Geospatial TTPs Contribute To Cyber Security

November 12, 2010

Geospatial tradecraft has benefited from the development of tactics, techniques and procedures (TTPs) that have played a major role in combating terrorism in the 21st century. These TTPs have improved situational awareness of the operational environment, which is vital to understanding and mitigating threats to U.S. National Security. The cyber environment provides a new haven for those intending to act against U.S. National Security interests, but that threat can also be reduced through the use of geospatial TTPs. A geospatial perspective on the cyber environment can increase situational awareness of computer network attacks and exploitations against the Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance (C4ISR) systems that support U.S. National Security interests. Geospatial TTPs will once again prove their value in helping to define and reduce the threat to the critical infrastructure and operating systems that support C4ISR.

“The national security of the United States, our economic prosperity, and the daily functioning of our government are dependent on a dynamic public and private information infrastructure, which includes telecommunications, computer networks and systems, and the information residing within. This critical infrastructure is severely threatened,” said Dennis Blair, then Director of National Intelligence (DNI), in his Annual Threat Assessment of the Intelligence Community for the Senate Select Committee on Intelligence, February 2010. Cyber threats also come from adversaries who operate outside the boundaries of official nation-state recognition, such as cyber criminals or terrorists, but who may enjoy some support and protection from the nation-state actors who would typically be involved in sponsoring, planning and executing network attacks and exploitations. Roughly 100 nations are estimated to have an offensive cyber capability (an estimate attributed to Amit Yoran).

Cyber Threats
Threats to networks may appear as malware such as worms and viruses, intrusions for denial of service or defacement, probing and scanning, network mapping, and exfiltration or destruction of data. Attacks may be synchronized with kinetic actions linked to cross-border disputes, as in the 2008 Georgia-Russia crisis, or may extend over long time frames and resemble campaigns with operational phases and scaled resources. Regardless of the attack type or the attribution of the attacker, there are generally indications and warnings (I&W), and there is always a physical component that can be linked to the hostile action, the attacker's location, or their supporting network and supply chain. The locations of hostile servers, command and control nodes and attacked critical infrastructure can usually be tied to a map position. Attribution of the attack may come from cyber forensics or fingerprints of the attack, or may point to a particular pattern-of-life behavior or modus operandi. These behaviors may serve as I&W for future attacks or escalations and help build a profile of those who intend to harm National Security interests. Actions, behaviors and consequences can be mapped as layers of data with temporal and geospatial components; portrayed together, they yield situational awareness in a 4D environment (X, Y, Z + time, or latitude/longitude and elevation with temporal change).

Geospatial linkages
Use of geographic and temporal information can provide a greater understanding of critical infrastructure interdependencies, especially when assets are collocated for force protection purposes or require the same supporting infrastructure, such as command and control or power systems. Critical infrastructure such as transportation networks, banking, water supply, power grids and C4ISR assets and facilities is inherently vulnerable because it is generally connected to, and relies on, unprotected information technology networks. This infrastructure can be mapped with metadata and overlaid on image basemaps for better situational awareness, which may reduce response times once attacks occur. Risk assessments and mitigations can also be mapped by criticality, threats, hazards and vulnerabilities when assets share a physical characteristic, such as supposedly redundant server farm locations, power sources, access control or network linkage points. I&W of an impending attack can be developed from hostile methods and patterns of life and can also be mapped when the physical link corresponding to the hostile action is known.
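The shared-physical-characteristic point above has a concrete check behind it: two assets that are "redundant" on the network diagram are not redundant if they hang off the same power feeder or the same site. The following is an added example, not code from the article or from any BAE Systems product; the asset inventory, the site/feeder/uplink names and the redundancy groups are all constructed for illustration. It finds, per redundancy group, every physical dependency common to all members (a single point of failure for that group), and reports the blast radius of one dependency failing.

```python
"""Find shared physical dependencies that defeat nominal redundancy.

Added example for the article's point about mapping risk by shared physical
characteristics; the inventory below is constructed, not real infrastructure.
"""
from collections import defaultdict

# Constructed inventory: each asset lists the physical things it depends on.
# "group" ties together assets that are supposed to back each other up.
ASSETS = {
    "c2-web-1": {"site": "site-a", "power": "feeder-7", "uplink": "pop-1", "group": "c2-web"},
    "c2-web-2": {"site": "site-b", "power": "feeder-7", "uplink": "pop-2", "group": "c2-web"},
    "c2-db-1":  {"site": "site-a", "power": "feeder-7", "uplink": "pop-1", "group": "c2-db"},
    "c2-db-2":  {"site": "site-c", "power": "feeder-9", "uplink": "pop-3", "group": "c2-db"},
    "dns-1":    {"site": "site-a", "power": "feeder-7", "uplink": "pop-1", "group": "dns"},
    "dns-2":    {"site": "site-b", "power": "feeder-8", "uplink": "pop-1", "group": "dns"},
}

# The physical dependency types the check considers (hypothetical keys).
DEPENDENCY_KEYS = ("site", "power", "uplink")


def members_by_group(assets=ASSETS):
    """Map each redundancy group name to the list of its member assets."""
    groups = defaultdict(list)
    for name, a in assets.items():
        groups[a["group"]].append(name)
    return groups


def shared_single_points(assets=ASSETS):
    """For every redundancy group, return the dependencies shared by all members.

    Any such dependency is a single point of failure for the whole group, no
    matter how many members the group has on paper.
    """
    spof = {}
    for group, members in members_by_group(assets).items():
        common = {}
        for key in DEPENDENCY_KEYS:
            values = {assets[m][key] for m in members}
            if len(values) == 1:          # every member depends on the same thing
                common[key] = values.pop()
        if common:
            spof[group] = common
    return spof


def blast_radius(dependency_key, value, assets=ASSETS):
    """Everything that goes down if one physical dependency fails.

    Results are grouped by redundancy group, with a flag showing whether the
    failure takes out every member of that group at once.
    """
    group_size = {g: len(m) for g, m in members_by_group(assets).items()}
    hit = defaultdict(list)
    for name, a in assets.items():
        if a[dependency_key] == value:
            hit[a["group"]].append(name)
    return {
        g: {"affected": sorted(m), "total_loss": len(m) == group_size[g]}
        for g, m in hit.items()
    }


if __name__ == "__main__":
    for group, deps in shared_single_points().items():
        print(f"{group}: all members share {deps}")
    for group, r in blast_radius("power", "feeder-7").items():
        print(f"feeder-7 loss -> {group}: {r['affected']} total_loss={r['total_loss']}")
```

In the constructed inventory the two C2 web servers sit at different sites but on the same power feeder, and both DNS servers share one network uplink; the C2 database pair is the only group with no shared dependency. Because each dependency is a physical thing with a location, the same records can be joined to a geospatial layer and shown as the interdependency overlay the article describes.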

These various layers of information can be assembled into a shared perspective, or common operating picture (COP), that can be distributed among the organizations engaged in defending and protecting critical infrastructure. A new organization recently established to protect and defend DoD IT infrastructure is U.S. Cyber Command (CYBERCOM), whose mission is to plan, coordinate, synchronize and conduct operations in defense of specified DoD information networks and, when directed, to conduct full-spectrum military cyberspace operations. CYBERCOM is commanded by the current head of the National Security Agency (NSA) and includes elements of all four services: ARFORCYBER, MARFORCYBER, FLTCYBERCOM–10th Fleet and 24th USAF, collocated with NSA at Ft. Meade, MD. In recent remarks, General Keith Alexander, as commander of CYBERCOM, said, “We have no situational awareness, it’s very limited … we do not have a common operating picture for our networks … we need real-time situational awareness on our networks … we must share indications and warnings threat data at net speed.” According to Wikipedia, “A common operational picture (COP) is a single identical display of relevant (operational) information (e.g. position of own troops and enemy troops, position and status of important infrastructure such as bridges, roads, etc.) shared by more than one Command. A COP facilitates collaborative planning and assists all echelons to achieve situational awareness.” Achieving a cyber COP, however, requires input from disparate sources and intelligence disciplines, such as signals, geospatial information, measurements and signatures, and human sources. The “ah ha” moment comes when all available sources of intelligence are combined into a COP, and that shared situational awareness becomes the basis for discovery, definition and dialog.

Commercial off-the-shelf (COTS) tools already exist that may meet some of the CYBERCOM mission's needs. BAE Systems Geospatial eXploitation Products® develops advanced geospatial-intelligence software that combines multi-source intelligence data in a geospatial environment, where it can be exploited into geospatial intelligence (GEOINT) products. SOCET GXP® (SGXP), with the new GXP Xplorer™ data library and search tool, consolidates geospatial analysis, image processing and data management in one cohesive package to develop a COP and improve situational awareness.

CYBER Situational Awareness
The cyber environment adds the virtual space of computer operations, which often makes it difficult to ascertain a physical location for cyber operations. However, there must be a physical space for the infrastructure that supports cyber operations, and for the command and control authority that takes direct action to orchestrate them. Describing the cyber environment in terms of the physical location of infrastructure (x, y, z or lat/long/elevation) over an intended operating environment or area of interest, within a known or expected timeframe, establishes a baseline for shared understanding. Projecting how this picture will change over time and comparing the baseline against observed changes allows those changes to be detected and analyzed against I&W, or used in attribution, assessments and decision-making. Presenting the elements that make up the COP in an easy-to-understand format, from an easy-to-use software tool, is essential to mission success. Google Earth™ interfaces, geospatial database interoperability and dissemination of GEOINT products in formats like GeoPDF and PowerPoint ensure that technically derived information is not lost in conversion. Once again, SOCET GXP software provides the tools needed to collate disparate sources of complex data and convert them into easy-to-use, user-defined products that can be disseminated to a broad audience in an uncomplicated manner.

Geospatial TTPs described
A modern software tool such as SGXP is designed to provide as many of the capabilities analysts require as possible within a single product, all accessible from an easy-to-use, intuitive, ergonomic user interface. The user should be able to work with a wide range of commercial and government image sources, airborne and orbital, still and full motion video (FMV), as well as other materials such as digital raster and vector maps; elevation data from LiDAR, IfSAR, photogrammetry or other sources; or even SIGINT results and HUMINT reports. Once an image basemap is created from available source data, it can be further enhanced by attributing features such as buildings, roads or parcel information obtained from geospatial databases. The SGXP Spatially Enabled Exploitation (SEE) module interacts with ESRI® ArcGIS and allows analysts with little or no photogrammetry experience to connect to ESRI geodatabases and populate basemap features from them. With SGXP, analysts use familiar tools and techniques and universal file formats to create, collect, edit, store and retrieve geospatial features and their associated attributes, providing accurate and timely situational awareness.

New tools such as GXP Xplorer enable the user to catalog imagery, other data and products, and then discover useful files in that catalog and in other catalogs across workgroups and federated libraries. The goal is to create a wide variety of informative products in an easy-to-use fashion. For example, the analyst may need to triangulate and fuse multiple image sources; perform remote sensing analyses, such as classification or anomaly detection on HSI/MSI sources; extract elevation data; extract features; generate orthorectified mosaics of panchromatic, MSI, HSI or pan-sharpened imagery; run terrain analyses, such as slope, aspect, viewshed, flood zones, Helicopter Landing Zones (HLZ) or fly-throughs; perform targeting; and then place the results of the analysis in an established format, together with the requisite metadata, and publish them to PowerPoint, GeoPDF or other convenient output formats, perhaps disseminating them via web services. Delivering this information in easy-to-read formats and templates maximizes the value of the intelligence, allowing it to be quickly understood and used in threat assessments or included as a component of an operational plan.

Cyber Scenario
November 2010 – As South Korea hosts the G20 Summit in Seoul, the US, Japanese and South Korean cyber defense organizations anticipate that an attack on IT networks is likely. An increased number of malware-laden PDF documents sent by email have been intercepted in the weeks leading up to the summit. Unfortunately, it is suspected that some of these infected documents have been opened, allowing unprotected host computers to be infected with botnet agents intended to harm G20 member countries’ C4ISR networks. Alternate web sites and redundant C2 networks were established for the high-value assets that control the travel and safety of G20 member officials attending the summit in Seoul. As predicted by the US National Cyber Response Coordinating Group, a coalition of federal and civilian agencies tasked with coordinating the response to computer network attacks (CNA) against the US, a denial of service attack intended to overwhelm targeted C2 networks is launched days prior to the summit, with minimal effect.

I&W were developed as a tip-off to the attack, allowing preemptive actions to be directed that mitigated the threats to the targeted networks. InfoCon or CyberCon levels were raised to warrant closer inspection of networks and electronic files, with additional security measures installed. Targeted IP addresses were collated, analyzed for similarities and mapped, revealing a link to G20 member nations. Commercial unclassified high-resolution satellite imagery was obtained from GeoEye® for distribution to G20 member nations, to help them understand the geospatial context of the attack and the response. Damaged networks were assessed, and at-risk networks were mapped to their supporting critical infrastructure, with additional protections deployed. Computer forensics were used to determine attribution for the attack, with the aggressors’ locations and actions portrayed in a 4D overlay on Google Earth for situational awareness. Offensive US operations, where authorized, benefited from a COP developed over time, comprising many disparate sources of intelligence and disseminated in easy-to-read formats displaying actionable geospatial information.
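The scenario's "targeted IP addresses were collated, analyzed for similarities and mapped" and the earlier point about layers of data with temporal and geospatial components shown together in 4D are one workflow. The following is an added example, not code from the article or from SOCET GXP: it takes attack-event records, resolves source addresses against a prefix-to-location table, collates them per location, and emits a KML layer whose `<TimeStamp>` elements let Google Earth play the events on its time slider. The events, the prefix table (standing in for a commercial GeoIP feed) and the site names and coordinates are all constructed; the addresses are taken from the RFC 5737 documentation ranges so nothing points at a real host.

```python
"""Collate attack events by resolved location and emit a time-aware KML layer.

Added example for the article's cyber scenario; the events and the prefix
table below are constructed, not real incident data or a real GeoIP feed.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample events (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    {"ts": "2010-11-08T02:14:00Z", "src": "203.0.113.10", "dst": "198.51.100.5", "kind": "scan"},
    {"ts": "2010-11-08T02:16:30Z", "src": "203.0.113.11", "dst": "198.51.100.5", "kind": "scan"},
    {"ts": "2010-11-09T11:02:00Z", "src": "192.0.2.44",   "dst": "198.51.100.7", "kind": "malicious-pdf"},
    {"ts": "2010-11-10T08:40:00Z", "src": "203.0.113.10", "dst": "198.51.100.9", "kind": "dos"},
    {"ts": "2010-11-10T08:41:00Z", "src": "100.64.0.3",   "dst": "198.51.100.9", "kind": "dos"},
]

# Constructed prefix -> location table; site names and coordinates are hypothetical.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Site A (hypothetical)", 37.55, 126.98),
    (ipaddress.ip_network("192.0.2.0/24"),   "Site B (hypothetical)", 35.68, 139.69),
]


def geolocate(ip, table=GEO_TABLE):
    """Longest-prefix match of an address against the table; None if unknown.

    A GeoIP hit places the last visible hop, not necessarily the operator;
    attribution still needs the forensics the article describes.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name, lat, lon in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, lat, lon)
    return None if best is None else best[1:]


def parse_events(records):
    """Validate timestamps and addresses; return events sorted by time."""
    out = []
    for r in records:
        ts = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ipaddress.ip_address(r["src"])   # raises ValueError on malformed input
        ipaddress.ip_address(r["dst"])
        out.append({"ts": ts, "src": r["src"], "dst": r["dst"], "kind": r["kind"]})
    return sorted(out, key=lambda e: e["ts"])


def summarize_by_location(records, table=GEO_TABLE):
    """Collate events per resolved location. Sources with no table match are
    kept under "unresolved" rather than silently dropped from the picture."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "kinds": set()})
    for e in parse_events(records):
        loc = geolocate(e["src"], table)
        s = summary[loc[0] if loc else "unresolved"]
        s["count"] += 1
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
        s["kinds"].add(e["kind"])
    return dict(summary)


def build_kml(records, table=GEO_TABLE):
    """One Folder per location, one Placemark per resolved event.

    The <TimeStamp> is what lets Google Earth animate the layer; KML
    coordinates are written as longitude,latitude,altitude.
    """
    ET.register_namespace("", KML_NS)
    q = lambda tag: f"{{{KML_NS}}}{tag}"
    kml = ET.Element(q("kml"))
    doc = ET.SubElement(kml, q("Document"))
    folders = {}
    for e in parse_events(records):
        loc = geolocate(e["src"], table)
        if loc is None:
            continue   # nothing to plot; it still shows up in summarize_by_location
        name, lat, lon = loc
        if name not in folders:
            folders[name] = ET.SubElement(doc, q("Folder"))
            ET.SubElement(folders[name], q("name")).text = name
        pm = ET.SubElement(folders[name], q("Placemark"))
        ET.SubElement(pm, q("name")).text = f"{e['kind']} from {e['src']}"
        ET.SubElement(pm, q("description")).text = f"target {e['dst']}"
        ts = ET.SubElement(pm, q("TimeStamp"))
        ET.SubElement(ts, q("when")).text = e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
        pt = ET.SubElement(pm, q("Point"))
        ET.SubElement(pt, q("coordinates")).text = f"{lon},{lat},0"
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    for site, s in summarize_by_location(SAMPLE_EVENTS).items():
        print(site, s["count"], sorted(s["kinds"]), s["first"], s["last"])
    print(build_kml(SAMPLE_EVENTS))   # redirect to a .kml file and open in Google Earth
```

Run it and redirect the output to a `.kml` file; Google Earth shows one folder per resolved site and exposes the time slider because every placemark carries a `<TimeStamp>`. The one event whose source falls outside the table is deliberately counted under "unresolved" instead of being plotted at a guessed position, since a map that quietly omits what it cannot locate is worse than one that says so.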

The use of geospatial TTPs is necessary to achieve situational awareness of the threats against cyber networks and should not be ignored. These TTPs are needed to create a common operating picture and make a valuable contribution to the new USCYBERCOM mission. COTS tools such as SOCET GXP and GXP Xplorer are what analysts use to achieve that situational awareness. They are proven tools for portraying a common operating environment and can continue to be used to protect and defend US National Security cyber interests.

Editor note: Jim Youker of BAE Systems first published this piece in the Geospatial Intelligence Forum; it is being republished here with the author’s permission.