When it comes to cybersecurity, the good guys are always playing defense, but that doesn’t necessarily mean they have to always be reactive. The Homeland Security Department’s National Cybersecurity and Communications Integration Center is using new automation technologies to flip the script on script kiddies and black hat hackers by getting proactive about cyber defense.
“We want to get ahead of the adversary,” said John Felker, NCCIC director, on Using Automation to Prevent Cyber Attacks month. “And the thing that we can do to get ahead of them is to potentially stop them. But the second thing is even if we can’t stop them, we can make it more expensive, we can make it more resource intensive for bad guys to do what they want to do.”
It’s pretty likely that a determined adversary will get into a network if they want to; even air-gapped networks can be compromised. So it’s important to prioritize what information is most at risk, most valuable and most worth defending.
“Quite honestly, if you try to defend everything, I think you end up defending almost nothing because you get spread so thin,” Felker said.
But NCCIC is exploring ways in which automated cyber tools can help cyber personnel make these decisions and defend this data. One such tool is automated indicator sharing.
“The idea with AIS is when we come across something we think is an indicator of compromise that we have assessed is worth sharing, it gets plugged into the system and shared automatically on a machine-to-machine basis,” Felker said. “And those indicators can come from anywhere we’re connected to, and those indicators can provide potential actions for cyber defenders to take to defend their network. The big focus for us is operationalizing that and making it as useful as we can.”
He said that there are currently around 140 partners across both the public and private sectors engaged in AIS through the Continuous Diagnostics and Mitigation program and the EINSTEIN program. These partners are constantly sharing cyber data back and forth to build a bigger database of indicators, bad actors and tactics, so that cyber defenders are aware of the threats they face.
But each of those partners needs to think through what they’re going to do with the information they get from AIS.
“That is a big cultural move that is still formative — the idea that a machine is going to send you something, and your machines are going to automatically do something. And if you haven’t thought through that, there’s a potential there to upset your mission or business,” Felker said.
NCCIC’s goal is to ensure that those indicators that come through the system are properly scored so that cyber defenders get the most reliable information and can make the best decisions about what to do with that information.
“We’re pursuing improvements across the board in automated analysis and threat hunting and the assessment systems,” Felker said. “I think those are coming together to be more effective than they were at the outset. At the NCCIC, we’re learning more about how to better use some of the information we get from those tools. And we’re also learning how to set up better interactions with our partners at agencies.”
DHS launched the Structured Threat Information Expression (STIX) and the Trusted Automated Exchange of Indicator Information (TAXII) projects in March 2016, which standardize how cyber information is shared between systems. Since that time, DHS has shared 277,000 unique threat indicators through AIS.
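STIX defines the format of a shared indicator and TAXII the transport, but two of the points Felker raises above, that a partner has to decide in advance what its machines will do with an indicator that arrives automatically, and that indicators need to be scored before defenders act on them, are policy the receiving side has to implement for itself. The following is an added example written for this article; it is not code from DHS, NCCIC or the AIS program. It triages a constructed STIX 2.1-style bundle and, for each indicator, decides whether the tooling may block it automatically, should only raise an alert for an analyst, or should drop it. The confidence thresholds, the allowlist of object paths that may be auto-blocked, and every id, address, domain and hash in the sample are assumptions made up for the illustration, not real indicators.

```python
import json
import re
from datetime import datetime, timezone

# Single-comparison STIX pattern, e.g. [ipv4-addr:value = '203.0.113.45'] or
# [file:hashes.'SHA-256' = '...']. Compound patterns (AND / OR / FOLLOWEDBY) do
# not match on purpose: they go to an analyst instead of being acted on blindly.
PATTERN_RE = re.compile(r"^\[([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\]$")

# Object paths this (hypothetical) organisation has decided its tooling may act
# on without a human in the loop. Everything else is alert-only. Assumption.
AUTO_BLOCKABLE = {"ipv4-addr:value", "domain-name:value", "file:hashes.'SHA-256'"}

# Fixed "current time" so the expiry check below is reproducible (constructed).
SAMPLE_NOW = datetime(2017, 5, 1, tzinfo=timezone.utc)


def _indicator(suffix, name, pattern, confidence, created, valid_until=None):
    """Build one constructed STIX 2.1-style indicator dict (sample data only)."""
    obj = {
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-%012d" % suffix,
        "created": created, "modified": created, "name": name,
        "pattern_type": "stix", "pattern": pattern,
        "valid_from": created, "confidence": confidence,
    }
    if valid_until:
        obj["valid_until"] = valid_until
    return obj


# Constructed sample bundle: ids, addresses, domains and hashes are invented.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(101, "C2 address", "[ipv4-addr:value = '203.0.113.45']", 85, "2017-04-01T12:00:00.000Z", "2017-07-01T00:00:00.000Z"),
        _indicator(102, "Suspect domain", "[domain-name:value = 'example.invalid']", 60, "2017-04-01T12:00:00.000Z"),
        _indicator(103, "Old dropper hash", "[file:hashes.'SHA-256' = '%s']" % ("ab" * 32), 90, "2016-01-01T00:00:00.000Z", "2016-06-01T00:00:00.000Z"),
        _indicator(104, "Payload URL", "[url:value = 'http://example.invalid/p']", 95, "2017-04-10T00:00:00.000Z"),
        _indicator(105, "Weak sighting", "[ipv4-addr:value = '198.51.100.9']", 20, "2017-04-10T00:00:00.000Z"),
    ],
})


def _ts(value):
    """Parse a STIX timestamp (UTC, 'Z' suffix, optional fractional seconds)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def triage_indicator(ind, now, block_at=80, alert_at=50):
    """Decide what the receiving side does with one indicator: block, alert or drop.

    Checks run cheapest-and-most-decisive first: object type, pattern language,
    expiry, confidence score, then whether the pattern is one we allow tooling
    to act on by itself.
    """
    result = {"id": ind.get("id"), "action": "drop", "reason": "", "path": None, "value": None}
    if ind.get("type") != "indicator":
        result["reason"] = "not an indicator object"
        return result
    if ind.get("pattern_type", "stix") != "stix":
        result["reason"] = "unsupported pattern language"
        return result
    until = ind.get("valid_until")
    if until and _ts(until) <= now:
        result["reason"] = "indicator expired"
        return result
    confidence = ind.get("confidence", 0)
    if confidence < alert_at:
        result["reason"] = "confidence below alert threshold"
        return result
    parsed = PATTERN_RE.match(ind.get("pattern", "").strip())
    if not parsed:
        result.update(action="alert", reason="compound or unparsed pattern: analyst review")
        return result
    path, value = parsed.group(1), parsed.group(2)
    result.update(path=path, value=value)
    if path not in AUTO_BLOCKABLE:
        result.update(action="alert", reason="object path not on auto-block allowlist")
    elif confidence >= block_at:
        result.update(action="block", reason="high confidence, allow-listed path")
    else:
        result.update(action="alert", reason="medium confidence")
    return result


def triage_bundle(bundle_json, now=None):
    """Triage every object in a STIX bundle; returns one decision per object."""
    now = now or datetime.now(timezone.utc)
    bundle = json.loads(bundle_json)
    return [triage_indicator(obj, now) for obj in bundle.get("objects", [])]


if __name__ == "__main__":
    for d in triage_bundle(SAMPLE_BUNDLE, SAMPLE_NOW):
        print(d["action"].upper(), d["id"], d["path"], d["value"], "-", d["reason"])
```

Run as-is, the five constructed indicators come out as block, alert, drop (expired), alert (URL is not on the allowlist despite its high confidence) and drop (low confidence). The design choice worth noting is that the allowlist is separate from the score: a high score only earns an automatic action for indicator types the organisation has already decided its machines may act on, which is the forethought Felker describes. The regex only handles single-comparison patterns; a production consumer would use a full STIX pattern parser and route anything it cannot evaluate to a person rather than to an enforcement point.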
“We’ve just received study results, a comparative study, about the AIS feed compared to other feeds that are out there,” Felker said. “Although our numbers are much smaller, the general consensus of the study was that the quality was quite high and the timeliness was quite a bit better than other feeds.”
He said that other comparable systems have shared anywhere from 10 to 20 times as many indicators, but they aren’t as reliable.
“Numbers don’t necessarily mean goodness, but obviously we want to have more numbers, but we want to maintain the timeliness and the quality as well,” he said.