The head of America’s cyber rapid-response team explains how it learns valuable lessons from devastating breaches.
US-CERT, as it is known, protects the country’s computer networks by analyzing malware samples, intrusion patterns, and other digital residue left over by hackers, and then packaging those insights into guidance for federal agencies and critical-infrastructure sectors (the nation’s most sensitive shared resources, like power plants and hospitals).
It deploys incident-response teams to the sites of massive cyberattacks (it worked with Sony in 2014 and the Office of Personnel Management in 2015), and it coordinates international cybersecurity efforts with other nations’ CERTs.
“We’re not the Geek Squad.”
The mission of US-CERT, a Department of Homeland Security unit established in 2003, is to study active intrusions for lessons that can inform the design of more robust security systems. “One person’s detection can be another person’s mitigation,” Ann Barron-DiCamillo, director of US-CERT, told the Daily Dot.
Barron-DiCamillo has led US-CERT for almost three years. Before arriving at DHS, she served in senior roles at the Commerce Department and the military’s Defense Information Systems Agency. She has been working to make U.S. computer networks more resilient against hackers for almost a decade.
In an interview with the Daily Dot, Barron-DiCamillo described US-CERT’s structure, its incident-response activities, and its partnerships with frequently targeted industries like the financial sector. She discussed the role that recent legislation like the Cybersecurity Information Sharing Act (CISA) could play in her team’s cyberdefense work and explained the importance of strong encryption, a hotly debated political topic with significant security ramifications. And she described the evolution of cyber threats over the past decade, as determined hackers have shifted focus from brute-force network penetrations to savvier, more indirect attacks.
If you told the average American that the U.S. has a Computer Emergency Readiness Team, they’d probably picture a bunch of technicians in a room filled with monitors, watching a map of cyberattacks flooding into the U.S. How does that picture compare to what a day at US-CERT is really like?
Ann Barron-DiCamillo: We get that question quite often. We are a 24/7 cyber operations center. Our focus is to strive for a safer, stronger Internet for all Americans by responding to incidents. We analyze threats … [and] exchange any applicable information that we derive from that information with our trusted partners around the world.
What you would see if you were to come into our watch floor is different types of analytical-focused work, from malware analysis to forensic analysis to network analysis, incident response, analysis that comes back from activities, and then we send out our incident response teams. We have a large organization specifically focused to the communications associated with all of that data, ensuring that we’re sharing that information in a timely fashion to our constituents and our partners, and ensuring that it’s fully accurate and vetted information.
We’re trying to ensure that, as we share that information, that we also have an ability to receive feedback associated with that and have that open dialog. It’s all about timely and actionable information-sharing in cyber, and the analysis work that we do really helps [us] collaborate with our partners in focusing on trying to mitigate the risks associated with cyber.
We do a lot of work with [the] international community. We always say that cyber has no borders. It’s really important for us to maintain relationships around the globe, because things that can trend in the U.K. can quickly start to trend within the domestic market in the U.S. hours after that. Having those kinds of relationships and partnerships help us be actionable in information-sharing that we do, and helps … one person’s detection can be another person’s mitigation. That’s a focus area for the kind of work that we do here.
But like I said, we are [a] 24/7 operations center, so that work is going on around the clock. Those teams are focusing on activity that’s happening both in the wild as well as activity that is being reported to us by our trusted partners.
What is the process for a company to report an incident to you and get assistance from US-CERT personnel? What criteria does it have to meet for you to devote resources to it?
So there’s a number of different types of resources we can devote to requests that we get. Are you referring to incident-response-type resources or just validation of information, or “Oh, I have a spearphishing email that I received” kind of activity? We do response around all three of those kind of scenarios and even more. Depending on what information is sent to us, is going to [determine] what kind of action we would provide back.
Incident response is what I was thinking of specifically.
We’re focused on incident response for the federal civilian network. That’s our primary constituent that we would do incident response investigations with. And then critical infrastructure partners domestically. We’re not the Geek Squad. We can’t do incident response for every single entity that has an event. So we have to prioritize our limited resources to those entities. We also try to prioritize or incident-response engagements to those that we [determine] from information that we’ve gained from initial conversations, that it’s going to be what we consider to be more of an advanced persistent threat. We provide mitigations for things that can do themselves.
But if it’s an advanced persistent threat, we’re going to want to send a team on-site, because that means that you can’t just reimage a box and get rid of the actor within your network. You’re going to need to do more of a long-term assessment. Probably whatever you found could just be the tipping point of where the adversary is within those networks.
We try to focus on, like I said, the more sophisticated actor sets, and we focus our attention toward our main constituency, which is the federal civilian networks, as well as our critical infrastructure partners.
What is the division of labor like at US-CERT. Do you have personnel split into teams for individual major cyber incidents, do you have people who specialize in working with different industries?
Yes, we do. We have network analysis that is looking at the federal civilian networks, and then we also have partnerships with different critical-infrastructure partners. But I think we’re more functionally matrixed than sector-specific, if that makes sense. We’re focusing our analysis on the functionality of that [threat environment]. A network analyst’s going to do a different type of job than maybe a forensic analyst, although that information can benefit both the government as well as a critical infrastructure partner.
“About 80 to 85 percent of the incidents we respond to would be mitigated if these controls were implemented as well as monitored on a regular basis.”
We’ve aligned ourselves more to the functional aspect, or the capability, of the analytical role, versus specific to a sector. Although we do have some analysts that, the majority of their time within that functional aspect is taken up with .gov, or critical infrastructure, or state and local [governments]—because we do a lot of work with state and local [governments] as well. That’s how we’ve arrived [at a setup].
From an incident-response perspective, those teams are made up of any number of analysts with specific skills based on what the event is, what happened. Depending on what kind of environment, if it’s a Linux environment or if it’s a Windows-based environment or if it’s a network issue associated with hardware and the routing systems associated with that—we’re going to send in a team with the right skill set to address that. It’s very dependent upon the event, if that makes sense, versus “We always send these five players out for every single event.” We send the right resources to address the specific event. And then we’ll also bring in additional resources as we uncover additional aspects of the event that need those kinds of specific resources that maybe weren’t part of the original team.
What kinds of information do you get from your partners in critical infrastructure sectors, and how do you change the way you look for attacks using that information?
That’s the focus of our effort, to try to identify that cyber activity and then share that both in a timely and actionable format with our partners around all of our constituents. We derive information from the on-site incident-response teams’ endeavors as well as things that are sent to us. We get malware reports every day that our analysts are doing here, and that information is derived from those original samples or sources, and then it is put into our [research] products, which we share across our portals as well as on our website.
We also then help create those kinds of signatures around indicators of compromise that are derived from those events. We’ve put them into the EINSTEIN system for protection of the .gov [space]. And then we share those IOCs, or indicators of compromise, through our [research] products more broadly, both domestically and internationally. One of the things we’re always emphasizing is the top-five controls. About 80 to 85 percent of the incidents we respond to would be mitigated if these controls were implemented as well as monitored on a regular basis.
We’re continuing to look at that list of five controls and ensure that, as things shift and change, based on what we’re seeing from an incident-response perspective, that we’re making those modifications.
It used to be four, and we added one this year, which was network segmentation, because we’ve seen so many incidents where the networks were very flat, there was no network segmentation, and so the adversary, once they got a hook, was able to go far and wide across that network. We’ve added that in as a basic control that we want to see leveraged across the communities that we serve. And the other four are reducing admin privileges, patching of both operating systems as well as applications, and then leveraging application whitelisting tools.
Tell me about the difference between cyber incidents that exploit sophisticated industrial-grade technology—for example, something that’s custom-built for an enterprise IT environment—versus cyber incidents that exploit common consumer products like Google Chrome, which I see mentioned in many US-CERT alert emails. How does incident response differ based on the sophistication of the exploited product?
That was what I was getting to at the beginning when I talked about the kinds of things that we would send an on-site [team] to engage in. [We send teams when we see] activity that means that the adversary … has long-term horizons and is well-funded and they’re going to have multiple imprints around your environment that you can’t just detect with a fast sweep or a scan. They’re going to have built-in backdoors to get back into the environment even after you’ve mitigated the things that you found. Those are the engagements that we’re going to send teams to assist the victim in.
Like you said, there’s vulnerabilities that are announced every day about a number of capabilities or software or hardware that we all use on a daily basis. We continue to encourage the patching of those systems. It’s important to make sure that your patching is up to date and that it’s a process that is constantly monitored. I think we see, a lot of times, out-of-cycle patching that is not applied appropriately and is sometimes even overlooked, and that’s also led to events where different adversaries can leverage those kinds of activities as a foot into an environment.
As we see certain things trending, certain vulnerabilities—we put out a paper, I believe it was around this time last year, or maybe in the spring; I have to go back and look—and we partnered with our Five Eyes partners—so with CERT-UK, Public Safety Canada, Australia CERT, as well as the New Zealand CERT—and we looked across our domestic markets at what common vulnerabilities were we constantly seeing as far as incident-response activities and engagements, not only in our government space but also in our critical infrastructure and just general space of the Internet within our domestic markets. We came up with about 31 different CVEs, which are common vulnerability exploits. Those CVEs, some of them have had a patch available since 2008, 2009. We put together a [research] product, again, informing our community [about] the importance of patching, and specifically these patches, because we continue to see adversaries successfully leverage these CVEs to get into environments that we work to protect.
We look across all different kinds of constituencies to try to partner on those kinds of messages as we see a trend around a certain vulnerability that’s being exploited, be it, like you said, something that’s more obscure, or if it’s something that is in the general market—that’s where we would put that broader work together with our partners to get something out there. The more obscure ones, obviously, don’t have the population usage, but we still put out [research] products around the importance of patching those systems, as well, as we see them being exploited.
Can you give me an example of a cyber incident that US-CERT investigated and tell me what the process was like—the timetable, the resources, the entities you consulted with?
We typically don’t name the types of entities that we do specific response to. Is that what you’re asking?
Yeah. There have been some public breaches and—
Right, that’s what I was going to say. The most public one that you would be aware of, the one where I testified this summer, was [the] OPM [hack]. The one previous to that was last year, that I also testified, with healthcare.gov.
Those are two very different cases. The healthcare.gov [case] was a test server that had a default credential that was Internet-accessible, within one of the servers that were being used as part of that program. That server was scanned, the credential was found. Because it was contained within a test network, it wasn’t an exposure into the rest of the network. But in that role, we worked with [the Department of Health and Human Services] and [the Centers for Medicare and Medicaid Services] around that activity. We reviewed the server that was targeted, the credentials there. We worked in concert with them. I believe our FBI partners were also engaged to see if there was any criminal activity associated with that. And then we helped them work on a mitigation plan, a post-assessment of that activity.
“We actually put out a product last April specifically around the encouragement of the community to adopt encryption, and the importance of that.”
With the other example, the OPM example, we worked with our interagency partners as well as with the OPM resources around that activity. [We were] able to do an assessment of their environment in multiple locations over a period of time, bringing those results back not only to our environment here for further evaluation but also to do a lot of that assessment on-site and provide tactical results [to OPM] as those findings were being made. The larger goal for us is really helping them contain any kind of adversarial activity and then help[ing] them mitigate it and then help[ing] them build resiliency back into their network.
After we do each one of these types of incident-response engagements, we provide them an engagement report in which they can then build better security practices based on, maybe, potential gaps that were found during the assessment.
Were you involved in the response to the Sony Pictures Entertainment hack?
We were involved, from the perspective that we received copies of the malware. We worked with our interagency partners. That one was led by the FBI, as you’re aware from the public reporting. Our focus—you know, we’re not law enforcement, so we focus on trying to help build the resiliency, [after] an event like that, back into networks. Helping them look at the mitigation measures that they have in place and identify any gaps. And then also doing evaluation [of] the malware and sharing any associated indicators of compromise so that, again, one person’s activity can be another person’s protection mechanisms.
Sharing, broadly, the malware analysis that we had done associated with that across our constituencies, that’s how we approach these kinds of cases. That’s [an illustration of] the different components and parts and how we partner with our law-enforcement partners, who are there from a perspective of collecting evidence for a criminal case. We’re there to help mitigate and to help build resiliency back into these networks.
You mentioned resiliency. There’s a big debate right now about whether tech companies should put backdoors in their encryption. That’s partly a political issue, but it’s also a security issue. Backdooring encryption would have an impact on resiliency. Does that worry you? Does that make your job harder?
We actually put out a product last April specifically around the encouragement of the community to adopt encryption, and the importance of that. From our perspective, I can reference that technical alert that we put out last April. It was around the time of [the] RSA [hack]. … [It] kind of goes over our perspective on encryption, and the importance of enterprises [using] encryption of communications, and how that can be a mitigating factor for adversaries to gain access. Our position is in support of that.
What would you tell lawmakers who are debating whether to require encryption backdoors?
I would probably not state anything specifically on that for this article, outside of just a reference to the encryption technical alert that we put in April. … What we were recommending to the broader community—this is a global community that we work in, we’re computer network defenders, and we want to ensure the defense of those networks, and that includes the usage of encryption end-to-end capabilities.
How valuable do you anticipate CISA will be in identifying cybersecurity threats? What is your sense of the scale of its impact? How valuable will information sharing be to protecting networks?
Well, I think that’s definitely the goal from our perspective. We want to ensure that both [Information Sharing and Analysis Centers] and [Information Sharing and Analysis Organizations] have access to cybersecurity information sharing, and that that’s done from government to private sector. DHS is the front door for sharing of that information across our government partners with our private-sector constituents. We have had success in information sharing with critical-infrastructure sectors [and] small businesses. And [we] continue to establish those kinds of communities of interest, where we can continue to push executive-order-type things and other applicable legislation associated with that.
It’s all about timeliness of information sharing and ensuring that you have machine-to-machine executable information-sharing environments, that you’re talking in a common format. Our focus is on leveraging the right formatting for information sharing of this kind of technical data, as well as the right transport mechanisms to get that to them in a timely fashion, and continuing to broader and grow those communities for further inclusion of partners in this space.
How else can Congress help you do your job? Should they mandate compliance with the five major security controls that you mentioned earlier?
I wouldn’t like … I think I get hesitant to stipulate those five controls in a legislative-type proposal, because if you legislate something today, it doesn’t have the opportunity to evolve as the cyber space evolves. I think we encourage our partnerships with different committees to adopt language that would incorporate the larger adoption of controls in this space. But we wouldn’t want to stipulate the specific controls. Last year we were recommending four; this year we’ve upped it to five. Next year, it could be a different level of things that we’re seeing.
As the cyber space evolves, we want to make sure that any legislation that comes out around this can evolve as the cyber space evolves, to evolve with those evolving threats. There’s an ability to work with our partners on the Hill to make sure that they understand what the typical threats are that we’re seeing today, and ensure that the language has the ability to evolve with that evolving space.
What changes have you seen in the nature of cyber threats over the past decade—the behavior of threat actors, their choice of targets, etc.?
I think you’re seeing an increased focus on endpoints today. Years ago, it was really networks, and I think you’ve seen a huge amount of investment into network security from enterprise levels. And that’s important. But I think we’re seeing more and more success associated with adversaries when they target endpoints. That’s everything from spearphishing campaigns to other kinds of focused tactics, techniques, and procedures on the endpoints. We’re continuing to see success not only targeting more privileged users, but also regular users. As you continue to see those successes, you’ll continue to see adversaries pivot and change to those targets.
“[I]f you legislate something today, it doesn’t have the opportunity to evolve as the cyber space evolves.”
They’re always looking for the easiest way into an environment, and we’ve seen, over the last 18 months, a resurgence of adversaries targeting third-party partners. That was evidenced by both the Target threat as well as even the OPM activity. Those third-party partners have trusted access into your environment, and you need to treat them as you would a regular employee. That’s something we’re continuing to emphasize to our constituents: ensuring that you have the same access controls around third-party trusted partners in your environment that you do for your own users, and ensuring that that meets the security standards.
What are the business sectors that have been models for how to handle cybersecurity, and what are the sectors that you think present the most room for improvement?
I think you’re going to see a lot of success in addressing cybersecurity issues in sectors that have funding to ensure that they have the appropriate mechanisms in place—or sectors that have specifically been targeted. During 2012 and 2013, the financial institutions were targeted sometimes on a daily basis by the DDoS campaigns that were ongoing at that time. They took a lot of lessons learned from that activity and they put a lot of funding into cybersecurity because of the activity that they endured during that campaign.
I think you’re seeing some of those lessons learned from how the financial-service sector addressed those activities—things that they learned to do. They’re now sharing that across the other critical infrastructure ISACs. I know recently the financial sector, we helped introduce some discussions between them [and] the retail sector … so that they can learn from those things that the financial sector had already endured, and take those lessons learned and apply it to their constituents.
I think that’s where we’re seeing the benefit of this information-sharing initiative: Where one sector is specifically targeted, how did they resolve that activity? How were they able to maintain their capabilities and maintain their services, and what were the key aspects that they would recommend, and how do you share that to others so that they can ensure that one person’s event becomes somebody else’s protection? That’s a great example of that [principle]. I would definitely point to that [sharing] as an area of how we want to continue to see the evolution of information sharing and ensure that it’s done in a transparent manner.
You’re focusing on the actionable data, not so much the source of where that actually happened. I think that was an important aspect of that [sharing]. We didn’t have to share which specific financial institution was being targeted, but you could share the data associated with the attack that could then be leveraged for putting [in place] systems to protect others.
Correction: The “R” in “CERT” stands for “Readiness.”
Illustration via Max Fleishman