By Bob Gourley
The Office of Inspector General for the Department of Homeland Security just released an important report for those seeking to understand or improve how the US government responds to cyber attacks. The report, titled DHS Efforts to Coordinate the Activities of Federal Cyber Operations Centers, provides a great executive-level overview of the key federal government cyber security centers and prioritizes several key issues aimed at improving the government’s ability to communicate, coordinate and defend internally against threats to federal networks, and at enhancing activities designed to mitigate cyber security incidents that may pose a threat to the nation. It is well worth a read.
As background, the report is discussing management of incident response at the five key federal cyber operations centers, which are:
- United States Cyber Command (CYBERCOM), operated by the Department of Defense (DoD), establishes and maintains situational awareness and directs the operations and defense of the “.mil” networks.
- Defense Cyber Crime Center (DC3), operated by DoD, sets standards for digital evidence processing, analysis, and diagnostics for DoD investigations that require computer forensic support to detect, enhance, or recover digital media, including audio and video.
- Intelligence Community – Incident Response Center (IC-IRC), operated by the Intelligence Community, provides attack sensing and warning capabilities to characterize cyber threats and attribution of attacks and anticipates future incidents.
- National Cyber Investigative Joint Task Force (NCIJTF), operated by the Department of Justice’s Federal Bureau of Investigation (FBI), serves as the multiagency national focal point for coordinating, integrating, and sharing pertinent information related to cyber threat investigations across all national security and criminal law enforcement programs.
- National Security Agency/Central Security Service Threat Operations Center (NTOC), operated by the National Security Agency, establishes real-time network awareness and threat characterization capabilities to forecast, alert, and attribute malicious activity.
The DHS’s National Cybersecurity and Communications Integration Center (NCCIC) is designed to help bring together the threat information from these five centers as well as others in government. It also provides a means to share information with other partners including key industry and public-private partnership groups. NCCIC is by all accounts a virtuous activity that enables enhanced collaboration and coordination between and among many independent players.
The report dives into many real issues associated with coordinating the activities of federal cyber operations centers, including issues with technologies. Here is what the report says about the need for better sharing tools:
- DHS must procure cyber tools and technologies to improve its situational awareness efforts.
- The NCCIC and Federal cyber operations centers collectively do not have a common tool suite that can provide shared situational awareness and enhance coordinated incident management capabilities among the centers during an incident. Specifically, Federal cyber operations centers do not have a common incident management system tool that tracks, updates, shares, and coordinates cyber information with each other.
- Without a common incident management tool suite and standardized security incident categorization, NCCIC and other Federal cyber operations centers will face a constant challenge in sharing cyber incident information and coordinating an effective response.
- Currently, NCCIC relies on US-CERT’s ticketing system, which is designed primarily to track the status of information technology operations, to maintain cyber incident information. US-CERT’s ticketing system captures cyber incident information, such as incident occurrence and reporting dates, email correspondence between the reporting/affected agency and US-CERT, and phone conversations regarding the events. However, this ticketing system does not link situational awareness products (i.e., alerts and bulletins) that have been issued and are associated with a specific cyber incident, threat, or vulnerability. As such, incidents may not be consistently tracked, categorized, or managed seamlessly across other NCCIC components. Since NCCIC integrates cyber threat information from other Federal operations centers, having a common cyber tool will allow NCCIC to provide a comprehensive view of cyber activity across the intelligence, defense, civil, and law enforcement communities.
- Federal cyber operations centers often share their information with one another. However, no single entity combines all information available from these centers and other sources to provide a continuously updated, comprehensive picture of cyber threat and network status to provide indications and warning of imminent incidents, and to support a coordinated incident response. Specifically, NCCIC does not have the tools and technologies to support continuous updates, improve efficiencies and prevent duplicative efforts in information sharing. Potential solutions include tools and technologies for incident management, shared knowledge management database, automatic call distribution and media tracking systems, dashboards, and enterprise reports for analytics which should be consolidated by the NCCIC. According to NCCIC officials, both funding and technology are needed to improve information sharing.
- Further, having a common set of cyber tools will allow NCCIC to provide indicators and warning information to alert key organizations of emerging threats to the Nation’s cyber infrastructure. According to the NCCIC Director, there is no national system or common cyber tool currently in place for the Federal cyber centers to share information. Additionally, the NCCIC Director acknowledged that having a common cyber tool and technology could allow the centers to provide actionable information to prevent and reduce the harm from cyber threats and vulnerabilities electronically, on a real time basis.
The tool that immediately comes to mind here is Recorded Future.
The capability Recorded Future has engineered was built to take in any data source on the web (currently over 350,000 data sources), smartly parse, correlate and assess those dynamic sources, and then let analysts interact with the data through very powerful visualization tools they can iterate over.
Yep, Recorded Future can handle more data sources than the US government cyber centers would ever need and can help deliver situational awareness between and among each other. And its cyber analytical tool can do that in a way that cyber security analysts find intuitive and incredibly useful.
Some unsolicited advice:
- For DHS: I know it is a hard environment to operate in there, but now that you have your OIG saying you really have to fix this problem, you should have some new ammunition to try to get this big thing done. Bring Recorded Future in for a demo and discussion, get your procurement guys to let you do a prototype, and if that prototype shows promise, get the money to buy it. The mission needs this approach. Also check out this paper for more insights: Web Intelligence and Analysis Support to Enterprise Cyber Operations
- For Recorded Future: The hardest thing to do in the US business world is to sell to the US government, and of all things to sell, smart solutions based on software are perhaps the hardest. But you need to do this hard work. Time to get your account team to start walking the halls of DHS. They need you guys badly. Strike that, the nation needs you guys badly.