Using AI/ML Tools To Bolster Cyber Threat Intelligence

Subject matter experts with the Defense Information Systems Agency (DISA) are striving to use new artificial intelligence and machine learning (AI/ML) innovations to strengthen their cyber threat intelligence framework. This objective may help warfighters understand and detect enemy campaigns more effectively and efficiently, which can lead to more prepared soldiers while also providing them with a safer, more secure digital environment. 

Understanding the enemy’s campaign is one of DISA’s main areas of focus, according to Col. Richard Leach, director of intelligence at DISA. And mastering this critical facet of the fight can allow soldiers in the U.S. military to have greater foresight and better predict the adversary’s plans for the battle. 

“It’s understanding how the adversary is looking at us, understanding their intent, their capabilities and what’s driving them to do the things that they do,” Leach said during a panel at TechNet Cyber 2025 in Baltimore. “Because we all have limited resources, so the utilization of intelligence to understand the adversary, but also integrated with understanding our own operations and our own acquisitions, really will help focus those limited resources we have on the hard problem sets that have to be prioritized to give us the gains as well as to keep the adversary out of the most critical systems that we have as we go in, both in competition and as we go into conflict.”

This shift can help propel and solidify the U.S. Department of Defense’s (DOD's) new practice of being more proactive rather than reactive, according to Esteban Banda, technical director at the Program Executive Office Cyber, DISA. Furthermore, defense officials must be more effective at tracking threats and where they are coming from, according to subject matter experts with DISA.  

“We’ve shifted from being reactive to now [being] proactive,” Banda said as part of the same panel. “So, we’re talking about finding and disrupting or deterring those campaigns, as opposed to waiting for the campaign to happen and then react, trying to be proactive about doing some threat hunting to get after those things.” 

“And then I would say the threat intelligence from industry, like yourselves, helps us do a better job with threat attribution, and when we can do that, and we can do that in a quasi-public way, maybe the FBI prosecutes some folks that we catch,” Banda added. “I think that helps with deterrence for us long term.” 

During the same panel, one specific member of the private sector echoed Banda’s observations about the DOD’s proactive approach. The industry worker is seeing this change occur firsthand, and it’s a shift that he called “the biggest change that I’ve seen.” 

“We’ve seen a significant shift over the last several years where it’s less about bringing us in at the time of the incident and more about bringing us in in these proactive circles [and asking], where do we think the adversary is going to go?” Michael Davis, principal engineer at CrowdStrike, said. “What do we need to harden? And going more into a truer representation of what the intelligence cycle should really look like. So, I would absolutely echo that. I think the biggest change that I’ve seen is that shift from reactive to proactive.” 

TechNet Cyber is organized by AFCEA International. SIGNAL Media is the official media of AFCEA International.