In an unremarkable building in Arlington, Virginia, a group of hackers is trying to break into federal networks.
They are sending fake emails loaded with malware that, if launched by the unknowing recipient, would let the hacker take over the employee’s computer and steal their data.
The fake email is a spear-phishing attack, and it’s a good one. It’s not just your run-of-the-mill Nigerian lawyer scam. Rather it’s designed to trick an unsuspecting federal employee into giving up their passwords by installing a keystroke logger.
It’s the kind of attack nation states, organized criminals and advanced hacker groups use every day as part of the more than 33,000 cyber incidents agencies face every year.
The thing is, these hackers in Virginia are the good guys.
Their job is to educate agencies and protect federal networks by looking for the weaknesses and helping agency chief information officers and chief information security officers close the gaps to stop the bad guys.
The Homeland Security Department’s National Cybersecurity Assessments and Technical Services team (NCATS), in the National Cybersecurity and Communications Integration Center (NCCIC), has been building up its technical capabilities over the last seven-plus years to provide a service to civilian agencies like none before.
Rob Karas, the director of the NCATS team, said his organization has 615 federal, local and state government, and private-sector customers who receive reports on critical, high, medium and low vulnerabilities and how to close them from the 38 million scans of internet addresses the office does daily.
And as part of the current realignment of the NCCIC, the cyber assessment team’s role is expanding beyond just IT networks. It also will take on assessments of the nation’s critical infrastructure and operational technology (OT) — the systems that are controlling equipment on the power grid or other industrial control systems that enact physical changes in various sectors.
“If there were three different groups doing assessments, now they are realigned under NCATS. We are no longer just doing the risk and vulnerability assessments and cyber hygiene now. We are getting the industrial control systems, which do the design and architecture reviews, the Network Architecture Verification and Validation (NAVV) review and Industrial Control Systems-Computer Emergency Readiness Team (ICS-CERT) Cyber Security Evaluation Tool (CSET) assessments,” Karas said in an exclusive interview with Federal News Radio. “We will be able to take them and integrate what they have built with what we have built and have a better product for our customers and stakeholders.”
He said the ICS assessments have been around since 2009, and NCATS has been working with agencies on IT networks since 2010.
But by bringing them together, Karas’ white-hat hackers can take security a step further by providing a comprehensive assessment.
“Typically, IT and OT are separated, but are coming more closely together through command-and-control structures and the convergence of underlying network infrastructures to send those commands to the OT components,” said Don Benack, the cybersecurity assurance program manager for NCATS. “It doesn’t really make sense to have two different services segmented based on specialized skill sets. We want to leverage like capability in a consolidated, coordinated way and bring the right expertise on to the team that is doing the analysis, so that we can have a comprehensive architecture review.”
Benack said NCATS also can expand its other capabilities, such as risk and vulnerability assessments, remote penetration testing and cyber hygiene scanning, to cover a broader set of networks and systems.
NCATS is expanding its capabilities because these industrial control systems are relying more on networked capabilities and are connected to the internet for updates or to share data.
Over the last few years, cyber attacks against ICS systems increased by 110 percent, according to IBM Managed Security Services data from November 2016. In October, DHS’ US-CERT issued a technical alert with the FBI warning of advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation and critical manufacturing sectors. Working with U.S. and international partners, DHS and the FBI identified victims in these sectors.
“DHS assesses this activity as a multi-stage intrusion campaign by threat actors targeting low-security and small networks to gain access and move laterally to networks of major, high-value asset owners within the energy sector,” the alert stated. “Based on malware analysis and observed IOCs, DHS has confidence that this campaign is still ongoing, and threat actors are actively pursuing their ultimate objectives over a long-term campaign. The intent of this product is to educate network defenders and enable them to identify and reduce exposure to malicious activity.”
John Felker, the director of NCCIC, said the changes to NCATS are part of a bigger effort to realign his organization. He said NCCIC is organizing around tasks instead of by organization.
“Like functions at ICS-CERT and US-CERT are now under the same umbrella. We had four different groups that were doing production of quality cyber information in four different ways. It wasn’t effective or cost-effective,” he said. “A lot of the things revolve around how do we get our arms around resources and apply what we have in a more effective way. As a result of the realignment, some people are not working in the same organization, but are doing the same job because the work hasn’t changed. We’ve seen a lot more impetus to share with each other. I’ve made a big deal about the fact, and so has our senior staff, we have to cooperate with each other and the only way to do this is to make sure we are all on the same page.”
Felker said most of these changes are around the margins, but a final realignment plan is awaiting sign-off by NPPD officials.
“The biggest change is where you sit and how your organization is organized to do the work. I talked about four production shops, we will winnow it down to one. There will be a productions and communications boss who will manage that entire thing from start to finish,” he said. “People will move a little bit in the organization, but if you have a job now, you probably will have the same job, but you may be working for a different boss and differently organized.”
On the seventh floor of that unremarkable building in Arlington, Virginia, about a dozen federal employees are focused on multiple screens, writing code and analyzing data from the assorted classified and unclassified feeds that scan for cyber threats.
The employees bring a mix of experience: millennials who started as interns, to Generation Xers, to the younger end of the Baby Boomer generation, who came to NCATS to help beat back the ever-increasing cyber threat.
The lab is what you’d expect — an assortment of cybergeek humor, energy drinks, coffee cups and employees wearing headphones to drown out the noise.
Karas led the first all-hands meeting, where about 50 newly reorganized employees gathered in October. They flew in from around the country — Pensacola, Florida and Idaho Falls, Idaho — to meet, greet and give an update on their efforts.
The meeting was a way to build relationships between the IT and OT cyber experts, as well as to discuss how their current and future collaboration and coordination will be critical to stemming the tide of cyber attacks.
After the rash of cyber attacks against the government and private sector over the last few years, the NCATS team has been busier than ever.
NCATS is on pace to do 30 federal agency penetration tests and risk assessments this year, up from a handful a few years ago. Karas said the assessments are helping to shine a light on longstanding problems and give the CIO and CISO the data and power to enact changes to high-value assets.
“We create scorecards and have reporting for all 105 agencies who are meeting the metrics,” Karas said. “It gives agencies the power to fix things that they may not have had the power to fix before because it’s now mandated.”
Benack said one of the biggest successes with the federal cyber hygiene program since NCATS started scanning and trending progress of agencies is the reduction of the time to close critical vulnerabilities.
“It’s probably the most important metric in that program,” he said. “When we started scanning a number of years ago, there were hundreds of critical vulnerabilities present on federal systems, publicly accessible systems, and the average time to close those vulnerabilities was slightly over a year. Today, we have it down to a small handful of critical vulnerabilities and the average time has gone from just over a year down to 17 days. That is a dramatic improvement.”
Benack said agencies can’t control how many vulnerabilities exist or impact their network, but have the power to close them sooner once discovered.
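To make the time-to-close metric Benack describes concrete, here is an added example (not NCATS code) that builds a per-severity scorecard from constructed scan findings; the sample hosts, dates and the `scorecard` function are assumptions, not anything from the program.

```python
from datetime import date
from statistics import mean

# Constructed sample findings in the shape a recurring external scan might
# produce: one row per host and vulnerability. "closed" is None while the
# finding is still present on the publicly accessible system.
FINDINGS = [
    {"host": "198.51.100.10", "severity": "critical", "first_seen": date(2017, 9, 1),  "closed": date(2017, 9, 20)},
    {"host": "198.51.100.11", "severity": "critical", "first_seen": date(2017, 8, 15), "closed": date(2017, 8, 29)},
    {"host": "198.51.100.12", "severity": "critical", "first_seen": date(2017, 10, 5), "closed": None},
    {"host": "198.51.100.13", "severity": "high",     "first_seen": date(2017, 9, 10), "closed": date(2017, 10, 30)},
    {"host": "198.51.100.14", "severity": "medium",   "first_seen": date(2017, 9, 12), "closed": None},
]
REPORT_DATE = date(2017, 11, 1)  # assumed date the scorecard is generated

SEVERITIES = ("critical", "high", "medium", "low")


def time_to_close(findings, severity, as_of):
    """Scorecard row for one severity: how many findings are still open as of
    the report date, the age of the oldest open one (so an aging critical is
    not hidden by a good average), and the mean days from first detection to
    closure for findings already fixed."""
    open_ages, close_days = [], []
    for f in findings:
        if f["severity"] != severity:
            continue
        if f["closed"] is None:
            open_ages.append((as_of - f["first_seen"]).days)
        else:
            close_days.append((f["closed"] - f["first_seen"]).days)
    return {
        "open": len(open_ages),
        "oldest_open_days": max(open_ages, default=0),
        "closed": len(close_days),
        "mean_days_to_close": round(mean(close_days), 1) if close_days else None,
    }


def scorecard(findings, as_of):
    """One row per severity, in the order an agency report would list them."""
    return {sev: time_to_close(findings, sev, as_of) for sev in SEVERITIES}


if __name__ == "__main__":
    for sev, row in scorecard(FINDINGS, REPORT_DATE).items():
        print(f"{sev:8} open={row['open']} oldest={row['oldest_open_days']}d "
              f"closed={row['closed']} mean_close={row['mean_days_to_close']}")
```

Trending the critical row across successive report dates is what turns a single scan into the "just over a year down to 17 days" kind of figure quoted above.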
He added that NCATS has been able not only to identify the vulnerabilities of high-value systems, but also to give data to key federal decision-makers and to promote best practices and flag common challenges for the IT and cyber leadership.
Karas said agency customers are more accepting of having DHS analyze their cyber defenses.
Benack added NCATS brings the ground truth to agencies so they can reduce risk, mitigate vulnerabilities and understand the complexity of their networks.
“My vision is to be able to share the data within the NCCIC and make it a world-class leader in this curating industry,” he said. “IT changes in microseconds. We need to be able to adapt and get through the bureaucracy and be able to get the information and data out in a timely fashion.”