DHS Hacker Warnings Will Soon Carry Reputation Scores

A reflection of the Department of Homeland Security logo is seen reflected in the glasses of a cyber security analyst in the watch and warning center at the Department of Homeland Security's secretive cyber defense facility. Mark J. Terrill/AP File Photo

Essentially, the ranking would tell companies and agencies, with a certain degree of confidence, the reliability of a threat warning.

The Homeland Security Department will soon rate the trustworthiness of tip-offs about hacking groups it receives from outside sources before sharing them with other agencies and industry.

A cybersecurity information-sharing law passed six months ago requires DHS to disseminate threat "indicators" -- hallmarks of a particular attack, like a certain malicious attachment. 

Some internet service providers, agencies, companies and others on the receiving end have set their servers to automatically feed the data points into anti-malware scanners.

But what if the intelligence you've just instantly entered into your network is flawed, or downright malicious?

"There's a quality piece, as things are moving through" the Automated Indicator Sharing system, said Matt Shabat, strategist and performance manager for the DHS Office of Cybersecurity and Communications. "What gets shared in, gets shared out."

As indicators pass through the sharing system, "we want to be able to add a reputation score" sometime in the near term, he said. 

Shabat on June 15 briefed the U.S. Information Security and Privacy Advisory Board on execution of the 2015 Cybersecurity Information Sharing Act. 

To derive a score, DHS will analyze an indicator received from an outside source against intelligence it already holds from federal partners, along with other material bearing on the reputation of the submitter.

A user might, for example, choose only to accept from DHS threat intelligence graded above a six on a 10-point scale, Shabat said. Other participating agencies or businesses with more vulnerable IT networks may decide they only want their systems to take action if the intelligence scores a 10. 
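The threshold policy Shabat describes is easy to picture as a consumer-side gate. The following is an added illustration, not DHS or AIS code, and the scoring function is a hypothetical stand-in for DHS's unpublished method: it assumes a 1-10 reputation score is attached to each indicator, and that each consumer picks the minimum score at which its defenses act unattended, with a second, lower threshold for indicators an analyst should look at before anything is done. All submitter names, hashes and domains are constructed placeholders.

```python
"""Reputation-gated ingestion of shared threat indicators.

Added illustration (not code from DHS or the AIS program): every indicator
carries a 1-10 reputation score, and each consumer sets the minimum score
at which its defenses act on it without a human in the loop.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str    # constructed sample value, e.g. a hash or domain
    kind: str     # "hash" or "domain"
    source: str   # placeholder submitter name
    score: int    # reputation score, 1 (lowest) to 10 (highest)


@dataclass(frozen=True)
class ConsumerPolicy:
    auto_min: int    # act automatically at or above this score
    review_min: int  # below auto_min but at or above this: queue for an analyst


def score_indicator(submitter_trust: float, corroborated: bool, prior_bad_reports: int) -> int:
    """Hypothetical scorer standing in for DHS's unpublished method.

    Starts from the submitter's trust level (0.0-1.0), adds weight when the
    indicator matches intelligence already held, and penalises submitters
    whose earlier reports turned out to be wrong. Result is clamped to 1..10.
    """
    raw = submitter_trust * 7.0 + (3.0 if corroborated else 0.0) - prior_bad_reports
    return max(1, min(10, round(raw)))


def triage(feed, policy: ConsumerPolicy):
    """Split a feed into indicators to act on, hold for review, or discard."""
    acted, review, dropped = [], [], []
    for ind in feed:
        if ind.score >= policy.auto_min:
            acted.append(ind)
        elif ind.score >= policy.review_min:
            review.append(ind)
        else:
            dropped.append(ind)
    return acted, review, dropped


# Constructed sample feed; hashes and domains are placeholders, not real IoCs.
SAMPLE_FEED = [
    Indicator("d41d8cd9-placeholder", "hash", "partner-a", score_indicator(0.9, True, 0)),    # score 9
    Indicator("login-verify.example", "domain", "partner-b", score_indicator(0.7, False, 0)),  # score 5
    Indicator("cdn-update.example", "domain", "partner-c", score_indicator(0.6, True, 0)),     # score 7
    Indicator("update.example", "domain", "unknown-src", score_indicator(0.3, False, 2)),      # score 1
]

# The "above a six" policy from the article versus a stricter "only a 10" policy.
ABOVE_SIX = ConsumerPolicy(auto_min=7, review_min=4)
ONLY_TEN = ConsumerPolicy(auto_min=10, review_min=7)

if __name__ == "__main__":
    for name, policy in (("above six", ABOVE_SIX), ("only ten", ONLY_TEN)):
        acted, review, dropped = triage(SAMPLE_FEED, policy)
        print(name, "act:", [i.value for i in acted],
              "review:", [i.value for i in review],
              "drop:", [i.value for i in dropped])
```

Under the "above six" policy the hash and the corroborated domain are fed straight to the scanner, the uncorroborated report lands in the analyst queue, and the low-trust submission is discarded; under the "only ten" policy nothing is acted on automatically, which is the trade-off a network with more to lose might accept.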

Uploading any and all data points about hack attacks could actually be counterproductive, some security experts say.

"If a source you aren't sure of sends bad code," and your computer is configured to automatically ingest the information, "you could [inadvertently] tell your computer to ignore the things that it should be looking for," said Rob Bagnall, founder of defense contractor Maverick Cyber Defense. "With an automated program, you have to trust, at a certain level, what you're receiving or it's useless and/or dangerous."

The DHS Privacy Police

The whole information-sharing initiative is aimed at ferrying large volumes of threat intelligence, in near real-time, among organizations that volunteer to participate, as well as across the federal government. 

The program has attracted scrutiny partly because private information -- like email data -- could be caught up in the information flows.

For all indicators, "there are a set of use limitations on what the information can be used for in the government and it could be considered quite broad," Jocelyn Aqua, senior component official for privacy for the Justice Department's National Security Division, told the privacy board. The information collected from ISPs and others can be used to counter threats to physical harm, trade secret theft and terrorism, among other cybersecurity, national security and law enforcement purposes, she said. 

Shabat said the intelligence community, Pentagon and civilian government have agreed to delay sharing data until identifying information has been scrubbed out.

"We're obligated in real-time to share whatever we receive through the automated process," with that one exception, he said. First, "we apply an automated scrub," but because "it's not perfect, and there will be certain fields that the automated scrub won't take care of, those we'll flag for human review."

A DHS Computer Emergency Readiness Team analyst will examine those records manually, Shabat said.

The rest of the data is pushed out immediately to agencies and the private sector, he added. "Any of the fields that didn't flag for human review, continue on in real time," Shabat said. 
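The scrub-then-flag flow Shabat describes, as an added illustration that is not the DHS/AIS scrubber: fields the automated pass knows how to handle are released immediately, fields it cannot confidently clean are held back for an analyst, and the rest of the same record continues on in real time. The field names are an assumed schema, not the program's own, and the sample records are constructed.

```python
"""Automated privacy scrub with human-review flagging for shared indicators.

Added illustration, not DHS or AIS code. Fields the scrub can vouch for are
released at once; fields it cannot clean with confidence are routed to a
human, while the remainder of the record is forwarded without waiting.
"""
import re

# Matches ordinary user@host.tld addresses; anything odder is left for a human.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Assumed record schema (not the AIS field names).
PASS_THROUGH = {"indicator_type", "indicator_value", "first_seen", "tlp"}
ALWAYS_REDACT = {"reporter_email", "victim_contact"}
FREE_TEXT = {"description"}


def scrub_record(record: dict):
    """Return (released, flagged).

    released: fields safe to forward in real time, with any cleaning applied.
    flagged:  fields the automated pass cannot vouch for; held for an analyst.
    """
    released, flagged = {}, {}
    for name, value in record.items():
        if name in PASS_THROUGH:
            released[name] = value
        elif name in ALWAYS_REDACT:
            released[name] = "[REDACTED]"
        elif name in FREE_TEXT:
            cleaned = EMAIL_RE.sub("[email redacted]", value)
            # A leftover '@' means an address form the regex did not recognise,
            # so the field goes to a human rather than out the door.
            if "@" in cleaned:
                flagged[name] = value
            else:
                released[name] = cleaned
        else:
            # Unknown field: never forward something the scrub has not seen.
            flagged[name] = value
    return released, flagged


def process_feed(records):
    """Forward the scrubbed part of every record now; queue flagged fields."""
    forwarded, review_queue = [], []
    for rec in records:
        released, flagged = scrub_record(rec)
        forwarded.append(released)
        if flagged:
            review_queue.append({"indicator_value": rec.get("indicator_value"),
                                 "flagged": flagged})
    return forwarded, review_queue


# Constructed sample records; domains, hashes and addresses are placeholders.
SAMPLE_RECORDS = [
    {"indicator_type": "domain", "indicator_value": "login-verify.example", "tlp": "green",
     "description": "Phishing page reported by jane.doe@corp.example",
     "reporter_email": "analyst@isp.example"},
    {"indicator_type": "hash", "indicator_value": "placeholder-sha256", "tlp": "amber",
     "description": "Dropper seen on host of user@corp-lan",
     "internal_ticket": "INC-0001"},
]

if __name__ == "__main__":
    forwarded, queue = process_feed(SAMPLE_RECORDS)
    for rec in forwarded:
        print("forwarded:", rec)
    for item in queue:
        print("held for review:", item)
```

The first record goes out whole with the address masked and the reporter field redacted. The second record's indicator, type and TLP marking are forwarded at once, while its description (an address form the regex could not clean) and an unrecognised field wait for an analyst, which is the split between "continue on in real time" and "flag for human review" that the article describes.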

It remains to be seen how popular the cyber information-sharing program will become.

Roughly 30 organizations nationwide are receiving the Automated Indicator Sharing feeds. About 100 have signed up to do so at some point, according to testimony heard by the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies on June 15.