The outgoing director of the Department of Homeland Security’s U.S. Computer Emergency Readiness Team has a message for federal agencies: Know your endpoints, know your data and boost your internal training to retain your best talent.
Ann Barron-DiCamillo, the longest tenured leader in US-CERT history, left her position earlier this month for the private sector. Her new role, chief technology officer at Strategic Cyber Ventures, will see her advise early-stage cybersecurity companies on technology that fills what she said are “gaps in the marketplace.”
The ever-growing endpoints
When it comes to gaps in federal cybersecurity, Barron-DiCamillo said endpoints need to be more of a focus for those charged with guarding agency assets. She said over her three years, she has seen an evolution from crude DDoS and SYN Flood attacks to spear phishing that’s meant to inject malware further down the stack.
“It’s all about the endpoint now,” Barron-DiCamillo told FedScoop. “It’s where you have the biggest bang for your buck right now. Look, users are going to click things. You are going to get a click rate with” phishing.
She said US-CERT has seen a rise in spear phishing payloads that carry attacks associated with macros, which execute malware inside applications like Microsoft Office. A popular form of attack in the ’90s, macro threats have re-emerged as browser vendors have patched vulnerabilities in Flash, Java and other various add-ons and plugins, Barron-DiCamillo said. With spear phishing, the highly targeted attacks are carefully crafted to be indistinguishable from genuine communications — often from a victim’s actual colleagues — with the malicious payload hidden in an attachment. The malware only executes and installs itself once the seemingly innocuous Word document or Excel spreadsheet is opened.
To combat these attacks, US-CERT has been working on pilot programs that use containerization, which allows malware to be cordoned off from infecting an entire system. And gives analysts the opportunity to learn more about the attack in a virtualized environment known as a sandbox. This is the kind of technology Barron-DiCamillo said advances cyber defenses by moving past signature examination and more toward protecting endpoints.
“Think about adversarial modeling and how the whole enterprise protects its capabilities … there’s been anti-virus products around for a long time,” she said. “You have to get past signature-based detection and get into a sandbox where you ask ‘is this behavior normal?’ and put it into a virtualized environment.”
This type of protection is something that the private sector has asked the government to take a look at for some time. Anup Ghosh, CEO of Invincea, told FedScoop last year that containerization would allow agencies to respond to attacks in hours instead of having to rely on other agencies.
He reiterated last week that the work DHS is doing is where the vast majority of attacks are currently taking place.
“Ninety-five percent of all breaches start with spear phishing end users,” Ghosh told FedScoop. “The end point is the new battleground between attackers and defenders.”
Moving to Mobile
Barron-DiCamillo said that battle of the endpoints will soon shift to mobile ground as more agencies equip their workforce with smartphones and tablets. She sees attacks on mobile devices geared toward obtaining credentials for other endpoints instead of trying to find valuable data on the device. The areas for attack seem to be wide: Barron-DiCamillo said a joint program between US-CERT and Carnegie Mellon University found 26,000 vulnerabilities in Google’s Android OS in 2015. Despite that figure, she said mobile attacks are only being conducted by advanced adversaries.
“It’s a huge attack vector, but you have to look at the bang for the buck you get from a mobile device,” she said. “You are not going to be able to get access to the content that a lot of [criminals] are going to want. If I pop your device, there’s nothing there that I can monetize.”
However, she said, as attackers find ways to make compromising mobile devices more lucrative, so the huge mobile attack surface starts to attract more attention.
“That’s the scary aspect. Cyber crime isn’t doing that,” she said. “It will not be very long before you see movement in that.
“Once it becomes monetized, then it’s blown up.”
Train to Retain
Be it current or emerging threats, Barron-DiCamillo said it’s important for agencies to invest in training for their workforce. She told FedScoop that she was extremely proud of the public-private partnership US-CERT established with Northrop Grumman and George Mason University that trained everyone from entry-level analysts to “cyber ninjas” in areas like network analysis, malware analysis, digital media analysis and incident response. These courses, she said, led to the “biggest retention within our organization of anything I can point to.”
“Cyber depends on three things: data, which we have tons of, tools, which are difficult to do in an environment where things are changing and evolving, and then the last thing is the training aspect,” Barron-DiCamillo told FedScoop. “It gives [employees] a clear path of ‘What I do need to do to get to the next level?’ and it helps them understand what expectations their supervisors or managers have of them, as well as what industry is looking at.”
The training program, which started in US-CERT, has since moved throughout the National Cybersecurity & Communications Integration Center.
“We grew it from what we needed to do in our organization and then it grew from there,” Barron-DiCamillo told FedScoop. “I’m really proud of that program, I’m proud of what we were able to accomplish. I’m also proud of where it’s headed.”
Contact the reporter on this story via email at firstname.lastname@example.org, or follow him on Twitter at @gregotto. His OTR and PGP info can be found here. Subscribe to the Daily Scoop for stories like this in your inbox every morning by signing up here: fdscp.com/sign-me-on.