CISA Shares Specs for Threat-Hunting Solution

The Cybersecurity and Infrastructure Security Agency wants to know whether industry can meet certain performance and security features to support a threat-hunting system.

The 2021 National Defense Authorization Act gives CISA the power to deploy technology, including information collection tools, on federal agency networks and applications and to hunt for threats and vulnerabilities on those systems without notifying agencies in advance. It also calls for the Homeland Security secretary to submit to Congress a review of CISA’s ability to conduct such threat hunting given its resources within a year of enactment. 

“CISA Threat Hunting requires a solution that provides data resiliency for the incident management system,” according to a request for information the agency issued Friday. “The desired solution should have redundancy, failover, load balancing, rate limiting, and the option to scale to the cloud. The desired system should meet the minimum level of encryption 140-2. The system should handle full account logging (successful/unsuccessful) to all assets in the system and integrate with existing [security information event management] architecture.”

After reports of breaches at federal agencies started rolling in—hackers who compromised the software development environment of the ubiquitous IT management company SolarWinds were likely roaming federal networks for many months undetected—congressional cybersecurity leaders emphasized the importance of the threat-hunting provisions in the NDAA. 

Then-President Donald Trump had promised to veto the bill—and did. But Congress overrode him, and now the congressionally mandated Cyberspace Solarium Commission is pushing the new administration to go further than the NDAA by requiring the same sort of threat hunting within the defense industrial base. A new white paper from the commission recommends priorities for the administration, referencing the SolarWinds hack throughout.

“The FY2021 NDAA mandates a report from the Secretary of Defense on the feasibility and suitability of a program requiring threat hunting on DIB networks,” the paper reads. “The Biden-Harris administration should go beyond a report and pass a policy directive requiring companies that make up the Defense Industrial Base, as part of the terms of their contract with DoD, to create a mechanism that allows mandatory threat hunting on DIB networks.”

One concern voiced by industry about the collection and sharing of threat information relates to security.

While CISA stressed that the RFI does not equate to a promise to issue a request for proposals or quotations, questions included in the document indicate what the agency is looking for in a task management system for its threat-hunting efforts.

CISA wants those responding to share how experienced they are with data encryption; details of their multifactor authentication use; if customers are allowed to review and approve security controls and whether the provider works with them to monitor the hosted infrastructure; whether any virtualization used is on dedicated hardware not shared with other tenants; if full monitoring of the host system can be integrated with existing customer systems at the operating system and network levels; and how regularly they verify connections between the systems of customers, providers, and other clients.

Responses to the RFI are due Feb. 2. It is set to become inactive 15 days after that.