Agencies applying threat intelligence to stem tide of cyber attacks

Thursday - 4/25/2013, 5:39am EDT

Agencies are taking a deeper dive to understand not only how their computers are being attacked but also the patterns of the attacker.

Cyber threat intelligence is a growing trend across the government. It's more than just knowing that one's computer network is under attack, and it's more than knowing even who or what kind of attacker is going after your data—whether a nation state actor or a cyber criminal group or even just a run-of-the-mill nuisance hacker.

The idea behind cyber threat intelligence is to understand more about the attack and the attacker than ever before by matching up patterns, anomalies and other characteristics of the bad guys.

"One of the challenges that offers the most promise for cybersecurity is figuring out faster ways to do analytics on this rich set of data that we already have," said Gil Vega, the Energy Department's chief information security officer, at the McAfee Public Sector Summit in Arlington, Va. Tuesday. "We had a zero day attack the other day that we orchestrated a really good response to, but it was clear in the postmortem that we had breadcrumbs of this event a lot earlier than this detection. We had that on disk ready to be exploited in our defense of our systems."

He said those signs, or breadcrumbs, weren't brought to the forefront to use in Energy's defense as quickly as they could be.

"That's where a big focus of our efforts, budget and energies are on right now," Vega said. "We have the data, how do we exploit it quicker? How do we share the information quicker with our cyber defenders around the cyber complex?"

Asking different questions

Dave Marcus, McAfee's director of threat research and intelligence and chief architect, said five years ago customers were not asking for this type of information. Now the questions McAfee gets are much different as customers want more detailed information about the threat, the attack, the attack pattern and other things.

Vega said Energy already has advanced capabilities to detect and review cyber data, so its goal is to continue improving its information sharing capabilities. He said Energy wants to construct an information sharing fabric that provides real-time, all-to-all collaboration across the department, with little to no latency between the data leaving the network and its appearing on the collaboration website.

A common theme around threat intelligence is information sharing.

Alma Cole, the chief system security officer at the Customs and Border Protection directorate within the Homeland Security Department, said threat intelligence is important today because current security such as firewalls or antivirus software can't stop all the vulnerabilities agencies face.

"There remains today a gap, and it's a significant gap between when something actually happens to you and when the traditional security vendors would actually tell you something has happened to you, if they tell you at all," Cole said.

"Organizations who are serious about cybersecurity need to implement tools, processes, procedures and teams to be able to close that security gap between what's being protected and what's not being protected in their environment."

He added the gap is about having the wherewithal to see the attacks when they are really happening, instead of discovering them late in the event when the malware or virus could have already morphed to hide inside the network where detection becomes much harder.

Cole said threat intelligence gives agencies real-time information about their networks, or the ability to do retroactive analysis of what has already happened, in a way that shines a light on potential problems.
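The retroactive analysis Cole describes, and the "breadcrumbs on disk" Vega mentions in his postmortem, come down to the same exercise: once an incident hands you an indicator, sweep the logs you already hold for earlier sightings of it and measure how far ahead of detection they sat. The script below is an added illustration written for this article, not code from Energy, CBP or McAfee. The log lines, the domain, the IP address and the indicator names are constructed for the example; the detection timestamp is the made-up IDS alert in the sample.

```python
"""Retrospective indicator sweep over historical logs.

Given indicators recovered during an incident postmortem, search earlier
log records for the same indicators and report when each was first seen,
i.e. how long before detection the breadcrumbs were already on disk.
Example code only; all data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

# Constructed sample logs (not real data): '<ISO-8601 ts> <source> k=v ...'.
# The domain and addresses are reserved example/documentation values.
SAMPLE_LOGS = """\
2013-04-10T08:14:02Z proxy src=10.1.4.22 dst=update-cdn.example.net url=/a/b.js status=200
2013-04-10T09:30:45Z dns client=10.1.4.22 query=update-cdn.example.net answer=203.0.113.17
2013-04-12T11:02:10Z proxy src=10.1.7.9 dst=intranet.example.gov url=/index.html status=200
2013-04-15T16:45:33Z av host=ws-0422 file=svchost32.exe action=quarantine
2013-04-16T02:11:08Z dns client=10.1.9.14 query=update-cdn.example.net answer=203.0.113.17
this line is malformed and must be skipped
2013-04-22T13:05:51Z ids alert=beacon src=10.1.4.22 dst=203.0.113.17 signature=custom-c2
"""

# Hypothetical indicators recovered in the postmortem, keyed by a label.
INDICATORS = {"c2_domain": "update-cdn.example.net", "c2_ip": "203.0.113.17"}

# The moment the IDS finally alerted (last sample line); sweep only before it.
DETECTED_AT = datetime(2013, 4, 22, 13, 5, 51)


@dataclass
class Record:
    ts: datetime
    source: str
    fields: Dict[str, str]


def parse_line(line: str) -> Optional[Record]:
    """Parse one log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields: Dict[str, str] = {}
    for kv in parts[2:]:
        key, sep, value = kv.partition("=")
        if sep:  # ignore bare tokens without '='
            fields[key] = value
    return Record(ts=ts, source=parts[1], fields=fields)


@dataclass
class Sighting:
    first_seen: datetime
    last_seen: datetime
    hits: int = 0
    hosts: Set[str] = field(default_factory=set)


def sweep(log_text: str, indicators: Dict[str, str], detected_at: datetime) -> Dict[str, dict]:
    """Return, per indicator, first sighting, hit count, hosts and lead time before detection.

    Matching is exact equality against any field value, so a domain indicator
    matches 'dst=' or 'query=' but not a URL path that merely contains it.
    Records at or after detected_at are excluded: we want what was missed.
    """
    sightings: Dict[str, Sighting] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.ts >= detected_at:
            continue
        # Whichever field names the affected endpoint in this record type.
        host = rec.fields.get("src") or rec.fields.get("client") or rec.fields.get("host", "?")
        for name, value in indicators.items():
            if value not in rec.fields.values():
                continue
            s = sightings.get(name)
            if s is None:
                sightings[name] = Sighting(rec.ts, rec.ts, 1, {host})
            else:
                s.first_seen = min(s.first_seen, rec.ts)
                s.last_seen = max(s.last_seen, rec.ts)
                s.hits += 1
                s.hosts.add(host)
    return {
        name: {
            "first_seen": s.first_seen,
            "last_seen": s.last_seen,
            "hits": s.hits,
            "hosts": sorted(s.hosts),
            "lead_time": detected_at - s.first_seen,
        }
        for name, s in sightings.items()
    }


def run_example() -> Dict[str, dict]:
    """Sweep the constructed sample with the hypothetical indicators."""
    return sweep(SAMPLE_LOGS, INDICATORS, DETECTED_AT)


if __name__ == "__main__":
    for name, info in run_example().items():
        print(f"{name}: first seen {info['first_seen']:%Y-%m-%d %H:%M}, "
              f"{info['hits']} hits on {info['hosts']}, "
              f"{info['lead_time'].days} days before detection")
```

On the sample data the domain shows up twelve days before the IDS alert and on a second host the analysts would otherwise not have known about; that interval is the detection gap Cole is talking about, and closing it is a matter of running this kind of sweep continuously against fresh intelligence rather than only in the postmortem.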

Internal, external sharing must happen

Over at the Defense Department, cyber threat intelligence comes from several avenues.

Teri Takai, the DoD chief information officer, said information sharing inside the Pentagon and around the government ranks in her top seven priorities.

Takai said sharing threat intelligence with the private sector and other agencies is becoming more important.

"Many of you know we have the Defense Industrial Base information sharing, information assurance effort, but there are efforts such as the Committee on National Security Systems," Takai said. "Many of you in the room work with us on CNSS and you will see and have seen that become much more active, much more aggressive, working together with DHS to be able to get the information shared, to get us to a more uniform architecture, really across the U.S. government."

Internally, she said DoD must make sure it is not collecting the same information in more than one place, and the military needs a more effective way of using the information it does collect.