The Department of Homeland Security has carried out quiet “red-teaming” exercises at three federal agencies, breaking into networks and telling agency officials how it was done. The goal is for officials to recognize more quickly when a hacker has a foothold in their systems, so the intruder can be stopped before any data is exfiltrated.
“We go really quietly and slowly, just like an adversary would,” Rob Karas, the DHS official leading the red-team exercises, said Wednesday at the Cybersecurity Leadership Forum presented by Forcepoint and produced by CyberScoop and FedScoop.
Karas said his team has carried out five such red-team drills at three agencies, declining to name them. The 90-day assessments begin with about two weeks of reconnaissance that might culminate in a carefully crafted spearphishing email.
“We send a phishing email and it beacons back to our host in Arlington, and then we have a foothold” into the organization, said Karas, DHS’s director of national cybersecurity assessments and technical services. “From there, we pivot to other computers, to domain controllers, to enterprise computers.”
His team of security testers litters the target network with signatures representing ransomware or other malware — no actual malicious code is used. They check to see if the agency’s security operations center (SOC) detects malicious scans of the network and how it responds. The ethical hackers also attempt to exfiltrate large volumes of data over various channels.
Cybersecurity experts say rigorous red-team exercises are key to giving an organization a clear understanding of its vulnerabilities. A recent Office of Management and Budget report suggests many agencies still lack that clear understanding. Just 27 percent of agencies say they can detect and investigate “attempts to access large volumes of data,” and even fewer agencies test that capability annually, according to the report.
One of the more infamous cases of an undetected data heist at an agency was the 2015 hack of the Office of Personnel Management. Hackers sat unnoticed on the agency’s network for months and made off with the personal data of 22 million current and former federal workers.
Karas is trying to keep that from happening again.
At the end of a red-team assessment, Karas’s team sits down with officials from the target agency to deliver their security verdict. It might take three or four days for an agency to notice Karas’s testers had created or deleted accounts on the network, he said. “Other things might take them weeks — or they might not notice at all.”
After the initial assessment, the plan is to do another test in six months or a year’s time, he said.