Mandiant published a white paper on “How Government Agencies are Facing Cyber Security Challenges”. Essentially, they do so with 4 strategies.
US federal agencies are preventing and responding to new cyber security challenges, such as destructive cyber attacks and data breaches, with 4 new strategies. The goal is to secure their sensitive information and protect vital infrastructure. These strategies are analyzed in the latest Mandiant white paper, “How Government Agencies are Facing Cyber Security Challenges”. They are: proactive cyber threat hunting; increased use and sharing of cyber intelligence data; continuous security monitoring, with an emphasis on boundary protection and security event lifecycle management; and automation and orchestration of security operations.
From proactive cyber threat hunting to increased use and sharing of cyber intelligence data
For the first two points, FireEye explains that “the federal government is turning to cyber threat hunting as a proactive means of identifying dormant threats because traditional prevention and response measures are often ineffective against determined adversaries. Mandiant, a FireEye company, has observed significant value and reduction in cyber risks from proactive threat hunting versus sifting through a wide range of time-consuming data logs and feeds. Intelligence gleaned from information sharing is now proactively incorporated into indicators of compromise (IOCs) to search for other signs of malicious activity, such as nefarious users who may be harvesting data and performing privilege escalation. Such activity likely stems from threats that have not been appropriately categorized or that include previously unknown malware. This gives analysts the ability to examine various system artifacts for IOCs linked to nation-state threat actors”.
New hunting techniques include the use of advanced detection technology to search for specific IOCs and perform sweeps specifically associated with advanced threat actors targeting federal agencies
“New hunting techniques include the use of advanced detection technology to search for specific IOCs and perform sweeps specifically associated with advanced threat actors targeting federal agencies,” Mandiant stated. “This technology allows analysts to examine various system artifacts for IOCs linked to nation-state, criminal, and other sophisticated threat actors. In addition to the automated IOC sweeps, analysts collect and analyze data using frequency of occurrence analysis to better discover anomalies that might have gone undetected with previous measures. This technique enables analysts to focus on finding deviations in the environment that IOCs did not detect. Intelligence garnered from these hunting techniques is easily codified into the IOCs used to search for other signs of malicious activity, such as data harvesting and privilege escalation by unauthorized users. These techniques also enable proactive searching for other evidence of malicious activity such as non-targeted and commodity-based malware, which can often present damaging consequences.”
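The two hunting passes described above, an automated IOC sweep followed by frequency-of-occurrence ("stacking") analysis of what the IOC list did not cover, as an added example that is not part of the white paper; the fleet inventory, the autorun keys, the paths and the IOC list are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed fleet inventory: host -> list of (autorun key, image path), as an
# endpoint agent might sweep them. Hosts, keys and paths are made up.
ARTIFACTS = {
    "ws01": [("HKCU\\Run\\OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
             ("HKLM\\Run\\SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe")],
    "ws02": [("HKCU\\Run\\OneDrive", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
             ("HKLM\\Run\\SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe")],
    "ws03": [("HKCU\\Run\\OneDrive", r"C:\Users\carol\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
             ("HKLM\\Run\\SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
             ("HKCU\\Run\\Updater", r"C:\ProgramData\Updater\upd.exe")],
    "ws04": [("HKCU\\Run\\OneDrive", r"C:\Users\dave\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
             ("HKLM\\Run\\SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
             ("HKCU\\Run\\Sync", r"C:\Users\dave\AppData\Roaming\sync\sync.exe")],
    "ws05": [("HKCU\\Run\\OneDrive", r"C:\Users\erin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
             ("HKLM\\Run\\SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe")],
}

# Constructed IOC list (normalized image paths) as shared by a partner agency.
IOCS = {r"c:\programdata\updater\upd.exe"}

USER_DIR = re.compile(r"^c:\\users\\[^\\]+\\")

def normalize(path):
    """Lower-case the path and collapse the per-user profile directory so the
    same program installed for different users stacks as one entry."""
    return USER_DIR.sub(r"c:\\users\\*\\", path.lower())

def sweep_iocs(artifacts, iocs):
    """Pass one: direct IOC match over every host's artifacts."""
    return [(host, key, path) for host, entries in artifacts.items()
            for key, path in entries if normalize(path) in iocs]

def stack_artifacts(artifacts, max_hosts=1):
    """Pass two: frequency-of-occurrence analysis. Returns (key, normalized path)
    entries present on max_hosts hosts or fewer, with the hosts they were seen on."""
    hosts_by_entry = defaultdict(set)
    for host, entries in artifacts.items():
        for key, path in entries:
            hosts_by_entry[(key.lower(), normalize(path))].add(host)
    return {entry: sorted(hosts) for entry, hosts in hosts_by_entry.items()
            if len(hosts) <= max_hosts}

def hunt(artifacts, iocs, max_hosts=1):
    """IOC hits plus the rare entries the IOC list did not already cover; the
    latter are the deviations an analyst reviews and may codify as new IOCs."""
    hits = sweep_iocs(artifacts, iocs)
    uncovered = {e: h for e, h in stack_artifacts(artifacts, max_hosts).items()
                 if e[1] not in iocs}
    return hits, uncovered
```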
The US Department of Homeland Security (DHS) created a new federal Continuous Diagnostics and Mitigation program (CDM)
On continuous management and monitoring, the report recalls that “In 2013, the Office of Management and Budget (OMB) created a sweeping cross-agency objective to enable continuous management and monitoring of all federal information technology systems. This shift marked the initial acknowledgement of the shortfalls of a rigid, decade-old periodic assessment and authorization strategy hosted within a complex and interconnected information infrastructure. It also acknowledged the limitations of the government’s ability to defend against the more significant threats arrayed against these systems. To support this widespread change in the government’s approach to the protection of sensitive systems and data, the Department of Homeland Security (DHS) was authorized to create a new federal Continuous Diagnostics and Mitigation program (CDM)”.
The CDM program enables government departments and agencies to expand their continuous monitoring and diagnostic capabilities
“The CDM program,” Mandiant notes, “enables government departments and agencies to expand their continuous monitoring and diagnostic capabilities by increasing their sensor capacity, automating data collection, and prioritizing risks. The program was designed to integrate commercial technology with government networks and systems. The first two program phases focused on the foundational capabilities of asset and vulnerability management as well as identity, credentialing and access management. Phase three, which began in 2017 and will continue for several years to come, is dedicated to boundary protection and event management”.
Mandiant: phase three of the CDM program will result in significant and rapid advances of cyber security maturity
Mandiant believes phase three of the CDM program “will result in significant and rapid advances of security maturity — most notably accelerating capabilities aligned closely to the National Institute of Standards and Technology (NIST) cyber security framework in the incident response areas of detection, analysis, response, containment and recovery. Phase three is challenged by the federal government’s rapid adoption of cloud services. Government agencies are currently evaluating how the legacy Trusted Internet Connection framework adapts to newer network monitoring controls and requirements paired with constant governance changes and IT consolidation efforts. DHS and their technology partners are working closely with these agencies to address cloud-related operational challenges, which include visibility into cloud platforms and infrastructure as well as access to critical security event data for monitoring and response”.
Security orchestration can help reduce the 4 major limitations faced by federal agencies defending critical infrastructure with existing tools and capabilities
Finally, on security orchestration, FireEye added that “Agencies that must defend the federal government’s critical infrastructure with existing tools and capabilities face four major limitations: lack of skilled staff to analyze the growing number of incidents; slow incident remediation time; error-prone and inconsistent manual remediation processes; and inexperienced staff spending less time hunting for new threats and more time remediating false alerts. Security orchestration can help combat these limitations through the process of connecting security tools and integrating disparate security systems to drive automation and reduce human analysis and interactions. It requires that the organization have a mature security environment and appropriately classify actionable incidents”.
Mandiant: A mature security environment provides a holistic and accurate view of events that are occurring in the network at any given time, while limiting the amount of noise (false alerts)
In this context, Mandiant believes that “a mature security environment provides a holistic and accurate view of events that are occurring in the network at any given time, while limiting the amount of noise (false alerts). It lets analysts know what is on the network, controls access to it, and watches it. Its functions relate directly to the first two phases of the CDM program”.
Orchestration can reduce the overall security workload for a very specific subset of cyber security challenges
“Orchestration can reduce the overall security workload for a very specific subset of cyber security challenges,” the white paper states. “It will not replace manual review of specific incidents that require closer analysis and instinct or human intuition. When incidents that should be analyzed manually are auto-remediated, the incident may not be successfully or fully resolved. Before orchestration and automation protocols are implemented, incidents must first be categorized into one of two classes: an actionable event that can be automated or a non-actionable event that requires manual analysis. Event categorization requires the application of two criteria: reliability and confidence, and accepted risk of automated action”.
After an incident has been detected, the accepted risk of automated action must be assessed based on the severity and impact of it, along with the possibility of the mitigation causing added harm
“Reliability and confidence is established when the type of incident, along with the totality of supporting logs and third-party intelligence, supports a single confirming story,” the white paper reports. “After an incident has been reliably detected, the accepted risk of automated action must be assessed based on the severity and impact of the incident, along with the possibility of the mitigation causing added harm. Potential mitigation actions can be as benign as notifying a system administrator, escalating to perimeter filtering or automatic isolation and reimaging of systems. Mandiant recommends common orchestration techniques to its clients, including government agency customers, such as alert enrichment, automatic blocking of high-confidence detected threats, spam or malware submission mailbox enrichment and ticket generation and prioritization”.
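The two-criteria gate the white paper describes (reliability and confidence first, then accepted risk of the automated action), applied to the escalating mitigations it lists, as an added example that is not the white paper's or any vendor's code; the Incident fields, the asset classes, the per-asset action ceilings and the minimum source count are constructed policy assumptions.

```python
from dataclasses import dataclass

# Mitigations in the order the white paper lists them, from benign to disruptive.
ACTIONS = ["notify_admin", "perimeter_filter", "isolate_and_reimage"]

# Constructed policy: the most disruptive action orchestration may take on its own
# for each asset class, capturing "possibility of the mitigation causing added harm".
# Reimaging a workstation is accepted risk; isolating a critical system is not.
MAX_AUTOMATED = {"workstation": "isolate_and_reimage",
                 "server": "perimeter_filter",
                 "critical": "notify_admin"}

SEVERITY_TO_ACTION = {"low": "notify_admin", "medium": "perimeter_filter",
                      "high": "isolate_and_reimage"}

@dataclass
class Incident:
    kind: str               # detection category, e.g. "commodity_malware"
    agreeing_sources: int   # independent log sources telling the same story
    intel_confirmed: bool   # third-party intelligence corroborates the indicator
    conflicting: bool       # any log contradicts the story
    asset_class: str        # "workstation", "server" or "critical"
    severity: str           # "low", "medium" or "high"

def is_reliable(inc, min_sources=2):
    """Criterion 1: the logs and third-party intelligence support a single
    confirming story (constructed threshold: at least min_sources sources)."""
    return (inc.agreeing_sources >= min_sources and inc.intel_confirmed
            and not inc.conflicting)

def categorize(inc):
    """Return ("automate", action) for an actionable event, or ("manual", reason)
    for a non-actionable event that needs an analyst. Criterion 2 compares the
    action the severity calls for against the accepted-risk ceiling of the asset."""
    if not is_reliable(inc):
        return ("manual", "evidence does not support a single confirming story")
    wanted = SEVERITY_TO_ACTION[inc.severity]
    ceiling = MAX_AUTOMATED[inc.asset_class]
    if ACTIONS.index(wanted) > ACTIONS.index(ceiling):
        return ("manual", f"{wanted} on a {inc.asset_class} asset exceeds accepted risk")
    return ("automate", wanted)

def triage(incidents):
    """Split a batch into the two classes the white paper requires."""
    auto = [(i, r[1]) for i in incidents if (r := categorize(i))[0] == "automate"]
    manual = [(i, r[1]) for i in incidents if (r := categorize(i))[0] == "manual"]
    return auto, manual
```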
Mandiant's conclusions
Changes to the federal government’s security program capabilities in 2017 are primary elements of a paradigm shift from a previously federated, decentralized and reactive cyber defense footing, to a consolidated, centralized and proactive approach to defending critical network infrastructure and cyber threat data. This represents a significant transformation in how departments and agencies at all levels are ensuring the security and operational readiness of their information networks. FireEye anticipates that over time, these changes will result in amplified coverage of defensive capabilities and an improved ability to adapt and enhance those capabilities to meet the government’s evolving threat landscape. The benefits of proactive hunting and information sharing include a significant reduction in detection time, manpower and costs associated with the incident response process. Mandiant forensic investigations show that the most meaningful cyber security enhancements reported by the federal government are those which improve the speed of response and minimize the attack surface to reduce the overall risks and impacts of cyber attacks and data breaches.