Inside Cybersecurity

Security pros say quickly evolving threats test government's cyber tools

By Charlie Mitchell / October 25, 2018

Industry representatives say DHS efforts to help improve industry's cybersecurity have grown and become more sophisticated, but the department still needs to pivot more quickly to threats like “counter incident response” in which adversaries are already thinking several moves ahead of the defender.

“DHS is 100 percent better than it used to be, but not as agile as industry would like to see,” said Mitchell Jukanovich, the vice president for federal at Tripwire, a security services provider. “The emerging threats are often community-specific, but one constant thing rings true: Have situational awareness across networks, and don't lose sight of the basics.”

That seems to be a space where DHS can play a major role -- and is doing so, on an operational basis, through the National Cybersecurity and Communications Integration Center, according to some industry sources. NCCIC is “giving us what they get,” said one source from a critical-infrastructure sector. “NCCIC is the most regular contact we have and they're very helpful.”

DHS' Jeannette Manfra on Tuesday referenced NCCIC's work in asserting the department's authority to share with the private sector the information it is able to digest from a variety of sources.

But the question of agility and responsiveness to evolving threats is still prevalent in cyber circles.

“DHS has stepped up its game in both notifying and protecting American corporations,” said Tom Kellermann of the security firm Carbon Black. “That being said, American cyberspace is a free-fire zone with a multiplicity of actors. DHS should look to issue an alert on the increased prevalence of both ‘counter incident response’ and ‘integrity attacks,’ which have exploded in recent months."

A spokesperson for Carbon Black added, “One example where we can see an increase in counter incident response and integrity attacks is within the financial sector. In May of this year, Carbon Black published a survey around the 'Modern Bank Heist' which details the changes and increase in cyber attacks within the financial industry.”

The firm found that “46% of [incident response] engagements have experienced counter-incident response measures making it more difficult to eradicate an attacker and their footholds."

Speakers at a recent conference also cited data destruction -- as an emerging means of attackers covering their tracks -- and credential theft for unknown purposes as two growing areas of concern.

Some industry speakers at the conference suggested private-sector sharing on threat trends was moving beyond what DHS has to offer. But representatives of key critical-infrastructure groups were quick to stand up for the department’s efforts in subsequent interviews.

On specific advanced threats, a DHS official cited several alerts issued by the department on related topics. For instance, DHS issued an alert Oct. 3 on credential theft and a couple of 2017 reports on data destruction, including one on NotPetya and another on the Petya ransomware.

Some observers said such offerings fall short of what's needed -- and needed quickly -- in this threat environment. But whether the information and tools provided by DHS are adequate for confronting the most current threats is not such a straightforward question as it may seem, commented Vikram Phatak, CEO of NSS Labs, which tests cyber products.

Phatak said in an email: “There is an ecosystem of 'bad guys' -- exploit developers + malware developers + attackers who compromise watering hole websites + fast flux exploit / malware hosting websites + spear phishers that lure people to exploit/malware websites + command and control backend, etc.”

That means, he said, “the single biggest problem is the number of infections that are dormant or at least staying hidden under the radar that can be co-opted for an alternate purpose. Just because an employee is infected with a cryptocurrency mining malware today doesn’t mean someone won’t purchase access to that employee's computer for a more nefarious purpose tomorrow. … Analogy: When you go into the hospital, the first thing they do is stick you with an intravenous injection so that they can give you whatever drugs they want later on."

Phatak said, “I think DHS, FBI, and other agencies have a lot of visibility into that ecosystem and who is infected. The challenge becomes competing priorities. Is it worth it to break up a criminal cryptomining enterprise when they also have ties to terrorists? Or is it better to gain intel? It is a complicated problem that doesn’t have an easy answer."

Phatak suggested three measurements “that need to be considered together and with context: number of alerts, how much of the malicious activity are we seeing; alert/detection quality, how specific and actionable is the data; and time to detect, how quickly are we identifying malicious activity.”
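As an added illustration of why Phatak's three measurements have to be read together rather than one at a time, the following Python scores two hypothetical detectors on alert volume, alert quality and time to detect. It is example code written for this page, not anything from NSS Labs, DHS or the article; the detector names, hosts, timestamps and triage verdicts are all constructed, and a fourth figure, coverage (share of real incidents detected at all), is assumed as the context that the three raw numbers need.

```python
"""Added example (not from the Inside Cybersecurity article or NSS Labs):
scoring two hypothetical detectors on the three measurements quoted above,
alert volume, alert quality and time to detect, over constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Incident:
    host: str
    start: datetime        # when the malicious activity really began (ground truth)


@dataclass(frozen=True)
class Alert:
    host: str
    time: datetime
    true_positive: bool    # analyst's triage verdict; constructed for this example


T0 = datetime(2018, 10, 1, 9, 0)  # constructed reference timestamp

# Constructed ground truth: three real intrusions on three hosts.
INCIDENTS = [
    Incident("wks-01", T0),
    Incident("srv-07", T0 + timedelta(hours=2)),
    Incident("wks-22", T0 + timedelta(hours=5)),
]

# Hypothetical detector A: noisy, but fires within minutes of every intrusion.
DETECTOR_A = [
    Alert("wks-01", T0 + timedelta(minutes=5), True),
    Alert("wks-01", T0 + timedelta(minutes=6), True),
    Alert("wks-03", T0 + timedelta(minutes=20), False),
    Alert("wks-04", T0 + timedelta(minutes=40), False),
    Alert("srv-07", T0 + timedelta(hours=2, minutes=10), True),
    Alert("srv-09", T0 + timedelta(hours=3), False),
    Alert("wks-22", T0 + timedelta(hours=5, minutes=15), True),
    Alert("wks-23", T0 + timedelta(hours=6), False),
]

# Hypothetical detector B: every alert is real, but it is slow and misses one intrusion.
DETECTOR_B = [
    Alert("wks-01", T0 + timedelta(hours=1), True),
    Alert("srv-07", T0 + timedelta(hours=4), True),
]


def score(alerts, incidents):
    """Return the three measurements for one detector, plus coverage as context.

    quality     = fraction of alerts that triage confirmed as malicious
    ttd_minutes = median delay from an incident's true start to its first
                  confirmed alert on that host (None if nothing was detected)
    coverage    = fraction of real incidents that produced at least one alert
    """
    n_alerts = len(alerts)
    quality = sum(a.true_positive for a in alerts) / n_alerts if n_alerts else 0.0
    delays = []
    for inc in incidents:
        hits = [a.time for a in alerts
                if a.host == inc.host and a.true_positive and a.time >= inc.start]
        if hits:
            delays.append((min(hits) - inc.start).total_seconds() / 60)
    return {
        "alerts": n_alerts,
        "quality": round(quality, 2),
        "ttd_minutes": median(delays) if delays else None,
        "coverage": round(len(delays) / len(incidents), 2),
    }


SCORES = {"A": score(DETECTOR_A, INCIDENTS), "B": score(DETECTOR_B, INCIDENTS)}


def rank(scored, metric):
    """Detector names ordered best-first on a single metric taken in isolation.

    Lower is better only for time to detect; a detector with no detections
    (ttd None) ranks last on that metric.
    """
    def key(name):
        value = scored[name][metric]
        if metric == "ttd_minutes":
            return float("inf") if value is None else value
        return -value
    return sorted(scored, key=key)


if __name__ == "__main__":
    for name, s in SCORES.items():
        print(name, s)
    # Each metric alone crowns a different winner; only together with
    # coverage does the picture make sense.
    for metric in ("alerts", "quality", "ttd_minutes"):
        print(f"best on {metric}: {rank(SCORES, metric)[0]}")
```

On this constructed data detector A wins on alert volume and on time to detect (median 10 minutes versus 90) while detector B wins on quality (every alert is real) but detects only two of the three intrusions; which of those matters most is exactly the per-organization judgement the article goes on to describe.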

He said that from his perspective “time to detect is the most important metric,” but that this can differ for various organizations. -- Charlie Mitchell (cmitchell@iwpnews.com)