The Homeland Security Department is going into agency networks to find the soft spots-places where cybersecurity defenses are weakest and pose the greatest risks.
DHS’ Federal Network Security branch, under the National Protection and Programs Directorate, is having little trouble finding agencies’ soft cyber underbelly.
Take one agency who asked DHS to perform a “Red Team” exercise, it thought it had 2,000 to 3,000 computers on a specific network, but Homeland Security’s team stopped counting at 9,000. Rob Karas, the program manager of the risk evaluation program, or Red Teaming initiative, at DHS, said until the agency understood its network better it wasn’t worth continuing.
“We worked with them and helped them identify why they had so many hosts on their network and how they could architect and design it better,” he said in an interview with Federal News Radio. “We worked with them to remove hosts or close off networks that shouldn’t have been there.”
Another agency had 500 public-facing Web servers, and through DHS’ analysis, it is reducing that number to about 100 and thus shrinking its attack surface.
These are but two examples of a growing list of how DHS Federal Network Security (FNS) branch is helping agencies harden systems and networks.
“Ideally, our Red and Blue team services is designed to be a proactive engagement with agencies to improve their posture,” said Don Benack, the program manager for DHS’ cybersecurity assurance program within FNS. “We provide free specialized access to skills and services that are not readily available or are in high demand across the dot-gov to promote a healthy and resilient cyber infrastructure. That’s the goal to do risk-based analysis and gap analysis of capabilities and drive improvements.”
DHS taking different Red Team approach
Congress appropriated $35 million for the FNS branch, of which about $7.6 million can be used for these red team analyses. In 2013, Congress so far has appropriated a little less for these Red Team efforts.
Typically Red Teams try to hack into a network to highlight its vulnerabilities. But Benack said DHS is taking a different tact that gets to the heart of the problem more quickly.
“The Red Teams rather than focusing on system compromise, focus on risk evaluation, which allows us to optimize the process a little bit,” he said. “Instead of spending time breaking into the system and then using that as proof to an agency that they have a problem, the idea is to identify threats and vulnerabilities actively working against their agencies. What are the threat vectors they have to worry about? What are the active actionable vulnerabilities on their network? We then marry that together with an agency specific point of view so they can address those risks first and foremost.”
DHS FNS also provides Blue Teaming exercises, which have been going on for a few years.
Benack said the Blue Teams look at how agencies are meeting the requirements under the Trusted Internet Connections (TIC) initiative to consolidate public Web gateways.
“Our Blue Teams take a proactive look at the capabilities in place. Do you have the foundational elements to your program to defend against an attack, to respond and recover from an attack, and hopefully prevent an attack up front?” he said. “They also assess and validate agency implementation of technical controls, tools and technologies-people, processes and program maturity.”
DHS also is expanding the Blue Teaming efforts beyond TIC to ensure agencies’ cyber capabilities are aligned with requirements established by the Obama administration’s cross agency priority goal for cybersecurity and continuous monitoring efforts.
New service for agencies
The branch launched the Red Teaming exercise in late February after Congress approved the fiscal 2012 budget. Over the last four months, DHS has conducted five Red Team evaluations and has five more scheduled for the rest of the year.
Karas said the goal is to perform 26-to-30 Red Team engagements annually.
DHS also has done 28 Blue Team assessments with six more agencies on tap.
The Red Team exercises take about two weeks for the average agency. Karas said the five-person team, which is usually made up of a federal manager and four contractors, spends a week doing external analysis of the customer agency’s system and a week doing internal analysis.
“Right now, it’s up to an agency’s chief information security officer or chief information officer to determine if they want or need Red Team services,” Benack said. “We work with them to determine the system or group of systems that are most important to look at.”
He said DHS also promotes the service if an agency comes to the U.S. Computer Emergency Response Team (U.S. CERT) for help with an immediate attack or threat. U.S. CERT helps the agency address the pressing risk, and then FNS offers the follow-on Red Team service.
“We have rules of engagement that our Office of General Counsel worked with us and we created,” Karas said. “We sit down with the agency, they select the services and get it signed by CIO, CISO and legal counsel. Then we have a scoping meeting.”
Under the Red Team services, FNS offers a variety of services:
Network vulnerability scanning for wired and wireless
Social engineering where it sends spear phishing attacks
Web applications tests
Operating system testing.
Karas said DHS also brings in experts depending on the agency’s services. For instance, the branch would have a database expert looking at the cybersecurity of such a system or an expert on Linux or Windows to look at specific operating systems.
The end result of these exercises is making recommendations categorized as critical, high, medium and low.
Benefits from Red Teaming are clear
The branch can point to real results from the Red Teaming efforts because of the two-pronged approach they are taking. The first method is typical network scans, but FNS also lets its experts poke around inside the network.
Karas said they have found holes in one agency’s Virtual Private Network thanks to the expert reviewing its set up.
Benack said it’s up to the agency to implement the recommendations, and the branch does not share the recommendations with anyone but their agency contact.
“The trust relationship is working really good,” he said. “By keeping the risk evaluation optional and at their discretion to engage with us — and we hope they do choose to engage with us because we get maximum benefit when we can get cross sampling of data from across the government that we can anonymize and do national level trending to identify what are the emerging threats affecting all agencies, what are the common vulnerabilities so we can help prioritize and shift resources to address the definable and quantifiable problems across dot-gov — we get a big win.”