Geospatial TTPs Boost Cybersecurity


GIF 2010 Volume: 8 Issue: 7 (October)

Tools, techniques and procedures can define and reduce the threat to critical infrastructure and operating systems that support C4ISR.

The geospatial tradecraft has benefited from the development of tools, techniques and procedures (TTP) that play a major role in combating terrorism in the 21st century. These TTPs have improved the situational awareness of the operational environment, which is vital to understanding and mitigating threats.

The cyber-environment provides a new haven for those intending to act against U.S. national security interests. But threats can be reduced by using geospatial TTPs. A geospatial perspective of the cyber-environment increases situational awareness of computer network attacks and intelligence gathered from targeted hosts against command, control, computers and communications that drive intelligence, surveillance and reconnaissance. Geospatial TTPs will once again prove their value in helping to define and reduce the threat to critical infrastructure and operating systems that support C4ISR.

“The national security of the United States, our economic prosperity and the daily functioning of our government are dependent on a dynamic public and private information infrastructure, which includes telecommunications, computer networks and systems, and the information residing within. This critical infrastructure is severely threatened,” Admiral Dennis Blair (Ret.), then director of national intelligence, wrote in his February 2010 annual threat assessment.

Cyber-threats come from adversaries operating outside official nation-state recognition, such as cyber-criminals or terrorists, who may nonetheless receive support and protection from nation-state actors willing to sponsor, plan and execute network attacks and exploitations. An estimated 100 nations have offensive cyber-capability.

Network threats exist and may appear as malware worms and viruses, intrusions for denial of service or defacement, probing and scanning, network mapping, exfiltration, or data destruction. Attacks may be synchronized with kinetic actions linked to cross-border disputes similar to the 2008 Georgia-Russia crisis, or could extend over time as campaigns with phased operations and scaled resources.

Regardless of the attack type or attribution of the attacker, there are generally indications and warnings (I&W) and always a physical component that can be linked to the hostile action, attacker location or their supporting network and supply chain. Location of hostile servers, command and control nodes, and critical infrastructure that has been attacked can usually be tied to a map location. Attribution may be obtained from cyberforensics or fingerprints of the attack, or point to a particular pattern of life behavior or method of operations.

These behaviors may be useful as I&W of future attacks or escalations and assist in profiling those who intend to cause harm to national security interests. Actions, behaviors and consequences can be mapped as data layers with temporal and geospatial components to yield situational awareness in a 4-D environment (X, Y and Z plus time, or latitude, longitude and elevation with temporal change).

Geospatial Linkages

Geographic and temporal information provides a greater understanding of critical infrastructure interdependencies, especially when assets are collocated for force protection purposes or require similar support infrastructure, such as command and control or power systems. Critical infrastructure such as transportation networks, banking, water supply, power grids and C4ISR assets and facilities are inherently vulnerable because they generally connect to and rely on unprotected information technology networks.

This infrastructure can be mapped with metadata and overlaid on image basemaps for improved situational awareness that may reduce response times once attacks occur. Risk assessments and mitigations can also be mapped according to criticality, threats and hazards, and vulnerabilities if they have a shared physical characteristic such as redundant server farm locations, power sources, access control or network linkage points. I&W of an impending attack can be developed to relate hostile methods and patterns of life, and mapped if the physical corresponding link to the hostile action is known.

These various information layers can be assembled into a shared perspective or common operating picture to distribute to organizations that defend and protect critical infrastructure. U.S. Cyber Command (USCYBERCOM) was recently established to plan, coordinate, synchronize and conduct operations to defend specified Department of Defense information networks, and when directed, conduct full-spectrum military cyberspace operations.

USCYBERCOM is commanded by General Keith Alexander, who also serves as director of the National Security Agency.

There are also elements in all four services—Army Forces Cyber Command, Marine Forces Cyber Command, Fleet Cyber Command-10th Fleet and the 24th Air Force. “We have no situational awareness, it’s very limited,” Alexander said recently. “We do not have a common operating picture for our networks.” “We need real-time situational awareness on our networks,” Alexander said, adding, “We must share indications and warnings threat data at net speed.”

According to Wikipedia, “A common operational picture (COP) is a single identical display of relevant (operational) information (e.g., position of own troops and enemy troops, position and status of important infrastructure such as bridges and roads) shared by more than one command. A COP facilitates collaborative planning and assists all echelons to achieve situational awareness.”

Achieving a cyber COP, however, requires input from disparate sources and origins of intelligence, such as those derived from signals, geospatial information, measurements and signatures, and human sources. The “aha” moment occurs when all sources of available intelligence converge to create a COP that becomes the basis for discovery, definition and dialog.

COTS tools can be used to meet some of the USCYBERCOM mission needs. BAE Systems Geospatial eXploitation Products develops advanced GEOINT software to address the need for combining multi-sourced intelligence data into a geospatial environment that can then be exploited into GEOINT products. SOCET GXP with the new GXP Xplorer data library and search tool consolidates geospatial analysis, image processing and data management functionality in one cohesive package to develop a common operating picture and improve situational awareness.

The unique nature of the cyber-environment adds the virtual space of computer operations, which often makes it difficult to determine a physical location for cyber-operations. There must, however, be a physical space for the infrastructure that supports cyber-operations and for the command and control authority that takes direct action to orchestrate them.

Describing the cyber-environment in terms of infrastructure physical location (x, y, z or latitude, longitude, elevation) over an intended operating environment or area of interest within a known or expected timeframe establishes a baseline for a shared understanding. Predicting how this picture will change over time and comparing the original picture against later observations allows those changes to be detected and analyzed against I&W, or used in attribution, assessments and the decision-making process.
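The baseline-and-change-detection idea above, as an added example that is not code from the article or from BAE Systems: each mapped element carries x, y, z and a timestamp, a later snapshot is compared against the baseline, and nodes that appeared, disappeared or moved beyond a tolerance are reported as candidate I&W. The node identifiers, coordinates and tolerance are constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Node:
    """One mapped element of the cyber-infrastructure layer (x, y, z plus time)."""
    node_id: str     # hypothetical label for a server, C2 node or power source
    lat: float
    lon: float
    elev_m: float
    observed: str    # ISO-8601 timestamp of the observation


def haversine_m(a: Node, b: Node) -> float:
    """Great-circle distance in metres between two nodes (spherical Earth, R = 6371 km)."""
    r = 6371000.0
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(h))


def detect_changes(baseline, snapshot, tolerance_m=50.0):
    """Compare a later snapshot against the baseline; return added, removed and moved nodes."""
    base = {n.node_id: n for n in baseline}
    now = {n.node_id: n for n in snapshot}
    added = sorted(set(now) - set(base))
    removed = sorted(set(base) - set(now))
    moved = []
    for nid in sorted(set(base) & set(now)):
        horiz = haversine_m(base[nid], now[nid])
        vert = abs(now[nid].elev_m - base[nid].elev_m)
        if horiz > tolerance_m or vert > tolerance_m:   # beyond positional tolerance
            moved.append((nid, round(horiz, 1), round(vert, 1)))
    return {"added": added, "removed": removed, "moved": moved}


# Constructed sample layers; the locations do not describe real infrastructure.
BASELINE = [
    Node("dns-01", 38.8977, -77.0365, 20.0, "2010-09-01T00:00:00Z"),
    Node("c2-relay-a", 38.9072, -77.0369, 25.0, "2010-09-01T00:00:00Z"),
    Node("power-sub-7", 38.8895, -77.0353, 18.0, "2010-09-01T00:00:00Z"),
]
SNAPSHOT = [
    Node("dns-01", 38.8977, -77.0365, 20.0, "2010-10-01T00:00:00Z"),
    Node("c2-relay-a", 38.9200, -77.0369, 25.0, "2010-10-01T00:00:00Z"),  # relocated north
    Node("c2-relay-b", 38.9100, -77.0400, 22.0, "2010-10-01T00:00:00Z"),  # newly observed
]

if __name__ == "__main__":
    print(detect_changes(BASELINE, SNAPSHOT))
```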

Projecting elements that constitute the COP needed to achieve a shared situational awareness into a simple format, combined with an easy-to-use software tool, is essential to mission success. Google Earth interfaces, geospatial database interoperability and dissemination of GEOINT products into formats such as GeoPDF and PowerPoint files ensure technically derived information is maintained in the conversion process. Once again, SOCET GXP software provides the tools to collate disparate sources of complex data and convert them into adaptable, user-defined products for dissemination to a broad audience.

Situational Awareness

SOCET GXP provides the many capabilities required by analysts within a single product, all accessible from an intuitive user interface. The user can work with a wide range of commercial and government image sources, both airborne and orbital, both still imagery and full motion video, and other materials, for example digital raster and vector maps, elevation data from LiDAR, IfSAR [Interferometric Synthetic Aperture Radar], photogrammetry or other sources, or even SIGINT results and HUMINT reports. Once an image basemap is created, it can be further enhanced by attributing features such as buildings, roads or parcel information obtained from geospatial databases.

The SOCET GXP Spatially Enabled Exploitation module interacts with Esri’s ArcGIS, allowing analysts with little or no photogrammetric experience to connect to and populate basemap features from Esri geodatabases. With SOCET GXP, analysts use familiar tools and techniques and universal file formats to create, collect, edit, store and retrieve geospatial features and their associated attributes to provide accurate and timely situational awareness.

Such tools enable the user to catalog imagery and other data and then discover useful files in that catalog and in other catalogs across workgroups and federated libraries. The goal is to create a wide variety of informative products in an easy-to-use fashion.

For example, the analyst may need to triangulate and fuse multiple image sources; perform remote sensing analyses, such as classification or anomaly detection on hyperspectral and multispectral (HSI and MSI) sources; extract elevation data; extract features; generate orthorectified mosaics of panchromatic, HSI, MSI, or pan-sharpened imagery; build terrain analyses, such as slope, aspect, viewshed, flood zones, helicopter landing zones, or fly-throughs; perform targeting; and place the analysis results in an established format, together with requisite metadata, then publish the result to PowerPoint, GeoPDF or other convenient output formats, perhaps disseminating these on Web services. Disseminating this information into easy-to-read formats and templates maximizes the value of the intelligence so it is quickly understood and can be used in threat assessments or included as a component of an operational plan.

The use of geospatial TTPs achieves situational awareness of the threats against cyber-networks and should not be ignored. These TTPs create a common operating picture and contribute to the new USCYBERCOM mission. COTS tools that portray a common operating environment can be used to protect and defend U.S. national security cyber-interests. ♦


Jim Youker is with BAE Systems.
