Given the obfuscation afforded to actors in cyberspace and the low barrier of entry, cyber protection teams within the U.S. Central Command area of responsibility were conducting no more than two missions a year, as they were becoming bogged down in preparatory intelligence for defensive operations.
In turn, CENTCOM developed a cyberthreat prioritization model to resolve the issues surrounding intelligence preparation of the environment, otherwise known as IPE, which is the work that comes before a cyber protection team, or CPT, heads out on a defensive mission.
A threat prioritization model serves as an analysis tool, combining information from cyber defenders and managers, said to Marlene Kovacic, a cyberspace branch senior intelligence analyst at CENTCOM and defensive cyber operations team lead, who spoke at the DoDIIS Worldwide Conference on Tuesday.
Moreover, these models are an “intelligence driven analytical matrix from a structured data model to characterize and prioritize adversary groups,” according to a slide from her presentation. “It is used in order to determine the weight of each intrusion set, enabling defensive operations to make planning decision on how to protect critical infrastructure with defensive cyberspace operations.”
“The model came to be mainly because our cyber protection teams ... the ones that are assigned for Central Command [from Cyber Command] … were asked to speed up their IPE development process because the analysts were taking so long developing IPE because the threat space is really big,” Kovacic said. “The CPTs were limited to one, maybe two missions a year, which is not really using the CPTs efficiently.”
CPTs of U.S. Cyber Command act as cyber swat teams, responding to breaches for a short amount of time to make recommendations and get networks back online. They are also organized by task based on assets directed by the commander.
The defensive missions themselves are done by the commander’s priorities, Kovacic said. Whatever the commander’s priorities are for that theater, CPTs perform the defensive mission and bring back an assessment. This was the case when the CPTs were tasked to protect a Terminal High Altitude Area Defense battery in South Korea.
The analysts, she said, were taking a long time to look at what threat indicators to concentrate on, what threat actors are most important and so on.
The model they ended up developing was adopted and modified from a similar prioritization model devised by the Army’s intelligence directorate. However, the Army’s traditional model did not fit the bill for the CPTs because within nation-states there are a plethora of unique tactics, techniques and sophistication levels by other threat actors, and because the CPTs would try to cover that every time there was mission, which wasn’t working out, she noted.
The model, referred to as A.C.A.R.E., was a great foundation to work with and modify to fit the bill of CPTs. It has seven categories to evaluate an intrusion or threat actor, each of which has a score of 1-5:
- Activity: number of reported incidents in a given time frame.
- Capability: technical ability.
- Access: ability to gain and maintain access to a network of interest.
- Resources: available assets.
- Expertise: ability to implement/create solutions.
- Intent: Intent 1: desire to conduct offensive operations; Intent 2: desire for data.
Kovacic described the “intent” portion as the biggest change from the traditional A.C.A.R.E. model, given that intent is a huge driver in cyberspace. Intent 1 involves offensive operations, or the desire to conduct, disrupt, deny and degrade, while Intent 2 would be the desire for intelligence collection and information gathering.
Intent was to be the big balancer, she said, noting that if the intrusion actor scored high on the A.C.A.R.E. but the intent was low, that actor would make it on the list but it would cue the analyst to perhaps just watch for a change in intent going forward.
Conversely, if the A.C.A.R.E score was low for the threat actor, but the intent was high, it cues the analyst to watch for developing techniques in the data. That would drive the score higher.
Intelligence support to cyber defense is difficult, Kovacic said, adding that they’re basically just putting out finders with the CPTs identifying a problem, and the team trying to develop a fix.
Greater intelligence support is something CPTs have been requesting for some time.
Kovacic says the CPT A.C.A.R.E. model has been a success because it decreases IPE time by 85 percent. Whereas CPTs in CENTCOM were only able to conduct one or two missions per year, they now conduct three missions in less than six months.
The model has been adopted by U.S. Northern Command and U.S. Africa Command. Because CPT personnel in CENTCOM liked the model, other CPTs supporting NORTHCOM and AFRICOM jumped on board, Kovacic said.
While Cyber Command was invited to participate with the CENTCOM A.C.A.R.E. model, it did not attend.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.