Agencies are taking a deeper dive to understand not only how their computers are being attacked but the pattern of the attacker.
Cyber threat intelligence is a growing trend across the government. It’s more than just knowing that one’s computer network is under attack, and it’s more than knowing even who or what kind of attacker is going after your data—whether a nation state actor or a cyber criminal group or even just a run-of-the-mill nuisance hacker.
The idea behind cyber threat intelligence is to understand more about the attack and the attacker than ever before by matching up patterns, anomalies and other characteristics of the bad guys.
“One of the challenges that offers the most promise for cybersecurity is figuring out faster ways to do analytics on this rich set of data that we already have,” said Gil Vega, the Energy Department’s chief information security officer, at the McAfee Public Sector Summit in Arlington, Va. Tuesday. “We had a zero day attack the other day that we orchestrated a really good response to, but it was clear in the postmortem that we had breadcrumbs of this event a lot earlier than this detection. We had that on disk ready to be exploited in our defense of our systems.”
He said those signs, or breadcrumbs, weren’t brought to the forefront to use in Energy’s defense as quickly as they could be.
“That’s where a big focus of our efforts, budget and energies are on right now,” Vega said. “We have the data, how do we exploit it quicker? How do we share the information quicker with our cyber defenders around the cyber complex?”
Asking different questions
Dave Marcus, McAfee’s director of threat research and intelligence and chief architect, said five years ago customers were not asking for this type of information. Now the questions McAfee gets are much different as customers want more detailed information about the threat, the attack, the attack pattern and other things.
Vega said Energy has advanced capabilities to detect and review cyber data so their goal is continue to improve information sharing capabilities. He said Energy wants to construct an information sharing fabric that provides real time all-to-all collaboration across the department with little to no latency in getting the information from the network to the collaboration website.
A common theme around threat intelligence is information sharing.
Alma Cole, the chief system security officer at the Customs and Border Protection directorate within the Homeland Security Department, said threat intelligence is important today because current security such as firewalls or antivirus software can’t stop all the vulnerabilities agencies face.
“There remains today a gap, and it’s a significant gap between when something actually happens to you and when the traditional security vendors would actually tell you something has happened to you, if they tell you at all,” Cole said.
“Organizations who are serious about cybersecurity need to implement tools, processes, procedures and teams to be able to close that security gap between what’s being protected and what’s not being protected in their environment.”
He added the gap is about having the wherewithal to see the attacks when they are really happening, instead of discovering them late in the event when the malware or virus could have already morphed to hide inside the network where detection becomes much harder.
Cole said threat intelligence helps give agencies real-time information about their networks or the ability to do retroactive analysis on what has happened but in such a way it shines the line on potential problems.
Internal, external sharing must happen
Over at the Defense Department, cyber threat intelligence comes from several avenues.
Teri Takai, the DoD chief information officer, said information sharing inside the Pentagon and around the government ranks in her top seven priorities.
“Many of you know we have the Defense Industrial Base information sharing, information assurance effort, but there are efforts such as the Committee on National Security Systems, Takai said. “Many of you in the room work with us on CNSS and you will see and have seen that become much more active, much more aggressive, working together with DHS to be able to get the information shared, to get us to a more uniformed architecture, really across the U.S. government.”
Internally, she said DoD must make sure they are not collecting the same information, and the military needs to have a more effective way of using the information they collect.
Takai also said DoD must figure out how best to share threat intelligence with their mission partners who have different levels of security, which could mean separating the data into enclaves and depending more on attribute-based access controls.
“We are definitely focusing a lot more on continuous monitoring, getting away from the three-year cycle of building three-ring binders to assess your security, and looking at near real-time situational awareness, and not just doing it at the system level or bureau level, but all the way at the department level,” he said.
“We are in the process this year of rolling out a departmentwide continuous monitoring system that will, for the first time, give us real-time situational awareness at the department level, not just at the local level. It will allow us to have more information for correlating what’s going on across the department.”
Szykman said Commerce will feed that departmentwide information to DHS’s U.S. Computer Emergency Response Team through the cyberscope tool to help create the governmentwide view.
He added he’s hopeful all of these efforts to update Commerce’s cyber tools will be merged into a departmentwide security operations center in 2014 and beyond.
Even with all the latest and greatest tools and information sharing across government, agencies continue to struggle to recognize an attack is underway or just how much damage it’s done.
CBP’s Cole said agencies need to pay closer attention to what is commonly referred to as an intrusion lifecycle.
“The attacker is going to go through particular phases when they come in,” he said. “They’re going to have the initial exploit. They’re going to do command and control. They are going to be getting privileges and moving around your enterprise. At each phase of that, that offers an opportunity to detect an attacker while they are in your environment.”
Not everything will be different
Cole added agencies need to realize that when an attacker comes back at time and again, many things will change, but not everything about their tactics.
“If you can orient on those various different phases and the things you see from each attack across each of those different phases, it give you many, many more opportunities to be able to detect an ongoing intrusion in your enterprise instead of having an approach that looks at one aspect of an attack or intrusion,” he said.
Cole added agencies must approach an attack in multiple phases. The first is the initial triage that there’s an attack and what’s exactly happening and where.
Secondly, the agency should focus on the back end of the network where a team looks for that threat intelligence and map out all systems that could be impacted by the attack.
Cole said understanding everything that is happening on your network before you act to mitigate the intrusion is critical. He said if you just take down the initial system with a problem, then you may narrow your view of the attack and that could hurt the ability to stop it.
“We want the first tier of response to always be the same—to detect and respond and mitigate as quick as possible,” he said. “On the back end, if, based on what we are seeing, it’s someone who is more determined, more resourced and seeking more specific objectives inside DHS, there is another team that would be engaged.
They would take a much deeper dive analysis in this activity to make sure all the loose ends are tied up and, if there is other activity like lateral movement and privilege escalation, it’s very important to map out and understand everything that is happening with that intrusion before you take any action.”
Tom Temin is the host of The Federal Drive, 6 a.m.-10 a.m. on 1500 AM in the Washington, D.C. region and online everywhere.
Tom also writes a weekly commentary. Subscribe to Federal Drive's daily audio interviews on iTunes or PodcastOne