Formalizing Cyber Threat Intelligence Planning: Part III
Part 3 of 10: Intelligence Preparation of the Environment (IPE): Step 1 by Chris Ruel, Full-Time Instructor at SecureSet Denver campus.
Define the Environment
When you think of “terrain,” what images come to mind? Mountains? Forests? Rivers, lakes, and valleys? When we in the military think about terrain, this is usually where we start as well. We also consider things like infrastructure (transportation networks, population centers, etc.) and populations (human terrain). This is because we mostly operate in the “physical domain” of land, sea, air, and space. Real Clear Defense notes: “Prior to the concept of domains, military operations were typically described in only three physical dimensions of land, sea, and air.” Cyberspace exists in the “Virtual Domain” along with Information. Even though the physical and virtual seem to exist at opposite ends of the spectrum, with only a small amount of abstraction, the same analysis of characteristics can be applied.
We can break down “defining the environment” into five sub steps:
- Identify significant characteristics.
- Identify the limits of the Area of Operations (AO) and Area of Interest (AI).
- Identify the amount and level of detail of information required and what is feasible based on the time that is available.
- Evaluate existing data/information/intelligence and identify gaps.
- Collect required intelligence and materials.
Identify Significant Characteristics
You can loosely define the characteristics as a set of properties that define or describe the environment in question. In cybersecurity, the environment in question is usually a network or a network of networks. Through Merriam-Webster’s definitions, we can define a network as a system of computers, peripherals, terminals, and databases connected by communication lines. Although we can develop a definition, networks don’t have an approved list of characteristics. To successfully perform the task at hand, an analyst should focus their efforts on the characteristics that are most applicable to the assignment.
Identify the limits of the AO and AI
The AO is the terrain that you have the authority to operate in. The AI is the terrain that you do not have authority to operate in, but that can affect your AO. Take the 2013 Target breach for example. ZDNet explains that “The attackers backed their way into Target’s corporate network by compromising a third-party vendor…Fazio Mechanical, a refrigeration contractor.” Fazio’s network (Area of Interest), which allegedly did not have adequate intrusion detection systems, was off limits to Target’s security personnel. Fazio’s network was the conduit into Target’s Area of Operations. The takeaway? Make sure to identify your exposure points and understand the limit of you authority to interact with them.
When looking at the AO/AI an analyst must always consider MATTAC, a deviation of METT-TC (Mission Enemy Terrain Troops — Time Civilians).
- Mission: What is the purpose/end state of the analysis?
- Adversary: Who is your adversary and what are their capabilities?
- Terrain: What does the cyber terrain look like?
- Time: How much time do you have?
- Assets: What assets (money, talent, equipment) do you have available?
- Customers: Who is your customer? What are their needs and idiosyncrasies?
These are variables that affect the analyst’s overall assessment of a situation. The same terrain can have radically different assessments because of MATTAC.
Identify the amount and level of detail of information required and what is feasible based on the time that is available
Time is the resource that we often forget to account for. It is as valuable as money or any other asset. You may not need to look at EVERY possible threat in the AO/AI based on MATTAC. Most people are uncomfortable with ambiguity or 75% solutions, but resource allocation is more often than not, a zero-sum game. Some steps may need to be eliminated or scaled back. Backwards plan and prioritize your efforts.
Evaluate existing data/information/intelligence and identify gaps
Networks are very dynamic; they are constantly in flux and as endpoints connect and drop off, software is updated and applications are added. Adversaries are constantly adapting and evolving. You are unlikely to have the information you need at your fingertips. Identify what gaps you have and then prioritize them for collection. Gaps that CANNOT be filled within the time limit need to be annotated. If a required piece of information/Intelligence is unavailable, make assumptions to fill those gaps.
If someone tells you that you should never make assumptions because “When you ASSUME you make an ASS of U and ME,” that person is either 1) omniscient, 2) supremely arrogant, or 3) an idiot. Unless you happen to work for a powerful deity, it’s some combination of 2 and 3. Assumptions are perfectly fine as long as they meet three criteria:
- Valid: Containing premises from which the conclusion may logically be derived, correctly inferred, or deduced.
- Necessary: Is the assumption required for planning purposes?
- Considered True: Assumptions are treated like facts until proven untrue or facts emerge.
If an assumption does not meet all three, discard it.
Collect required intelligence and materials
Now that you know a little more about what you don’t know, you can start assembling the pieces you need to develop a Common Operating Picture (COP). If you have well maintained running estimates, your job will be a lot easier. Running estimates could include, but are not limited to:
- List of approved network devices, software and applications
- Network maps/diagrams
- Users and their associated privileges
- Available resources
- Burn rate
- Known adversaries
- Vulnerabilities and exposures
After you gather the available information, review your assumptions for validation. Do they still meet all of the criteria? If your assumptions are denied (by leadership) re-examine the evaluations and decisions on which they are based. In the next post we’ll cover how to “describe the effects,” when we begin to develop the COP.
For further reading on this subject, you can take a look at some of the references that I used when writing this blogpost:
FM 3–38 — Cyber Electromagnetic Activities
Joint Publication 3–12 — Cyberspace Operations
ATP 2–01.3 — Intelligence Preparation of the Battlefield/Battlespace
SANS Institute — Use Offense to Inform Defense
FM 34–130 — Intelligence Preparation of the Battlefield
If you’re just joining us for this series, you can catch-up by reading Formalizing Cyber Threat Intelligence Planning: Part I and Part II.
Christopher Ruel is a Full-Time Instructor at the SecureSet Denver Campus. He teaches Cyber Threat Intelligence as well as Strategy and Analysis. Chris is an Army Special Forces Officer with years of operational experience overseas. He has also worked closely with the Intelligence Community in pursuit of US strategic objectives. He has earned a BA in history, as well as an MBA with a concentration in Business Analytics.