Hunt Cyber Threats
By Lieutenant Raymond Dennis, U.S. Navy
A Quick Intelligence 101 Quiz
Q: How can an intelligence team help prepare a force for war?
A: Conduct intelligence preparation of the environment (IPOE).
Q: When war commences, how can that same force hunt the threat?
A: Target using the process of find, fix, finish, exploit, analyze, and disseminate (F3EAD).
The answers to these questions have long applied in the physical battle space. Today, they apply in cyberspace.
Back to Basics
IPOE and F3EAD are not new concepts. Both occur throughout the intelligence and special operations communities, and prolific use during the wars in Afghanistan and Iraq is well documented. Using IPOE and F3EAD to hunt cyber threats is an opportunity to use well-established concepts against new threats.
Applying IPOE
IPOE is a four-step process for delivering intelligence to decision makers and operators—even those working in cyber. The process is ongoing; it occurs as time, resources, and intelligence allow. Completing each step of intelligence preparation is key prior to targeting cyber threats through F3EAD.
Step 1: Define the operational environment. The process begins by defining where the threat operates, considering the town, province, or region for the planned area of operations (AO). In cyber, the AO is the network. It is the collection of workstations, servers, and network devices. The prosecution of threats requires knowledge of the AO’s scope, which means planners must consider the areas of influence (AI) that affect where operations may occur. For example, if U.S. forces operate in Iraq (the AO), how do events in Iran or Syria (the AI) influence threats in Iraq? Cloud-based services operated by external organizations fall in the AI. While an operation may not be able to control cloud services—such as Amazon Web Services or Akamai regional nodes—their availability and integrity are integral to an operation’s security.
Step 2: Describe the operational environment. Against normal threats, physical and human terrain would be factored in, as well as the role landscape and weather may play during operations. In cyber, planners also need to describe network configurations and limitations, and explore the software and programmatic rules that run on the threat organization’s network as defined in Step 1. Like the physical space, there is a correlation between the size of the AO (or network) and the complexity of describing the AO. For example, how do a Palo Alto firewall and Blue Coat proxy server interface with Proofpoint’s email protection capabilities?
Step 3: Evaluate the threat. Next, planners evaluate the threats that operate within the AO, considering how the AO described in Step 2 affects threat operations. In cyber, the threat is often mysterious. Much like today’s non-state actors, the next cyber threat may not follow a script or doctrine; multifaceted threats are the new norm. Regardless, a cyber-focused operations team needs to study previous threats to glean information and develop a holistic picture. Knowledge of the common threats—malware types, advanced persistent threats, botnets, and common attack vectors—improves the ability to identify potential threat courses of action.
Step 4: Determine threat courses of action. Planners must determine the threat’s most likely action and consider alternatives, including the threat’s most dangerous course of action and other potential attempts to achieve its goals. Like intelligence in other fields, cyber threat intelligence must be timely, accurate, relevant, and predictive. In cyber, planners use the information from Steps 1 through 3 to predict the threat.
Applying F3EAD
F3EAD is a targeting process. It is a methodical, efficient approach to hunt known threats and develop leads for emerging threats. Although F3EAD is most often associated with human targets, it also applies to hunting cyber threats.
Step 1: Find the threats. Cyber sensors—the hardware and software systems—require tuning to find threats and reduce time spent chasing false positives. Much like the intelligence community’s physical collection sensors (e.g., geospatial or signals intelligence satellites), cyber defense appliances, software applications, and custom-built detection scripts require maintenance. Cyber sensors’ ability to find complex malware will diminish without periodic review and refinement. By tuning sensors, operators extend their capabilities to find cyber threats and, in turn, create a fix on malicious potential.
Step 2: Identify and fix the threat. Once found, threat identification is key. Locating, understanding, and communicating a threat’s scope will improve the chances for a successful finish. Educate the force on past attacks if known. Like operating in the physical space, time is of the essence. Myriad commercially procured tools and cybersecurity consortiums exist to exchange information. In the case where a cyber threat is previously unknown or has evolved, it is important to share—to the greatest extent possible—information on its modus operandi.
Step 3: Finish the threat. The next step is eliminating the threat. If a threat-affected network connection exists, so does the threat’s ability to operate. After isolation, finishing the threat requires understanding where it operates (likely acquired during the fix phase). For example, using antivirus software to delete an infected document may seem to finish a threat. But what if that same document could establish a connection with an adversary’s command-and-control server to exfiltrate sensitive data before deletion? Purging the initial document does not solve the long-term problem for future, similar threats. In this case, understanding the infected file’s connectivity through the network and taking mitigating action (e.g., altering firewall rules or updating antivirus software) is critical. Throughout the finish phase, consider the importance of the following phase—exploitation.
Step 4: Exploit the threat. Begin the exploitation phase by collecting all available information. For example, comb system logs to decipher the threat’s attack vector, malicious intent, scope across the network, and originating source. To the greatest extent possible, call on cybersecurity professionals to deconstruct the threat. Cyber threats are often buried in obfuscated code to further impede and confuse. While exploitation can prove difficult without cyber expertise, it is essential to threat analysis.
Step 5: Analyze the threat. Planners must review the collected information to adjust cyber defenses. Analysts use the same critical thinking skills that apply to traditional intelligence to assess cyber threats. Cyber analysts determine the relationship between comparable threats to help classify or assign attribution. Before completing the analyze phase, consider the consequences of threat persistence to the network and assess the finish phase’s success—danger lies in a lingering, undetected threat.
Step 6: Disseminate information on the threat. The learning curve in cyberspace is steep, making education essential in preventing threats from recurring. Standardizing the process, format, and delivery method for information dissemination reduces the learning curve for understanding future threats. Cyber professionals should educate their greater team and its trusted partners to the largest extent allowed, as a follow-on to those communications from the fix phase.
Facilitating both information push (distributing a routine email or holding a weekly meeting) and information pull (posting threat updates to a portal or discussion forum) increases dissemination reach. In the end, the dissemination of threat data is an opportunity to develop leads for new threats.
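The six F3EAD steps above, run as one cycle over constructed log records. This is an added example, not material from the article; the hostnames, file names, timestamps, block time, and the record layout (timestamp, host, destination, event type, detail) are all assumptions.

```python
"""Added example: the article's F3EAD cycle run over constructed log records.
Not code from the article. Hostnames, file names, timestamps and the record layout
are assumptions; the '.invalid' names are placeholders, not real indicators.
"""
from collections import defaultdict

# Constructed proxy/firewall events (placeholders, not real IoCs).
LOGS = [
    ("2017-03-01T08:00:01", "ws-101", "mail.corp.local", "attachment_open", "invoice.docm"),
    ("2017-03-01T08:00:09", "ws-101", "c2.example.invalid", "http_connect", "POST 4096"),
    ("2017-03-01T08:05:00", "ws-102", "updates.vendor.invalid", "http_connect", "GET 512"),
    ("2017-03-01T08:07:33", "ws-107", "c2.example.invalid", "http_connect", "POST 2048"),
    ("2017-03-01T09:00:00", "ws-101", "c2.example.invalid", "http_connect", "POST 4096"),
    ("2017-03-01T10:15:00", "ws-107", "c2.example.invalid", "http_connect", "POST 4096"),
]
INTERNAL_SUFFIX = ".corp.local"
# Sensor tuning (find phase): known-benign external destinations stop producing false positives.
ALLOWLIST = {"updates.vendor.invalid"}

def find(logs, allowlist=ALLOWLIST):
    """Find: external connections the tuned sensor cannot already explain."""
    return [e for e in logs
            if e[3] == "http_connect"
            and not e[2].endswith(INTERNAL_SUFFIX)
            and e[2] not in allowlist]

def fix(hits):
    """Fix: scope each suspect destination to the hosts that reached it and when it was first seen."""
    scope = defaultdict(lambda: {"hosts": set(), "first_seen": None})
    for ts, host, dest, _, _ in sorted(hits):
        scope[dest]["hosts"].add(host)
        if scope[dest]["first_seen"] is None:
            scope[dest]["first_seen"] = ts
    return dict(scope)

def finish(scope):
    """Finish: block the destination and isolate every host in scope, not just delete a file."""
    actions = []
    for dest, info in sorted(scope.items()):
        actions.append(f"firewall: deny outbound to {dest}")
        actions += [f"isolate: {h}" for h in sorted(info["hosts"])]
    return actions

def exploit(logs, scope):
    """Exploit: events on affected hosts that precede the first beacon point at the attack vector."""
    return {dest: [e for e in logs
                   if e[1] in info["hosts"] and e[0] < info["first_seen"]
                   and e[3] != "http_connect"]
            for dest, info in scope.items()}

def analyze(logs, dest, block_time):
    """Analyze: beacons after the block went in mean the finish did not hold (lingering threat)."""
    return sorted({e[1] for e in logs
                   if e[2] == dest and e[3] == "http_connect" and e[0] > block_time})

def disseminate(dest, scope, vectors, lingering):
    """Disseminate: a fixed-format record so partners receive the same fields every time."""
    return {"indicator": dest,
            "affected_hosts": sorted(scope[dest]["hosts"]),
            "first_seen": scope[dest]["first_seen"],
            "attack_vector": [e[4] for e in vectors[dest]],
            "persistence_after_block": lingering}

def run_cycle(logs, block_time="2017-03-01T08:10:00"):
    """Run all six steps; block_time is when the finish-phase firewall rule is assumed applied."""
    scope = fix(find(logs))
    vectors = exploit(logs, scope)
    reports = [disseminate(d, scope, vectors, analyze(logs, d, block_time)) for d in scope]
    return finish(scope), reports

if __name__ == "__main__":
    actions, reports = run_cycle(LOGS)
    print("\n".join(actions))
    print(reports)
```

With the assumed block time, the beacons logged afterwards show the hosts were never isolated, which is exactly the lingering-threat condition the analyze phase is meant to catch.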
Where Cyber Diverges
General Stanley McChrystal, former commander of U.S. Special Operations Command, explained in his 2011 TED talk how a “team of teams” develops an in-depth understanding of the operational environment to target threats. Yet, F3EAD by itself can be counterproductive in the physical battle space. In Newsweek (September 2009), McChrystal said:
“If you encounter 10 Taliban members and kill two, you don’t have eight remaining enemies. You have more like 20: the friends and relatives of the two you killed.”
When it comes to applying IPOE and F3EAD in defensive cyber operations, the rules of physical space diverge from those of cyberspace. Finishing a cyber threat does not create yet another, more vindictive generation of advanced persistent threats, black hats, or script kiddies. Although cyber threats may be devoid of the emotions inherent in the physical space, they can persist in cyberspace long after the originating developer or isolating host systems are stopped.
For the foreseeable future, cyber is a target-rich environment. Intelligence preparation is the key to hunting these threats.
Decoding Cybersecurity Language
Advanced persistent threat is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intent of the attack is to steal data rather than to cause damage to the network or organization.
Akamai operates the world’s largest cloud-based platform for distributing and accelerating web content by using a network of data centers around the globe.
Amazon Web Services is a secure cloud-services platform, offering compute power, database storage, content delivery, and other functionalities that can scale and grow.
Attack vector is a path for gaining access to a computer or network to achieve a malicious and unauthorized outcome.
Black Hat describes someone who attempts to compromise or exploit computer systems for malicious purposes or personal gain (as opposed to a White Hat, who conducts authorized penetration testing to test and improve cybersecurity).
Blue Coat provides web security solutions for global enterprises. Its web proxy solution helps prevent web browsing to malicious sites by unsuspecting users.
Botnet is a group of computers set to forward malicious transmissions across a network without user knowledge.
Palo Alto Networks offers security tools that protect against cyberattacks. Its firewall capability can allow or deny access across networks based on customized rules, locations, or other technical attributes.
Proofpoint protects against advanced threats and compliance risks. Its email defense capabilities can protect against threats such as malicious attachments or phishing attempts.
Script kiddies lack cyber expertise but use existing scripts to conduct cyberattacks.
High End Threats Demand Cold War Deception
By Commander Bryan Leese, U.S. Navy
China’s rapid military modernization and buildup have been a wake-up call for the United States. We now realize that the past three decades of unfettered access to the global commons were an aberration, not our birthright. Chinese land-based antiship ballistic missiles (ASBMs), long-range antiship cruise missiles (ASCMs), a blue-water-capable navy, and cyber operations have forced reflection back to the heady days of the Cold War.
China is not the only current challenger to the global commons, and a reemerging Russia may be a bigger threat. The Russian Navy’s increased operations in the Atlantic Ocean and the Mediterranean and Black seas—including with modern, capable submarines—have forced the West to reconsider the operational maritime environment.
Fortunately, we have relevant historical lessons to apply to today’s Chinese and Russian military challenges.
“Hiding in Plain Sight”
In his article “Hiding in Plain Sight,” Robert G. Angevine offers that the problems of long-range antiship threats and information warfare are not new.1 The Cold War forced the Navy to experiment with tactics, techniques, and procedures (TTP) focused on electronic emission control and deception to disrupt an adversary’s ability to identify, track, and target ships at sea. The TTPs developed in the Cold War were part of the Navy’s electromagnetic maneuver warfare concept. A series of experiments called Haystack and Uptide can help us develop a solution to our current problems.
Haystack looked for a way the Navy could hide its high-value units (HVUs)—like aircraft carriers and large-deck amphibious warships—from Soviet ASCM platforms. Uptide focused more specifically on dealing with the emerging Soviet submarine-launched ASCM threat.
Jonathan F. Solomon’s thesis, “Defending the Fleet from China’s Anti-Ship Ballistic Missile: Naval Deception’s Roles in Sea-Based Missile Defense,” fleshes out the Haystack and Uptide exercises, detailing the action, counteraction, and counter-counteraction of the targeting game played by the U.S. and Soviet navies. Solomon explains the Soviet Ocean Surveillance System (SOSS) and its co-emergence with Soviet missile developments.2 Soviet engineers developed longer and longer ranged missiles, but without the ability to target U.S. ships at long range, the utility of extended-range missiles was limited. So, the Soviets developed over-the-horizon targeting using terrestrial- and space-based systems. The U.S. Navy countered with decoys such as integrated cover and deception systems that could make a frigate appear electromagnetically to be an HVU. The U.S. and NATO navies practiced strict emissions control procedures, paid more than lip service to electronic warfare, and developed airborne early warning radars to detect Soviet bombers before they could detect us.
In the 1990s, after the fall of the Soviet Union and the success of Operation Desert Storm, the U.S. Navy forgot what it had learned from having to deal with Soviet long-range threats. Sea control became a given, and the Navy focused on power projection—until the emergence of China’s new antiaccess/area denial (A2/AD) weapons, tactics, and strategies.
Solomon writes of a U.S. Navy playing “catch up” during the Cold War, trying to thwart the Soviet ability to hold our ships at risk.3 It is unlikely, however, that U.S. efforts were solely in reaction to the Soviets, but rather were more a “ping-pong” game of offensive and defensive capability development. It is clear that once the Navy recognized the importance of operational security, electromagnetic maneuver, and countertargeting it brought to bear significant resources. The Fleet Composite Operational Readiness Group—created in 1970 and later renamed the Fleet Deception Group—demonstrated the Navy’s understanding that systematic deception practices were needed to prevail in combat against the peer adversary of the Soviet Navy.
Assessing Today’s Chinese Ocean Surveillance System
Sections of Solomon’s thesis take the antiaccess threat discussion further, comparing today’s Chinese system to the Soviet Cold War system. The Chinese DF-21D ASBM parallels the (Soviet) Backfire-C bomber combined with the AS-4/Kitchen missile in tactical reach and lethality relative to its target. Although the DF-21D has a degree of responsiveness and accuracy the Soviets could not achieve with their Cold War experimental antiship ballistic missile, the SS-NX-13, the architecture and doctrine of the Chinese ocean surveillance system (COSS) appear just as centralized and theoretically as vulnerable to electronic neutralization, physical destruction, and tactical deception as those of the Soviet system.4
China, Solomon appears to offer, has advanced the Soviet reconnaissance and strike architecture to include the land-based ASBM capability the Soviets always wanted but geography and technology prevented them from having. The Chinese Communist Party’s centralized power bleeds into the COSS and may create opportunities for systematic deception to be effective. Solomon believes the Chinese may have initial success in the early salvo of a conflict, but U.S. joint forces and allies can be successful at neutralizing it in the end.5
Conclusion
History is best used to ignite discussions about the current environment, problems, and approaches to solve them. The Cold War at sea provides grist for the discussion. Many of the TTPs established by the Fleet Deception Group are likely still in the archives and could be updated to complicate our present-day adversaries’ surveillance and targeting processes. Much can be done ashore through discussions, training, and war gaming. Eventually, we will need to test updated TTPs against opposition forces that closely replicate our real adversaries’ capabilities. Deception TTPs can be judged fully effective only when periodically tested against the adversary, like the Haystack and Uptide experiments against the Soviets. The Navy must bring back the Fleet Deception Group, creating a group of experts who can support integrated training and augment deployed strike groups. It must also expand its readiness model, known as the Optimized Fleet Response Plan, to include more electromagnetic maneuver and deception training at sea.
1. Robert G. Angevine, “Hiding in Plain Sight: The U.S. Navy and Dispersed Operations under EMCON, 1956–1972,” Naval War College Review, vol. 64, no. 2 (Spring 2011), 79–80.
2. Jonathan F. Solomon, Defending the Fleet from China’s Anti-Ship Ballistic Missile: Naval Deception’s Roles in Sea-Based Missile Defense (Washington, DC: Georgetown University Press, 2011), 34–65.
3. Ibid., 58.
4. Ibid., 69.
5. Ibid., 73–75.
A perspective on the Cold War in the Mediterranean in the early 1970s comes from Admiral Isaac Kidd’s February 1972 Proceedings article, “View from the Bridge of the Sixth Fleet Flagship.” Kidd paints a picture of a congested Mediterranean and a declining U.S. Navy fleet. One could easily think, “Hey, that is happening today,” but the article provides for deeper thought. Kidd focused on sea control and the protection of logistics assets. Contrary to many thinkers at the time, he viewed oilers and ammunition ships, not just aircraft carriers, as high-value units. He did not lament the ASCM threat directly, but the Soviet Navy’s growing ability to affect sea lines of communication concerned him. Kidd’s article exposed the old adage “amateurs talk tactics, professionals talk logistics” to further discussion. He poignantly noted, “The United States can no longer with impunity allow its oilers and other support ships to steam unescorted. Sea protection and sea control is critical to such ships. Sea control must be earned.”
Put a Radar on the Sierra
By Commander Wayne McAuliffe, U.S. Navy (Retired)
As the United States deploys more assets to the Pacific, missions will change and multitasking will be the order of the day. The Surface Fleet is adapting to new threats by looking at how we use the assets we have. U.S. Navy Vice Admiral Thomas Rowden and Rear Admirals Peter Gumataotao and Peter Fanta proposed the concept of “distributed lethality,” in the January 2015 Proceedings, recommending a series of added capabilities the Navy should pursue. Their list ranged from new pod-mounted antisurface missiles to a network of sensors providing theater-wide, near-real-time situational awareness. One capability that quickly would improve the fleet’s recognized maritime picture would be adding a maritime radar to the MH-60 Sierra helicopter.
Over the past several years, the emergence of the blue-water Chinese Navy and the resurgence of the Russian Navy have presented new sea control challenges. Antisubmarine (ASW) and antisurface warfare (ASuW) are back.
Today the Navy’s operational helicopter fleet is organized into two communities—Helicopter Maritime Strike (HSM) Squadrons and Helicopter Sea Combat (HSC) Squadrons. The former fly the MH-60 “Romeo,” the latter the MH-60 “Sierra.” While there is considerable commonality between the aircraft and some mission overlap, the two communities have distinctly different primary missions. The Romeo’s primary missions are ASW and ASuW. The Sierra’s primary missions are vertical replenishment (VERTREP), search-and-rescue (SAR), armed helicopter support, and airborne mine countermeasures.
These mission differences are reflected in the sensor suites in each aircraft. The Romeo is a sensor-rich platform. The Sierra is a single-sensor platform—it carries only the AAS-44C(V) multispectral (EO/IR) targeting system.
Deployed on aircraft carriers and escort ships, the Romeo is an integral part of a carrier strike group’s (CSG) intelligence, surveillance, and reconnaissance (ISR) team. It is key to surface surveillance in the immediate area around the carrier, and it contributes to the surface picture in the long-range surveillance area. Since its first deployment in 2009, the Romeo has been performing ISR, ASW, and ASuW to rave reviews.
Not to be outdone, the Sierra also has been performing well since its first deployment in 2003. In the VERTREP role it has replaced the formidable CH-46. As an armed helicopter, it has taken on the mission of defending the fleet from the surface threats presented by fast attack craft (FAC) and fast inshore attack craft (FIAC) while also supporting special operations forces.
CSGs generally deploy with 8 MH-60S and 11 MH-60R aircraft. They are based on the carrier, on escort ships, and on supply/support ships. This helo mix provides the CSG with assets to build and maintain the surface picture, fill in the ASW screen, move supplies, and cover contingencies—such as SAR, special warfare, and littoral operations.
Expeditionary strike groups (ESGs) often deploy with no surface combatants and only three Navy MH-60Ss. For dedicated surface surveillance, the ESG must rely on its own ships’ surface radars, which are limited by radar horizon. The Sierras assigned to the ESG are primarily for logistics and search-and-rescue (SAR); they can contribute to the surface picture only with their EO/IR sensor and their crew’s eyeballs. Even with proper training, the embarked Marine air wing is similarly ill-equipped for the surface surveillance mission.
ESGs are vulnerable to opposing surface ships with over-the-horizon sensor capabilities, as well as FAC/FIAC threats in the littorals. A quick answer to providing the ESG with better situational awareness is to provide escorts with MH-60 Romeos or radar-equipped MQ-8B and MQ-8C Fire Scout unmanned aerial vehicles. But demands to support carrier strike groups and the surface strike groups described in the new distributed lethality concept will only stress the inventory of surface combatants, Romeos, and Fire Scouts more.
Upgrading the Sierra to carry a multi-mode maritime radar would provide a surveillance solution to independent steaming surface combatants, ESGs, and logistics support vessels. Such a radar would have to be lightweight and small. Adding the APS-153 carried by the MH-60R would have negative consequences for VERTREP and armed helicopter missions. Space, weight, and power (SWaP) requirements would impact the ability of the Sierra to carry internal cargo and would limit its ability to operate from unprepared shore sites.
In 2016, the Navy selected Leonardo-Finmeccanica’s Airborne and Space Systems Osprey radar for the MQ-8C UAV. The Osprey is an X-band active electronically scanned array radar, and it has the capabilities a commander would want on the MH-60 Sierra. It provides maritime surveillance out to about 100 nautical miles and enables classification of surface contacts with the assistance of maritime classification aid software. The Osprey radar is small and light enough that it should be a good candidate for the Sierra.
Installation impact on the Sierra would be a consideration. Available space is limited in the nose avionics compartment, as is space on the airframe for mounting antennas. A nose-mounted system would limit the radar’s field of regard, and weapon pylons and missiles would limit a belly-mounted system as well.
A nose mount would leave a 120-degree (±60-degree) “blind arc” behind the Sierra because the fuselage would block the radar’s view. International navies, however, developed a series of “blind arc clearing turns” to accommodate a search radar mounted behind the main rotor gear box on Westland Sea King helicopters. The Sierra community could develop similar procedures to accomplish the same 360-degree coverage, if required.
The Osprey radar could be installed on top of the current “diving board” that supports the EO/IR system. This is a flat, stable platform on the centerline of the aircraft, ideal for mounting an antenna. It may be possible to include some of the associated boxes in the same area or in a temporary avionics rack in the aft cabin.
Operator training would need to be addressed. The Sierra community does not currently operate a radar, but workload automation could help. The Minotaur program, currently being developed by PMA-290 for the Coast Guard, is an intuitive, operator-friendly system to which the video game generation will easily adapt. The basics of radar operation can be learned in an hour, and sophisticated use in a few days.
An engineering change proposal to integrate the Osprey radar on the Sierra would have to address a range of technical questions before an installation plan could be finalized. Radar integration with, and impact on, other systems, and electric power sufficiency are some of the questions that would need to be resolved.
Several of the Sierra’s armed missions are short-range events, like FAC/FIAC interdiction, that have to be cued by external sensors. A radar capable of providing long-range threat detection, vehicle movement ashore, or even weather to avoid would provide a game-changing improvement for the aircraft.
For the past several years, adding a radar to the Sierra has been an annual Naval Aviation Requirements Group (NARG) input to the resource sponsors in the Pentagon. Unfortunately, the requirement has not sustained a position at the top of the list long enough to merit careful attention or funding. One way to move the process faster would be to conduct an operational assessment of a radar installed on a Sierra.
The acquisition schedule for the Osprey radar with the MQ-8C Fire Scout is aggressive and the first systems have already been delivered. Osprey radars should be available in additional quantities to allow for a limited, rapid, operational demonstration on an MH-60 Sierra. Given the NARG requirement and support from the HSC community, it should not be hard to fund limited procurement and operational testing of this radar. If it works well, installing an Osprey radar on every MH-60 Sierra would put a lot more lethality in the Navy’s helicopter fleet.