F3EAD – Infusing Real Time Intel Into the Operational Flow

Introduction

From CoPilot:

The F3EAD framework is an alternative intelligence cycle commonly used within Western militaries for operations that typically result in lethal action, such as drone strikes and special forces operations [1][2]. F3EAD stands for Find, Fix, Finish, Exploit, Analyze and Disseminate. It is a combination of the cyber threat intelligence cycle and the security operations cycle [3]. The first three steps (Find, Fix, Finish) are part of the security operations cycle, and the last three steps (Exploit, Analyze, Disseminate) are part of the intelligence cycle. The F3EAD framework enables the dynamic tasking process required at the tactical targeting level in support of full spectrum operations.

Not a bad description of F3EAD. However, F3EAD can be generalized across a wider problem space to provide more effective solutions. They are more effective because they automatically adapt to the surrounding environment.

F3EAD - Find, Fix, Finish, Exploit, Analyze, and Disseminate

The Idea

There are multiple data/process flows that illustrate the flow of data in an F3EAD implementation. One shows two horizontal flows. Usually, the upper flow is tagged as operations and the bottom is tagged as Intel. Operations feeds Intel and Intel feeds Operations.

Operations/Intel Fusion

Another flow is the fusion of Operations and Intel with Find, Fix, Finish, Exploit, Analyze and Disseminate, each connected to a point of fusion. Find, Fix, and Finish remain in the Operations flow, and Exploit, Analyze, and Disseminate remain in the Intel flow.

CoPilot defines the processes as:

  • Find: Identify and locate the enemy or threat using various sources of intelligence and information.
  • Fix: Confirm and track the enemy or threat using persistent surveillance and reconnaissance assets.
  • Finish: Neutralize or eliminate the enemy or threat using kinetic or non-kinetic means, such as drone strikes, special forces raids, or cyber-attacks.
  • Exploit: Collect and secure any intelligence or evidence from the target site, such as documents, devices, weapons, or biometrics.
  • Analyze: Process and evaluate the collected intelligence or evidence to generate actionable insights and intelligence products.
  • Disseminate: Share and distribute the intelligence or evidence to relevant stakeholders and consumers, such as commanders, analysts, or partner forces.

To apply the framework to a larger problem set, the definitions need to be modified: what is being done in each step changes, but the flow does not.

  • Find: Identify and locate various sources of intelligence and raw data.
  • Fix: Fuse the intelligence data with the raw data. Translate both intelligence data and raw data to information.
  • Finish: Process the information and produce a solution.
  • Exploit: Apply OSINT to collect current applicable intelligence.
  • Analyze: Process and evaluate the collected intelligence or evidence to generate actionable insights and prepare intelligence to be consumed by the Find process.
  • Disseminate: Share and distribute the intelligence or evidence to relevant stakeholders and consumers, and the Find process.

MLOps Infused with Real Time Intel

Self-Driving Car Fused with Real Time Intel

Police Breaching A Door Infused with Real Time Intel

Intrusion Response Infused with Real Time Intel
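
The generalized cycle above, applied to the intrusion-response case as an added example (not code from the original post): each step is one function, and the indicators disseminated in one pass change what Find and Fix flag in the next. The log lines, `OSINT_FEED`, `ALLOWLIST`, the failure threshold and all function names are constructed for illustration.

```python
import re
from collections import Counter
# Constructed sample data (not from the original post): sshd-style auth events.
AUTH_LOG = [
    "2024-05-01T10:00:01Z sshd failed user=root src=203.0.113.7",
    "2024-05-01T10:00:02Z sshd failed user=admin src=203.0.113.7",
    "2024-05-01T10:00:09Z sshd accepted user=svc_backup src=198.51.100.23",
    "2024-05-01T10:05:00Z sshd accepted user=alice src=192.0.2.10",
]
# Constructed stand-in for an OSINT source: address -> addresses reported with it.
OSINT_FEED = {"203.0.113.7": ["198.51.100.23", "192.0.2.10"]}
ALLOWLIST = frozenset({"192.0.2.10"})  # assumed known-good address, never auto-flagged
LINE = re.compile(r"^(\S+) sshd (failed|accepted) user=(\S+) src=(\S+)$")

def find(log_lines):
    # Find: locate the raw data; lines that do not parse are skipped.
    return [m.groups() for m in map(LINE.match, log_lines) if m]

def fix(events, intel):
    # Fix: fuse raw events with current intel to produce information.
    return [{"src": src, "outcome": outcome, "known_bad": src in intel}
            for _ts, outcome, _user, src in events]

def finish(info, threshold=2):
    # Finish: produce the solution, here the set of sources to contain.
    fails = Counter(e["src"] for e in info if e["outcome"] == "failed")
    return {e["src"] for e in info if e["known_bad"] or fails[e["src"]] >= threshold}

def exploit(flagged, feed):
    # Exploit: collect current intelligence related to what was just handled.
    return {rel for src in flagged for rel in feed.get(src, ())}

def analyze(candidates, intel, allowlist):
    # Analyze: keep only indicators that are new and not allowlisted.
    return candidates - intel - allowlist

def disseminate(fresh, intel):
    # Disseminate: hand the vetted indicators to the next Find/Fix pass.
    return intel | fresh

def run_cycle(log_lines, intel, feed=OSINT_FEED, allowlist=ALLOWLIST):
    flagged = finish(fix(find(log_lines), intel))
    fresh = analyze(exploit(flagged, feed), intel, allowlist)
    return flagged, disseminate(fresh, intel)

if __name__ == "__main__":
    intel = frozenset()
    for n in (1, 2):
        flagged, intel = run_cycle(AUTH_LOG, intel)
        print(f"cycle {n}: flagged={sorted(flagged)} intel={sorted(intel)}")
```

On the first pass only the source with repeated failures is flagged; on the second, the accepted login from the related address is flagged as well, while the allowlisted address never enters the intel set.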

Conclusion

Applications, whether delivered and controlled by MLOps, directing a self-driving car, aiding a successful breach by police or the military, or responding to an intrusion by a hacker, are made more effective by infusing real-time intelligence into the operational flow of the application.

