Insights by Raytheon

Building a nation-scale quick cyber reaction force

It’s been almost three years since the White House issued Presidential Policy Directive 41 (PPD-21) and the corresponding cyber incident response plan.

PPD-41 outlined some key concepts around defining what a cyber incident and a major cyber incident meant, while also providing guiding principles for incident response.

From that PPD, the Homeland Security Department developed a national cyber incident response plan (NCIR), providing even more details about the activities and the lead agencies for each activity.

But PPD-41 and the NCIR are reactive documents and plans that come after being victimized by a cyber attack. What is missing is how agencies can get ahead of the attack through proactive threat hunting and a more strategic response.

The evolution of cyber tools and capabilities over the last few years, most notably the sharing of threat intelligence, has enabled agencies to do more to get ahead of the cyber threats.

In the 2018 national cybersecurity strategy, the White House specifically called out the use of cyber threat hunting capabilities, saying the government “will be able to assess the security of its data by reviewing contractor risk management practices and adequately testing, hunting, sensoring and responding to incidents on contractor systems. Contracts with federal departments and agencies will be drafted to authorize such activities for the purpose of improving cybersecurity.”

There are several benefits from this proactive stance agencies are starting to take, including reducing damage to the organization and improving the speed to response.

Agencies need to consider several factors as they move more toward this proactive model.

Threat Hunting and Incident Response

To see more is to know more. If you take the threat intelligence data and then you apply it to a forensics process that has visibility on every single aspect of what’s going on an endpoint then you are able to ascertain if those threats do exist inside of your environment. The trick to that is to do that in a timely fashion so that you are looking simultaneously across all of your end points and you are not focused on a narrow lane where you miss those threats that exist on other endpoints or other parts of your network.

The Use of Data

You might as well as look at those things that are most relevant to how your security operations work, the threats that you want to look for or be alerted on and bring the data down. So if it doesn’t fit into the use case of I can use this data to either detect this threat automatically or it will not be useful from an incident response perspective, then don’t collect it.

The Cloud Impact

It’s all about diversity of thought, diversity of perspective. One of the areas we see that most often is we’ve been very involved in the National Collegiate Cyber Defense Competition. That’s something we see every year there, not only really great diversity of thought, but also a lack of bias. It’s really great to see the creativity people bring and the lack of bias frees them up to think outside the box.

Listen to the full show:

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.