Military cyber incident response operates under constraints that have no equivalent in commercial IR. Classification handling requirements mean that every artifact generated during the investigation — memory dumps, log exports, network captures, analyst notes — must be handled as classified material if it originates from a classified network. Operational continuity requirements mean that the default commercial response action of "isolate immediately" is frequently unavailable: a compromised system that is actively supporting a mission cannot simply be pulled offline. And chain of command reporting requirements mean that the incident must be escalated through defined military command channels on defined timelines, not communicated informally to a CISO and a legal team.

This article provides a full IR playbook for military and defense environments — from alert triage and initial containment through forensic collection, threat attribution, recovery, and mandatory reporting. It covers the specific tools and techniques that apply in classified OT/ICS and IT network contexts, and the procedural and legal requirements that shape every step.

Military IR constraints: classification, continuity, and command

The three constraints that define military cyber incident response — and distinguish it from commercial practice — are classification handling, operational continuity, and chain of command reporting.

Classification handling means that forensic artifacts from a classified network are classified at the level of the source system. A memory dump from a SECRET workstation is a SECRET artifact. It must be stored on SECRET-accredited media, analyzed on a SECRET-accredited workstation, transmitted only through SECRET-approved channels, and disposed of according to classification destruction requirements. The incident response team itself must hold appropriate clearances for the classification level of the affected systems. This constraint creates real friction: IR tools that work fine in a commercial environment may not be approved for use on classified systems; IOC sharing with external partners requires a sanitization and downgrade process; and incident timeline documentation must be written, stored, and distributed as classified material.

Operational continuity means that the IR team cannot unilaterally decide to take systems offline. The command authority — the officer or official responsible for the operational mission the system supports — must be part of the containment decision. The IR team's role is to present technical options (passive isolation, traffic shaping, mirroring, parallel rerouting) with honest assessments of residual risk, and to support whatever decision the command authority makes. This is not a limitation of the IR team's authority; it is the correct model for a context where the cost of operational disruption may be measured in mission success, not just availability SLAs.

Chain of command reporting requires that cyber incidents on military networks be reported through defined channels on defined timelines. In the US DoD, this means reporting to the relevant Cyber Protection Team (CPT), the chain of command, and (for contractor networks) to DC3 within 72 hours. For NATO networks, incidents are reported to NCIRC. These reporting requirements exist alongside — not instead of — operational decisions: the command authority receives incident reports and uses them to inform both tactical decisions and higher-level escalation.

Detection: SIEM alert triage for military networks

Effective detection in military network environments depends on tuned SIEM correlation rules that account for the specific traffic patterns of military systems — and that treat OT/ICS protocol anomalies as first-class indicators alongside IT intrusion signals.

High-fidelity intrusion indicators for military IT networks include lateral movement signatures (Pass-the-Hash generating Event ID 4624 with logon type 3 and NTLM authentication from non-standard hosts; Kerberoasting generating unusually large numbers of Event ID 4769 with encryption type 0x17), beaconing patterns in proxy and DNS logs (regular-interval queries to newly registered or low-reputation domains, consistent request sizes indicative of C2 check-ins), and privilege escalation via service creation (Event ID 7045 on non-standard hosts).
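The three IT-network indicators above, expressed as a triage pass over Windows event records. This is an added example, not code from the article; the sample events, the allow-lists of known NTLM sources and service-install hosts, and the Kerberoasting threshold are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: hosts that legitimately initiate NTLM network logons or install services.
KNOWN_NTLM_SOURCES = {"BACKUP01", "SCANNER02"}
KNOWN_SERVICE_INSTALL_HOSTS = {"SCCM01"}
KERBEROAST_THRESHOLD = 10   # distinct RC4 (0x17) TGS requests per account in the window

# Constructed sample events, not real telemetry. Fields mirror the relevant EVTX data.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS-0431", "logon_type": 3, "auth": "NTLM", "user": "j.doe", "src": "WS-0987"},
    {"id": 4624, "host": "FS01", "logon_type": 3, "auth": "NTLM", "user": "svc_backup", "src": "BACKUP01"},
    {"id": 4624, "host": "WS-0431", "logon_type": 3, "auth": "Kerberos", "user": "j.doe", "src": "WS-0987"},
    *[{"id": 4769, "host": "DC01", "user": "a.smith", "enc": 0x17, "service": f"svc{i}"} for i in range(12)],
    {"id": 4769, "host": "DC01", "user": "j.doe", "enc": 0x12, "service": "cifs/FS01"},
    {"id": 7045, "host": "WS-0431", "service": "UpdaterSvc", "image": "C:\\Users\\Public\\u.exe"},
    {"id": 7045, "host": "SCCM01", "service": "CcmExec", "image": "C:\\Windows\\CCM\\CcmExec.exe"},
]

def triage(events):
    """Return a list of (rule, detail) findings for the supplied event records."""
    findings = []
    rc4_requests = defaultdict(set)   # account -> distinct SPNs requested with RC4
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3 and e.get("auth") == "NTLM":
            # Network logon over NTLM from a host that does not normally do this.
            if e.get("src") not in KNOWN_NTLM_SOURCES:
                findings.append(("ntlm_network_logon_nonstandard_source",
                                 f"{e['user']} from {e['src']} to {e['host']}"))
        elif e["id"] == 4769 and e.get("enc") == 0x17:
            # RC4-HMAC service ticket request; many distinct SPNs per account is the tell.
            rc4_requests[e["user"]].add(e["service"])
        elif e["id"] == 7045 and e["host"] not in KNOWN_SERVICE_INSTALL_HOSTS:
            findings.append(("service_install_nonstandard_host",
                             f"{e['service']} ({e['image']}) on {e['host']}"))
    for user, spns in rc4_requests.items():
        if len(spns) >= KERBEROAST_THRESHOLD:
            findings.append(("possible_kerberoasting",
                             f"{user} requested RC4 tickets for {len(spns)} SPNs"))
    return findings
```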

OT/ICS intrusion indicators require monitoring at the protocol level. Unexpected Modbus function code 5 (Write Single Coil) or function code 16 (Write Multiple Registers) commands from IT-network source addresses indicate either IT-OT boundary crossing or an attacker who has reached the OT network from the IT side. DNP3 unauthorized function codes, unexpected BACnet write operations, and EtherNet/IP explicit messaging to PLC outputs from non-engineering workstation sources are all high-fidelity indicators of OT intrusion.
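The Modbus boundary-crossing check above, as an added example that is not part of the article: a parser for the Modbus/TCP MBAP header and function code, with a rule that flags write commands whose source address lies outside the OT range. The OT address range and the sample flows are constructed assumptions, and the check is widened to all four standard write function codes, not only the FC 5 and FC 16 the text names.

```python
import ipaddress
import struct

# Assumption: the OT/ICS address space; any other source is treated as IT-side.
OT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# The article names FC 5 and FC 16; FC 6 and FC 15 are the other standard Modbus
# write codes and are included so the check covers all four write operations.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(payload: bytes):
    """Parse a Modbus/TCP ADU (7-byte MBAP header + PDU).
    Returns (unit_id, function_code, data) or None if the frame is malformed."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    # MBAP length counts the unit id byte plus the PDU that follows it.
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7], payload[8:]

def is_ot_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)

def detect_it_to_ot_writes(flows):
    """flows: iterable of (src_ip, dst_ip, tcp_payload).
    Returns one alert per write command whose source is outside the OT range."""
    alerts = []
    for src, dst, payload in flows:
        parsed = parse_modbus_tcp(payload)
        if parsed is None:
            continue
        unit, fc, _data = parsed
        if fc in WRITE_FUNCTION_CODES and not is_ot_address(src):
            alerts.append({"src": src, "dst": dst, "unit": unit, "fc": fc,
                           "name": WRITE_FUNCTION_CODES[fc]})
    return alerts

def build_adu(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP frame (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed sample flows, not real captures.
SAMPLE_FLOWS = [
    # Engineering workstation inside the OT range writes a coil: expected traffic.
    ("10.20.5.10", "10.20.1.2", build_adu(1, 1, 5, b"\x00\x13\xff\x00")),
    # IT-side host writes two holding registers: IT-OT boundary crossing.
    ("172.16.40.7", "10.20.1.2", build_adu(2, 1, 16, b"\x00\x01\x00\x02\x04\x00\x0a\x01\x02")),
    # IT-side host reads holding registers: not a write, so not flagged by this rule.
    ("172.16.40.7", "10.20.1.2", build_adu(3, 1, 3, b"\x00\x00\x00\x0a")),
]
```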

Covert channel detection is an advanced detection requirement specific to military environments where nation-state actors use legitimate protocols to hide C2 traffic. DNS tunneling (anomalously long DNS query names, high query volumes to single domains, TXT/NULL record abuse) and HTTPS C2 (certificate details inconsistent with claimed service, irregular connection timing, large data transfers to rarely-visited cloud endpoints) are the most common patterns. SIEM correlation rules for covert channels require network flow data (NetFlow or Zeek logs) in addition to endpoint log sources.
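The DNS tunneling heuristics above (long query names, high volume to one domain, TXT/NULL abuse) run over constructed Zeek-style dns.log lines. This is an added example, not the article's code; the thresholds, the sample log and the two-label approximation of the registered domain are assumptions.

```python
import math
from collections import defaultdict

# Thresholds are assumptions for this example; tune them against your own baseline.
MIN_QUERIES = 5            # ignore domains seen fewer times in the window
LONG_NAME = 52             # full query name length suggestive of encoded data
SUSPECT_QTYPES = {"TXT", "NULL"}

# Constructed Zeek-style dns.log fields (ts, id.orig_h, query, qtype_name), tab-separated.
HEX_LABELS = ["3a9f8e2c1b7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f", "9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c",
              "c0ffee1234abcd5678ef9012345678abcdef0123", "0123456789abcdef0123456789abcdef01234567",
              "deadbeef0011223344556677889900aabbccddee"]
SAMPLE_DNS_LOG = "\n".join(
    ["1700000000.1\t10.1.1.5\twww.example.org\tA",
     "1700000001.2\t10.1.1.5\tmail.example.org\tMX"]
    + [f"{1700000010 + i}.3\t10.1.1.9\t{h}.t.cdn-sync.net\tTXT" for i, h in enumerate(HEX_LABELS)])

def registered_domain(name: str) -> str:
    # Assumption: the last two labels approximate the registered domain. A public
    # suffix list is more accurate for multi-label TLDs such as co.uk.
    return ".".join(name.rstrip(".").split(".")[-2:])

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than hostnames."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def analyze_dns_log(text: str):
    """Aggregate per-registered-domain statistics from dns.log lines."""
    stats = defaultdict(lambda: {"queries": 0, "long": 0, "suspect_qtype": 0, "entropy": []})
    for line in text.splitlines():
        _ts, _orig, query, qtype = line.split("\t")
        d = registered_domain(query)
        s = stats[d]
        s["queries"] += 1
        s["long"] += int(len(query) >= LONG_NAME)
        s["suspect_qtype"] += int(qtype in SUSPECT_QTYPES)
        sub = query[: -len(d) - 1] if len(query) > len(d) else ""
        s["entropy"].append(shannon_entropy(sub))
    return stats

def flag_tunneling(stats):
    """Return (domain, mean_subdomain_entropy) for domains matching any heuristic."""
    flagged = []
    for domain, s in stats.items():
        if s["queries"] < MIN_QUERIES:
            continue
        long_frac = s["long"] / s["queries"]
        qtype_frac = s["suspect_qtype"] / s["queries"]
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        if long_frac >= 0.8 or qtype_frac >= 0.8 or mean_entropy >= 3.5:
            flagged.append((domain, round(mean_entropy, 2)))
    return flagged
```

Correlating these statistics with NetFlow (bytes per query, sessions per source host) is what turns a heuristic hit into a SIEM rule worth paging on.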

Initial response: isolation without disrupting mission-critical systems

The initial response phase begins when a detection event is triaged and confirmed as a true positive. The immediate objectives are to understand the scope of the compromise (which systems are affected, what data may have been accessed or exfiltrated, what attacker actions are ongoing) and to begin containment while preserving operational continuity and forensic evidence.

Scope assessment proceeds through SIEM pivot analysis: starting from the confirmed indicator (a beaconing host, a credential-dumping event, a lateral movement alert), the analyst pivots to authentication logs to identify accounts used by the attacker, to network flow data to identify which other hosts communicated with the confirmed compromised host, and to DNS/proxy logs to identify the C2 infrastructure and scope of external communication. This pivot chain establishes the attacker's footprint before any containment action is taken — critical because premature containment alerts sophisticated attackers who then accelerate exfiltration or activate destructive payloads.

Containment options for mission-critical systems that cannot be taken offline include: VLAN reassignment (moves the compromised host to an isolated segment while preserving its IP address and active connections, allowing the mission function to continue while blocking attacker lateral movement); firewall ACL modification (permits only the specific ports and destination addresses required for the mission function, blocking all other traffic including the identified C2 channels); and traffic shaping or rate limiting (degrades attacker channel throughput below useful levels while preserving mission-critical bandwidth). For OT/ICS systems, unidirectional security gateways (data diodes) can enforce outbound-only data flows from sensitive control networks, preventing attacker read-back of control system state.

Evidence preservation during initial response requires that any action that modifies a system state be documented before it is taken. Network packet capture should be started on affected network segments before any containment action changes traffic patterns. If live forensic collection is feasible before isolation, it should be performed first — volatile data (RAM, network connections, process tables) is lost when containment changes the system's network state.

Forensic collection: chain of custody for classified systems

Forensic collection in a classified environment must satisfy both evidentiary standards (for potential prosecution or attribution reporting) and classification handling requirements. The two requirements are not in conflict, but they require explicit procedural compliance at every step.

Chain of custody documentation begins at the moment of collection and must record: the identity of the collector (name, clearance level, role), the date and time of collection (in UTC, synchronized to an authoritative time source), the specific tool and version used for collection, the hash value of each collected artifact (SHA-256 minimum) computed at time of collection and verified at time of transfer, and every subsequent handoff of the evidence — who received it, when, and where it was stored.
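A chain-of-custody record that captures the fields listed above, hashes the artifact at collection and re-verifies the hash at each handoff. This is an added example, not the article's procedure or any organization's tooling; the names, clearance, tool string, storage locations and the placeholder memory image in `demo()` are constructed.

```python
import hashlib
import tempfile
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream-hash an artifact; memory images are too large to read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def utc_now() -> str:
    # Assumption: the collection host is synchronized to the authoritative time source.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

@dataclass
class CustodyRecord:
    artifact: str
    classification: str   # inherited from the source system, e.g. "SECRET"
    collector: str        # identity of the collector
    clearance: str
    role: str
    tool: str             # collection tool and version
    sha256: str           # computed at collection, re-verified at every transfer
    collected_at: str
    handoffs: list = field(default_factory=list)

def collect(path, classification, collector, clearance, role, tool):
    """Open the custody record at the moment of collection."""
    return CustodyRecord(str(path), classification, collector, clearance, role, tool,
                         sha256_file(path), utc_now())

def handoff(record, path, sender, receiver, location) -> bool:
    """Re-hash at transfer and log the handoff; False means the artifact changed."""
    observed = sha256_file(path)
    ok = observed == record.sha256
    record.handoffs.append({"at": utc_now(), "from": sender, "to": receiver,
                            "stored_at": location, "hash_verified": ok,
                            "observed_sha256": observed})
    return ok

def demo():
    """Constructed walk-through: one clean transfer, then a tampered artifact."""
    with tempfile.TemporaryDirectory() as d:
        img = Path(d) / "ws0431.mem"            # placeholder memory image, not real data
        img.write_bytes(b"constructed memory image contents\n")
        rec = collect(img, "SECRET", "A. Analyst", "TS", "IR lead", "tool/version placeholder")
        first = handoff(rec, img, "A. Analyst", "Evidence custodian", "Safe 12, drawer 3")
        img.write_bytes(b"modified after collection\n")   # simulated tampering in transit
        second = handoff(rec, img, "Evidence custodian", "Lab analyst", "Accredited workstation 2")
        return {"first_ok": first, "second_ok": second, "record": asdict(rec)}
```

The record itself inherits the artifact's classification, so it must be stored with the evidence on accredited media rather than in an unclassified ticketing system.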

Memory acquisition for classified systems requires tools approved for use at the appropriate classification level. WinPmem (for Windows) and AVML (for Linux) operate via the OS's own memory access interfaces and are generally more likely to be approvable than techniques requiring kernel driver installation. The memory image must be hashed immediately after acquisition, stored on accredited media, and transferred to an accredited analysis workstation — not a commercial forensic workstation that processes unclassified evidence.

Network traffic capture for classified networks must be performed using approved network analysis tools. PCAP files from a SECRET-network capture are SECRET artifacts and must be handled accordingly. The capture point should be upstream of any containment action so that pre-containment traffic is preserved, and should include both the local network segment of the compromised host and any traffic to identified C2 infrastructure.

Threat attribution: APT TTPs and MITRE ATT&CK for ICS

Threat attribution connects observed forensic evidence to a specific threat actor or group. In a military IR context, attribution has operational significance: it informs command authority decisions about response, partner sharing, and counterintelligence action. This means attribution evidence must be documented with rigorous chain-of-evidence standards, not informal analyst judgment.

The three APT groups most relevant to military network defenders are APT28 (Fancy Bear, attributed to Russian GRU), APT29 (Cozy Bear, attributed to Russian SVR), and APT41 (a dual-espionage/criminal group attributed to Chinese state direction). APT28 is characterized by spearphishing with credential-harvesting documents, living-off-the-land execution via PowerShell and WMI (avoiding custom malware that triggers AV), and VPN credential abuse for persistent access. APT29 is notable for supply-chain compromise (exemplified by the SolarWinds intrusion), low-and-slow persistence via legitimate cloud services (Microsoft 365, Dropbox), and stealthy LDAP reconnaissance that mimics normal IT administration patterns. APT41 combines nation-state espionage objectives with financially motivated intrusions and is specifically known for firmware-level persistence on network devices — a technique that survives operating system reimaging.

MITRE ATT&CK for ICS extends the Enterprise matrix with techniques specific to operational technology environments. Key ICS-specific techniques that military IR teams must be able to detect and attribute include: Inhibit Response Function (T0838, disabling safety systems), Manipulate Control (T0831, altering setpoints), and Damage to Property (T0879). ATT&CK for ICS also defines an Impact category of techniques covering Loss of Availability (T0826), Loss of Control (T0827), Loss of Productivity and Revenue (T0828), and Loss of Safety (T0880) — consequences that have no equivalent in IT incident response and that directly affect military mission capability.

Attribution methodology maps each forensically observed technique to its ATT&CK ID, building a behavioral profile of the attacker across the matrix. This profile is compared against published group profiles (available in ATT&CK Groups and threat intelligence platforms such as MISP). When the observed technique set closely matches a known group's profile, it constitutes an attribution indicator — though convergence with infrastructure data (IP ranges, TLS certificates, registrar patterns), malware code similarities, and SIGINT intelligence is required for high-confidence attribution at the command-authority level.
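The profile comparison described above, as an added example that is not part of the article: observed technique IDs are scored against candidate group profiles with a weighted overlap, where techniques shared by many groups count for less (an IDF-style weighting that goes slightly beyond the plain set comparison in the text). The group profiles and the observed set are constructed placeholders, not published ATT&CK Groups data; in practice they would be loaded from ATT&CK STIX or MISP.

```python
import math

# Constructed, illustrative profiles keyed by ATT&CK technique ID. Placeholder groups,
# not real attribution data; load published profiles from ATT&CK STIX or MISP.
GROUP_PROFILES = {
    "GROUP-A": {"T1566.001", "T1059.001", "T1047", "T1003.001", "T1133", "T1021.002"},
    "GROUP-B": {"T1195.002", "T1078.004", "T1087.002", "T1567.002", "T1059.001"},
    "GROUP-C": {"T1542", "T1190", "T1059.001", "T1003.001", "T1496"},
}
MATCH_THRESHOLD = 0.5   # assumption: at or above this, record an attribution indicator

def technique_weights(profiles):
    """IDF-style weight: a technique used by every group discriminates least (weight 1.0)."""
    n = len(profiles)
    counts = {}
    for techniques in profiles.values():
        for t in techniques:
            counts[t] = counts.get(t, 0) + 1
    return {t: math.log(n / c) + 1.0 for t, c in counts.items()}

def score_groups(observed, profiles=GROUP_PROFILES):
    """Weighted Jaccard overlap (0..1) between the observed technique set and each profile.
    'unexplained' lists observed techniques the profile does not account for."""
    w = technique_weights(profiles)
    results = []
    for group, techniques in profiles.items():
        shared = observed & techniques
        union = observed | techniques
        score = sum(w.get(t, 1.0) for t in shared) / sum(w.get(t, 1.0) for t in union)
        results.append({"group": group, "score": round(score, 3), "shared": sorted(shared),
                        "unexplained": sorted(observed - techniques),
                        "indicator": score >= MATCH_THRESHOLD})
    return sorted(results, key=lambda r: r["score"], reverse=True)

# Constructed observation set from a hypothetical investigation: spearphishing
# attachment, PowerShell, WMI, LSASS memory access and external remote services.
OBSERVED = {"T1566.001", "T1059.001", "T1047", "T1003.001", "T1133"}
```

An `indicator` hit is only the behavioral leg of attribution; the infrastructure, malware-similarity and SIGINT convergence the text requires still has to be documented separately before the result goes to the command authority.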

Containment strategies: segmentation, credential rotation, firmware re-flash

Full containment — verified isolation of all attacker footholds — requires addressing three categories of attacker presence: network access channels (C2 infrastructure, compromised accounts used for remote access), lateral movement paths (trust relationships between compromised and uncompromised systems), and persistence mechanisms (malware, scheduled tasks, firmware implants).

Network segmentation for containment goes beyond isolating the initially identified compromised host. All hosts that authenticated to the compromised host, or that the compromised host authenticated to, are potential lateral movement targets and should be treated as potentially compromised until cleared by forensic analysis. Segment boundaries should be enforced at the network layer (firewall rules, VLAN isolation) rather than relying on host-based controls on potentially compromised endpoints.

Emergency credential rotation is required when evidence indicates that credentials have been stolen — specifically, when LSASS memory access is confirmed (Event ID 10 from Sysmon, or EDR telemetry), when ntds.dit exfiltration is detected, or when a domain controller is confirmed compromised. The rotation sequence is: reset the krbtgt account password twice (with a delay between resets to ensure all Kerberos tickets in flight expire), rotate all service account and privileged account passwords, invalidate all active sessions, and force re-authentication for all users. In a military environment, certificate-based credentials require coordination with the PKI authority for certificate revocation and reissuance.

Firmware re-flash is required for embedded systems (routers, switches, ICS controllers, HSMs) where firmware-level persistence is confirmed or suspected. This is the most operationally disruptive containment action — it requires taking the device offline, flashing from a verified clean firmware image (stored offline and hash-verified), and re-provisioning device configuration from a clean baseline. The clean firmware image must come from a verified supply chain (manufacturer-signed firmware with validated hash, not a downloaded image from an unverified source) to avoid re-introducing a supply-chain implant.

Recovery and hardening: clean reimaging and STIG re-validation

Recovery begins when containment is verified — all attacker access channels are closed, all identified persistence mechanisms are removed, and the scope of compromise is fully characterized. Verified containment is a precondition for reimaging: reimaging a system while the attacker still has access to the environment results in reinfection.

Clean reimaging uses verified baseline images — OS images hash-verified against known-good references, with software installed from approved repositories, hardened to STIG baselines before deployment. The baseline images themselves must come from a supply chain that has not been compromised: images stored offline on write-protected, hash-verified media, with the hash verified at time of use. For classified systems, the baseline images are stored and managed by the accrediting authority.

STIG re-validation after reimaging uses DISA's SCAP Compliance Checker (SCC) or an equivalent approved tool to verify that the recovered system conforms to its applicable STIG benchmarks. Any open findings (deviations from STIG controls) must be remediated and documented before the system is returned to production. Post-incident STIG re-validation typically also triggers a review of the system's Authority to Operate (ATO): the accrediting official must confirm that the recovered system's risk posture is acceptable before authorizing reconnection to the operational network.

Lessons learned integration is the final step of the IR lifecycle and the mechanism by which each incident improves future response capability. The lessons learned process documents what detection controls identified the incident (and what controls should have identified it earlier), what IR playbook steps worked as written and what required improvisation, what tools or capabilities were missing, and what hardening actions would have reduced the impact of the incident. In a military context, lessons learned are typically classified at the level of the incident and distributed to peer organizations through established intelligence-sharing channels.

Reporting: CISA, NATO NCIRC, and public disclosure

Mandatory reporting timelines for cyber incidents on defense and government networks are defined by statute, regulation, and alliance policy. Meeting these timelines is a legal obligation, not optional — failure to report within required windows creates contract, regulatory, and security liability.

US DoD contractors are required by DFARS clause 252.204-7012 to report cyber incidents to DC3 (Defense Cyber Crime Center) within 72 hours of discovery. The report must include a description of the incident, an identification of the covered defense information that may have been compromised, and the contractor's assessment of the impact. Contractors must also submit forensic images of compromised systems to DC3 on request — a requirement that intersects directly with the forensic collection procedures described above.

US federal agencies report major cyber incidents to CISA under FISMA and the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). CIRCIA, enacted in 2022 and with implementing regulations phased in through 2026, requires covered entities (including defense contractors and critical infrastructure operators) to report covered cyber incidents within 72 hours and ransomware payments within 24 hours. Reports to CISA are not automatically shared with other agencies or the public — CISA has statutory authority to protect reported information from FOIA disclosure.

NATO incidents affecting NATO CIS (Communications and Information Systems) are reported to NCIRC (NATO Communications and Information Agency's NCIRC Technical Centre) under the NATO CIS Incident Management Policy. Member nations are responsible for reporting incidents on national CIS that affect NATO operations or information. NCIRC coordinates response across member nations and maintains situational awareness of threats to NATO networks.

Public disclosure is a separate policy decision from mandatory regulatory reporting. Most military cyber incidents are classified and will not be publicly disclosed. Where disclosure does occur — for contractor incidents that become public, or for incidents affecting critical infrastructure with public-facing impact — it is coordinated with public affairs, legal counsel, and the relevant oversight authorities. Publicly traded defense contractors have additional disclosure obligations under SEC rules for material cybersecurity incidents, which may require 8-K filings within four business days of determining that an incident is material.

Key insight: The most common gap in military cyber incident response is not tool availability — it is rehearsed process. The containment vs. continuity tradeoff, the chain of command reporting cadence, and the classified forensic handling procedures all require pre-established agreements and practiced workflows to execute at incident tempo. Organizations that attempt to negotiate these procedures during an active incident lose the time advantage that early response provides. A documented and exercised IR playbook — tested against realistic scenarios at least annually — is the single highest-ROI investment in military cyber incident response capability.