DHS teams hunt for weaknesses in federal cyber networks

Wednesday - 7/11/2012, 5:16am EDT

Rob Karas and Don Benack, Department of Homeland Security


The Homeland Security Department is going into agency networks to find the soft spots: the places where cybersecurity defenses are weakest and pose the greatest risks.

DHS' Federal Network Security branch, under the National Protection and Programs Directorate, is having little trouble finding agencies' soft cyber underbelly.

Take one agency that asked DHS to perform a "Red Team" exercise: it thought it had 2,000 to 3,000 computers on a specific network, but Homeland Security's team stopped counting at 9,000. Rob Karas, the program manager of the risk evaluation program, or Red Teaming initiative, at DHS, said that until the agency understood its network better, it wasn't worth continuing.

"We worked with them and helped them identify why they had so many hosts on their network and how they could architect and design it better," he said in an interview with Federal News Radio. "We worked with them to remove hosts or close off networks that shouldn't have been there."

Another agency had 500 public-facing Web servers, and through DHS' analysis, it is reducing that number to about 100 and thus shrinking its attack surface.

These are but two examples from a growing list of how DHS' Federal Network Security (FNS) branch is helping agencies harden systems and networks.

"Ideally, our Red and Blue team services are designed to be a proactive engagement with agencies to improve their posture," said Don Benack, the program manager for DHS' cybersecurity assurance program within FNS. "We provide free specialized access to skills and services that are not readily available or are in high demand across the dot-gov to promote a healthy and resilient cyber infrastructure. That's the goal: to do risk-based analysis and gap analysis of capabilities and drive improvements."

DHS taking different Red Team approach

Congress appropriated $35 million for the FNS branch, of which about $7.6 million can be used for these Red Team analyses. For 2013, Congress so far has appropriated a little less for these Red Team efforts.

Typically, Red Teams try to hack into a network to highlight its vulnerabilities. But Benack said DHS is taking a different tack, one that gets to the heart of the problem more quickly.

"The Red Teams, rather than focusing on system compromise, focus on risk evaluation, which allows us to optimize the process a little bit," he said. "Instead of spending time breaking into the system and then using that as proof to an agency that they have a problem, the idea is to identify threats and vulnerabilities actively working against their agencies. What are the threat vectors they have to worry about? What are the active, actionable vulnerabilities on their network? We then marry that together with an agency-specific point of view so they can address those risks first and foremost."

DHS FNS also provides Blue Teaming exercises, which have been going on for a few years.

Benack said the Blue Teams look at how agencies are meeting the requirements under the Trusted Internet Connections (TIC) initiative to consolidate public Web gateways.

"Our Blue Teams take a proactive look at the capabilities in place. Do you have the foundational elements to your program to defend against an attack, to respond and recover from an attack, and hopefully prevent an attack up front?" he said. "They also assess and validate agency implementation of technical controls, tools and technologies: people, processes and program maturity."

DHS also is expanding the Blue Teaming efforts beyond TIC to ensure agencies' cyber capabilities are aligned with the requirements established by the Obama administration's cross-agency priority goal for cybersecurity and continuous monitoring efforts.

New service for agencies

The branch launched the Red Teaming exercise in late February after Congress approved the fiscal 2012 budget. Over the last four months, DHS has conducted five Red Team evaluations and has five more scheduled for the rest of the year.

Karas said the goal is to perform 26 to 30 Red Team engagements annually.

DHS also has done 28 Blue Team assessments with six more agencies on tap.

The Red Team exercises take about two weeks for the average agency. Karas said the five-person team, which is usually made up of a federal manager and four contractors, spends a week doing external analysis of the customer agency's system and a week doing internal analysis.

"Right now, it's up to an agency's chief information security officer or chief information officer to determine if they want or need Red Team services," Benack said. "We work with them to determine the system or group of systems that are most important to look at."