Red-teaming by DHS ‘quietly and slowly’ uncovers agency vulnerabilities

The Department of Homeland Security is looking to expand a program that breaks into federal networks and tells agencies how it was done, says Rob Karas, the official leading the exercises.
Rob Karas speaks June 13, 2018, at the Forcepoint Cyber Leadership Forum produced by CyberScoop and FedScoop. (CyberScoop)

The Department of Homeland Security has carried out quiet “red-teaming” exercises at three federal agencies, breaking into networks and telling agency officials how it was done. The goal is for officials to more quickly realize when a hacker has a foothold in their systems to keep them from exfiltrating data.

“We go really quietly and slowly, just like an adversary would,” Rob Karas, the DHS official leading the red-team exercises, said Wednesday at the Cybersecurity Leadership Forum presented by Forcepoint and produced by CyberScoop and FedScoop.

Karas said his team has carried out five such red-team drills at three agencies, declining to name them. The 90-day assessments begin with about two weeks of reconnaissance that might culminate in a carefully crafted spearphishing email.

“We send a phishing email and it beacons back to our host in Arlington, and then we have a foothold” into the organization, said Karas, DHS’s director of national cybersecurity assessments and technical services. “From there, we pivot to other computers, to domain controllers, to enterprise computers.”

His team of security testers litters the target network with signatures representing ransomware or other malware — no actual malicious code is used. They check to see if the agency’s security operations center (SOC) detects malicious scans of the network and how it responds. The ethical hackers also attempt to exfiltrate large volumes of data over various channels.

Cybersecurity experts say rigorous red-team exercises are key to giving an organization a clear understanding of its vulnerabilities. A recent Office of Management and Budget report suggests many agencies still lack that clear understanding. Just 27 percent of agencies say they can detect and investigate “attempts to access large volumes of data,” and even fewer agencies test that capability annually, according to the report.

One of the more infamous cases of an undetected data heist at an agency was the 2015 hack of the Office of Personnel Management. Hackers sat unnoticed on the agency’s network for months and made off with the personal data of 22 million current and former federal workers.

Karas is trying to keep that from happening again.

At the end of a red-team assessment, Karas’s team sits down with officials from the target agency to deliver their security verdict. It might take three or four days for an agency to notice Karas’s testers had created or deleted accounts on the network, he said. “Other things might take them weeks — or they might not notice at all.”

After the initial assessment, the plan is to do another test in six months or a year’s time, he said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
