3 Components in the Hunt for Cyber Threats
“Anyone trying to secure their networks must have some kind of hunt capability,” said John Hickey, cyber development director for the Defense Information Systems Agency (DISA), at a recent Federal Computer Week Security Summit in the District of Columbia.
Hunt capability is the ability to rapidly discover and eradicate threats that try to evade our defenses. Hickey described three components of DISA’s hunt capability: people, in the form of Cyber Protection Teams; security integrated in the cyber environment; and identity and access management.
Cyber Protection Teams
DISA and the Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN) focus on the hunt mission and put significant emphasis on training cyber protection teams (CPTs), whose job it is to maintain oversight of that mission.
“The tools available today have seams and gaps, and the enemy is vast, large and global with time and space [to plan and execute], just as in all military operations,” said Hickey. By training cyber warriors inside the environment, inside key terrain, DISA is reinforcing the skill sets needed to hunt down threats that evade existing tools.
The CPTs under DISA’s control receive extensive training, including immersion training alongside red teams (whose mission is to find vulnerabilities) during exercises and deployments. All CPTs also receive enhanced training on tools and systems such as the Joint Regional Security Stacks (JRSS), the Big Data Platform, and Cyber Situational Awareness Analytic Capabilities, which give the CPTs broad visibility from access points across the DODIN.
“It is key to have security early on in our environment, from the development of new technologies to knowing who we allow on our networks,” said Hickey.
Highlighting the recent milCloud 2.0 request for proposal (RFP), Hickey underscored that the emphasis on security, and the agency’s need for industry to deliver those capabilities in an integrated manner, were at the forefront.
He also said JRSS, and fielding it in a joint manner, is his priority, because the solution provides critical visibility all the way to the endpoints of the network.
“DISA is correlating all the information, coming in from both unclassified and classified [occurrences], to report where we are from a compliance standpoint in how we’ve configured our boxes, including servers and workstations,” Hickey said. “The other critical piece is how well we’re patching those [access points]. We need industry’s help to develop a more automated means to patch.”
Protecting networks largely rests on who is allowed to access them, said Hickey.
Public Key Infrastructure (PKI) is still one of the best defenses against adversaries because of the difficulty of breaking into a system requiring a strong credential. DISA is also working on derived credentials and form factor initiatives to support identity management for mobile devices, including tablets and laptops.
Insider threats exist, but learning user patterns and applying key access controls can help protect against them.
“If you’re not paying attention to your privileged users, you’re down the wrong path,” Hickey said.
Adversaries, regardless of their origin, are going after credentials, which gives them access to key information. Whether they gain entry through a phishing attempt, or as an insider, the credentials are the literal key. Once in, they will move laterally through the networks to seek out stronger credentials for further access.
Thwarting these attempts requires heavy monitoring from the inside, and depends on knowing who has credentials and why, and which back-end tools are available to conduct that monitoring.
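The chain Hickey describes, an account entering, moving laterally across hosts, then a stronger credential appearing from one of those hosts, is the kind of pattern an inside-monitoring hunt looks for. The following is an added example, not DISA's or any named tool's code: it runs over a constructed set of logon events and a hypothetical inventory of privileged accounts and the hosts they are approved for ("who has credentials and why"), flagging privileged logons outside that inventory and privileged logons originating from a host just reached by a laterally moving account. All account names, host names and thresholds are constructed.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

class AuthEvent(NamedTuple):
    ts: int        # seconds; the sample is processed in time order
    user: str
    src_host: str  # host the session came from
    dst_host: str  # host the user logged on to

# Hypothetical "who has credentials and why" inventory:
# privileged account -> hosts it is approved to log on to.
PRIVILEGED_INVENTORY: Dict[str, Set[str]] = {
    "adm-backup": {"backup01"},
    "adm-dba": {"db01", "db02"},
}

# Constructed sample logons: jdoe hops ws17 -> fs01 -> app03 -> db02,
# then adm-dba is used from db02; adm-backup logs on to a host it is not approved for.
SAMPLE_EVENTS: List[AuthEvent] = [
    AuthEvent(50, "adm-dba", "ws02", "db01"),
    AuthEvent(100, "jdoe", "ws17", "fs01"),
    AuthEvent(160, "jdoe", "fs01", "app03"),
    AuthEvent(220, "jdoe", "app03", "db02"),
    AuthEvent(300, "adm-dba", "db02", "db01"),
    AuthEvent(400, "adm-backup", "ws05", "fs01"),
]

def find_credential_chains(events: List[AuthEvent], min_hops: int = 3) -> List[Tuple]:
    """Return findings in time order.

    ("priv_off_inventory", priv_user, dst_host): privileged logon to an unapproved host.
    ("priv_after_lateral", mover, priv_user, host): a privileged credential used from a
    host that an account which had already reached >= min_hops distinct hosts logged on to.
    """
    findings: List[Tuple] = []
    visited: Dict[str, Set[str]] = defaultdict(set)   # user -> hosts reached so far
    users_on: Dict[str, Set[str]] = defaultdict(set)  # host -> users seen logging on there
    for e in sorted(events, key=lambda ev: ev.ts):
        approved = PRIVILEGED_INVENTORY.get(e.user)
        if approved is not None:  # privileged credential in use
            if e.dst_host not in approved:
                findings.append(("priv_off_inventory", e.user, e.dst_host))
            for mover in sorted(users_on[e.src_host]):
                if mover != e.user and len(visited[mover]) >= min_hops:
                    findings.append(("priv_after_lateral", mover, e.user, e.src_host))
        visited[e.user].add(e.dst_host)
        users_on[e.dst_host].add(e.user)
    return findings
```

Against real data the inventory would come from the identity system and the events from the directory or endpoint logs; the threshold and the "approved hosts" notion are the parts to tune per environment.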
Hickey concluded by challenging industry and mission partners not to rely on boundaries and barriers when it comes to network defense. Instead, he urged new views and perspectives, based on new technologies, and an increased understanding of who has access to our developmental and operational environments.
“There are some really interesting developing technologies in this area that could allow us to view these threats and protections much differently,” said Hickey.
Published November 2, 2016