Existing Agency Threat Hunters Welcome CISA’s New Authorities 

For the Department of Education, proactive threat hunting means not just taking down questionable URLs but buying them up.

New authorities allowing the Cybersecurity and Infrastructure Security Agency to look for threats across federal agencies’ networks will boost work some departments have already been doing to spot and remove threats outside their perimeter, according to a leading chief information security officer.

“We're very excited about [CISA’s] threat hunting authorities, simply because it gives us more folks out in the wilderness looking for those bad actors,” Department of Education CISO Steve Hernandez said. “We see this as an absolute win, it's only going to supplement and help reinforce the work we're already doing.”

Hernandez spoke Tuesday along with James Saunders, senior adviser to the acting chief information officer for cybersecurity at the Office of Personnel Management, at an event hosted by cybersecurity firm ZeroFOX.

Hernandez, who co-chairs the Federal Chief Information Security Officers Council and Saunders, who was formerly the Small Business Administration’s CISO, detailed the agencies’ threat-hunting activities, which grew in response to fraudsters trying to take advantage of the pandemic.

“We always leverage a capability from [Department of Homeland Security] shared services which enables us to take down malicious urls, malicious websites. We built that into our processes where we get a malicious email, if it makes it to a user's mailbox, we analyze the email, submit it for a site takedown,” Saunders said.

The agency’s threat-hunting activities included taking down those URLs and also scouring social media websites for malicious actors impersonating the SBA.

“When [Paycheck Protection Program], and CARES Act implementation was ordered, it spiked tremendously,” Saunders said referring to loan and stimulus programs launched in response to the pandemic.

Hernandez said the Education Department’s threat-hunting program started well before COVID and was also well aligned with anti-fraud activity.

Any given year, there’s trillions of dollars flowing through the department, which makes it an attractive target, he said. The department noticed that the “watering holes” where nefarious elements gathered to discuss targets were starting to grow.

“Oftentimes that takes place in forums that are well outside of the department's control so the open web, social media, even platforms like Signal, Slack, etc. are becoming places where these conversations are taking place, and our hunt teams have had to expand beyond just the dark web, now into some of the more common places to understand how our attackers are operating and thinking,” he said.

Hernandez giggled noting some of the innovations his threat-hunting team has made for putting suspicious urls out of reach.

“We leveraged our procurement authorities and we went out and bought up a bunch of URLs that looked similar, or that we thought would be likely candidates for exploitation kind of preemptively going out and saying, you know, we're gonna solve these problems before they start,” he said.

He said the initiative to build out bolder threat-hunting programs comes with a shift in mentality around required authorities.

“[At] most federal agencies I've been at, there's a foundational premise that the law must say we can, and we started this conversation, just based on the pure necessity of saying actually hang on, stop, where does it say we can't?” he said. “If there's nothing out here saying we can't, and we've already checked our appropriations and defending our programs and maintaining our fiduciary responsibility for the taxpayer dollars is squarely within the authorities of our appropriations, then frankly we ought to be doing this.”

Hernandez said CISA playing a more active role in the threat-hunting space will be important for engaging the intelligence community.

“CISA often has better insights and in some cases, better and more frequent connectivity with the intelligence side and the counterintelligence side of the house and so when we start looking at all of that value that they're going to bring to the table with these new authorities, it's only going to amplify the work that we're already doing,” he said.