Kill Chain, and the Diamond Model. These frameworks and techniques provide a baseline for communication and improve how intelligence professionals and cyberspace defenders approach cyberspace incidents.

Mapping an attack through the MITRE ATT&CK Matrix framework empowers analysts to communicate how an adversary attempts to penetrate the network. 6 provide the intelligence community with a way to structure adversary capabilities quickly, identify how they apply to friendly networks, and present that information to cyberspace defenders. Implementing a common language between incident management and intelligence will result in a better understanding of attacks against the DoDIN-A and provide data in a structure that analysts can leverage to prioritize network defense, identify future capability requirements, and enable proactive decisions by leadership.

An integral component of Lockheed Martin's Intelligence Driven Defense model, the Cyber Kill Chain provides intelligence analysts with a method to examine cyberspace attacks and advise cyberspace operators on adversarial actions targeting friendly networks. It is a framework that deconstructs a cyberspace attack into seven steps to understand the adversary's actions and objectives.7 Viewing intrusions through the lens of the kill chain ensures cyberspace defenders capture all relevant information about an attack. A detailed kill chain allows intelligence analysts to use the same information to conduct trend analysis on successful threat techniques and friendly visibility gaps. Mapping an attack to gain visibility of flaws is critical for enabling the Army to prevent future attacks.

The Center for Cyber Threat Intelligence and Threat Research created the Diamond Model of Intrusion Analysis to depict cyberspace attacks. 8 The tool relies on four different subsets of an attack: infrastructure, victim, capability, and adversary. Viewing an intrusion through this framework allows analysts to provide context to an attack through behavioral and technical choices. This strategy reveals similarities between attacks and enables intelligence professionals to identify related incidents, differentiate possible threat relationships, and identify unique traits. These capabilities are especially important because a sizable proportion of intrusions remain unattributed. The Diamond Model, when coupled with the Cyber Kill Chain, enables in-depth questioning of incident data, which can support operational and strategic requirements.

Combining these three structured analytical techniques—the MITRE ATT&CK Matrix, the Cyber Kill Chain, and the Diamond Model—provides a foundational process to gain an advantage in the cyberspace domain and capture quantifiable data to which analysts can apply analytical methods, an approach that is currently missing from DoDIN-A operations and the intelligence enterprise. These commercial techniques can help address a CTI shortfall left by a gap in regulations, training, and doctrine. The Army intelligence community can benefit from using these additional structured analytic techniques to expand the incident management and reporting processes, thereby enriching data with threat context as operations in the cyberspace domain are further developed. Integrating structured analytic techniques into cyberspace and intelligence operations sets the stage for defining requirements for a unified toolset and serves as the basis for standards.

Conclusion

The Army faces continuous competition and conflict in the cyberspace domain; the need for unified reporting structures and processes further challenges the Army to gain an information advantage. By implementing and enforcing structured analytic techniques, the Army can better exploit the information from the cyberspace domain to achieve strategic, operational, and tactical results. Using structured analytic techniques will also drive requirements for architectural and procedural standards needed to implement viable solutions. NETCOM G-2 is currently conducting training and implementing analytic techniques to improve network defenses and enhance incident management and reporting processes. NETCOM G-2 plans to capture their CTI tactics, techniques, and procedures and share them with the intelligence community. Developing and implementing CTI techniques will significantly improve the Army's defenses in the cyberspace domain because they enable a more proactive posture.

Endnotes

1 Government Accountability Office, Information Technology and Cybersecurity: Significant Attention Is Needed to Address High-Risk Areas, GAO-21-422T (Washington, DC, 2021), 1, https://www.gao.gov/products/gao-21-422t.

2 Government Accountability Office, DoD Cybersecurity: Enhanced Attention Needed to Ensure Cyber Incidents Are Appropriately Reported and Shared, GAO-23-105084 (Washington, DC, 2022), highlights, https://www.gao.gov/products/gao-23-105084.

3 Larry G. Wlosinski, “Cyberthreat Intelligence as a Proactive Extension to Incident Response,” ISACA Journal 6 (Online Exclusive, November 2, 2021), https://www.isaca.org/resources/isaca-journal/issues/2021/volume-6/cyberthreat-intelligence-as-a-proactive-extension-to-incident-response.

4 Adam Zibak, Clemens Sauerwien, and Andrew Simpson, “A Success Model for Cyber Threat Intelligence Management Platforms,” Computers & Security 111 (December 2021), https://doi.org/10.1016/j.cose.2021.102466.

5 Figure adapted from original by author,Joseph Rudell.

6 “ATT&CK,” The MITRE Corporation, accessed June 27, 2023, https://attack.mitre.org/. An open knowledge base of adversary tactics and techniques based on real-world observations used for developing threat models and methodologies.

7 “Cyber Kill Chain,” Cyber, Lockheed Martin, accessed June 27, 2023, https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html. A framework for understanding an adversary's cyber-attack tactics, techniques, and procedures.

8 Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, The Diamond Model of Intrusion Analysis (Hanover, MD: Center for Cyber Intelligence Analysis and Threat Research, 2013), https://apps.dtic.mil/sti/citations/ADA586960.

Authors

CW2 Travis M. Whitesel is the U.S. Army Network Enterprise Technology Command (NETCOM) G-2 Regional Cyber Center Coordinator. He received his appointment as a warrant officer in February 2019 and served as an all-source intelligence technician for Delta Company, 65th Brigade Engineer Battalion, 2nd Infantry Brigade Combat Team, 25th Infantry Division. He holds a bachelor’s degree from American Military University.

Mr. Joseph S. Rudell is a former Department of the Army Civilian Cyber Threat Intelligence Analyst. He led the NETCOM G-26 Cyber Threat Intelligence Team. He began his Army career in 2008 as a defense contractor with the Theater Network Operations and Security Center Continental United States (CONUS) performing intrusion analysis and later overseeing the U.S. Army CONUS sensor grid. He is currently a solutions integration engineer at the University of Arizona's College of Applied Science and Technology Cyber Convergence Center.

Contributors

LTC Brian J. Lenzmeier, NETCOM G-2 Analysis and Control Element Chief

CPT Jason L. Scaglione, NETCOM G-2 Analysis and Control Element Deputy Chief

CW2 John W. Becker, Regional Cyber Center-Pacific Intelligence Support Element

CW2 Jeff B. Newsome, Regional Cyber Center-Europe Intelligence Support Element

SFC Trestan Savoy, Regional Cyber Center-Pacific Intelligence Support Element