EXECUTIVE BRIEFING SERIES: Cyber Threat Hunting
Sponsored by Carbon Black

Comply with Federal Security Mandates. Carbon Black solutions help enable agencies to rapidly meet federal standards and implement the NIST Cybersecurity Framework to secure and protect government IT: protect critical infrastructure; identify and close security gaps; respond and recover rapidly from incidents. carbonblack.com/federal

CYBERSECURITY: ‘We’re all on the front lines now’
BY TOM TEMIN

Managing today’s cybersecurity risks takes the agility and reach of an octopus. Organizations need to watch endpoints, network infrastructure, e-mail, and applications for a variety of hacking, malware, phishing, and user (and administrator) error. The vectors of danger and the specific types of threats multiply fast.

Threat hunting is emerging as a powerful tool for agency security managers. Think of it as using cybersecurity data analysis to identify threats before they become problematic. Threat hunting calls for gathering telemetry-level data from endpoints and other network traffic and combining it with data from other relevant sources. It then requires a strategy for storing that data, and analysis tools that reveal malicious activity while the danger is still only potential. The result: more time to react.

The data gathering and analysis dovetails with agencies’ continuous diagnostics and mitigation programs. It enables a more comprehensive view of their cyber space and what’s occurring in it.

For a look into current best practices for threat hunting, compliance and cyber data analytics, Federal News Network and Carbon Black convened a panel of high-level federal cybersecurity practitioners. Two major takeaways from the conversation:

1. Cyber threat intelligence is greatly enhanced when security staff takes a wide-aperture view of the data sources they include in their analytic regimes. The more sources of data, the more effective the threat hunting, and the sooner staff will become aware of a threat. Said one participant, “We’re leveraging tools to shorten the chain of getting to where we can make a decision or take action.”

2. A risk management approach, rather than a compliance strategy, is the more effective way to mitigate the ever-changing cyber threat.

PANEL OF EXPERTS

Damon Cabanillas, Vice President, U.S. Federal Sales and Operations, Carbon Black Inc.
Alma Cole, Chief Information Security Officer and Executive Director, Cybersecurity Directorate, Customs and Border Protection
Greg Hall, Assistant Director and Chief Information Security Officer, Executive Office for the United States Attorneys, Department of Justice
Steven Hernandez, Chief Information Security Officer, Department of Education
Tom Kellermann, Chief Cybersecurity Officer, Carbon Black Inc.
William Rogers, Deputy Director for Compliance, National Oceanic and Atmospheric Administration
Gary Stevens, Deputy Chief Information Security Officer, Executive Director for Information Security Policy and Strategy, Department of Veterans Affairs

Tom Kellermann, Carbon Black’s chief cybersecurity officer, described a threat environment in which, he said, “We’re all on the front lines now.” The environment is characterized by hackers who fight to maintain persistence, who conduct counter-incident response 56 percent of the time, and who neutralize agency incident response teams to retain a foothold. They commandeer agency e-mail servers via Reverse Business Email Compromise (RBEC). Such activities can let adversaries undermine the basic trust customers and constituents have in online systems — this as agencies push to deploy more digital services.
Of the threat environment, Kellermann said, “It’s escalating from a burglary to a home invasion.”

Agency initiatives, as-is and to-be

Agencies take a variety of approaches to cyber, but some themes emerge. For Gary Stevens, the deputy chief information officer at the Veterans Affairs Department, digital transformation provides fresh impetus to ensuring compliance (or alignment) with federal cyber initiatives, including the risk management and cybersecurity frameworks. VA also maintains an active threat-hunting posture.

As it develops new applications such as telehealth, he said, VA wants to ensure the security is programmed in right along with the rest of the logic — the so-called “baked-in” approach. He noted VA has been a participant in the Homeland Security Department’s continuous diagnostics and mitigation (CDM) program since 2013 as part of its enterprise cybersecurity program. And it applies the .govCAR — government cybersecurity architecture review framework — as promulgated by the National Institute of Standards and Technology.

One goal, he said, is “to create the ability to visualize what’s happening within the environment, so that through various feeds we have enhanced visibility on our overall cyber state. Then use deep dive analytics, penetration testing … [to] understand what’s in the realm of possibility for understanding cyber threats.”

For William Rogers, deputy director for compliance at the National Oceanic and Atmospheric Administration, the goal is to advance cyber activities from compliance to risk management. Operationally, he said, that entails moving from a security operations center (SOC) mindset to cyber intelligence. That, in turn, means including threat data coming from outside NOAA’s own networks.

“We want to start looking at the all-source indicators that are coming in,” including those from the classified sector, Rogers said, “and how we integrate that into those pictures we’re painting every day.”

For NOAA, the all-source data approach brings what Rogers called an internal risk mitigation strategy. “Instead of insider threat, how do we look not at the people but at the data?” He added, “NOAA has a large amount of scientific data that scientists feel belongs to them and not to the government.” The issue is “how we stop that getting to the outside.”

Rogers said an important motivation for NOAA, in addition to the usual ones of preventing data exfiltration or financial theft, is the need to protect data from deliberate corruption. NOAA’s weather data, for example, is crucial to the basic economic functioning and safety of the nation.

The Justice Department’s Greg Hall, chief information security officer for the U.S. Attorneys office, described six cyber program components. They are the security operations center, risk management practice, security architecture engineering, insider threats, cybersecurity lines of business, and forensics and investigations. Hall said each activity both produces and consumes data, adding, “These data sets are important by themselves, but in aggregate they paint a bigger picture.” He said he’s aggregating the six programs’ data with feeds from a variety of other Justice and non-Justice sources.

To that superset of data, Hall said his staff is applying analytic algorithms “to really parse the data and derive intelligence from it.” Above what he called commodity SOC services, Hall said these second- and third-tier analytics — what he termed “fusion cells” — are where the threat hunting takes place. He said it not only brings disparate data sets together but also a range of people with expertise in cyber categories such as penetration testing, insider threat, and endpoint security.
Moving detection to the left

Implicit in these approaches is that a threat-hunting strategy built on diverse data and analytics yields knowledge of dangers sooner than analyzing the data from a single network alone, which is sometimes called “moving detection to the left.”

“You may not be able to tell a [malicious] campaign is happening by analyzing one particular event,” Hall said. “But if you correlate events and you can see things more from an enterprise perspective, then it may be more intuited that there’s a cyber attack or a campaign happening.”

For the Education Department, updated cyber activities align with three elements of the President’s Management Agenda. That’s according to Steven Hernandez, Education’s CISO. The three elements are workforce, data and accountability, and IT modernization.

Hernandez said his shop is specifically looking for people who know how to hunt cyber threats and have the statistical capabilities “to be able to sort through data and separate the gold from the slag.” That skill set, he said, is “remarkably difficult” to find and recruit. He said use of the federal reskilling academy, with its three-month intensive cyber training, is one way of finding or developing such people.

Like Stevens of Veterans Affairs, Hernandez says IT modernization at Education is partly a matter of developing new applications that are secure from the outset. He added his shop requires cloud services providers to feed cyber-related data from their clouds back to the department.

On the data front, Hernandez said, “Everything we do from this point forward is data driven in terms of how we find threats in the organization.” He noted the potential financial exposure Education has, given its $1.5 trillion student loan portfolio and its hundreds of billions of yearly grants and financial aid dollars.

Complicating its own cyber efforts, he said, is that Education’s financial sector partners are sometimes more vulnerable than the department. “What we’ve discovered through our own threat intelligence is that our attackers have figured out it’s actually a royal pain to attack the government. So what we’re seeing is the attackers have gone down the chain” to institutions receiving Education aid and data, and targeting them. Outreach to partners and sharing information with them forms the fourth part of Education’s cyber strategy, Hernandez said.

Industry offerings can enhance agencies’ strategies of data analytics for threat hunting. Damon Cabanillas, the vice president for U.S. federal sales and operations at Carbon Black, said one way is what he called the positive security model. An element of that is application whitelisting in conjunction with the CDM program. This approach derives from the theory that agencies are most vulnerable at the point where data is within applications at users’ desktops or mobile devices, and where the transmission of data is unencrypted.

Endpoint protection is coupled with “shrinking the dwell time through big data analytics — using data to look for threats,” Cabanillas said. Carbon Black technology can detect endpoint anomalies and issue alerts. Continuous monitoring and analytics, he said, can give operators the chance to respond short of wiping devices.

Carbon Black’s Kellermann described a strategy of using telemetry to inform analytics. He said it’s also important for practitioners to update their view of security from a linear kill chain to viewing it as a cyclical phenomenon. He cited the tendency of attacks to “island hop” from one system to another, meaning a “kill” in one location doesn’t mean the threat is over. He advised agencies to take advantage of wide-area telemetry — the monitoring of data from across the Internet — as conducted by Carbon Black.
Telemetry coupled with analytics shows emerging patterns, Kellermann said, such as a Russian attack technique migrating to Iran and North Korea.

Comprehensive strategies needed

Alma Cole, CISO of U.S. Customs and Border Protection, promulgates a strategy that puts it all together. He said that when many are thinking in terms of exotic cyber issues like quantum encryption, it’s important to realize basic cyber hygiene like monitoring and patching is “the best thing you can do to keep yourself out in front of cyber adversaries.”

CBP, Cole said, has a program emphasizing vulnerability management with penetration testing, bug bounty programs, and a security operations center aimed at informing analysts of what’s going on. At the DHS level, he described a strategy of machine-to-machine orchestration of threat detection and mitigation. “We also have future initiatives to further improve our indicators of compromise data sharing and management of that data,” Cole said, to replace the swapping of spreadsheets.

Kellermann said the holy grail is the ability to “detect, deceive, divert, contain, and hunt an adversary unbeknownst to the adversary.”

Agencies have a ways to go, Cole said, in adapting CDM to forward-looking threat hunting. “A lot of the discussion about CDM initially was talking about its applicability to threat hunting and flowing up information to the dashboard that would provide that data. Phase one of CDM is not that,” Cole said. Rather, it’s simply understanding your own environment and its current posture. That helps with compliance on patching and tracking inventories of IT assets. Phase two of CDM, covering identity management, still lives in compliance. “But Phase three and four, that’s when you start to get into more of the controls that might affect your ability to deal with threats and your ability to do hunting,” Cole said.

Ultimately, agencies will combine their own data gathering with that of other agencies and vendors like Carbon Black to get full pictures of their environment and what might impinge on it. NOAA’s Rogers said agencies must work toward the goal of “merging compliance, risk management and operations into a single unit.”