From: 1500AM

By Jason Miller

The Homeland Security Department is going into agency networks to find the soft spots: the places where cybersecurity defenses are weakest and pose the greatest risks.

DHS’ Federal Network Security branch, under the National Protection and Programs Directorate, is having little trouble finding agencies’ soft cyber underbelly.

Take one agency that asked DHS to perform a “Red Team” exercise: it thought it had 2,000 to 3,000 computers on a specific network, but Homeland Security’s team stopped counting at 9,000. Rob Karas, the program manager of the risk evaluation program, or Red Teaming initiative, at DHS, said that until the agency understood its network better it wasn’t worth continuing.

“We worked with them and helped them identify why they had so many hosts on their network and how they could architect and design it better,” he said in an interview with Federal News Radio. “We worked with them to remove hosts or close off networks that shouldn’t have been there.”

Another agency had 500 public-facing Web servers, and through DHS’ analysis, it is reducing that number to about 100 and thus shrinking its attack surface.

These are but two examples from a growing list of how DHS’ Federal Network Security (FNS) branch is helping agencies harden systems and networks.

“Ideally, our Red and Blue team services are designed to be a proactive engagement with agencies to improve their posture,” said Don Benack, the program manager for DHS’ cybersecurity assurance program within FNS. “We provide free specialized access to skills and services that are not readily available or are in high demand across the dot-gov to promote a healthy and resilient cyber infrastructure. That’s the goal: to do risk-based analysis and gap analysis of capabilities and drive improvements.”

DHS taking different Red Team approach

Congress appropriated $35 million for the FNS branch, of which about $7.6 million can be used for these red team analyses. For 2013, Congress so far has appropriated a little less for these Red Team efforts.

Typically, Red Teams try to hack into a network to highlight its vulnerabilities. But Benack said DHS is taking a different tack that gets to the heart of the problem more quickly.

“The Red Teams, rather than focusing on system compromise, focus on risk evaluation, which allows us to optimize the process a little bit,” he said. “Instead of spending time breaking into the system and then using that as proof to an agency that they have a problem, the idea is to identify threats and vulnerabilities actively working against their agencies. What are the threat vectors they have to worry about? What are the active, actionable vulnerabilities on their network? We then marry that together with an agency-specific point of view so they can address those risks first and foremost.”

DHS FNS also provides Blue Teaming exercises, which have been going on for a few years.

Benack said the Blue Teams look at how agencies are meeting the requirements under the Trusted Internet Connections (TIC) initiative to consolidate public Web gateways.

“Our Blue Teams take a proactive look at the capabilities in place. Do you have the foundational elements to your program to defend against an attack, to respond and recover from an attack, and hopefully prevent an attack up front?” he said. “They also assess and validate agency implementation of technical controls, tools and technologies: people, processes and program maturity.”

DHS also is expanding the Blue Teaming efforts beyond TIC to ensure agencies’ cyber capabilities are aligned with requirements established by the Obama administration’s cross-agency priority goal for cybersecurity and continuous monitoring efforts.

New service for agencies

The branch launched the Red Teaming exercise in late February after Congress approved the fiscal 2012 budget. Over the last four months, DHS has conducted five Red Team evaluations and has five more scheduled for the rest of the year.

Karas said the goal is to perform 26 to 30 Red Team engagements annually.

DHS also has done 28 Blue Team assessments with six more agencies on tap.

The Red Team exercises take about two weeks for the average agency. Karas said the five-person team, which is usually made up of a federal manager and four contractors, spends a week doing external analysis of the customer agency’s system and a week doing internal analysis.

“Right now, it’s up to an agency’s chief information security officer or chief information officer to determine if they want or need Red Team services,” Benack said. “We work with them to determine the system or group of systems that are most important to look at.”

He said DHS also promotes the service if an agency comes to the U.S. Computer Emergency Response Team (U.S. CERT) for help with an immediate attack or threat. U.S. CERT helps the agency address the pressing risk, and then FNS offers the follow-on Red Team service.

“We have rules of engagement that our Office of General Counsel worked with us on and we created,” Karas said. “We sit down with the agency, they select the services and get it signed by the CIO, CISO and legal counsel. Then we have a scoping meeting.”

Under its Red Team offering, FNS provides a variety of services:

  • Network mapping
  • Network vulnerability scanning for wired and wireless networks
  • Threat identification
  • Social engineering, including spear phishing exercises
  • Web application testing
  • Database testing
  • Operating system testing

Karas said DHS also brings in experts depending on the agency’s services. For instance, the branch would have a database expert looking at the cybersecurity of such a system, or an expert on Linux or Windows to look at specific operating systems.

The end result of these exercises is a set of recommendations categorized as critical, high, medium and low.

Benefits from Red Teaming are clear

The branch can point to real results from the Red Teaming efforts because of the two-pronged approach it is taking. The first method is typical network scans, but FNS also lets its experts poke around inside the network.

Karas said they have found holes in one agency’s Virtual Private Network thanks to the expert reviewing its setup.

Benack said it’s up to the agency to implement the recommendations, and the branch does not share the recommendations with anyone but its agency contact.

“The trust relationship is working really well,” he said. “By keeping the risk evaluation optional and at their discretion to engage with us — and we hope they do choose to engage with us because we get maximum benefit when we can get cross sampling of data from across the government that we can anonymize and do national level trending to identify what are the emerging threats affecting all agencies, what are the common vulnerabilities so we can help prioritize and shift resources to address the definable and quantifiable problems across dot-gov — we get a big win.”