Federal agencies were in the crosshairs of hackers like never before in 2014: The Nuclear Regulatory Commission, the National Oceanic and Atmospheric Administration, the U.S. Postal Service, the White House and the State Department all copped to breaches over the past year.
Agency chief information officers and other data security officials say it’s time to begin thinking about new approaches to rooting out and responding to cyber incidents.
For the Office of Personnel Management, one of the agencies on that dubious "hall of fame” for the hacked, the constant game of “whack-a-mole,” is growing tiresome, said Jeff Wagner, the agency’s security operations officer.
“JPMorgan, Target, Home Depot, any federal agency: How many times do we have to fail before we go, 'You know what? What we're doing isn't working,” Wagner said in a speech at a cybersecurity summit hosted by AFCEA Bethesda on Wednesday.
In July, news reports indicated Chinese hackers had infiltrated OPM's databases, potentially in pursuit of the personnel files of security clearance holders. Later in the summer, the private company that performs a majority of those background investigations was also breached by hackers.
The so-called “defense in depth” model -- continuing to build in ever more layers of security, such as firewalls and antivirus protection in a bid to better lock down networks -- is “dead,” Wagner said.
In its place is a concept Wagner calls “auditing by visibility,” leveraging a real-time view of the agency’s networks and its various endpoints -- essentially continuous monitoring on steroids.
Agencies have finally begun to take more concrete steps toward continuous monitoring, thanks to the Department of Homeland Security’s continuous diagnostics and mitigation program, or CDM. Under the $6 billion, DHS-managed CDM contract, agencies can opt in to various free cyber-monitoring tools and services to continuously scan their systems and note anomalies.
"If I don't have to do reporting because CDM's doing it for me, think of all the time I can spend doing the important stuff like finding the bad guys, stopping the bad guys, seeing what's out there,” Wagner said.
Congress recently codified DHS’ continuous monitoring efforts into law, rewriting the 12-year-old Federal Information Security Management Act, which required only static checklist-type audits of cyber vulnerabilities.
Lessons Learned from US-CERT
Federal agencies, to be sure, were far from the only entities affected this year. The U.S.-Computer Emergency Response Team, an elite squad within DHS that responds to government and private-sector breaches alike, responded to numerous incidents in 2014.
A targeted spear-phishing campaign pried its way into JPMorgan’s networks in September. Malware wriggled its way into the credit-card processors of Home Depot, Dairy Queen and UPS. Kmart, Neiman Marcus and restaurant P.F. Changs also announced breaches.
In the wake of the wave of data breaches, CERT has spotted a few notable trends, not always in the attacks themselves but in the security measures -- or lack thereof -- of the affected entities.
"A couple things that we saw consistently, organization to organization that, in many cases, makes your jaw sort of hit the floor,” said Brad Nix, US-CERT’s deputy director.
A key takeaway? The importance of segmenting networks.
When the CERT team members arrived on the scene, they thought they would be analyzing a defined portion of the hacked organization’s network. Instead, they found networks were not generally segmented, meaning hundreds of sub-networks were also potentially infected.
"When you're called into an organization, and you're there to help sort of identify what the issue and help mitigate that issue, you have to be sort of careful about your reaction to situation when you first walk in,” Nix said. “You can't walk in and say, 'Oh my gosh, you're kidding me -- you didn't segment your networks?'"
Another lesson learned: General user accounts -- not just administrative account holders -- are increasingly the target of hackers.
Cyber Response: At the ‘Speed of Pregnant Turtles’?
With all the recent hacks, there’s also been a notable shift in the way agencies have responded at mitigating them once they are breached.
There are two ways to handle incident response, said Wagner, the OPM cyber official.
“There's turn it off, make it go away, which your management will completely agree with, because they want it gone,” he said. “They don't want to be in the news; they want to completely get rid of it.”
The other approach is first, of course, contain the malicious activity, but then see what the hackers do. That can actually help make sure the threat is eradicated.
“Let's figure out what's going on,” Wagner said. “Let's make sure that it's gone. Because if you don't do that, I guarantee if you turn off that box, they're just going to wait a month and come in somewhere else."
A handful of agencies, including the U.S. Postal Service, appear to have taken the so-called “honeypot” approach in recent months. That is, delaying booting hackers from their networks -- after malicious activity is detected, to understand the hackers’ behavior and what they’re seeking.
Still, not all delays -- or even most -- are strategic. Agencies are often challenged at responding to incidents because of a lack of relatively basic cyber hygiene, including configuration management, which describes the process of documenting updates and other changes to software and systems.
“We run into these issues when a vulnerability pops up, or a cyberattack occurs,” said David Bennett, chief information officer for the Defense Information Systems Agency, which operates the Defense Department’s computing centers. “You're scrambling trying to figure out who's affected, who's not affected."
Bennett added: "If you don't have a good configuration management database that is accurate, up-to-date and all-inclusive, every time you run into a cyber issue, you're going to spend -- I'm going to make this up -- the first five days of the issue doing nothing but trying to figure out who shot who and what's going to be impacted? And do you have five days? No, because the attack is happening at the speed of electrons and we're moving at the speed of pregnant turtles.”