A Department of Homeland Security cybersecurity Red Team was recently asked to evaluate an unidentified federal agency's systems.
The agency had indicated that it believed it had in the neighborhood of three thousand computers on the specific network it wanted the DHS team to examine.
The team had found more than nine thousand connected hosts before it stopped the scan, highlighting how little the systems administrators knew about the extent of the networks they manage.
"We worked with them and helped them identify why they had so many hosts on their network and how they could architect and design it better. We worked with them to remove hosts or close off networks that shouldn't have been there," DHS's risk evaluation program manager Rob Karas said in an interview with Federal News Radio.
The DHS Red Team is one part of the agency's Federal Network Security (FNS) division, operating under the National Protection and Programs Directorate, which is working with other federal agencies to shore up the government's overall network security posture.
"Ideally, our Red and Blue team services are designed to be a proactive engagement with agencies to improve their posture. We provide free specialized access to skills and services that are not readily available or are in high demand across the dot-gov to promote a healthy and resilient cyber infrastructure. That's the goal: to do risk-based analysis and gap analysis of capabilities and drive improvements," Don Benack, DHS's program manager for the FNS cybersecurity assurance program, explained.
Congress earmarked thirty-five million in funding for the FNS program, with nearly twenty percent of the resources directed at the Red Team analysis function.
"The Red Teams, rather than focusing on system compromise, focus on risk evaluation, which allows us to optimize the process a little bit. Instead of spending time breaking into the system and then using that as proof to an agency that they have a problem, the idea is to identify threats and vulnerabilities actively working against their agencies. What are the threat vectors they have to worry about? What are the active, actionable vulnerabilities on their network? We then marry that together with an agency-specific point of view so they can address those risks first and foremost," Benack said.
In addition to the Red Team operations, the FNS program also offers Blue Team services, which are geared more toward evaluating the policies and procedures an agency has in place, as well as looking at proactive defenses, continuous monitoring efforts, and incident response planning.
"Our Blue Teams take a proactive look at the capabilities in place. Do you have the foundational elements to your program to defend against an attack, to respond and recover from an attack, and hopefully prevent an attack up front? They also assess and validate agency implementation of technical controls, tools and technologies; people, processes and program maturity," Benack continued.
As the FNS program currently is designed, it is up to the federal agencies themselves to determine if they want the FNS teams to conduct an evaluation of their network security, as the vulnerability assessments are not mandatory.
"Right now, it's up to an agency's chief information security officer or chief information officer to determine if they want or need Red Team services. We work with them to determine the system or group of systems that are most important to look at," Benack explained.
Much like private penetration testing consultants who provide similar evaluations for private sector enterprises and organizations, the FNS teams operate under strict confidentiality arrangements with the agencies that solicit their services, and the findings from the network analysis are shared only with the contracting agency's designated personnel.
While other government initiatives seek to better share information regarding security and vulnerabilities, for better or worse, the FNS program currently is structured to promote a trust relationship with other federal agencies by not sharing findings from their analysis with other departments.
"The trust relationship is working really well. By keeping the risk evaluation optional and at their discretion to engage with us — and we hope they do choose to engage with us, because we get maximum benefit when we can get cross sampling of data from across the government that we can anonymize and do national-level trending to identify what are the emerging threats affecting all agencies, what are the common vulnerabilities, so we can help prioritize and shift resources to address the definable and quantifiable problems across dot-gov — we get a big win," Benack concluded.