2022 | Book

An Introduction to Cyber Analysis and Targeting

About this book

This book provides a comprehensive view of cyber operations, analysis and targeting, including operational examples viewed through a lens of conceptual models available in current technical and policy literature. Readers will gain a better understanding of how the current cyber environment developed, as well as how to describe it for future defense. The author describes cyber analysis first as a conceptual model, based on well-known operations that span from media to suspected critical infrastructure threats. He then treats the topic as an analytical problem, approached through subject matter interviews, case studies and modeled examples that provide the reader with a framework for the problem, developing metrics and proposing realistic courses of action.

Provides the first book to offer comprehensive coverage of cyber operations, analysis and targeting
Pulls together the various threads that make up current cyber issues, from information operations to confidentiality, integrity and availability attacks
Uses a graphical, model-based approach to describe as a coherent whole the development of cyber operations policy and leverage frameworks
Provides a method for contextualizing and understanding cyber operations

Table of contents

Frontmatter
Chapter 1. Cyber Analysis and Targeting
Abstract
The goal of this book is to describe cyber analysis and targeting for defensive applications. One objective of developing a cyber analysis and targeting methodology is to add information technology (IT) considerations into traditional military operations research (OR). For example, we will include cyber threats, cyber terrain, IT architectures, and other information-related capabilities (IRCs) in a developing cyber analysis and targeting methodology, accounting for the steady ingress of cyber into military operations through IT-based improvements in weapons systems, telecommunications, and online media. In developing this cyber analysis and targeting methodology, we will leverage use cases that span from analysis to modeling and simulation. This includes a look at assessment, for resilient systems development, along with using novel modeling and simulation approaches to describe the target as a discrete event process that we will use to estimate the effects from a cyber attack.
Jerry M. Couretas
Chapter 2. Cyber Policy, Doctrine, and Tactics, Techniques, and Procedures (TTPs)
Abstract
Policy is the key tool for framing and shaping the response to the often uncharted terrain of cyber attacks. For example, on the international front, the European Union is using the General Data Protection Regulation (GDPR) as an overarching law on data protection and privacy. Similarly, Department of Defense (DoD) Cyber Strategy provides policy guidance to several Joint Publications (JP) as doctrinal guidance for cyber operations. JP 3-12, Cyber Operations, is complemented by JP 3-13, Information Operations (IO), where a broader view of potential cyber applications is considered for operations. This includes using military information support operations (MISO) to prosecute a military target using information-related capabilities (IRCs). And JP 3-60, Joint Targeting, provides the overall process for any targeting operation, including cyber. Additional policy implications in the pursuit of malicious cyber actors (MCAs) include the delegation of authorities. This challenge is currently being met through National Security Presidential Memorandum 13 (NSPM 13) in the delegation of authorities to cyber defenders for persistent engagement.
Jerry M. Couretas
Chapter 3. Taxonomy of Cyber Threats
Abstract
Cyber threats span the attack cycle and include both offensive and defensive elements. Several conceptual models help with describing the attack process and associated entities in developing a taxonomy of cyber threats. For example, the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) helps to describe a system to manage cyber security risk. In addition, the Structured Threat Information Expression (STIX) and the Trusted Automated eXchange of Indicator Information (TAXII) are used to standardize indicator information into a form that makes the data shareable. This helps to structure the cyber threat intelligence (CTI) information in order to use it in defensive approaches (e.g., DREAD: damage/reproducibility/exploitability/affected users/discoverability; STRIDE: spoofing/tampering/repudiation/information disclosure/denial of service/elevation of privilege; CVSS: Common Vulnerability Scoring System) along with more advanced approaches that emulate offensive steps. Sharing cyber data is performed by government agencies (e.g., US Department of Homeland Security) along with information analysis centers (e.g., Multi-State Information Sharing and Analysis Center [MS-ISAC]). In addition to managing known threat data across an attack process, threat evaluation is performed via methodological evaluation of system-level vulnerabilities using model/architecture descriptions (e.g., Systems Modeling Language [SysML]) and rolling up developing threat descriptions through techniques like the US Department of Defense (DoD) Cyber Analytics Repository (DoDCAR).
Jerry M. Couretas
Chapter 4. Cyber Influence Operations
Abstract
Influence operations (IO) date from time immemorial as strategic and tactical tools that are used to complement diplomacy. More recently, strategic communications have become a common element for almost any organization, with a military counterpart in Information Operations (IO). In addition, the Internet provides a new venue for the rapid development of fake news, and even fake people, via manufactured personas that provide opinions, editorials, and news reporting. For example, during the 2016 US presidential election, Guccifer 2.0, an alleged Romanian blogger, turned out to be a multi-person Russian cell that gained access to the Democratic National Committee (DNC) computer network and then leaked its contents to the media, namely Wikileaks. While the content of an IO operation provides strategic effects (e.g., swaying opinion), these effects can be directly compared to technical cyber effects in the abstract via structures like the cyber Joint Munitions Effectiveness Manual (JMEM), which attempts to quantify the type of effects from either an IO or technical cyber operation. Estimating technical and IO cyber effects helps with evaluating the effectiveness of point or area targeting via cyber means.
Jerry M. Couretas
Chapter 5. Cyber ISR and Analysis
Abstract
The traditional intelligence cycle of tasking, collection, processing, exploitation, and dissemination (T(C)PED) always included open-source elements to complement technical collections. The rise of the Internet, followed within a decade by the war in Iraq, resulted in a lethal combination of improvised explosive devices (IEDs) and online media. For example, real-time online reporting of IED effects in social media resulted in an extension of open-source intelligence (OSINT) to a more evolved cyber intelligence, surveillance, and reconnaissance (ISR). Cyber ISR therefore includes both traditional computer network exploitation (CNE) and social network analysis (SNA), OSINT on the Internet, used to track IED groups from their Internet presence in countering the insurgencies in Iraq and Afghanistan. Similar uses of cyber ISR included the Bellingcat Team’s 2014 open-source identification of Russian 53rd anti-aircraft personnel that shot down the Dutch MH-17 airliner transiting Ukrainian airspace. Static databases can also be military-grade targets for special operations. For example, a key target in the 2015 Abu Sayyaf raid at the Al-Omar oil fields against the Islamic State of Iraq and Syria (ISIS) was the Census Database (DB) that ISIS had repurposed from a Coalition biometric database. Cyber ISR, whether collected by active or passive means, is a key intelligence source for adversary analysis.
Jerry M. Couretas
Chapter 6. Cyber Security and Defense for Analysis and Targeting
Abstract
The overlay of technical solutions onto cyber terrain is influenced by traditional security models (e.g., layered defense). However, simple layering of orthogonal defense technologies does not ensure a successful cyber defense. For example, zero-day exploits and private key compromise are examples of vulnerabilities that defeat strong technical solutions. Cyber analysis is therefore key to providing network defenders with a clear structuring of how a system is protected at each phase of an attack cycle. In addition, a coordinated implementation of defensive policies (e.g., deception), represented by secure processes and technology solutions, provides a holistic approach for architecting a Security Operations Center (SOC) that is designed to protect modern enterprise computing frameworks.
Jerry M. Couretas
Chapter 7. Cyber Offense and Targeting
Abstract
The cyber process evaluator is introduced here from a combination of known kinetic target processes and best practices. For example, target system analysis is generally covered in US DoD Joint Publication (JP) 3-60. The addition of cyber operations is the subject of JP 3-12, with complementary intelligence discussion covered by JP 2-0 and JP 3-13 covering the more general information operations. Combining the JP 3-60 target structuring with the elements of cyber includes using the CARVER (i.e., criticality, accessibility, recuperability, vulnerability, effect, recognizability) method for upfront target determination and the Lockheed Martin attack cycle for resolving key elements in a determined target. Time and cost examples are provided for a spectrum of malicious cyber actors (MCAs), from nation states to hackers, with follow-on discussion of the effects of cyber vs. information operations, as examples of the use of information-related capabilities (IRCs) for the achievement of policy objectives.
Jerry M. Couretas
Chapter 8. Cyber Systems Design
Abstract
The increasing interconnectivity of information and operational technologies, including shared use of memory and processing components, is a key element of cyber systems design. While systems theory predates the widespread use of personal computing devices, systems design tools are a relatively recent arrival for the design of computing devices. For example, the Department of Defense Architecture Framework (DoDAF) arrived in the early 2000s and continues both to be used and to influence follow-on enterprise architecture (EA) system description approaches. We will therefore look at an example of cyber architecture in the form of Wikileaks, as it was used to exploit the US Democratic National Committee (DNC) in 2016 and provide strategic effects in the real world through an information operation (IO).
Jerry M. Couretas
Chapter 9. Measures of Cyber Performance and Effectiveness
Abstract
Cyber and aerial operations are both founded in intelligence collection. World War I (WW I) scout planes provide an analog to cyber’s initial use, computer network exploitation (CNE). Other similarities include the challenges in measuring the operational effectiveness of aerial munitions delivery. While the Joint Munitions Effectiveness Manual (JMEM) solved this problem for aerial operations, challenges remain for measuring the effectiveness of cyber operations. We will therefore develop an example that looks at cyber, in terms of effects, as a possible next step in the current precision guided munitions (PGM) continuum. This includes a look at key performance parameters (KPPs), measures of performance (MOPs) and measures of effectiveness (MOEs) for both aerial and cyber delivery of effects. In addition, we will review the standard JMEM for evaluating munitions effects and compare it to the more recently developed measure, the cyber operations lethality and effectiveness (COLE) model. While we start with a point targeting example, we will also look at cyber as an area weapon, evaluating stealthier incapacitating techniques (e.g., Soviet active measures as an IO effect).
Jerry M. Couretas
Chapter 10. Cyber Modeling and Simulation for Analysis and Targeting
Abstract
Cyber modeling and simulation, depending on the targeting application, leverages a mosaic of tools across the people, policy, process, and technology threads that compose a cyber target. While higher-level models are often used to look at the life cycle of a cyber threat (e.g., Cyber Risk Bow-Tie, Cyber Threat Framework (CTF)), cyber ranges are commonly used to evaluate actual systems for development and operational testing. This includes using the correct combination of Live-Virtual-Constructive modeling to evaluate a system across the application, networking, and physical layers to estimate the effects from a cyber event. In addition, with the use of standard phasing of a cyber event, as provided in the Cyber Threat Framework (CTF), the effects of candidate defenses can be estimated to provide “what if” analyses using collected data (e.g., Cohen Effect) or detailed process models (e.g., Cyber Operations Lethality Effectiveness (COLE)).
Jerry M. Couretas
Chapter 11. Cyber Case Studies
Abstract
Cyber operations are sometimes characterized as a “space between” policy and kinetic operations. The Schmitt Criteria are therefore suited to evaluate, and to provide context concerning, whether a cyber attack constitutes a state’s use of force. In addition, the Tallinn Manual helps normalize cyber attacks within the spectrum of military operations, providing decision makers with an ability to estimate whether a line has been crossed that requires a conventional military response. Cyber policy descriptions are complemented by attack process understanding (e.g., Cyber Threat Framework [CTF]) for clearly communicating cyber threat information. Structuring this cyber information results in communicating cyber engagements (e.g., technical or information operations [IO]), missions or campaigns in terms of key performance parameters (KPPs), measures of performance (MOPs) and measures of effectiveness (MOEs) in similar fashion to traditional measures of aerial munitions effects.
Jerry M. Couretas
Chapter 12. Cyberspace Analysis and Targeting Conclusions
Abstract
This book describes the role of analysis and targeting in cyberspace operations. We began, in Chap. 2, with a review of current policy, doctrine and TTPs, which gave us background on the resilience focus of both United States and international executive-level cyber policy. In addition, we reviewed published doctrine (e.g., Joint Publication 3-12), along with best practices employed as tactics, techniques and procedures (TTPs) (e.g., critical security controls [CSCs]) by the Information Assurance (IA) community.
Jerry M. Couretas
Backmatter
Metadata
Title
An Introduction to Cyber Analysis and Targeting
Author
Jerry M. Couretas
Copyright year
2022
Electronic ISBN
978-3-030-88559-5
Print ISBN
978-3-030-88558-8
DOI
https://doi.org/10.1007/978-3-030-88559-5