Can government agencies start sharing enough information so they can get ahead of the next cyberattack?

Even the Department of Defense is working hard to keep pace with the changing landscape of cybersecurity threats. The key, by most estimates, is information sharing. But whether the DOD and other agencies are ready for the level of sharing required is another matter.

At the Defensive Cyber Operations Symposium held this past June, Justin Ball, technical director for the Department of Defense Information Network's Operations and Defensive Planning Division, spoke about some of the challenges the agency faces from new and increased security threats.

The Department of Defense Information Network (DoDIN) is a globally interconnected, end-to-end set of information capabilities for collecting, processing, storing, disseminating and managing information on demand for warfighters, policy makers and support personnel.

Ball acknowledged that considerable attention has recently been given to the standing up of cyber mission teams in the DOD, and to the importance of cyber workforces at all levels of government. For these teams and workforces to succeed, however, he noted that threat information must be shared broadly and systematically.

Cybersecurity is defensive and offensive

A successful cybersecurity program must be not only defensive but offensive, Ball explained. It is important to know against whom you should initiate proactive countermeasures, rather than just reacting to the latest advanced threat.

And advanced threats themselves are on the increase, with network compromises more insidious and harder to detect than ever before. One of the lessons driven home after the colossal security breach of the Office of Personnel Management in 2015 was how long it can actually take for a threat to be detected. The average lag time is a shocking 205 days, and even 250 days is not unheard of.
Because of the interconnectedness of communications, new mobile vulnerabilities and new malware variants are being introduced continually. It is becoming nearly impossible for any agency to keep up all by itself.

Ball used DoDIN as an example. While DoDIN's priority is operations, it is also tasked with "freedom of action" in cyberspace while denying that same freedom to adversaries. System operators must conduct full-spectrum cyberspace operations (computer network defense, computer network attack and computer network exploitation). Cyberspace operations are informed by intelligence and threat indicators from traditional and advanced sensors, and by vulnerability information shared from both DOD and non-DOD sources.

How can you achieve this goal of cyber freedom of action, Ball asked, without knowing the threats that are out there?

Current information sharing efforts

DOD is using a variety of systems to gather threat information, Ball said. These include Host Based Security Systems, web content filters, an enterprise email security gateway and the Joint Regional Security Stack for the military's Joint Information Environment. Another tool is SharkSeer, a National Security Agency project that aims to detect and mitigate web-based zero-day malware and advanced persistent threats using commercial off-the-shelf technology.

DOD is also using privately sourced threat intelligence, such as McAfee Global Threat Intelligence; the Red Seal Threat Resource Library; and the Tenable Nessus Scanner and Passive Vulnerability Scanner.

While commercial sources of threat identification are important for DOD, so too is threat information shared by America's partners in the so-called Five Eyes intelligence alliance, which includes Australia, Canada, New Zealand and the United Kingdom. Ball noted, however, that the agency is behind the curve on information sharing, and is challenged as to how to ingest reporting information.
Automated event and incident management tools are where threat feeds really come into play, Ball noted. Analytics are required to process that much information, so automation needs to be a bigger part of any information-sharing regime.

Within the DOD, information security and continuous monitoring efforts such as risk scoring help identify "defense in depth" gaps. Defense in depth is the principle of having multiple layers of security mechanisms to increase the security of the system: if an attack causes one mechanism to fail, other layers are in place to protect the system.

Currently missing from the risk scoring, however, is what Ball called "mission dependence", namely what commanders need for mission completion.

Trust as an impediment to sharing

To get real solutions to today's cybersecurity problems, the biggest challenge is trust. Ball noted that it is essential to establish trust with intelligence community partners to get to true interoperability and automation, and to accurately evaluate the quality of information received. Some areas of DOD are building out their own knowledge base of threat intelligence. Elsewhere, information-sharing strategies are being built at the state level.

Unfortunately, analysts don't necessarily trust the information they receive, because it has been stripped of context to the point of becoming meaningless. It is challenging for analysts to draw actionable conclusions when the context is removed, Ball pointed out.

The solutions are far from clear. Ball underscored the need to expand trust with commercial entities. With a concentrated effort at relationship building, a two-way flow of information may be possible.

Another workaround may be in the packaging; Ball suggested that the name "threat information" rather than "threat intel" may make it more palatable for sharing among community stakeholders.

One thing is certain: unless all agencies find a way to exchange threat information, there will always be some holes in security defenses.
Those holes will be the way in for determined bad actors.