Cyber defense strategies continue to rapidly evolve, with some organizations lagging and some chomping at the bit about new, shiny tools and technologies. Some of the nation’s best thinkers on this subject instead urge a strategy encompassing strong public-private cyber threat intelligence exchange, adaptive cyber defense leveraging automation and orchestration, and basic cyber hygiene implemented correctly and regularly.
On June 11, 2019, the Technology Association of Georgia (TAG) presented its first ever Cyber Alliance Forum in downtown Atlanta, featuring keynote speaker Jeanette Manfra, Assistant Director of Cybersecurity for the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). She was also joined by Major General Patricia A. Frost (Ret.), Former Director of Cyber, Office of the Deputy Chief of Staff, U.S. Army; Geoff Hancock, Principal & CISO, Advanced Cyber Security Group; Kimberly Watson, Technical Director for Integrated Adaptive Cyber Defense, Johns Hopkins University Applied Physics Laboratory; Dr. Michael Farrell, co-executive director of the Institute for Information Security & Privacy (IISP) at Georgia Tech; and Vladimir Svidesskis, Information Security Director, Georgia Lottery Corporation.
The interactive event also featured a “live hack”—a fictional exercise that allowed participants to experience a live cyberattack and watch these leading experts react to it using real-time cyber defense techniques.
Beginning with her keynote speech, Manfra expanded upon a term she coined that has become part of the federal cybersecurity lexicon—“collective defense.” It’s the idea that both the public and private sectors must work together to help defend national security in cyberspace—a simple concept in hindsight but not always practiced. Back in 2001, 9/11 served as a wake-up call to the federal government by showing they needed to do a better job sharing and exchanging information with the private sector. While traditional counterterrorism improved since 9/11, “collective defense” presented more ambiguity because cyber information is much more complicated. When we spot a cyber threat, is it serious? We often don’t know immediately because the clues are not always obvious.
Additionally, the internet was not originally designed for security. Even today, consumers and businesses want all the things the internet offers but resist the security tradeoffs. During the past few years, cybersecurity has intruded upon everyone whether they like it or not—exponentially and glaringly growing in importance with threats to critical infrastructure, elections, and our economy. Previously known as the National Protection and Programs Directorate (NPPD), the now elevated and redesignated Cybersecurity and Infrastructure Security Agency (CISA) solely focuses on protecting critical infrastructure. A high correlation exists between threats to federal agencies and the private sector, and CISA understands that a bridge needs to strengthen between the federal government and private companies—especially those companies responsible for a part of our country’s critical infrastructure.
While cyber threat information exchange is great in theory and has been practiced by ISACs and other clearinghouses for years, DHS has only recently ramped up its own efforts to effectively exchange threat information with the private sector. The process is still problematic, as many efforts still don’t protect against specific threats and threat actors. Part of it is psychological. We need to think like the adversary, as we often miss the forest for the trees. For example, disrupting financial systems involves not only banks but also exploiting the trust of partners and other parties. When Russia recently targeted our energy sector, they got in through construction companies because they took time to map out and exploit business relationships. By getting in through business systems, an adversary has a greater chance of entering operational systems. Nation states are also patient—often performing reconnaissance, waiting, and grabbing an organization’s most important information when it least expects it.
We need to refine our collective understanding of the threat data we receive and share. Once a threat is understood, an organization such as CISA is in a position to block that threat. But it’s difficult to prevent cyberattacks through our current exchange of indicators and warnings. Many private companies don’t want to share their information with the federal government for liability reasons or because of frustration lingering from years past, but we’ve seen better information sharing over the last 4-5 years—from DHS’s own improved efforts to organizations such as the Cyber Threat Alliance.
It’s important to note that CISA cannot accomplish its mission alone. It needs public-private partnerships, especially because the federal government has limited shared visibility into critical infrastructure mostly owned by the private sector. CISA recently published four national critical functions that thoroughly outline key areas of critical infrastructure with associated component parts:
Protecting these critical functions is important. Nation states now seek to hack into and hold critical infrastructure at risk for a geopolitical or military advantage—and the critical infrastructure attack surface spreads across all these critical functions in ways that are very complex. For example, what are the components and functions of a stable financial system? Because of this complexity, vulnerability researchers, vendors, and other experts from the private sector need to be part of the national conversation.
Considering these critical functions, how does the private sector help? How do they form part of our collective defense? It’s an ongoing conversation, especially at the federal level. Collective defense is a difficult idea for people to grasp in DC where they still see defense in traditional terms. We need to have this conversation because the federal government cannot get involved with every data breach and cyberattack. What’s the role of the government and military? A lot of conversation is occurring around national cybersecurity policy and data privacy, and more practitioners (such as through organizations like the NTSC) need to keep this policy conversation moving forward.
Collective defense involves several key aspects, especially when combatting the cyberattacks of nation states. Deterrence activities, such as those led by US Cyber Command, help militarily. Agencies such as CISA help protect critical functions. Cyber threat intelligence exchange is maturing and improving but needs more participation. But, maybe most importantly, everyone in the public and private sector needs to do the cyber basics of their jobs. This means elemental cybersecurity and cyber hygiene such as patch management. For example, the Heartbleed bug affected the federal government a few years ago because agencies weren’t patching critical vulnerabilities. In the past few years, enforced 30-day mandates have fixed many of these problems at federal agencies, but external-facing risks are still a major factor in weakening our collective defense. It’s really a behavior and prioritization problem, and there should be easier, less expensive ways to fix these problems than currently exist.
It’s important to create bold contingency plans that delineate what we do if something happens. After the City of Atlanta’s ransomware attack, everyone wanted to help but the aftermath was chaotic when people lacked clear roles and responsibilities. Do you know who to call if you have an incident? Ongoing, proactive cybersecurity best practices combined with having a clear plan in case of a worst-case scenario both will go a long way toward helping our collective defense. And part of that plan includes adaptive cyber defense strategies.
One concept mentioned during the panel discussion was Integrated Adaptive Cyber Defense (IACD), defined on its website as “a strategy and framework to adopt an extensible, adaptive, commercial off-the-shelf (COTS)-based approach to cybersecurity operations. IACD increases the speed and scale of cyber defenses by leveraging automation to enhance the effectiveness of human defenders, moving them outside the response loop into a response planning and approval role ‘on the loop’ of cyber defense.”
Breaking apart the definition reveals some interesting insights about this approach:
A large part of the discussion focused on the consequences of automation on cybersecurity—both from a tactical perspective and from a human resource perspective. While some organizations may fear that automation takes people out of the loop, automation offers speed that is impossible for a human to accomplish. Currently, we put too many people on too many loops, which causes cybersecurity to suffer. When automation and orchestration are introduced, most operators are relieved and happy to move up to a different level of work. It resets what’s “easy,” and we end up expecting more from Level 1 cyber engineers.
Several dozen SOAR (Security Orchestration, Automation and Response), automation framework, and TIP (Threat Intelligence Platform) products and tools exist on the market. However, thinking that a tool will serve as a magic bullet does not address the problem of cyber defense at its deepest roots. A practical application of cyber risk management involving automation, orchestration, and information exchange will require a change in perspective and behavior by many organizations. Typical business operations require processes to automate and assets to protect, and these businesses need to secure, automate, and expand the speed of their cyber defense to scale. However, companies get stuck and think a cyber defense strategy is about compliance. Instead, companies need to assess what they have, how they are securing it, and how they are automating it—and build from there.
Panelists decried a lack of cybersecurity education in our country that originates in K-12 and infects our thinking as adults when we see many businesses that often don’t build security into their operations. We need to communicate the value of cybersecurity to stakeholders in business terms. What’s the value of the business and specific assets, and how are they at risk with poor cyber defense? This problem becomes specifically acute with critical infrastructure. The value of the business at the plant level with operational technology requires a completely different discussion than how we traditionally talk about cybersecurity.
At an industrial control system (ICS) site, it’s better to talk to plant-level employees about their world instead of trying to teach them cyber. Many organizations fail at cybersecurity because they separate it from all other functions. Instead, everyone plays a part in cybersecurity. Good cyber hygiene is everyone’s responsibility. Everyone from the CFO to plant-level employees needs some kind of cybersecurity training related to their role. If everyone gets safety training, why not cyber training? This includes awareness of security risks related to home networks and other places outside the organization where employees may do work. And for executive leadership, tying business roles to cyber responsibility and risk can help convey the urgency of cybersecurity. Letting egos compete and shaming organizations into cyber hygiene (similar to how a sense of personal shame encourages personal hygiene) can also work.
Panelists touched on how AI fits into the cyber defense picture, generally agreeing that machine learning (not AI) is the most realistic near-term technology to watch mature. We need to integrate AI and machine learning into cybersecurity before they run off in completely different directions. Also, we need to understand that hackers are people too. They suffer from the same foibles and organizational challenges as legitimate organizations. Many strategies such as sanctions and naming/shaming of nation states and individual hackers do work. But to combat these adversaries, we need a true “collective defense” where public-private information exchange also involves partners throughout the supply chain. To be capitalists and make profit, we ultimately need a healthy public-private cyber threat intelligence exchange to support capitalism—and this exchange is an essential part of an integrated adaptive cyber defense.
During the live hack exercise, attendees discovered that employees of a company could not access computers, computers were restarting at odd times, employees were accessing information at unusual times, and problems began to migrate from server to server. The panelists and other cyber experts suspected malware or a keylogger, with a hacker using the server and computer issues as a distraction while the malware propagated. They discussed best practices around detecting, containing, declaring, and communicating about the incident.
One distinction they made was between merely suspicious behavior and actually deployed malware or a system locked out from users. Depending on what the adversary was doing, the organization might monitor the activity to collect intelligence instead of stopping it right away. They pointed out that the organization should identify whether this cyberattack was the result of a software vulnerability such as a code flaw. Important questions should be asked, such as “Where is the software utilized?” and “Are other business partners involved or impacted?” Also, communication becomes essential during such an incident—both internally and to the outside world.
Events like these demonstrate the importance of an incident response plan wrapped into a larger business continuity strategy. Best practices such as prohibiting or severely limiting the use of thumb drives, providing soft tokens, and strengthening port security can also limit damage to systems. The panelists talked about measures of performance that can involve benchmarking and adhering to widely used standards. All agreed, adapting a Navy phrase, that organizations need to build cyber defense from the hull up. Prioritization is important, as many organizations do not have the money to secure everything, and no product will serve as a magic bullet. What are the highest-risk items and the low-hanging fruit? What needs to be achieved, how do you get there, and what actions are needed?