govciooutlookapac

Hill Associates: Critical Focus Areas for Federal Government Cybersecurity in 2021

Kelsey Hill, President & Executive Principal, Hill Associates
Hill Associates, a Rockville, Maryland-based small business specializing in IT infrastructure and cybersecurity services, has highlighted critical areas for Federal Government cybersecurity in 2021. While the COVID pandemic defined 2020 for the Federal Government, Brian Clary, Senior Vice President at Hill Associates, stated: “The large-scale hack on Federal Agencies in December provides a reminder that cybersecurity threats remain a significant risk.”

Kim Vance, Cyber Risk Lead at Hill Associates, stressed the importance of reducing cybersecurity risk through improved identification and management of high value assets (HVAs). HVAs are data or systems that process high value information or serve a critical function in accomplishing the Agency’s mission.

According to Ms. Vance, “the key to success is to approach the HVA identification and maintenance processes with a risk-based mindset. Agencies should focus on truly understanding their mission, knowing which systems are critical to mission accomplishment, the impact to the organization should a system be disrupted or the data compromised, and how to mitigate and prioritize vulnerabilities inherent in those systems. CIOs and CISOs should maintain good working relationships with agency functional mission owners to ensure technology solutions and counter-measures support mission needs.”

Appropriate risk identification and management will enable efficient allocation of resources and controls to HVA systems. Risk cannot be eliminated, but appropriate application of risk methodologies, at a minimum the NIST Cybersecurity Framework (CSF) and Risk Management Framework (RMF), will assist agencies in defining risk tolerance, establishing controls to reduce risk, and improving the organization’s ability to remain resilient and continue mission-essential functions in the event of a cyber incident.

Ms. Vance stated, “We are able to help Federal Government organizations mature their HVA programs throughout the entire lifecycle, whether it be in mission risk review, system identification, application of RMF, CSF, and security controls, security architecture review (SAR), support for risk and vulnerability assessments (RVA), or other internal agency conducted assessments.”

A recent cybersecurity incident referred to as “SUNBURST” has demonstrated the heightened threats that exist in cybersecurity and the need to have robust incident response plans in place to counter this risk. In the SUNBURST incident, attackers infiltrated private sector and Government systems through a malicious software update delivered via the Orion application from SolarWinds, a U.S. network-management company. The Orion build system was compromised, and SolarWinds’ own software updates were surreptitiously weaponized.

Jakub Pitha, Hill Associates cybersecurity consultant, points out: “This attack demonstrates that Federal Agencies remain vulnerable to cyber threats. Agencies are advised to have an incident response (IR) plan in place that can be quickly implemented. NIST and SANS have excellent guides that can help organizations develop thorough incident response plans.”

Mr. Pitha further explained that “In a cyber incident, time is of the essence. Based on our experience, organizations that are able to rapidly identify, contain, and mitigate a compromise may be able to lower the risk of mission impacts and information loss, and restore their networks to a more secure state. We recommend organizations periodically exercise their incident response plan. This will help key stakeholders and leadership familiarize themselves with their IR role. In addition, it will also improve the organization’s ability to rapidly think through and solve unexpected challenges, such as how to efficiently share information and coordinate recovery actions when the organization’s network has been compromised and can't be trusted.”

Federal Government Agencies can further reduce cybersecurity risk by considering investments in cyber threat hunting capabilities. Threat hunting enables cybersecurity experts to proactively search organizational systems, networks, and infrastructure for vulnerabilities and advanced threats. Tim Clinton, Hill Associates cybersecurity operations lead, stated: “It is absolutely critical that organizations adopt the adage ‘know thyself’ and ensure visibility into enterprise assets, leveraging log data that may identify indications of compromise, such as unusual network traffic or suspicious file changes. The goal of threat hunting is to identify and disrupt cyber adversaries as early as possible in the attack sequence, and to measurably improve the speed and accuracy of organizational incident response.”
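As an added illustration of the log-driven hunting Mr. Clinton describes (this is example code written for this page, not code from the article or from Hill Associates), the script below runs two small hunt queries over constructed data: it looks for "unusual network traffic" in the form of regularly timed connections from one host to one destination (a beacon-like pattern), and for "suspicious file changes" by comparing SHA-256 digests of observed files against a baseline captured at deployment. The flow-log format, the file paths and their contents, and the thresholds are all assumptions made for the example; the IP addresses are RFC 5737 documentation ranges, not real indicators.

```python
"""Two small threat-hunt queries over constructed log data (added example).

Assumptions (not from the article): a flow log with one connection per
line in the form "<timestamp> src=<ip> dst=<ip> dport=<n> bytes=<n>", and a
file-integrity baseline of SHA-256 digests taken when the system was built.
"""
from collections import defaultdict
from datetime import datetime
import hashlib
import re
import statistics

# Constructed sample flow log: 10.1.2.3 contacts 203.0.113.7 roughly every
# 600 s (beacon-like); the remaining traffic is irregular and sparse.
FLOW_LOG = """\
2021-01-05T10:00:00Z src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=512
2021-01-05T10:00:17Z src=10.1.2.3 dst=198.51.100.5 dport=443 bytes=90211
2021-01-05T10:10:01Z src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=508
2021-01-05T10:14:40Z src=10.1.2.4 dst=198.51.100.5 dport=443 bytes=4022
2021-01-05T10:19:59Z src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=515
2021-01-05T10:30:02Z src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=511
2021-01-05T10:31:10Z src=10.1.2.4 dst=198.51.100.5 dport=443 bytes=77
2021-01-05T10:40:00Z src=10.1.2.3 dst=203.0.113.7 dport=443 bytes=509
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Parse the assumed flow-log format; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        flows.append((ts, m["src"], m["dst"], int(m["dport"]), int(m["bytes"])))
    return flows


def find_beacons(flows, min_count=4, max_cv=0.05):
    """Return (src, dst, mean_gap_s, cv) for pairs whose inter-connection
    gaps are suspiciously regular (coefficient of variation <= max_cv)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _dport, _nbytes in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few observations to call anything "regular"
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append((src, dst, round(mean), round(cv, 3)))
    return hits


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file contents: what was deployed vs. what is observed later.
BASELINE_FILES = {
    "/opt/app/bin/agent": b"agent v1.0",
    "/opt/app/lib/core.dll": b"core v1.0",
    "/etc/app/config.yml": b"server: internal\n",
}
OBSERVED_FILES = {
    "/opt/app/bin/agent": b"agent v1.0",
    "/opt/app/lib/core.dll": b"core v1.0 + unexpected patch",  # modified
    "/etc/app/config.yml": b"server: internal\n",
    "/opt/app/lib/helper.dll": b"dropped file",  # not in the baseline
}
BASELINE = {p: sha256(c) for p, c in BASELINE_FILES.items()}
OBSERVED = {p: sha256(c) for p, c in OBSERVED_FILES.items()}


def find_changed_files(baseline, observed):
    """Return (path, reason) for files that are new, modified, or missing."""
    findings = []
    for path, digest in sorted(observed.items()):
        if path not in baseline:
            findings.append((path, "new file not in baseline"))
        elif baseline[path] != digest:
            findings.append((path, "hash changed"))
    for path in sorted(set(baseline) - set(observed)):
        findings.append((path, "missing"))
    return findings


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(parse_flows(FLOW_LOG)):
        print(f"beacon-like: {src} -> {dst} every ~{gap}s (cv={cv})")
    for path, reason in find_changed_files(BASELINE, OBSERVED):
        print(f"file change: {path}: {reason}")
```

Both queries are deliberately simple so the logic is auditable: the beacon check needs a minimum number of observations before it will flag anything, which keeps one-off connections from producing noise, and the integrity check reports new and missing files as well as modified ones, since a dropped helper library is as interesting to a hunter as a patched binary.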

Mr. Clinton further emphasized that “Adversaries have gotten much more sophisticated and persistent. Threat hunting is so important to cyber risk management that NIST has included threat hunting as a new, separate security control, RA-10: Threat Hunting, in the newest version of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations. While threat hunting is not necessarily new, it has gained in importance over the past few years. It is exciting to see threat hunting receive formal NIST recognition as a unique capability that can be integrated with risk management, cyber threat intelligence, and incident response.”

With NIST’s addition of threat hunting as an important security control, Agencies will need to consider options for implementing the capability, where applicable. Mr. Clinton points out that “there is no turnkey solution that fits all organizations. Threat hunting begins with the ability to ingest internal and external intelligence insights about vulnerabilities and threats, and the organization’s exposure to them. In addition to technical solutions, we recommend that Federal Agencies focus on human capital, including developing data analytic skills, investigative skills, and data engineering. Organizations can build capabilities in-house, or consider partnering with external third-party companies who provide outsourced threat hunting services.”