It took the Homeland Security Department three days to own the computer networks of three agencies.
Usually that’s a bad thing when an outside organization takes control over another’s systems and data so quickly.
But in this case, the hope is that DHS is serving up a harsh bit of reality before China, Russia or any of the other assorted hacker groups attacking agency networks daily do so with Ransomware or other malware.
John Felker, the director of the National Cybersecurity and Communications Integration Center (NCCIC) in DHS, said teams of “white hat” hackers are working with three agencies to improve their network security.
“We owned those agencies from top to bottom and side-to-side, and we could go anywhere we wanted to just like a bad guy,” Felker said during an April 19 speech at cybersecurity conference sponsored by AFCEA Bethesda in Washington. “Our guys are working now with those agencies on how to remediate those networks and systems.”
Felker wouldn’t name the specific agencies the NCCIC was working with, but did offer that one was small, one was medium and one was large.
“Our plan is for a duration of 90 days, but that will be adjusted based on how far we’ve gotten in the first two weeks,” Felker said. “Our objective for all of these assessments is to establish persistence in some way. I’m not sure how that is except for being in networks. We are working closely with the White House on scheduling and prioritization of how those things should go down. We are working on our methodology to make sure we can compare apples to apples in terms of results of agencies.”
Felker said the red team assessments only are one part of the DHS efforts. He said the second piece is helping to develop the agency’s cybersecurity talents so they can do similar internal reviews on a more regular basis.
Alan Paller, the director of research for the SANS Institute, said DHS moving to conduct penetration testing from just vulnerability testing is a big change.
Paller said for too long DHS and others have focused on vulnerability testing, which tends not to have a big impact on an organization.
“DHS will have a profoundly positive effect on agencies if the end game is a massive hygiene program that implements and continuously maintains strong defenses,” Paller said. “DHS will have no effect at all if the end game is a report on what it found and how it got in. DHS will get lots of kudos and the three things will get fixed, but next time will find three more problems. There is no value in doing something that doesn’t protect the organization. The value is getting management attention and put in foundation defenses to protect them.”
Paller said the key to any red team exercise is to ensure the organization continues to analyze and review its security controls every hour, every day.
DHS has been conducting red team exercises for several years, focused on vulnerability testing and lasting about two weeks.
This new effort is much more in-depth and tries to see if the agency’s chief information security officer and its staff notices their efforts.
Paller said the National Security Agency has been providing red teams to analyze Defense Department networks for years, but provided these services to civilian agencies a handful of times.
By DHS moving into this space, it is filling a critical need, but Paller warns that people with these white hacker skill sets remain in short supply.
“DHS has a small number of really good people, who actually know how to do this, and it will add real value to the agencies,” he said. “However, those skills don’t replicate easily, meaning bringing five people in and building a regular methodology may create a vulnerability tester, but rarely it creates a penetration tester. You need people with the underlying skills to know operating systems, networking, application development and programming and much more. If you don’t have those foundations, you can’t do the sophisticated penetration testing to replicate what bad guys do. You can’t find people inside government in any volume with those three foundations.”
Paller added the value of penetration testing to get management’s attention so they put these foundational elements in place to protect networks and systems on a real-time basis.
Felker said the red teaming effort is part of a broader collaborative where DHS is meeting regularly with agency security operations centers “to make sure we are operating on same page.” They are also having meetings with the FBI, the Defense Cyber Crime Center and others to analyze cyber incidents.
DHS probably could send a red team into every civilian agency and still not do enough. That’s why the training piece is so critical. But Paller is correct about the fact these skill sets are hard to find and even harder to retain the people who have them.
Give DHS credit for starting somewhere. What has to happen next is the White House and the Office of Personnel Management give agencies new authorities to find, hire and retain these cybersecurity experts.