
CISA’s Ware brings ‘fresh eyes’ to cyber threat sharing challenge

Bryan Ware, the assistant director for cybersecurity at CISA, said improving the Automated Indicator Sharing (AIS) program is one of several initiatives his office is leading to help agencies better deal with the ever-growing, ever-changing cyber risk.

Cybersecurity Trends

A number of the things we're doing right now are strategic in the sense that some of them are strategically removing parts of the attack surface, others of them are working with departments and agencies to rearchitect and rethink [the networks], and there's some number of things that we have in progress now that have the opportunity to make really substantial and meaningful changes across the dot gov.

The Shift in Risk Surface for Agencies and CDM

Balancing security and mission and balancing informing, educating and dialogue with this stronger requirement driven approach is a little bit of art and a little bit of science.


For much of the last 15 years, there has been a clarion call for cyber threat information sharing to be a two-way street between the Homeland Security Department and the private sector.

Industry experts have said the government takes, but rarely gives back.

While there have been some steps in the right direction over the last several years, the Cybersecurity and Infrastructure Security Agency (CISA) is about to reimagine the Automated Indicator Sharing (AIS) program—the central way DHS shares with the private sector and other partners.

“We are going to very soon free up a whole new evolution of AIS. Expect to see new AIS capabilities deployed later this year that I think will really bring up a richness to the kind of relationship that we’ve had,” said Bryan Ware, the assistant director for cybersecurity at CISA, on Ask the CIO, which was sponsored by CyberArk. “It has been incumbent on us and a real focus of ours to make sure that we have more two-way exchanges. A lot of times that really just means bringing people together so we have embedded within our threat hunting teams and analysts for each of the major threat intelligence providers.”

Ware said he is bringing a “fresh set of eyes” to the AIS, and more broadly to the cyber threat intelligence sharing challenge.

“There are some very frustrating aspects to AIS that are outcomes of some really good decisions and really kind of core fundamental to that was developing a STIX TAXII standard, and then transitioning it out of the government into a standards making body, which by the way sounds like the right kinds of and good decision,” Ware said. “However, the standard just kind of didn’t evolve, and it has really limited the number of technical requirements that need to be in place to really enable more context and more valuable two-way information sharing.”

Two-way sharing more important than ever

While Ware wouldn’t share too many specific details about what the reimagined AIS program would look like, he did say the goal is to make the information more useful and valuable to industry and other partners.

“When you publish in the volume that we do with the limited ability to provide context around why you should care about this or how it matters to you or where it came from, something that you can use to prioritize the information, then it makes that information really hard to use and things fall through the cracks,” he said. “I think one of the important things that we’re going to see here is just more ability to have additional context that will allow the information that we are providing through AIS to be a lot more useful and a lot more impactful. I think that’s probably something that we’ve long sought to do. I feel like the structural mechanics from the specifications are there to support that.”
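To make the point about context concrete, here is an added example (not code from CISA, AIS or the article) of a consumer that reads a constructed STIX 2.1 bundle and ranks indicators by the optional context fields the specification already provides: confidence, labels, kill chain phase and validity window. The scoring weights and the single-comparison pattern parser are this example's own simplifying assumptions, and the sample values use documentation-only addresses and `.invalid` domains.

```python
import json
import re
from datetime import datetime

# Constructed STIX 2.1 bundle used only for illustration; not an actual AIS feed.
# Addresses use the RFC 5737 documentation range and .invalid domains.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "identity", "name": "example-sharer"},            # not an indicator, skipped
    {"type": "indicator", "pattern_type": "stix", "confidence": 70,
     "pattern": "[ipv4-addr:value = '192.0.2.10']",
     "valid_from": "2020-01-01T00:00:00Z", "valid_until": "2020-02-01T00:00:00Z"},
    {"type": "indicator", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example.invalid']",
     "confidence": 85, "labels": ["malicious-activity"],
     "kill_chain_phases": [{"kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "command-and-control"}],
     "valid_from": "2020-03-01T00:00:00Z", "valid_until": "2021-03-01T00:00:00Z"},
    {"type": "indicator", "pattern_type": "stix", "confidence": 50,
     "pattern": "[file:hashes.'SHA-256' = 'aa'] AND [url:value = 'x']"},  # compound, unsupported here
]})

# Matches a single-comparison STIX pattern such as [ipv4-addr:value = '192.0.2.10'].
PATTERN_RE = re.compile(r"\[(?P<otype>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]")

def parse_pattern(pattern):
    """Return (object type, property, value), or None for patterns this toy parser does not handle."""
    m = PATTERN_RE.fullmatch(pattern.strip())
    return None if m is None else (m.group("otype"), m.group("prop"), m.group("value"))

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def score(indicator, now_iso):
    """Priority score (assumed weights): context fields raise it; an expired indicator scores 0."""
    until = indicator.get("valid_until")
    if until and _ts(until) < _ts(now_iso):
        return 0
    s = indicator.get("confidence", 0)          # STIX confidence, 0-100, absent means 0
    if "malicious-activity" in indicator.get("labels", []):
        s += 10
    if indicator.get("kill_chain_phases"):      # tells the analyst where the indicator fits
        s += 5
    return s

def triage(bundle_json, now_iso):
    """Return (value, score) for each parseable indicator, highest priority first."""
    ranked = []
    for obj in json.loads(bundle_json)["objects"]:
        parsed = parse_pattern(obj.get("pattern", "")) if obj.get("type") == "indicator" else None
        if parsed is not None:
            ranked.append((parsed[2], score(obj, now_iso)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)
```

Run with a date after 1 February 2020 and the expired address drops to the bottom of the list even though it carried a confidence value; without `valid_until`, `confidence` and `labels` in the feed there is nothing for this kind of ranking to work on, which is the gap Ware describes.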

Ware said CISA understands today more than ever the importance of two-way threat sharing, especially given the fact the private sector sees so much more on their networks than the government does.

“We rely on bi-directional systems that take the kinds of threat intelligence that we see from the full array of government visibility and we package that into a feed that is consumed by thousands of entities directly and many of them indirectly,” he said. “So almost all of the threat intelligence providers, software companies, ingest that feed and provide it to their customers kind of through their products and it’s consumed by international partners, by corporations directly. It’s a two-way street. We also receive back from them that technical information. When I think about sharing that information, it really takes all of these things. It takes the human element so that we have contacts and relationships and we trust each other enough to share. And ultimately, it takes technology that can share the thousands of these things that there are on a continuous and an automated basis.”

With the volume, velocity and variability of cyber threats, it will take a collaborative effort by government and industry to secure data, systems and networks.

Surge in teleworkers, expanded attack surface

Ware said one level down across all agencies, CISA is convening with agency chief information officers and chief information security officers on a regular basis to discuss threats.

“Yes, there’s a lot of technical and automation needs to happen, but we need analysts to say ‘here’s why you really have to pay attention to this. And here’s what it means for some of the decisions you’re going to be making from a risk management perspective over the long term,’” he said. “In addition to that, there are things that we can do through automation at scale, taking indicators and deploying them in EINSTEIN, deploying them at the Trusted Internet Connection that the agencies have so that at a systemwide basis we are protecting against those malicious actors or protecting against those vulnerabilities.”

These tools and others are playing a bigger role than ever as agency threat surfaces have expanded with the coronavirus pandemic. With the surge in teleworkers, agencies have to focus protections on more mobile devices and on employees connecting from a wider assortment of locations.

Ware said email phishing attacks, ransomware and nation state attacks against the nation’s research and development institutions remain major concerns for CISA. But it’s the surge in remote working where the agency is spending a lot of time lately.

“We’ve also seen agencies that have had to rush to deploy things that have had misconfiguration errors,” he said. “I think the most important thing here is that most of the vulnerabilities that are being exploited have been around for a very long time, are very well known and could be patched but have not yet been patched.”

Hackers going after VPN vulnerabilities

CISA published analysis three weeks ago around existing vulnerabilities most targeted by adversaries between 2017 and 2019.

Ware said many of those have been fixable for years, but adversaries continue to exploit them.

“It’s kind of the old tools that still work for the bad guys so they’re going to just keep on using those tools,” he said. “We also looked at this current period, what’s been going on in 2020 so far, and I think, while no surprise and it was confirmed in our data and our analysis, nation state adversaries, in particular, are targeting virtual private network vulnerabilities. These are vulnerabilities we have published more than a year now and there have been patches available for some period of time. But they’re not all patched and our adversaries know that. And those are the things they’re going after and harder, of course, for us to deal with now.”

Ware said these vulnerabilities became more important to fix as more agencies worked remotely and logged on through VPNs.

“Getting after those vulnerabilities and those risks is going to be a critical order of business really for every company and for every department agency,” he said. “There’s a variety of different strategies that we’re implementing that are not exclusive to mitigating spear phishing attempts, but certainly a major source of those attempted successes. We’re going after that as aggressively as we can on the dot gov side and we just need to find ways which are broader whole of government strategic implications to extend that out into state local governments and critical infrastructure as well.”

New CISA strategy

All of these efforts, Ware said, are trying to remove systemic parts of the risks agencies face.

“If we can do something on the protective domain name system (DNS) side that removes 80% of nuanced, unsophisticated potential for attacks, that would be a big win,” he said. “We’re still going to have those sophisticated adversaries. Those advanced persistent threats (APTs) that do come into the perimeter and are attempting to move from host-to-host. There’s a number of additional things that we have to do with network segmentation being a significant one. These are things that we can provide guidance, but these are things that really are done within departments and agencies.”

Ware added that as agencies move more toward a zero trust framework and assume their network perimeter is going to be breached, there are things they can do to reduce the attack surface. CISA is working with agencies to help them rearchitect and rethink their networks.

Ware, who President Donald Trump appointed to the position in December, spent the first few months on the job learning and developing the Cybersecurity Directorate (CSD) 2025 Strategy.

“Our adversaries have grown more and more sophisticated. We’re losing that perimeter as agencies have moved to the cloud and software-as-a-service. So much more of the traffic on the network today is encrypted than it was years ago. And when I take a lot of these things and I put them together, in many of the ways that we’ve kind of traditionally thought of our job, where we put sensors, what those sensors look like and how we secure things and is not as aligned with the way that enterprise IT and the mission are moving in the future,” he said. “There’s a number of components of that long term strategy that focuses on what do we need to do to build more relevant organization and address our future risk posture.”