Cyber Intelligence: Identifying the Threat and Understanding the Terrain in Cyberspace

Situational Awareness in Cyber Space

Successful conduct of military operations requires a unit’s clear understanding of the battle space it controls and its “area of operations”. This includes not only the terrain of the battlefield but also the capabilities, motives, and determination of the enemy they face.

Sun Tzu, the famous Chinese Military General assumed to be the author of The Art of War, once stated: “If you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.” This same philosophy translates to the cyber defense world.

Why use the term enemy in cyber defense? It is only natural to label those attempting to gain access or infiltrate information systems in efforts to cause harm, disruption, or unintentional release of information as enemies. So, how do we prepare for these enemies?

Regardless of whether the current state of affairs in cyberspace includes acts of war, espionage, crime or just malfeasance, the principal concept of “know your enemy” and an understanding of the terrain of your area of operations are key components in applying limited resources to greatest effect. But how do you achieve the operational framework to provide this awareness?

The US military uses the term intelligence preparation of the operational environment (IPOE). In Joint Publication (JP) 1-02 amended July 2012, it is defined as: “The analytical process used by joint intelligence organizations to produce intelligence estimates and other intelligence products in support of the joint force commander’s decision-making process. It is a continuous process that includes defining the operational environment; describing the impact of the operational environment; evaluating the adversary; and determining adversary courses of action.”

When a commander is assigned a geographical area to defend, his first action is to gain an understanding of his operational environment. Using a variety of means including maps, aerial photos, satellite imagery, scout reports and walking the terrain, his staff then develops a staff estimate. This estimate identifies avenues of enemy approach, natural and man-made obstacles, choke points and places in which to engage the enemy to bring the full brunt of all weapons systems to bear.

The meat of IPOE lies in an assessment of the enemy. Usually this starts with his composition, disposition and strength. Understanding the composition of the enemy is crucial, as a commander needs to determine what type of enemy he is facing. The composition of the enemy describes the type of forces, such as airborne, armor, artillery, infantry, etc. In turn, each type of force determines what weapon systems are available, the capabilities of those weapons and the associated tactics employed.

A commander facing an enemy comprised of armor and artillery will need to know if his available weapon systems can defeat the enemy or if he will require some outside help. He also needs to understand the enemy composition to know where to focus his operations. Understanding the types of forces is important because they all require different terrain characteristics to operate. Armor forces move along different avenues of approach than infantry and require mobility corridors that support the weight and speed of their vehicles. Both need concealment to mask their movement until ready to strike, but infantry can go places armor cannot. Mechanized infantry needs less cover than light infantry and moves much faster, like armored forces. And airborne forces require large open areas to accommodate insertion.

Disposition of enemy forces is probably the most critical aspect of knowing your enemy. If you can find the enemy, you can likely kill him. Disposition, normally based on a combination of doctrine and terrain, is the knowledge of where your enemy is located and how they are arrayed.

And strength goes without saying – it’s the knowledge of how big an enemy is in not just personnel but weapon systems as well. In other words, an infantry battalion with four hundred soldiers armed with AK-47s does not have the same destructive power as the same battalion with mechanized support from forty armored personnel carriers with automatic cannons and machine guns.

The value of IPOE is in bringing the elements of the enemy forces (composition, disposition and strength) together with an understanding of the terrain to determine how to defeat that enemy. Using IPOE, the commander and his staff work an operational plan that they can lay over the situational template. Based on the situational template, the commander determines his decisive point – that is the point where he gains an advantage over the enemy to ensure he wins. In warfare, a commander must not lose – to lose is to die. This breeds a sense of commitment unequalled in any other human endeavor… similar commitment to the mission is needed in cyberspace operations.

After understanding the operational plan and the enemy situation, the next technique implemented is the collection plan. This method aligns all IPOE products with operational plans and leverages all intelligence assets and operational forces to confirm or deny the enemy’s plan. The collection plan uses Commander’s Priority Intelligence Requirements (PIR) to focus the effort. PIR are the elements of information required in order to make decisions. They consist of identifying indicators that will confirm or deny enemy action.

For example, in the days of the Soviet Union, the Combat Reconnaissance Patrol (CRP) was the hallmark of the Advanced Guard, which indicated where the main attack would take place. If a CRP was discovered, it would indicate where a Soviet attack was focused. However, the Soviets were masters of deception and would field multiple units that looked like a CRP. Adversaries were left without the ability to confirm or deny the enemy plan. Once PIRs are determined, they are then broken down into Specific Information Requirements (SIR). These SIRs then focus intelligence, surveillance and reconnaissance assets. Normally those assets would be assigned tasks based on Named Areas of Interest (NAIs), or areas on the battlefield that assets had to cover. In the case of the CRP, an SIR would be a specific chemical reconnaissance vehicle. If that was located, all the other pieces fell into place.

How does this apply to cyberspace?

In cyberspace, organizations have network and system administrators or engineers who have built, manage and run their physical and logical topology and services that comprise their infrastructure. They know what services they run. But do they understand the vulnerabilities to those specific services, ports, protocols, operating systems, etc.? Do they know and understand where their critical data is located and what are the key elements of their infrastructure that provide core business functions? Do they understand how this infrastructure supports their lines of operation and communication or how the organization interacts with its service providers, partners and vendors? These are essential to “know yourself” from Sun Tzu’s point of view.

If your organization has pushed services or data to the cloud, you may have a more daunting task in determining the threat activity against you. This moves your event horizon: you must be able to set up your collection tools beyond your line of sight – over the horizon. Using cloud services provides great advantages in scale, cost and resiliency. However, securing your business infrastructure and operations is a greater challenge. In this case, you must set your collection plan to include assets that can look over the horizon into your area of interest and work with your service providers, partners and different threat intelligence capabilities to provide the visibility you need to confirm or deny enemy courses of action.

Once organizations have a good understanding of themselves, they must understand the composition, disposition and strength of their adversary. As an example, take online businesses that rely on transactions with a web-based database. These organizations must first understand what types of threats will target them. Each type of threat actor uses different techniques, tactics, and procedures (TTPs), and some, such as crimeware, are related to a very specific type of business enterprise. Organizations must understand what TTPs their enemy will use against them. Will it be organized crime, recreational or nation state hackers? Is there data available about other members of their industry or users of the technology? These questions are fundamentally PIRs. An organization must set up a collection plan to answer these types of questions. This will ensure that they receive the latest intelligence on vulnerabilities affecting their business.

Understanding the threats against an organization’s infrastructure and operations will help guide its decisions about what to log, where to place sensors and how to better design the security of the enterprise architecture. If an organization has limited resources, it may have to shrink its security perimeter to focus solely on vulnerabilities to specific ports, protocols or services affecting core business operations. By looking at the cyber terrain in terms of topology and ports, protocols and services, an organization can channel the enemy into an engagement area it controls, limit its attack surface and increase its effectiveness.

Using a technique such as the Cyber Kill Chain* concept developed by Lockheed Martin is a good methodology for identifying SIRs that refine a specific PIR. For example, is there an expected behavior in network flow analysis that is indicative of a threat TTP related to a vulnerability that meets a PIR?

Once the PIR and SIR are established, identify NAIs inside the network / area of operations to watch for indicators and warnings of a specific threat. Each NAI must be given an assigned task and someone must be assigned the responsibility to ensure it is collected and reported. That may be a system such as an intrusion detection system (IDS), an analyst checking network flow or log file collectors, or a system administrator looking at processes running on a server. In any case, they have to know what they are looking for and what to do when they see it. If an indicator triggers and fulfills an SIR at an NAI, and a PIR is met, pre-planned response actions, mitigations and contingencies are executed without delay. This process is predetermined and the decision is already made. Decisions are made at the beginning of this process with clear minds and forethought. They are not made in the midst of crisis, confusion or misunderstanding.
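The PIR, SIR and NAI tasking described above, sketched as an added example that is not part of the original article: a collection plan for the web-database business, with an ownership check and an evaluation step. Every identifier, NAI name, threshold and response string is constructed, and the `required` count per PIR is an assumption.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class SIR:
    sir_id: str
    nai: str                        # named area of interest: where to look
    owner: str                      # who collects and reports; "" = unassigned
    matches: Callable[[dict], bool]
@dataclass
class PIR:
    pir_id: str
    question: str
    sirs: list
    response: str                   # action decided in advance, not mid-crisis
    required: int = 1               # assumption: SIRs needed before the PIR is met

def coverage_gaps(plan):
    """SIRs that nobody is tasked to collect (no NAI or no owner)."""
    return [s.sir_id for p in plan for s in p.sirs if not s.nai or not s.owner]

def evaluate(plan, events):
    """Return (pir_id, response) for each PIR met by the observed events."""
    met = []
    for pir in plan:
        # An SIR counts only when the indicator is seen at its own NAI.
        fulfilled = {s.sir_id for s in pir.sirs for e in events
                     if e.get("nai") == s.nai and s.matches(e)}
        if len(fulfilled) >= pir.required:
            met.append((pir.pir_id, pir.response))
    return met

# Constructed plan for a business that transacts against a web-based database.
PLAN = [
    PIR("PIR-1", "Is transaction data leaving the database tier?",
        [SIR("SIR-1a", "db-egress", "flow-analyst",
             lambda e: e["type"] == "flow" and e["bytes_out"] > 50_000_000),
         SIR("SIR-1b", "web-tier", "ids",
             lambda e: e["type"] == "ids_alert" and e["sig"] == "sql-error-burst")],
        response="isolate db segment; notify incident lead", required=2),
    PIR("PIR-2", "Are admin logins arriving from unknown networks?",
        [SIR("SIR-2a", "vpn-gateway", "",   # no owner assigned: a gap
             lambda e: e["type"] == "auth" and not e["known_partner"])],
        response="force credential reset"),
]

# Constructed events, as the sensors at each NAI might report them.
EVENTS = [
    {"nai": "web-tier", "type": "ids_alert", "sig": "sql-error-burst"},
    {"nai": "db-egress", "type": "flow", "bytes_out": 72_000_000},
]
```

Calling `coverage_gaps(PLAN)` lists the SIR nobody owns, and `evaluate(PLAN, EVENTS)` returns the one PIR whose two SIRs were both fulfilled, together with its pre-planned response.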

The reader must remember that if he defends against everything, he defends nothing. It is not possible to stop all the badness.

Organizations should determine what is critical to their business operations. In other words, which systems must be secured versus just observed? Some systems must be treated as expendable, with the understanding that they will be secured on a best-effort basis but are not essential. Security professionals must get used to the idea that there are casualties in cyberspace. They must focus their efforts on securing critical business operations in cyberspace and use IPOE to focus their efforts to that end.

Reference: * Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains; Lockheed Martin Corporation, Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D.

Matthew Stern is Senior Vice President, Strategy & Analysis at Lookingglass. Prior to joining Lookingglass, Stern served three years with General Dynamics Advanced Information Systems as Program Director for US-CERT. Previously, he served as Director of Cyber Accounts for General Dynamics Advanced Information Systems. He spent 22 years in the U.S. Army culminating with command of 2d Battalion, 1st Information Operations Command, overseeing the Army Computer Emergency Response Team (ACERT) and Regional Computer Emergency Response Teams (RCERTs). He holds a master’s degree in Information Systems and Computer Resource Management from Webster University and a bachelor’s degree in Political Science from Northern Illinois University.