By Capt Daniel Votipka USAF; TSgt Danielle Dye, USAF Maj Trevor Stutting, USAF Capt Jamie Blummer, USAF Ms. Tiffany Harbour, DAF Capt Laura LeFevre, USAF Capt Thomas Shew, USAF
/ Published July 06, 2017
The Air Force conducts its core mission of global integrated intelligence, surveillance, and reconnaissance (ISR) in and through cyberspace. This new domain represents an ever-expanding source of intelligence data vital to the full range of joint military operations. At the same time, cyberspace represents new avenues to apply force against adversaries and increasing vulnerabilities for them to do likewise. ISR is a critical enabler of the offensive and defensive operations the Air Force conducts in cyberspace. This chapter will explore ISR in cyberspace and those ISR actions that enable cyberspace operations.
Chairman of the Joint Chiefs of Staff Joint Publication 3-12 (R), Cyberspace Operations, defines cyberspace ISR as:
ISR activities in cyberspace conducted to gather intelligence that may be required to support future operations, including offensive cyber operations (OCO) or defensive cyber operations (DCO). These activities synchronize and integrate the planning and operation of cyberspace systems, in direct support of current and future operations. Cyberspace ISR focuses on tactical and operational intelligence and on mapping adversary cyberspace to support military planning.1
This definition provides only a limited description. A complete discussion of cyberspace and ISR must examine those surveillance and reconnaissance operations to collect intelligence in cyberspace, as well as those ISR activities that enable cyberspace operations.
Consider cyberspace ISR as a three-legged stool. The three legs are exploit, attack, and defend. Cyberspace ISR activities exploit cyberspace to collect intelligence about adversaries from the information that transits and is stored on their digital networks. Cyberspace ISR activities also enable cyberspace attack on adversary computer networks as well as activities that allow us to defend our own networks. Underpinning these three legs is the foundation laid by cyberspace intelligence preparation of the operating environment (C-IPOE), which provides a thorough understanding of the cyber battlespace. The remainder of this chapter will describe in further detail these cyberspace ISR activities.
There are a few foundational points that help inform the discussions that follow. First, intelligence collected from cyberspace informs the full range of joint operations, not only cyberspace operations. Second, the preponderance of cyberspace activities involves the collection of intelligence. Third, cyberspace operations are critically dependent upon ISR to characterize the operating environment, determine access points, develop avenues of attack, and identify threat vectors. Last, cyberspace operations rely on all intelligence disciplines, not just intelligence collected in cyberspace.
Cyberspace Intelligence Preparation
of the Operating Environment
A critical first step for any joint operation is defining and understanding the operating environment.2 This is no different for cyberspace operations.Cyberspace intelligence preparation of the operating environment characterizes adversary cyberspace by providing a detailed understanding of the cyber terrain through extensive network mapping utilizing all intelligence disciplines.
As shown in figure 1, cyberspace can be deconstructed into five layers—the identity, cyber-persona, logical, physical, and geographical layers—each with its own unique characteristics.3 It is the objective of C-IPOE to understand each of these layers to enable collection or OCO/DCO. Many times the initial vector to map adversary networks begins with the identity and cyber-persona layers. The identity layer describes the person/group acting in cyberspace, and the cyber-persona layer describes the "digital representation of an individual or entity."4 Characterizing the identity layer of cyberspace involves naming the actual people, state/nonstate groups, and their affiliations as well as describing their capabilities and patterns of behavior as it relates to the physical world. Mapping the cyber-persona layer includes tying these named person(s)/group(s) to their associated e-mail addresses, Internet protocol (IP) addresses, handheld devices, and/or computers to name a few. Cyber-persona layer mapping also includes linking identities to signatures in nonmalicious or malicious code, detailing individuals' search histories and noting websites where individuals visit or contribute.5
Figure 1. Levels of cyberspace; cyber-persona layer graphic differs from Joint Publication 3-12 (R) to highlight the human aspect of the layer. (Chairman of the Joint Chiefs of Staff, JP 3-12 (R), Cyberspace Operations, I–3, 5 February 2013.)
The identity and persona layers tell us who is operating in cyberspace. The logical and physical layers tell us how they are operating in cyberspace. Protocols in the logical layer tell the digital information where and how to flow through a network architecture. The logical layer also describes abstract entities "not tied to an individual, specific path, or node. A simple example is any website that is hosted on servers in multiple physical locations where all content can be accessed through a single uniform resource locator (URL)."6
Analyzing the logical layer is similar to reading the postmarks on the outside of an envelope. Cyberspace ISR analysts investigate this layer by analyzing and unwrapping packets of information traversing the network and tracing the routes on which they flow in order to develop a comprehensive understanding of the network. Physical layer analysis complements this by determining the hardware through which this information flows. A logical network map can be developed to graphically represent this data, detailing information flow paths (links) and network devices used for routing and storing digital information (nodes).
Mapping the physical layers and geographic layers of the network links the abstract portion of the cyberspace domain to its physical manifestation in the natural domains. The physical layer refers to actual network elements, for example the infrastructure. This network infrastructure includes the links, wired links (cable), and wireless links (satellite ground stations and/or terrestrial relay towers) as well as the intermediate connectors and nodes, "routers, switches, servers and computers."7 The geographic layer represents the specific location of the elements of the network in the natural domains of land, sea, air, or space.8
The order with which these five layers are presented in this chapter should not imply that mapping the cyberspace terrain necessarily proceeds sequentially or linearly to a finite point. Information collected in any one of these layers can provide a linkage to one layer to enable further mapping of another layer. This mapping process is an iterative, cross-feeding analytical process. Further, cyberspace is constantly changing, often rapidly and erratically. Thus C-IPOE must be constantly refreshed. It is a continual activity of first establishing an adversary network baseline map and then continually updating this network map through a process of identifying distinct, relevant changes to an adversary's tactical and/or strategic network state. Any network changes are characterized for the purpose of making the appropriate adjustments to friendly strategy and tactics to maintain access and freedom of movement and maneuver in adversary networks.9 C-IPOE characterization efforts must be dynamic, using broad systematic tools such as high-speed logical sensors and advanced automated analytical support systems.10 With these sensors and systems, analysts are equipped to characterize the rapidly evolving cyberspace terrain.
C-IPOE is reliant on the full range of intelligence disciplines. Signals intelligence (SIGINT) may identify a signal or communication in an area of interest vital for C-IPOE. For example, an intercept from voice communications may provide network login credentials needed to enable further cyberspace mapping. Geospatial intelligence (GEOINT) can detail locations and types of various telecommunications cables, radio/cellular relay towers, satellite ground stations, and large data storage centers.11 Intelligence collection from human sources (HUMINT) such as debriefings (interrogations) and document exploitation can provide information relevant to C-IPOE, such as network administrator names and daily routines (identity layer); e-mail, phone numbers, and passwords (cyber-persona layer); and network design plans (logical and physical layers). Similarly, intelligence collection from open sources (OSINT) such as social media websites or other various websites can detail cyber-persona, logical, and/or physical layers. Website IP addresses as well as other metadata from open sources assist in detailing logical layer information as well as information useful in identifying and geolocating physical elements of such adversary networks. Pictures and video from open sources can show buildings or other distinct physical terrain landmarks that support geographic layer mapping. Ultimately, C-IPOE activities require a planning, collection, and analysis process integrated with all relevant intelligence disciplines to successfully synchronize and optimize ISR support for cyberspace.12 C-IPOE is a critical precursor to all other cyberspace operations, and it is often the most difficult and time consuming. It can take months and years of detailed investigative and analytic work.
Using the foundation laid by C-IPOE, network elements as well as access vectors can be identified to enable focused collection of intelligence data from cyberspace. In digital networks, this data exists in one of two states: "in motion" transiting between two devices in the network or "at rest" stored on one of the devices in the network. Therefore, cyberspace data collection activities can be divided based on the state of the data. Passive collection activities target and collect data that transits the wired or wireless links between computers for analysis. Active collection, computer network exploitation, targets dormant data on individual computers and servers. This section will describe each type of collection in detail.
An analogy to HUMINT can be useful to better understand passive collection in cyberspace. During a HUMINT collection activity, an agent might go to a location where two targets are known to meet and listen in on their conversation. Doing likewise in cyberspace can be more complicated. Eavesdropping on this conversation through passive collection as it transits in cyberspace on links between computers can be difficult due to the volume of data transiting. A conversation can easily be "buried" due to the link being saturated with messages back and forth between the multiple applications running in the background emanating from multiple computers sending and receiving information on the Internet. This situation would be akin to the HUMINT collector trying to hear that same conversation standing in a busy subway stop at rush hour. Additionally, with the use of modern encryption techniques, communicants often encode the message into a language only discernible by the sender and receiver who hold the key to decrypt the information. Passive collection can be relatively easy to execute with little operations-security risk given it is hard to identify the listener in a crowd, but it is inherently limited in the data that can be collected based on what the targets are willing to communicate within earshot. This limitation requires the second type of collection: active collection, for example computer network exploitation (CNE). It is very common to see passively collected information used to inform subsequent active exploitation. Conversely, CNE operations typically gain the initial accesses on links as a precursor to passive collection operations.
CNE describes both "enabling operations and intelligence collection capabilities to gather data from target computer systems."13 CNE takes advantage of flaws in network infrastructure and/or individual computer systems to gain access and actively collect information stored "at rest" in the computer systems. Using the previous HUMINT example, CNE would be like an agent dressing like an employee and getting a fake office ID to get into a closed office space or sneaking in at night past all the security cameras by moving through all the spots not covered by the cameras' view. However, whenever collection is enabled by vulnerabilities in the network, if discovered by the target, software can quickly be corrected closing not only that network to future collection but also in every other network using that software, once a fix is published.
The data obtained through passive and active cyberspace collection, processed, and then analyzed becomes an analytical product called digital network intelligence (DNI). The production of DNI to satisfy intelligence requirements is a SIGINT function conducted under Title 50, United States Code by the National Security Agency/Central Security Service (NSA/CSS).14 DNI can also be produced by units under the command of a joint force commander when authorized by an executive order or when delegated temporary SIGINT operational tasking authority by NSA/CSS.15 DNI may be used to focus further collection as well as used to satisfy strategic, operational, or tactical intelligence requirements to support operations in any domain. An example of a strategic intelligence requirement satisfied by DNI could be a product resulting from the exploitation of digital information describing an adversary nation's political leadership's intent to develop nuclear weapons. An operational example can be digital information collected from an adversary's military command, control, communications, computers, and intelligence (C4I) systems that outlines impending troop, weapon system, and/or munitions movements. Finally, a DNI product satisfying tactical intelligence requirements can include an increase in C4I system network traffic, as indicated from passive collection, indicating changes to enemy alert levels such as integrated air defense system activations. DNI production specifically for cyberspace operations describes cyberspace ISR activities that enable OCO and DCO. The following sections will explain these activities in greater detail.
The ability to deliver cyberspace effects requires three critical elements: target identification/characterization, access to that target, and tools to deliver the intended effects. Cyberspace targeting enables all three. Cyberspace targeting links desired effects with adversary cyberspace vulnerabilities to deny, disrupt, or destroy adversary capabilities. Cyberspace targeting relies on intelligence detailing system vulnerabilities to identify where and how to direct cyberspace fires by answering the question of whether current characteristics or changes to the adversary system topography opens up a path for generating fires effects or closes off a path being used previously. Cyberspace targeting must consider an update to a computer's operating system, the connection to a supervisory control and data acquisition (SCADA) system, a change to system security policies, and/or the addition of antivirus or other security products. In most cases, this data is collected by actively probing adversary networks regularly with messages specifically crafted to elicit responses that provide information about the topography of the network and running programs on each machine in the network. This is commonly referred to as scanning the network. Additionally, exploitation may be required to identify changes that are intentionally hidden from active scanning, like the list of installed antivirus tools or attached physical devices. Finally, for the target computer system, analysts compare current network characteristics or any changes to offensive cyberspace tools to determine whether these current characteristics or changes gives the opportunity to use an offensive tool, takes a tool off the table, or changes the risk decisions associated with specific techniques used by the tool.
Once the cyberspace "target folder" (i.e., detailed targeting solution) has been developed, cyberspace ISR analysts and operators develop the mission plan. Mission planning takes mission objectives and translates these into tactical tasks for execution. In addition to targeting information, ISR input to mission planning will include expected threats, neutral actors, and/or other friendly forces operating in the target network space. ISR analysts will identify potential vulnerabilities to offensive tools as a result of these expected threats and/or other actors operating in the space. ISR analysts will provide detailed timing as well as approach vectors discovered during the analysis of the target adversary network to help choreograph mission execution. ISR analysts also assist in the development of contingency options should automated network responses, adversary actions, and/or other actor actions precipitate the need for an alternate course of action. During mission execution, cyberspace ISR analysts provide real-time situational awareness and threat warning. Finally, after the completion of a mission, ISR analysts will support mission debriefing and lessons learned. ISR analysts will characterize adversary tactics, techniques, and procedures (TTP) employed in response to friendly actions as well as any other adversary network intelligence gathered as a result of the operation in order to improve future cyberspace missions.
The joint targeting process incorporates intelligence gain/loss (IGL) assessments to weigh the risk targeting operations have on future intelligence collection activities. In striking a particular target in the natural domains, future collection may be denied as a result of the loss of that target which had been providing lucrative intelligence collection. This is particularly critical for cyberspace operations. Whereas in the natural domains the elimination of a target (e.g., radio communication tower) can prevent future collection in a localized area of operations due to the absence of the target, in cyberspace, the use of a cyberspace tool to create effects on a C4I target can eliminate the future use of the cyberspace tool for future intelligence collection or attack missions, globally. A cyberspace operation (OCO or CNE) utilizes specialized tools that require extensive resources, time, and tradecraft to develop and depend on specific network vulnerabilities to ensure undetected and continual access to deliver effects or collect information. Thus, a cyberspace operation could "potentially compromise (future) intelligence collection activities" and future use of an offensive tool by exposing this sensitive technology and tipping adversaries to their network vulnerabilities that allowed the cyberspace tool to penetrate and then attack or collect.16 When such network vulnerabilities are patched to counter a cyberspace tool, the patches can be made available worldwide. Thus, many cyberspace tools carry the risk of having utility for only a few uses or just one use before adversary countermeasures eliminate its use worldwide. Therefore, IGL assessments within the cyberspace domain take into account the extreme perishable nature those cyberspace capabilities suffer when exposed. The assessment must weigh whether or not the cyberspace tool might have utility for a potentially higher priority operation or intelligence collection effort where subsequent loss of the capability is acceptable.
While friendly actors attempt to exploit and attack adversary networks, adversaries are doing likewise to friendly networks. Defending against exploitation and attacks requires a detailed understanding of adversary cyber actors and their capabilities and constant vigilance. Cyberspace indications and warning (I&W) focus on predicting, detecting, analyzing, and alerting of adversary cyberspace actions and threats. Joint and National Intelligence Support to Military Operations (JP 2-01) defines I&W, in general, as a process that analyzes and integrates operations and intelligence information to assess the probability of hostile actions and provide sufficient warning to preempt, counter, or otherwise moderate their outcome.17 Due to anonymity and relative freedom to maneuver our adversaries enjoy in cyberspace, cyberspace I&W may only recognize adversary cyberspace operations triggers with relatively short windows of opportunity to respond.
Cyberspace I&W data can be organized into two types of observations: those that occur in real time at network speed, and the fusion of all other sources of information prior to a predicted attack or espionage event. Those observations of enemy activity prior to a delivered cyberspace effect follow what is termed the cyberattack kill chain. This chain of adversary actions produces many potentially observable events that may start with adversaries conducting initial target research (e.g., probing network systems) followed by attempts to gain increasing accesses through testing. Adversaries then use this gained knowledge to tailor (weaponize) code specific to the target system. Finally, the adversary selects a delivery methodology (e.g., e-mail with link or attachment) that installs the malicious attack code as well as any command and control code intended to manage exfiltration of data if the intent is also espionage.18 Unlike the physical domain, the transition from delivery to attack/exploitation can transpire in seconds. However, prior to weapon delivery, initial phases of adversary cyberspace targeting development generate observable warning data over an extended period of time to enable friendly forces the ability to alert of an impending adversary network penetration seeking to create adverse network effects or espionage. For example, increases in adversary research into military organizational structures, personnel, network infrastructure, and workplace procedures, followed by network probing, spear-phishing e-mails, or social engineering attempts, may occur days, weeks, or even months before any network-level adverse effects exist. Furthermore, as the attack moves into the intermediate phases of gaining and expanding accesses, observations will include those that occur at network speed. For this reason, one of the most crucial elements of a cyberspace-warning system is the capability to recognize, collect, and profile network anomalies related to all the phases of a potential network attack to facilitate the systematic identification of suspected and actual malicious activity.19 Cyberspace I&W systems provide support to DCO through the monitoring, detecting, analyzing, and alerting of threats to both the Department of Defense Information Network (DODIN) and national critical infrastructure.
If cyberspace ISR is not able to predict an attack to enable proactive defense, it can play a critical role in determining key information after an attack. Attribution consists of "determining the identity or location of an attacker or an attacker's intermediary."20 Attribution of cyber-personas is an extremely difficult endeavor due to the size, composition, and governance of the Internet. In addition, determining the intent/motive behind an attack is an equally important part of attribution because it allows leaders to determine possible trends or issues that need to be addressed from a defensive standpoint to predict/prevent future attacks.
Through the analysis phase following an attack, defenders can often discover adversary tactics, techniques, and procedures, new attack vectors, and unknown network vulnerabilities to support mitigation, recovery from the current attack, and actions necessary to prevent future attacks. The intelligence gathered during this analysis enables the development of new countermeasures (e.g., security patches or updated policies) to prevent future successful attacks. In the cases where attribution of major attacks is achieved, the intelligence can be used to inform DCO response actions: information gathered about the source, method, or purpose of an attack to develop counterattack cyberspace tools to create proportional effects outside the DODIN on the adversary's networks.21 Analysis leading to successful network countermeasures (e.g., vulnerability patching) and/or responsive actions on adversary networks helps achieve deterrence through communication of network resiliency (denial of future benefits from attack) and fear of retribution.
Communications have transitioned from a radio frequency-dominated paradigm to an IP-dominated paradigm. Further, information has shifted from being stored in hardcopy print form to being stored digitally. As a result, cyberspace presents an ever-increasing source of intelligence about our adversaries as well as an increasing area of vulnerability to our own operations. Cyberspace ISR activities are described via three primary missions: exploit, attack, and defend, all of which require the foundation laid by C-IPOE. Exploitation activities enable access to and intelligence collection from adversary information networks. Data collected from cyberspace that is processed and analyzed results in the production of what is called digital network intelligence. DNI supports the full range of military operations, not just cyberspace operations. When conducting offensive cyberspace operations, ISR operations are critical for target development and mission planning as well as weighing costs versus benefits of using extremely perishable cyberspace tools. Adversaries also seek to exploit and attack friendly networks. Thus, cyberspace ISR activities detect, predict, and/or mitigate enemy intrusions into our networks. Finally, ISR for cyberspace operations requires a multi-intelligence planning, collection, and analysis approach to synchronize and optimize intelligence support for cyberspace.
1. Chairman of the Joint Chiefs of Staff (JCS), Joint Publication (JP) 3-12 (R), Cyberspace Operations, 5 February 2013, II-4–II-5, http://dtic.mil/doctrine/new_pubs/jp3_12R.pdf.
2. JCS, JP 2-0, Joint Intelligence, 22 October 2013, I-17, http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf.
3. Ibid., I-2, but extended from three layers to five layers for clarity.
4. Ibid., I-3.
5. Ibid., I-4.
6. Ibid., I-3.
7. Ibid., I-3.
8. Ibid., I-2–I-3.
9. Rewording of the JP 3-12 definition of event detection and characterization on pages II-8 and II-9 to give the topic more clarity.
10. William J. Lynn III, "Defending a New Domain: The Pentagon's Cyberstrategy," Foreign Affairs (September/October 2010), accessed 10 August 2015, 15, https://www.foreignaffairs.com/modal_forms/nojs/link-form/pdf/1113238.
11. JP 3-12, Cyberspace Operations, IV-3.
12. John C. Koziol, "Contesting the Information Battlespace," Joint Force Quarterly 46 (3rd Quarter 2007), 71, http://dtic.mil/doctrine/jfq/jfq-46.pdf.
13. Department of Defense, JP 1-02, Department of Defense Dictionary of Military and Associated Terms, 31 January 2011, http://www.dtic.mil/doctrine/dod_dictionary/data/c/18166.html.
14. Air Force Annex 3-12, Cyberspace Operations, 30 November 2011, 23, https://www.doctrine.af.mil/download.jsp?filename=3-12-Annex-CYBERSPACE-OPS.pdf.
15. JP 3-12, Cyberspace Operations, II-4–II-5.
16. Ibid., II-9.
17. JP 2-01, Joint and National Intelligence Support to Military Operations, 5 January 2012, III-44, http://dtic.mil/doctrine/new_pubs/jp2_01.pdf.
18. Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, "The Diamond Model of Intrusion Analysis," 7 May 2013, accessed 21 August 2015, 31–32, www.dtic.mil/get-tr-doc/pdf?AD=ADA586960.
19. Brian Fuller, "Federal Intrusion Detection, Cyber Early Warning and the Federal Response," SANS Institute Reading Room, 2003, 7, accessed 15 August 2015, http://www.sans.org/reading-room/whitepapers/warfare/federal-intrusion-detection-cyber-early-warning-federal-response-1095.
20. Jeffery Hunker, Bob Hutchinson, and Jonathan Margulies, "Roles and Challenges for Sufficient Attack Attribution," Institute for Information Infrastructure Protection, 2008, 5, accessed 10 August 2015, http://www.theip3.org/docs/publications/350.pdf.
21. JP 3-12, Cyberspace Operations, II-2, II-3.
Maj Robert Johnson, USAF, graduated in 2015 from Air Command Staff College, where he focused on cyber defensive maneuver, and has a background in pattern recognition and applied statistics. He is the director of operations for the 659th ISR Group, the parent group for all Air Combat Command Cyber ISR forces.
Capt Daniel Votipka, USAF, worked as the National Security Agency (NSA) mobile technologies lead in the 7th Intelligence Squadron and was responsible for ensuring the security of all mobile devices attached to the Department of Defense Information Network (DODIN). He is pursuing his PhD in computer science at the University of Maryland.
TSgt Danielle H. Dye, USAF, is a network intelligence analyst serving the 7th Intelligence Squadron, Air Force Special Support Group (AFSSG). She is the noncommissioned officer in charge of the emerging targets team. The AFSSG provides digital network intelligence support to high-priority projects directed by the chief of staff of the Air Force.
Maj Trevor Stutting, USAF, graduated from the NSA Computer Network Operations Development Program in 2016 while working at the 7th Intelligence Squadron. He is supporting special operations forces at Fort Bragg, North Carolina.
Capt Jamie Blummer, USAF, graduated from the NSA Computer Network Operations Development Program in 2016 while working at the 7th Intelligence Squadron. He is serving as a member of the cyber operations officer assignment team at the Air Force Personnel Center.
Ms. Tiffany Harbour, Department of the Air Force, served as a cyber intelligence analyst at the National Air and Space Intelligence Center.
Capt Laura LeFevre, USAF, is a counterterrorism branch chief in the 7th Intelligence Squadron, overseeing time-sensitive operations against global terrorist threats to US national security and advocating for cyber ISR integration to Air Force leaders.
Capt Thomas Shew, USAF, leads the NSA's Eurasia and Western Hemisphere malware analysis branch in the 7th Intelligence Squadron, focused on defending the DODIN from foreign malware threats.
This chapter was compiled jointly by the members of the 659th Intelligence, Surveillance, and Reconnaissance (ISR) Group, the USAF's cyber ISR Airmen.
60 Schumacher Ave.
Maxwell AFB, AL 36112