IRS needs better documentation for its cyber threat hunts, watchdog says

A new report found that the IRS lacks established policies and procedures in its cyber threat hunt operations.


A new report noted that a lack of “established policies and procedures” could prevent the tax agency from meeting federal requirements.

An Internal Revenue Service watchdog released a new audit last week that highlights necessary changes for the agency’s current cyber threat analysis procedures, including more thorough threat hunt documentation and formal review processes for device and program blocks. 

Cyber threat hunting involves “proactively searching organizational systems, networks and infrastructure for advanced threats,” according to the report.

The Treasury Inspector General for Tax Administration examined the IRS’s current cyber threat hunting process, noting that a successful cyberattack on IRS systems could result in compromised tax data and possible national security fallout. 

“By not having established policies and procedures, the IRS risks its employees not meeting federal requirements for cyber threat hunting,” the report says. “As the nation’s tax agency, the Internal Revenue Service collects and stores substantial amounts of personally identifiable information, including all tax records for individuals and corporations.”

The audit also noted that documentation chronicling cyber hunts was insufficient and incomplete. It specified that 10% of a sample of 25 threat intelligence tickets issued internally lacked the necessary information regarding the hunt process and results.

This is partially due to the fact that the IRS’ desk guide — a series of instructions that describe procedures for analysts to follow when conducting cyber hunts — lacks specifics for documenting threat landscape reports.

“The desk guide does not specify what should be included, such as actions taken to address the potential threat,” the audit says. TIGTA officials noted that the IRS updated its desk guide during the audit process.

Ultimately, the report issued two recommendations for the IRS: update the Internal Revenue Manual with current best practices for threat hunts as issued by the National Institute of Standards and Technology, and develop and deploy a formal process to review and approve proposed device or program block removals.

In response to the audit, the IRS agreed both that it needs to update its formal manual with NIST best practices and that it needs to implement a formal procedure for removing category blocks that alter access to agency network destinations.

“Malicious cyber actors intent on disrupting U.S. government operations remain a persistent threat,” Jeffrey King, acting chief information officer at the IRS, said in a response letter. “The IRS has made significant progress in continuously adapting and adjusting its processes, procedures and capabilities.”