In the world of defensive cyber operations, it’s well known that support from intelligence is critical, yet difficult. Many officials in the national security realm have noted that the Department of Defense’s main defensive cyber teams ― the cyber protection teams that serve as SWAT teams during network incidents ― need more intelligence.
The same is true for Cyber Command’s global defensive arm Joint Force Headquarters-DoD Information Networks, which last year went as far as to set up an intel/ops fusion cell, now known as the J34. Officials have noted that this cell has made great progress.
“We discovered about a year ago that we were missing that ops/intel fusion so we dedicated some of our best and brightest people ... to really look at specific things the adversary was doing and our countermeasures to mitigate our adversary’s capabilities,” Ignatius Liberto, JFHQ-DoDIN chief of staff, told Fifth Domain at the AFCEA Defensive Cyber Operations Symposium May 16 in Baltimore, Maryland.
The key is providing context of what is collected from the sensors on that exist on the network.
“The sensor data is just the ‘what’ of what’s going on and the intel tells us the so what, the why, the who and putting that together is of great value as we give that to combatant commands, to service and to agencies,” Col. Paul Craft, director of operations, J3 at JFHQ-DoDIN told Fifth Domain. “We will lay down what we see off every sensor, what’s going on. That goes in the daily report, then we do a deep dive on Thursdays and our larger commander update brief on what exactly is going down and where, down to who is being spearphished, who’s being whaled, what tunnels are opening up in what counties, what our concerns are.”
Liberto said the initial capability of the cell was recognized immediately by Cyber Command and “within their battle rhythm we briefed them specifically on those countermeasures and internal defensive measures to protect the DoDIN.”
The cell, he added, is still maturing a year in.
Craft explained that the intelligence directorate within JFHQ-DoDIN is working to gain expertise from the active duty side and the reserves to bolster the information coming in. The intelligence personnel are also working to build partnerships with the intelligence agencies to provide real-time information through the 24 hour cyber tasking orders JFHQ-DoDIN passes out.
JFHQ-DoDIN is also working with its Cyber Command and other elements.
Since JFHQ-DoDIN only operates within the boundaries of DoD networks, it passes information of note to Cyber Command to potentially act in gray or red space.
This is also done for the purpose of what is known as intelligence equities or intelligence gain/loss.
When potential malicious activity is observed on the network, “it’s a balance between operational gain/loss and intel gain/loss. We have to make a conscious decision, human in the loop, on if we do block this activity, then we will lose the ability to gain intelligence on it if we stop it,” Craft told Fifth Domain.
Craft added that every attack makes the team better and smarter as it provides valuable insights into adversarial tactics.
“We are capturing what the enemy is doing, how they’re doing it, their behaviors, so that we can prevent the next attack. That is much different than just stopping the attack from a whack-a-mole perspective,” he said. “Actually gaining information on what the enemy just did, why they did it, where they came from, home many nodes did they light up at that particular time and then using that to our advantage.”