The FBI launched a new portal Monday to test out how companies could report cyber threats or attacks in real time and in a more consistent way.
The portal, iGuardian, in its pilot stage for the next few months, is available to 58,000 companies comprising the FBI’s InfraGuard network.
“If it’s successful we’re hoping that this is something that we, at some point, are going to role out universally to a much wider audience,” said Rick McFeely, the FBI’s assistant director of criminal, cyber, response and services branch, Tuesday at the AFCEA International Global Intelligence Forum in Washington. “Obviously, our concern is the critical infrastructure sectors that are out there. They’ll probably be the next up. But we know that, from a technological standpoint, it works; it’s working now. We have a very high degree of faith that this is going to work.”
Participating companies can submit a form online in the instance of a cybersecurity breach to their networks. The National Cyber Investigative Joint Taskforce (NCI-JTF) handles the information provided by these companies, McFeely said.
The NCI-JTF includes 19 agencies that have come together to share cyber threat information and coordinate operations. The task force helps identify and address cyber threats and vulnerabilities before adversaries are able to exploit weaknesses. These efforts are only part of the solution.
McFeely said the FBI will have to deal with a lot of false positives or even a hack that was stopped before it caused damage. He says the information will help lead the FBI and the NCI-JTF to where the biggest threats are.
Similar to police reports
McFeely said this reporting tool is similar to a police report that covers all the bases of what happened and when.
He said in the past, the companies would tell the FBI they had an intrusion or the FBI would let the company know based on their intelligence efforts, but there was not consistency in the data collected or shared.
Through iGuardian, every report to the FBI will include the same data describing what happened, he said.
“It’s going to be the individual field offices, and the cyber task forces in those field offices that are actually going to be the ones interfacing with the companies,” he said. “It may be something that’s going to be very resource- intensive, especially as we expand this program. And part of what we’re going to assess is what we’re going to need to resource this. That’s a huge question for us right now.”
iGuardian is another step in changing the way the FBI and private industry works together to improve communications, use intelligence and protect their computer networks from cyber attacks, McFeely said.
“I can tell you that the FBI was not a good partner in this arena up until about a year and a half ago,” he said. “We have radically retooled the way that we work with private industry. Previously, we would actually watch our adversaries go into your networks, and we would be afraid to go out and tell the victims too much because of the fear of revealing our sources and methods. That fear no longer exists.”
Testing malware sharing tool
The new online portal is an outgrowth of eGuardian, released in 2009, which serves as a repository enabling the DoD and federal, state and local law enforcement agencies to share terrorism-related cyber activity.
With the new portal, the FBI is looking for patterns and methods adversaries use to gain access to companies’ networks. That information can then be disseminated, without attaching the victim company’s name, so other companies and the FBI know what to look for and protect against.
In addition to iGuardian, McFeely said the FBI is in the process of making available malware collection and analysis, currently used by and within agencies, available to the private sector.
“We have an in-house capability to analyze malware. And we use that within our circle, within the intelligence community to share malware,” McFeely said. “One of the things we’re testing, and we have a high degree of confidence that over the next couple years we’re going to actually be able to roll that out to the private sector.”
The FBI’s new approach to information sharing is part of an emerging rethinking of what is threat data, where to find it and even how to share it.
Troy Mattern, the technical director for cyber intelligence at the Software Engineering Institute at Carnegie Mellon University, said one industry sector already is changing the information sharing lexicon.
“The financial sector has recently started using slightly different language, saying that information sharing is not sufficient. What we really need is analytic collaboration. There’s a difference there,” he said. “It’s one thing to give you some of my data and show you what’s happening, but it’s another thing for us to sit down and realize it’s a community or sector problem. It’s not just my organization. It’s not just your company. To sit down and look at that to try to figure out what’s really going on and how does it affect us more broadly together. That’s different.”
Mattern said the government needs to help industry improve how it uses intelligence and understand the legal and ethic issues associated with it.
Perimeter defense no longer works
Part of the reason for the change in information is because industry is becoming more adept at using intelligence to understand threats, said Richard Howard, a vice president and chief information security officer at TASC and a former Army cyber official.
He said companies also better understand the changing threat landscape, with the Defense Industrial Base and the financial services sector comprehending better than most companies and that they can no longer defend their network’s perimeter.
“They have realized that it’s OK to accept the bad guys will get into your perimeter and what you do about it. They understand the value of the kill chain. The bad guys have to be successful in six areas,” Howard said. “He has to recon. He’s got to develop a weapon that can get by whatever he noticed on the recon. He has to deliver the weapon. He has to execute the weapon. He has to establish command and control so it can give him more stuff to do. And then he has to do what he’s supposed to do, which is either exfiltrate documents or go lateral in the network. The bad guys have to be successful in all six of those missions or he fails. That’s the good news for us. All we have to do is stop him at one of those locations.”
Companies and the government are developing indicators of where the compromise happened in each one of those six areas the hacker needs to be successful in.
Howard said that’s leading to a transformation of incident response centers where they are focusing on actionable intelligence and giving analysts information to disseminate to business or agency leaders.
He said the end goal has to be to share indicator information without ruining the business.
To that end, Mattern said the Office of the Director for National Intelligence asked SEI to create a report on the state of cybersecurity intelligence.
SEI issued that report in January. It looked at 30 organizations, six of which were government and the rest were from across the commercial sector.
Mattern said the goal was to evaluate what is the state of cyber intelligence across five domains and figure out what was working and what wasn’t.
Mattern said SEI will release two more white papers by the end of the calendar year looking at training and education and one on how best to implement the framework that came from the January 2013 report.
Melissa Dawkins is an intern for Federal News Radio