NASA is automating responses to basic security threats as it moves to a zero-trust architecture in order to free up its limited analysts to focus on customized attacks.
Before the coronavirus pandemic could reach the U.S., NASA tested its security and network operations centers with an enterprisewide telework scenario. Within hours, an employee at Ames Research Center reported the agency’s first COVID-19 infection, said Mike Witt, associate chief information officer for cybersecurity and privacy at NASA.
NASA’s shift to zero trust will be a multi-year process, but the shift to telework is expediting it. Many NASA employees were teleworking during SpaceX’s Crew Dragon Demo-2 launch, and afterward, the agency’s security operations centers did a tabletop exercise with the company.
“We’ve got to get away from the mindset of: You can account for every alert,” Witt said during an ACT-IAC webinar Thursday. “You’ve got to embrace orchestration … artificial intelligence, machine learning.”
Moving forward, NASA is embracing commercial support that supplements its own threat analysts, Witt said.
Phishing and basic credential attacks remain the most prominent infiltration methods agencies face, and criminal markets tend not to invest much in them because the goal is profit, not stealth or long-term intelligence, said Mike Benjamin, senior director of threat research at Black Lotus Labs. The phishing emails tend to be similar and the domains the same because it’s not worth the attacker’s energy to craft specialized attacks.
“As an industry, we have to pay attention to how it is we are going to stop those more commodity level attacks or at least monitor for their occurrence and mitigate them quickly after they do,” Benjamin said. “And so simple things like credential reuse, understanding attack surface, training users, and then looking for the behavior of what happens when they do inevitably click those links are the ways to mitigate against those initial, very common infiltration methods that we see from even the most advanced actor groups.”
Companies like Black Lotus Labs focus on those commodity attacks so agencies like NASA can focus on the advanced ones.
NASA has seen some “really incredible” phishing attacks designed by nation-states, but simple ones continue to work, too, Witt said.
Trusted Internet Connections 3.0 is playing into NASA’s move to zero trust.
“The amount of data that we are bringing down from satellites is staggering now, and so we actually ran into … a problem,” Witt said.
The old TIC model of “boomeranging” data didn’t make sense, so 18 months before TIC 3.0 was released, NASA worked with the Department of Homeland Security and Amazon on a modern solution for bringing data from satellites straight to the cloud for easy sharing with researchers, he said.
NASA has also invested in an enterprise logging capability that not only collects system logs but runs machine learning on them to detect malicious activity. The agency is also red teaming with the Pentagon and intelligence community to identify network vulnerabilities before attackers do, and it has reduced its “significant” system footprint to a third of what it was three years ago, Witt said.
“We’re probably still not where we need to be,” he said.