Ever since the launch of comprehensive data sharing more than a decade ago, the Intelligence Community has continuously updated its techniques and technologies for disseminating cyber threat intelligence, covering both virtual and physical dangers to agency networks and infrastructure.
La’Naia Jones, deputy chief information officer of the Intelligence Community, said the intel originates from multiple places, such as an agency within the community or one of its centers. She said the Security Coordination Center is a cross-cutting agency that serves the entire IC, propagating threat intelligence and malware instances so that the community is better positioned to respond.
It is more of an operational center than a research-type agency, she explained.
“So they work with all of the agencies to coordinate threats to work on malware signatures to prevent attacks and threats, to ensure that everyone has the same information from a threat posturing, and the security perspective,” she said on Federal Monthly Insights — Strategic Threat Intelligence. “They coordinate, whether it be general information or upcoming or anything that came out, they really are charged with ensuring that everyone is aware and tracking and knows of the most current status information mitigation techniques, and everything that’s included with that.”
The SCC came about after the Intelligence Community Incident Response Center expanded five years ago to be able to posture to coordinate mitigation, shared services and infrastructure, Jones said. She said it is directly connected to the IC and other sensitive departments of the government. All of this generates substantial data, especially considering threat intelligence is propagated both on the IC’s classified network and to lower security classifications, Jones said.
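The article notes that threat intelligence authored on the IC’s classified network is also propagated to lower classification levels. As an added illustration (not code from the article or from any IC system), the following Python sketch shows the kind of release check that has to sit in front of such a cross-domain feed: each indicator carries a classification marking and an optional list of domains its originator has cleared it for, and the feed builder releases only what the target network is allowed to see, strips originator attribution from anything released below its own marking, and counts what was withheld. The marking scheme, domain names, agency names and indicator values are all constructed assumptions.

```python
"""Added example: a release filter for disseminating threat indicators from a
higher-classification network to a lower one.

Assumptions (not stated in the article): indicators carry a `classification`
marking from a simple UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP SECRET order
and a `releasable_to` set naming lower domains the originator has explicitly
cleared them for. All sample data below is constructed."""
from dataclasses import dataclass

# Ordered markings; a network at level N may carry indicators marked <= N.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Indicator:
    kind: str                      # e.g. "sha256", "domain", "ipv4"
    value: str
    classification: str            # one of LEVELS
    source: str                    # originating agency/center (constructed)
    releasable_to: frozenset = frozenset()   # domains cleared by originator


def releasable(ind, target_level, target_domain):
    """True if the indicator may be sent to `target_domain`: either its marking
    is at or below the target network's level, or the originator explicitly
    marked it releasable to that domain."""
    if ind.classification not in LEVELS or target_level not in LEVELS:
        raise ValueError("unknown classification marking")
    if LEVELS[ind.classification] <= LEVELS[target_level]:
        return True
    return target_domain in ind.releasable_to


def build_feed(indicators, target_level, target_domain):
    """Return (records, withheld_count) for the lower domain.

    Duplicate (kind, value) pairs are emitted once. Indicators released below
    their own marking are re-marked at the target level and lose their
    `source`, so the originating agency cannot be inferred downstream."""
    seen = set()
    feed, withheld = [], 0
    for ind in indicators:
        key = (ind.kind, ind.value)
        if key in seen:
            continue                      # already released in this feed
        if not releasable(ind, target_level, target_domain):
            withheld += 1
            continue
        seen.add(key)
        downgraded = LEVELS[ind.classification] > LEVELS[target_level]
        feed.append({
            "type": ind.kind,
            "value": ind.value,
            "marking": target_level if downgraded else ind.classification,
            "source": None if downgraded else ind.source,
        })
    return feed, withheld


# Constructed sample indicators; names and values are placeholders.
SAMPLE = [
    Indicator("sha256", "a" * 64, "UNCLASSIFIED", "center-A"),
    Indicator("domain", "bad.example", "SECRET", "agency-B",
              frozenset({"unclass-net"})),        # cleared for release
    Indicator("ipv4", "203.0.113.7", "SECRET", "agency-B"),   # not cleared
    Indicator("sha256", "b" * 64, "TOP SECRET", "agency-C",
              frozenset({"secret-net"})),
    Indicator("sha256", "a" * 64, "CONFIDENTIAL", "agency-C"),  # duplicate
]


if __name__ == "__main__":
    for level, domain in (("UNCLASSIFIED", "unclass-net"), ("SECRET", "secret-net")):
        feed, withheld = build_feed(SAMPLE, level, domain)
        print(f"{domain}: released {len(feed)}, withheld {withheld}")
        for rec in feed:
            print("  ", rec)
```

The check is deliberately fail-closed: an unknown marking raises rather than defaulting to releasable, and attribution is dropped whenever an item crosses below its own level, which is the property a reviewer would want to verify before wiring such a filter into an automated feed.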
Deciding what counts as a higher risk involves multiple factors. Aside from the Security Coordination Center, Jones said all IC agencies have a security or cyber center, or a computer incident security officer who provides annual reports and assessment testing.
“With that, I would say that the Security Coordination Center is looking at the ongoing active threat and mitigation, malware, that type of thing that’s going on,” she said on Federal Drive with Tom Temin. “But then there’s also other processes to ensure the readiness from overall perspective. Each agency is charged with looking at what would be most vulnerable and how to protect their assets.”
Jones said her office would like to automate as much as possible and leverage cloud technology to share threat information, but that’s not to say staff cannot still simply make a call from one agency to another. The IC has been working on greater collaboration for several years.
“I would say that now, more so with the increase in data and the cyber threat and the propagation of malware, the commoditization of malware, that it’s become more of a higher priority. Because whereas before you could say threats were primarily performed by nation state actors, now, with the commoditization, it’s much easier for anyone to provide, or to obtain an exploit, or malware or something to disrupt the network.”
With the increase in data, the challenge arises to get threat intelligence to the right domain or fabric as quickly as possible. Unfortunately, she said, technology evolves so rapidly that new updates are constantly needed.
Open source products are also being used in the IC, but Jones said it’s important to ensure those products are kept up to date. Sometimes an agency will pair open source technology with commercial products to provide the necessary security enhancements.
“So continuous monitoring automation … leveraging newer technologies is absolutely the direction that we’re moving towards,” she said. “Because of those challenges, as well as the partnerships that we have with vendors and other service providers that we are depending on.”