Hoping to stymie cyber attacks, DoD’s cyber defense headquarters looks to predictive analytics

Leaders of the organization that handles much of the Defense Department’s day-to-day network defense believe that if there’s anything they can be rightly criticized for, it’s that DoD’s approach to date has been too reactive, only responding to cyber attacks after they’ve already begun.

So the Joint Force Headquarters-DoD Information Networks (JFHQ-DoDIN) believes it needs to become much more proactive, including by developing new capabilities to mount defenses against specific attacks while the attackers are still in the planning stages.

Since January, the JFHQ has been testing a new data analytics platform that’s meant to use automated data analytics techniques to spot the sorts of behavior adversaries have been known to engage in as they lay the groundwork for an attack.

The Integrated Cyber Intelligence Platform, for now, is using only commercially-provided threat data as DoD continues to prove out the use case, said Col. Casimir Carey, the organization’s intelligence chief.


“We’re going to be fusing that together and proving that it works from a behavioral analytics standpoint to give us some predictability,” he said at AFCEA’s annual Defensive Cyber Operations Symposium in Baltimore. “But once we do that, we’ll look at integrating it into the [Defense Information Systems Agency’s] Big Data Platform, and leverage it together with all the government sensor data at the same time.”

The overall objective is to be able to “see the storm before the storm hits us,” said Col. Paul Craft, JFHQ-DoDIN’s director of operations. And with systems that can automatically detect what a cyber attack or its precursors look like, officials also want to add capabilities to automatically block attacks in their early stages, without necessarily requiring human intervention.

“When it comes to partnering to get more commercial threat intel, more is better,” Craft said. “From an artificial intelligence perspective, we need the ability to not have a person in the middle having to make all those decisions. If we set our models up properly, we will be able to actively defend minute-by-minute. We are doing that now. We load a lot of things in our sensors, and they’re able to make blocking decisions for us in a rapid fashion, about 4 minutes. But we’d like to be able to do that at more levels and more layers going forward.”

JFHQ-DoDIN is a new organization, having only reached its full operational capability in January, and protecting Defense networks at multiple levels is one of the reasons DoD officials created the headquarters in the first place.

While each military service has the responsibility to protect its own section of the DoDIN, the JFHQ, which is an operational component of U.S. Cyber Command, is supposed to see the big picture. To that end, it’s also in the process of creating the department’s first truly detailed map of the 15,000 networks that fall within the dot-mil domain and the 42 different organizations that operate them. That effort, called Operation Gladiator Shield, has been underway since last fall.

“We are organizing the DoD’s information battlespace, laying out what each organization’s network looks like, and who are the network operators and network security providers that we have to secure that battlespace,” Craft said. “What are the task-critical assets that we definitely have to defend? What is the mission-relevant cyber terrain? And then we’re asking the services, the combatant commands and the agencies to do an aggregate risk assessment for their portion of the network. We want them to be able to say, ‘I understand my battlespace, I understand who is operating and securing that battlespace, I know what’s important that I need to defend.’”

Using that data, the JFHQ creates an aggregated risk assessment for the DoDIN as a whole. And Craft emphasized that the “battlespace” it’s trying to define includes not just traditional, legacy networks, but also the government and commercially-owned cloud computing services that make up an increasing share of DoD’s information environment.

“We still have the responsibility to command and control that and make sure that it is actively secured, either through contract, or through other means,” he said. “I don’t know if that was clearly understood on the front end when we began racing to the cloud, but it is key to the success of the Department of Defense. It’s part of our infrastructure, just like our backbone network, our industrial control systems, our program of record networks.”

DoD plans to use the understanding it gathers from Operation Gladiator Shield to help find any portions of its overall network that aren’t adequately secured, including where it might need to allocate additional cyber defense personnel.

But as part of the operation, the JFHQ has also been granted the authority to direct military services and other DoD organizations to fix cyber weaknesses it finds in six-month, 30-day and 24-hour increments.

The six-month cycle — called a Cyber Operations Directive — lays out DoD’s biggest cyber defense priorities, as defined by a board of three-star admirals and generals throughout the department. It’s updated every 90 days.

Using those broader operational objectives, the JFHQ then develops a Master Cyber Operations Plan once a month. Its main function, Craft said, is to assess whether DoD’s cyber protection forces are focused on the most active or concerning threats, and if not, reallocate them accordingly.

From there, every day, the JFHQ sends the Army, Navy, Marine Corps, Air Force and Coast Guard orders to patch any problems it’s found on the network, based on its current understanding of cyber threats and vulnerabilities.

“This is something we’ve done in just the last 90 days: we’ve taken DISA’s $24 billion network, which runs the majority of the DoD, and it’s now a $24 billion sensor grid. We’re taking all of the information off that grid and finding out, ‘Who’s scanning us right now? What vulnerabilities are they looking for? Who is being spear phished? What websites are they trying to look at, and what information are they trying to pull?’ That happens every single day to actively secure, operate and defend our networks. It’s a big change, and that’s why this organization was stood up: to synchronize and integrate and actively command and control all the DoD’s networks.”
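The two ideas Craft describes, sensors that make blocking decisions without a person in the middle and a sensor grid that answers “Who’s scanning us right now? Who is being spear phished?”, can be shown in miniature with a small detection routine over sensor records. This is an added example, not code from JFHQ-DoDIN, DISA or the Big Data Platform; the record format, the addresses and mail domains, the thresholds and every log line are constructed for the illustration.

```python
"""
Added illustration (not JFHQ-DoDIN's or DISA's code): treat a batch of sensor
records as a small "sensor grid", detect port scanning and spear-phish
campaigns, and turn each detection into a machine-actionable block decision
that still carries the evidence a human reviewer would want to see.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor feed. The format is an assumption for this example:
#   conn: <ts> conn <src-ip> <dst-ip> <dst-port>        (perimeter sensor)
#   mail: <ts> mail <sender> <recipient> <link-host>    (mail gateway sensor)
SENSOR_LINES = [
    "2018-05-02T10:00:01 conn 203.0.113.7 10.1.0.5 22",
    "2018-05-02T10:00:02 conn 203.0.113.7 10.1.0.5 23",
    "2018-05-02T10:00:03 conn 203.0.113.7 10.1.0.5 80",
    "2018-05-02T10:00:04 conn 203.0.113.7 10.1.0.5 443",
    "2018-05-02T10:00:05 conn 203.0.113.7 10.1.0.5 3389",
    "2018-05-02T10:00:06 conn 203.0.113.7 10.1.0.5 8080",
    "2018-05-02T10:00:07 conn 198.51.100.9 10.1.0.8 443",
    "2018-05-02T10:09:00 conn 198.51.100.9 10.1.0.8 443",
    "2018-05-02T10:05:00 mail billing@example.net alice@hq.example hq-login.example.org",
    "2018-05-02T10:05:10 mail billing@example.net bob@hq.example hq-login.example.org",
    "2018-05-02T10:05:20 mail billing@example.net carol@hq.example hq-login.example.org",
    "2018-05-02T10:06:00 mail newsletter@example.com dave@hq.example example.com",
]

# Thresholds are constructed for the example; a real deployment tunes them.
SCAN_WINDOW = timedelta(minutes=5)
SCAN_PORT_THRESHOLD = 5        # distinct destination ports from one source within the window
PHISH_RECIPIENT_THRESHOLD = 3  # distinct recipients sent the same link host by one sender


def parse_line(line):
    """Parse one constructed sensor record into a dict keyed by field name."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    if kind == "conn":
        rec.update(src=fields[0], dst=fields[1], dport=int(fields[2]))
    elif kind == "mail":
        rec.update(sender=fields[0], rcpt=fields[1], link_host=fields[2])
    else:
        raise ValueError(f"unknown sensor record kind: {kind}")
    return rec


def find_scanners(records):
    """Answer "who is scanning us": sources that touch SCAN_PORT_THRESHOLD or more
    distinct ports inside a sliding SCAN_WINDOW. Returns {src: sorted ports seen}."""
    by_src = defaultdict(list)
    for r in records:
        if r["kind"] == "conn":
            by_src[r["src"]].append((r["ts"], r["dport"]))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > SCAN_WINDOW:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= SCAN_PORT_THRESHOLD:
                scanners[src] = sorted({p for _, p in events})
                break
    return scanners


def find_phish_campaigns(records):
    """Answer "who is being spear phished": one sender pushing the same link host to
    PHISH_RECIPIENT_THRESHOLD or more recipients. Returns {(sender, host): recipients}."""
    rcpts = defaultdict(set)
    for r in records:
        if r["kind"] == "mail":
            rcpts[(r["sender"], r["link_host"])].add(r["rcpt"])
    return {k: sorted(v) for k, v in rcpts.items() if len(v) >= PHISH_RECIPIENT_THRESHOLD}


def block_decisions(lines):
    """Convert detections into block decisions, each carrying its reason and evidence
    so that automated blocking remains reviewable after the fact."""
    records = [parse_line(line) for line in lines]
    decisions = []
    for src, ports in find_scanners(records).items():
        decisions.append({"action": "block_ip", "target": src,
                          "reason": f"port scan: {len(ports)} ports within {SCAN_WINDOW}"})
    for (sender, host), victims in find_phish_campaigns(records).items():
        decisions.append({"action": "block_sender", "target": sender,
                          "reason": f"spear phish to {len(victims)} recipients via {host}",
                          "recipients": victims})
    return decisions


if __name__ == "__main__":
    for decision in block_decisions(SENSOR_LINES):
        print(decision)
```

The design point is the one Craft makes about setting models up properly: each automated decision is emitted with its threshold, window and the affected recipients attached, so the minute-by-minute blocking can be audited and the thresholds adjusted when they fire on legitimate traffic such as the repeated single-port connections from 198.51.100.9, which this routine correctly leaves alone.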