John Hickey, the cyber development director for the Defense Information Systems Agency (DISA), at a recent Federal Computer Week Security Summit in the District of Columbia, said, “Anyone trying to secure their networks must have some kind of hunt capability.”
Hunt capability is the ability to rapidly discover and eradicate threats that try to evade defenses. Hickey described three components of DISA’s hunt capability: people, in the form of Cyber Protection Teams; security integrated in the cyber environment; and identity and access management.
Cyber Protection Teams
DISA and the Joint Force Headquarters-Department of Defense Information Networks (JFHQ-DODIN) focus on the hunt mission and put significant emphasis on training cyber protection teams (CPTs), whose job it is to maintain oversight of that mission.
“The tools available today have seams and gaps, and the enemy is vast, large and global with time and space [to plan and execute], just as in all military operations,” said Hickey.
By training cyber warriors inside the environment, inside key terrain, DISA is reinforcing the skill sets needed to hunt down threats that evade existing tools.
The CPTs under DISA’s control receive extensive training, to include immersion training alongside red teams—whose mission is to find vulnerabilities—during exercises and deployments.
All CPTs also receive enhanced training on tools and systems such as the Joint Regional Security Stacks (JRSS), Big Data Platform, and Cyber Situational Awareness Analytic Capabilities, which provide the CPTs broad visibility from access points across the DODIN.
“It is key to have security early on in our environment, from the development of new technologies to knowing who we allow on our networks,” said Hickey.
Highlighting the recent milCloud 2.0 request for proposal (RFP), Hickey underscored that the emphasis on security and the agency’s need for industry to deliver those capabilities in an integrated manner were at the forefront.
He also said JRSS, and fielding it in a joint manner, is his priority, because the solution provides critical visibility all the way to the end points of the network.
“DISA is correlating all the information, coming in from both unclassified and classified [occurrences], to report where we are from a compliance standpoint in how we’ve configured our boxes, including servers and workstations,” Hickey said. “The other critical piece is how well we’re patching those [access points]. We need industry’s help to develop a more automated means to patch.”
Protecting networks largely rests on who is allowed to access them, said Hickey.
Public Key Infrastructure (PKI) is still one of the best defenses against adversaries because of the difficulty of breaking into a system requiring a strong credential. DISA is also working on derived credentials and form factor initiatives to support identity management for mobile devices, including tablets and laptops.
Insider threats exist, but learning and knowing user patterns, and key access controls, can help protect against them.
“If you’re not paying attention to your privileged users, you’re down the wrong path,” Hickey said.
Adversaries, regardless of their origin, are going after credentials, which gives them access to key information. Whether they gain entry through a phishing attempt, or as an insider, the credentials are the literal key. Once in, they will move laterally through the networks to seek out stronger credentials for further access.
Thwarting these attempts requires heavy monitoring from the inside and depends on knowing who has credentials and why, and which back-end tools are available to conduct monitoring.
Hickey concluded by challenging industry and mission partners to not rely on boundaries and barriers when it comes to network defense. Instead, he urges new views and perspectives, based on new technologies, and increased understanding of who has access to our developmental and operational environments.
“There are some really interesting developing technologies in this area that could allow us to view these threats and protections much differently,” said Hickey.
About DISA's JIMS Structure
The Joint Incident Management System (JIMS) is an application on the Secret Internet Protocol Router Network (SIPRNet) that provides information assurance computer network defense incident management.
JIMS is available for data entry via a SIPRNet website and/or a JIMS unified Web services service/capability for users (United States Cyber Command (USCYBERCOM) and Tier 2 computer network defense service providers (CNDSPs)) to report, track, and search for incident tickets. In addition, JIMS provides the visualization and information sharing of incident ticket information along with the ability to enter and query data, track incidents, and generate reports via the web.
JIMS is mandated by Chairman of the Joint Chiefs of Staff Memorandum (CJCSM) 6510.01B, The Incident Handling Program, to be used by USCYBERCOM to monitor, and by Tier 2 CNDSPs to enter, reportable Department of Defense (DoD) information assurance computer network defense (IA/CND) incidents.
Through JIMS, mission partners have the ability to gain situational awareness regarding reportable cyber incidents across the DoD.
JIMS is the only system mandated for use, in accordance with CJCSM 6510.01B, by USCYBERCOM to monitor/search cyber incidents and by Tier 2 CNDSPs to enter reportable DoD cyber incidents.
JIMS is a robust, scalable incident management system that leverages best-of-breed open source, commercial off-the-shelf, and computer network defense (CND) data standards. It provides the incident management community with:
• Enhanced control, consolidation, and coordination of analysis activities
• Improved collaboration
• Better data fidelity
• Improved automation and data access