Disciplined analysis drives comprehensive cyber defense
By Brian Gunn, DISA Operations, Plans and Readiness, J-3,5,7

Aug. 20, 2025

[Image: AI-generated illustration of a command center. A person sits in the bottom center surrounded by monitors displaying maps, graphs and other cyber-related images; two more rows of people and monitors sit behind the first row, and a wall-sized display of a map and cyber graphics fills the back of the room.]
The Defense Information Systems Agency’s (DISA) Cybersecurity Service Provider (CSSP) Defensive Cyberspace Operations analysts augment vendor analytics with tailored capabilities to proactively defend more than 2.4 million Defense Information Systems Network (DISN) users and nearly 600 CSSP-aligned mission partners. These analytics track unique information parameters from network traffic, endpoint and system logs, event alerts, intelligence and other data sources. When deployed to Security Information and Event Management (SIEM) systems, the analytics generate indicators of compromising cyber activity or potential vulnerabilities.

Searching for advanced threats

Analysts create analytics supporting local or collaborative Enterprise Hunt and Discovery and Counter Infiltration operations, targeting advanced persistent cyber threats not previously detected. Teams use threat frameworks such as the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to identify the tactics and techniques of malicious cyber actors. Using this framework and various agency search tools across large volumes of security-relevant data, teams spot potentially nefarious behavior.

A significant outcome of ongoing Enterprise Hunt and Discovery and Counter Infiltration operations is continual development of new analytics and tuning of existing ones. The frequently updated analytics more effectively target network traffic and behavioral patterns indicative of specific cyber threats or weaknesses.

It's all in the tagging

A cornerstone of DISA CSSP analytics development is disciplined metadata tagging, enabling analysts to search for advanced threat indicators across multiple platforms. Analysts input standard descriptive information so they can effectively deploy those capabilities against large datasets with multiple formats. The tagging allows the team to comprehensively review the corpus of analytics in support of defender decision-making.

Most analytics have basic title and author fields, but they are far more valuable when aligned with targeted malware or intrusion sets.

The DISA CSSP team is expanding tagging with a common metadata schema of up to 24 fields enumerating the threat the analytic aims to detect. This schema makes analytics easier to deploy across multiple formats and platforms. It also enables sharing, tracking and reconfiguring for future use across the agency.

The CAUG: Collaborating to deploy the best analytics

Key to this analytic-sharing effort is DISA’s Cyber Analytics Users' Group (CAUG), led by the DISA CSSP team. It enables the agency’s geographically dispersed defender teams to brief newly created analytics, troubleshoot issues, share ideas and plan future threat hunts.

The CAUG shares, baselines and updates threat detection analytics so analysts maximize coverage without duplicating efforts. The group oversees a centralized repository of analytics that can be configured, scaled and deployed with automation to target SIEMs.

Continuous improvement

CAUG’s disciplined tagging processes enable continuous creation of baseline analytics tied to specific mission sets, fortifying DISN and mission partner cyber terrain defense. To maintain focus and optimize development efforts, the team has built the MITRE ATT&CK Detection Capability Analysis Tool (MADCAT), a Power BI solution. Teams use MADCAT to identify DISA CSSP analytics across SIEMs that address specific threat coverage gaps. The DISA CSSP team continues to innovate and move forward with dynamic analytics to stay ahead of malicious cyber threats.
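The two ideas the article leans on, a common metadata schema that every analytic must satisfy before it enters a shared repository, and a coverage check that finds ATT&CK techniques with no analytic on a given SIEM, can be shown end to end in a few dozen lines. The following is an added example, not DISA CSSP, CAUG or MADCAT code. Its field names are an assumed minimal schema rather than DISA's 24-field schema, the analytic records, platform names and technique list are constructed sample data, and the ATT&CK IDs used are real technique identifiers chosen only for illustration.

```python
"""Tagged analytics catalogue: metadata validation, cross-platform search and
ATT&CK coverage-gap reporting.

Added illustration, not DISA CSSP, CAUG or MADCAT code. The field names are
an assumed minimal schema (not DISA's 24-field schema); the records, platform
names and technique list are constructed sample data.
"""
from dataclasses import dataclass

# Assumed minimal set of tags an analytic must carry before it is admitted
# to the shared repository; a real schema would carry many more.
REQUIRED_TAGS = ("analytic_id", "title", "author", "platform", "attack_techniques")


@dataclass(frozen=True)
class Analytic:
    analytic_id: str
    title: str
    author: str
    platform: str                  # SIEM or tool the analytic is written for
    attack_techniques: tuple = ()  # MITRE ATT&CK technique IDs it detects
    intrusion_sets: tuple = ()     # named threat actors it is aligned with
    data_sources: tuple = ()       # e.g. endpoint logs, network traffic


def missing_tags(record: dict) -> list:
    """Return the required tags that are absent or empty in a raw record."""
    return [t for t in REQUIRED_TAGS if not record.get(t)]


def load_catalogue(records) -> list:
    """Build Analytic objects, rejecting any record that fails tag validation."""
    catalogue = []
    for rec in records:
        gaps = missing_tags(rec)
        if gaps:
            raise ValueError(f"{rec.get('analytic_id', '<no id>')}: missing {gaps}")
        catalogue.append(Analytic(
            analytic_id=rec["analytic_id"], title=rec["title"], author=rec["author"],
            platform=rec["platform"],
            attack_techniques=tuple(rec["attack_techniques"]),
            intrusion_sets=tuple(rec.get("intrusion_sets", ())),
            data_sources=tuple(rec.get("data_sources", ())),
        ))
    return catalogue


def find_by_technique(catalogue, technique: str) -> dict:
    """Map platform -> analytic IDs on that platform that detect the technique."""
    hits = {}
    for a in catalogue:
        if technique in a.attack_techniques:
            hits.setdefault(a.platform, []).append(a.analytic_id)
    return hits


def coverage_gaps(catalogue, techniques_of_interest, platforms) -> dict:
    """Map technique -> platforms that have no analytic covering it."""
    gaps = {}
    for tech in techniques_of_interest:
        covered = set(find_by_technique(catalogue, tech))
        uncovered = [p for p in platforms if p not in covered]
        if uncovered:
            gaps[tech] = uncovered
    return gaps


# Constructed sample records (not real DISA analytics).
SAMPLE_RECORDS = [
    {"analytic_id": "AN-0001", "title": "Credential dumping via LSASS access",
     "author": "hunt-team-a", "platform": "siem-a",
     "attack_techniques": ["T1003.001"], "data_sources": ["endpoint"]},
    {"analytic_id": "AN-0002", "title": "Credential dumping via LSASS access",
     "author": "hunt-team-b", "platform": "siem-b",
     "attack_techniques": ["T1003.001"], "data_sources": ["endpoint"]},
    {"analytic_id": "AN-0003", "title": "Scheduled task persistence",
     "author": "hunt-team-a", "platform": "siem-a",
     "attack_techniques": ["T1053.005"], "data_sources": ["endpoint"]},
]
PLATFORMS = ("siem-a", "siem-b")
TECHNIQUES_OF_INTEREST = ("T1003.001", "T1053.005", "T1078")


def sample_report() -> dict:
    """Validate the sample catalogue and report techniques lacking coverage."""
    catalogue = load_catalogue(SAMPLE_RECORDS)
    return coverage_gaps(catalogue, TECHNIQUES_OF_INTEREST, PLATFORMS)


if __name__ == "__main__":
    for tech, plats in sample_report().items():
        print(f"{tech}: no analytic on {', '.join(plats)}")
```

Because every record is validated against the same required tags on the way in, the same `find_by_technique` search works across platforms without knowing each SIEM's query syntax; the gap report then shows that the sample catalogue has no scheduled-task analytic on the second platform and nothing at all for valid-account abuse, which is the kind of question a coverage tool is built to answer.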