Policy Brief – U.S. Cyber Threat Intelligence, Part 2: Summary, Recommendations & Challenges

Dec 27, 2022

By Aaron Weathersby, CISSP. Aaron is the Chief Information Officer for Charles R. Drew University of Medicine and Science and holds a Doctor of Science in Cyber Security from Marymount University. He is an Information Technology professional with over 18 years of experience focused on cybersecurity issues.

Executive Summary: This policy brief was created to summarize the Biden Administration’s Executive Order on Improving Cyber Security through the lens of Cyber Threat Intelligence. This brief is geared towards those public and private entities required to implement the mandated elements within the EO. The brief details critical findings, recommendations, and challenges with implementing the orders.

POLICY SUMMARY

While Executive Order 14028 contains 8 top-level directives, the recurring CTI themes of visibility, detection and intelligence are easily recognizable throughout its text. As previously posited, a series of nationally impacting cyber incidents over the last 6 months have seemingly instigated the creation of this order. It is through this lens, and more specifically that of Cyber Threat Information, that this brief explores the order.

Cyber Threat Information or Cyber Threat Intelligence (CTI) is the set of indications, tactics and knowledge that allow threats to be detected, acted upon, or prevented. It is characterized by the gathering of intelligence and data from multiple sources and the creation of actionable intelligence. As described by the National Institute of Standards and Technology (NIST), CTI “can help an organization identify, assess, monitor and respond to cyber threats”. With its origins in military doctrine, it is a well-developed space within cyber security accounting for a billion-dollar industry. With the stated goals of both partnering with the private sector and making bold change, the EO presents its case for proactively addressing the challenges of cyber security.

In section 2 of the EO, a direct call to remove the barriers to the Federal Government sharing CTI is identified. The EO identifies contractual barriers to sharing information as preventing Federal Government suppliers from providing threat or incident information to relevant federal agencies. The EO calls for reviewing the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) so as to incentivize and require the sharing of relevant cyber security data points. Federal government suppliers would be required to “collect and preserve data” as well as promptly share such information when a cyber incident or potential cyber incident occurs. Moreover, federal government suppliers would need to deploy the capability to do so if they currently lack the ability. The order also specifically calls out the need to address and ameliorate civil liberties and privacy concerns.

In section 3, a directive to modernize federal government cyber security is presented. Broadly, this section requires government agencies to move towards a Zero Trust model.

Characterized by the removal of any implicit trust within a network, a Zero Trust architecture requires multiple layers of authentication to ensure users are who they claim to be within a network. Acknowledging modern paradigms of cloud computing, government agencies are required to implement technical controls such as multifactor authentication and data encryption. As in section 2, the FAR is identified for update given the new guidance. Through the lens of CTI and CTI sharing, a clear directive toward “increasing the Federal Government’s visibility into threats” is provided. The EO requires the establishment of a framework to “collaborate on cybersecurity” in order to “ensure effective information sharing” among agencies. In this section the Federal Government is attempting to mandate a secure environment in which attacks are detected and immediately addressed.

In section 4, the enhancement of security for the software supply chain is presented.

Acknowledging both the criticality of the supply chain to federal government systems and its private nature, the EO identifies the need for “more rigorous and predictable mechanisms for ensuring that products function securely”. In this section the Federal Government is directed to work across government, academia, and the private sector to identify new standards and tools to ensure the integrity of software. The auditing of vendors and the use of NIST-provided guidance are leveraged to prevent the abuse of trust relationships within the supply chain. Notably, through the lens of CTI we again see calls for monitoring and alerting when cyber incidents are detected. The Federal Government is attempting to build a picture of the encapsulated and abstracted nature of the procurement systems to identify when a compromised component of the supply chain represents a threat.

In section 5, the establishment of a cyber safety review board is identified. With the mandate of reviewing and assessing significant cyber incidents involving federal and nonfederal systems, the creation of a Cyber Unified Coordination Group (UCG) is required. Again, in this section we see a clear link to CTI in the establishment of mechanisms for the collection of data, its sharing, and its use in making decisions. The mandated coordination group is meant to provide the government an additional mechanism to review critical data relevant to a cyber incident.

In section 6, the Federal Government is directed to standardize response playbooks for use when a cyber incident is in progress. This section of the EO focuses on the post-breach response to a cyber incident through coordinated and comprehensive planning. Requirements for building more effective processes across federal agencies are called out. While brief, specific requirements for the ability to centralize logging and tracking of cyber incidents are presented. Here again we see CTI as a theme in what the Federal Government is trying to achieve. By leveraging knowledge across the Federal Government, adversary tactics, techniques and procedures (TTPs) can be documented and planned against.

In section 7, the improvement of the detection of cybersecurity vulnerabilities and incidents within Federal Government networks is addressed. This section calls upon the Federal Government to “maximize the early detection of cybersecurity vulnerabilities and incidents on its networks”. In this section a prescriptive requirement for the development and deployment of Endpoint Detection and Response (EDR) is identified across all federal systems. In requiring the development and usage of EDR across federal agencies, the EO is creating the foundation for threat intelligence to be collected and analyzed centrally.

In section 8, the improvement of government response, investigation, and remediation is described and mandated to occur. This section details the necessity of maintaining network and system logs for Federal Information Systems. Described as “invaluable” for investigation and remediation, the EO creates a framework for the Federal Government and federal contractors to collect, store and communicate critical information on cyber incidents. While brief, this section describes in plain language the desire of the Federal Government to build intelligence on cyber operations for both internal and external partners. CTI in the form of system logs is directed to be centralized and visible “for the highest level security operations center of each agency”. Directly aligned to already established NIST guidance, this section permits federal agencies to share information on cyber risks and incidents.

Through the lens of CTI, the EO identifies a series of directives over the course of a year.

Prescriptive requirements for the collection, sharing and analysis of information are identified as the primary means to prevent and resolve cyber incidents. Through this EO, the government is unequivocally attempting to advance modern cyber security paradigms such as CTI to protect the government’s infrastructure.

POLICY RECOMMENDATIONS & CHALLENGES

Recommendations

The EO is squarely aimed at both federal agencies and those that do business with the Federal Government. Prescriptive CTI requirements are identified, including the removal of barriers to sharing threat information, modernizing standards, securing the supply chain, standardizing response, and improving detection of incidents. Beyond the order’s articulated requirements are clear themes relating to the concept of Cyber Threat Intelligence. Below are recommendations to better prepare federal and nonfederal actors for the implementation of this order.

  1. Review NIST guidance: The National Institute of Standards and Technology has several publications that were directly or indirectly referenced in this order. Key publications in the space of cyber threat intelligence, the sharing of cyber threat intelligence and incident response should be reviewed to provide a meaningful point of reference.
  2. Establish a baseline of your environment: Key to meeting the requirements identified in this order is understanding your organization’s current environment. The EO provides a ramp of requirements over the period of a year. Utilizing a Capability Maturity Model (CMM) such as the Department of Homeland Security’s “Cybersecurity Capability Maturity Model” can provide a systematized method to qualitatively identify your organization’s current capability.
  3. Identify resources for implementation: Concepts within CTI are relatively simple to understand yet complicated to implement. All organizations not already at a final level of maturity will need to invest resources to meet the requirements of this EO.

Challenges

The EO requires alignment to newly articulated priorities for the Federal Government based on already existing standards and guidance. While it is objectively urgent for the Federal Government to prioritize the protection of the nation’s cyber security infrastructure, it is not clear that this order represents a paradigm shift. Existing executive orders, legislative actions, federal policy, and government guidance have already established most of the requirements of this order. Federal agencies and private contractors will need to fully evaluate the EO in the context of the failings of existing policy to meet the intent of this order. The following are challenges that covered entities of this EO will face in meeting its call to action to protect America’s cyber infrastructure from malicious actors.

  1. Existing methods haven’t reduced cyber incidents: Exponential growth of cyber attacks has been seen across society, with ever-increasing potential for damage. Existing CTI systems such as CISA’s Einstein intrusion detection system, existing federal guidance such as NIST SP 800-150 Guide to Cyber Threat Information Sharing, and government-formed bodies such as the Cyberspace Solarium Commission (CSC) were all ineffectual in detecting the government Sunburst/Solarwinds hack of 2021. Clearly existing methodologies, while good in theory, lack real world. New-to-government paradigms in the CTI space will need to be developed to achieve the intent of the EO.
  2. Implementation will be resource (time & money) intensive: An adage exists within cybersecurity that network defenders need to be right all the time while network attackers simply need to be right once. The defense of cyber systems across the federal government and its contractors is a massive endeavor. A significant investment of time and capital will be required to build effective technical systems, hire qualified staff to operate systems and adhere to processes to continuously monitor and communicate data to the Federal Government.

Closing

In closing, Executive Order 14028 clearly identifies the President’s priorities for improving the nation’s cyber security. The Biden Administration is making a call to action to ameliorate the threats that ransomware, cyber criminals, malicious nation states and other cyber security actors create, recognizing that cyber incidents have had an increasingly destructive impact across the United States. The executive order acknowledges that current methodologies and practices are insufficient to meet a growing threat of sophisticated actors. To close this gap the executive order mandates the implementation of Cyber Threat Intelligence practices that “improve its efforts to identify, deter, protect against, detect and respond”. Cyber Threat Intelligence has played and will play a key role in allowing organizations to meet the challenge of cyber security threat actors through data-driven decision making.

Recommendations

  • Review relevant NIST guidance.
  • Establish a baseline of your environment.
  • Identify resources for implementation.

Challenges

  • Existing policies and methods have not reduced cyber incidents.
  • The executive order mirrors current recommendations and prior policy actions.
  • Implementation will be resource intensive to meet the intent of the executive order.
Bibliography

Exec. Order No. 14028. (2021). Retrieved from https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

Brooks, C. (2021). Alarming Cybersecurity Stats: What You Need To Know For 2021. Retrieved from https://www.forbes.com/sites/chuckbrooks/2021/03/02/alarming-cybersecurity-stats-------what-you-need-to-know-for-2021/?sh=d24630958d3d

Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer Security Incident Handling Guide. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

FireEye. (2020). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved from https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Guide to Cyber Threat Information Sharing. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf

Kelly, S., & Bing, C. (2021, May 7). Top U.S. fuel pipeline operator shuts whole network after cyber attack. Reuters. Retrieved from https://finance.yahoo.com/news/colonial-pipeline-halts-pipeline-operations-045443078.html

Nuce, J., Kennelly, J., Goody, K., Moore, A., Rahman, A., Williams, M., . . . Wilson, J. (2021). Shining a Light on DARKSIDE Ransomware Operations. Retrieved from https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

Samtani, S., Abate, M., Benjamin, V. A., & Li, W. (2019). Cybersecurity as an Industry: A Cyber Threat Intelligence Perspective.

Sanger, D. E., & Perlroth, N. (2021, May 14). Pipeline Attack Yields Urgent Lessons About U.S. Cybersecurity. The New York Times. Retrieved from https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html

City News Service. (2021). Scripps Health Says Some Patient Info Acquired During Ransomware Attack. KPBS. Retrieved from https://www.kpbs.org/news/2021/jun/01/scripps-health-says-some-patient-info-acquired-dur/

Temple-Raston, D. (2021). A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack. NPR. Retrieved from https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

Turton, W., & Mehrotra, K. (2021, June 4). Hackers Breached Colonial Pipeline Using Compromised Password. Bloomberg.com. Retrieved from https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

Zibak, A., & Simpson, A. (2019). Cyber Threat Information Sharing: Perceived Benefits and Barriers. Paper presented at the Proceedings of the 14th International Conference on Availability, Reliability and Security, Canterbury, CA, United Kingdom. https://doi.org/10.1145/3339252.3340528

Zrahia, A. (2018). Threat intelligence sharing between cybersecurity vendors: Network, dyadic, and agent views. Journal of Cybersecurity, 4(1). doi:10.1093/cybsec/tyy008