Rather than continuing to rely on the intelligence community to defend against unforeseen cyber attacks, a Senate panel is telling the Defense Department it needs its own capabilities for discovering these ‘zero-day’ attacks.
In a report accompanying its mark-up of the FY ’12 DoD Authorization Bill, the Senate Armed Services Committee (SASC) says that the advanced discovery capabilities developed within the National Security Agency (NSA) over the years are unlikely to be shared widely across government, or to be used to defend private critical infrastructure, because of their classified nature.
Therefore, SASC wants the “Secretary of Defense to develop and implement a strategy to acquire advanced threat discovery capabilities to complement current cybersecurity systems that depend heavily on advanced knowledge of specific attacks,” says the report, which was issued last week.
The report says that current defenses against cyber attacks typically require advance knowledge of attack signatures. New attacks that have never been seen before, known as zero-day attacks, take a lot of time and manpower to discover, and the results are not reliable. The NSA and other intelligence agencies have developed capabilities in this area with “remarkable results,” but these means alone are not reliable enough to protect DoD, federal civilian and private critical infrastructure networks, SASC says.
So rather than rely on a defense model based on classified means to detect unknown attacks, SASC says that “It is essential for network defenders to have their own means for independently discovering new attacks by examining the behavior and impact of attackers and their tools on the traffic flowing across the defended networks and their endpoint targets.”
Zero-day attacks are not as rare as they once were, so it is a “worthy goal” to develop means for non-signature-based intrusion detection, a government official tells TR2.
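To make the distinction concrete, here is an added illustration (it is not code from the SASC report, DISA or any DoD program) of the two approaches the report contrasts: a signature check that can only match indicators from attacks already seen, and a behaviour-based check that flags a host beaconing to a previously unknown destination at regular intervals with uniform payload sizes, with no prior knowledge of that destination. The flow records, addresses and thresholds are constructed for the example.

```python
"""Signature-based vs. behaviour-based detection over constructed flow records.

Added illustration only; not part of the SASC report or any DoD system.
All hosts, addresses, timings and thresholds below are made up.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow log: (timestamp_seconds, src, dst, bytes_out).
# 10.0.0.5 contacts a never-before-seen host 203.0.113.7 roughly every 60 s
# with small, near-identical payloads: a beaconing pattern typical of a C2
# check-in. 10.0.0.8 browses normally: irregular timing, varied sizes.
FLOWS = [
    (0,   "10.0.0.5", "203.0.113.7", 412),
    (61,  "10.0.0.5", "203.0.113.7", 410),
    (119, "10.0.0.5", "203.0.113.7", 415),
    (181, "10.0.0.5", "203.0.113.7", 411),
    (240, "10.0.0.5", "203.0.113.7", 409),
    (301, "10.0.0.5", "203.0.113.7", 413),
    (5,   "10.0.0.8", "198.51.100.20", 1502),
    (9,   "10.0.0.8", "198.51.100.20", 83201),
    (47,  "10.0.0.8", "198.51.100.20", 2211),
    (230, "10.0.0.8", "198.51.100.20", 40019),
    (233, "10.0.0.8", "198.51.100.21", 12),
]

# Signature feed: indicators of compromise taken from *previous* attacks.
# The zero-day C2 host above is, by definition, not in it.
KNOWN_BAD_DESTINATIONS = {"192.0.2.66", "192.0.2.67"}


def signature_detect(flows, known_bad=KNOWN_BAD_DESTINATIONS):
    """Return the destinations in `flows` that match a known indicator.

    This is the model the report describes as depending on advance
    knowledge of specific attacks: an unseen destination is never flagged.
    """
    return sorted({dst for _, _, dst, _ in flows if dst in known_bad})


def beacon_detect(flows, min_events=5, max_interval_cv=0.15, max_size_cv=0.10):
    """Return (src, dst) pairs whose contacts are periodic and uniformly sized.

    No prior knowledge of the destination is needed; the regularity of the
    traffic itself is the evidence. cv = coefficient of variation
    (population stdev / mean); low cv means little jitter.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in sorted(flows):
        by_pair[(src, dst)].append((ts, size))

    hits = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue  # too few contacts to judge periodicity
        intervals = [b[0] - a[0] for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        interval_cv = pstdev(intervals) / mean(intervals)
        size_cv = pstdev(sizes) / mean(sizes)
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits[pair] = {
                "events": len(events),
                "mean_interval_s": round(mean(intervals), 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            }
    return hits


if __name__ == "__main__":
    print("signature hits:", signature_detect(FLOWS))
    for pair, stats in beacon_detect(FLOWS).items():
        print("beacon candidate:", pair, stats)
```

Run as-is, the signature check returns nothing, because the feed contains only indicators from past attacks, while the beacon check flags the 10.0.0.5 to 203.0.113.7 pair on the regularity of its traffic alone. The thresholds are illustrative; in practice they would be tuned against a baseline of the defended network's normal traffic, and the same host-level reasoning applies to endpoint telemetry.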
To obtain these discovery tools, SASC recommends that DoD, the Department of Homeland Security and the rest of government turn to the commercial sector. This will reduce their dependence on NSA and boost competition, the report says.
SASC notes that the Defense Information Systems Agency is already using a commercial capability to detect previously unknown threats as they pass into a network, but this capability hasn’t been upgraded to keep pace with the rapid rise in network traffic over the past several years. Moreover, and this seems to be a common theme in any discussion about cyber security, the report says the lack of a trained analytic workforce with cyber skills hinders the ability to discover zero-day attacks.
Not all is lost, though.
“One path to coping with this shortfall is to ‘outsource’ the function,” SASC says. The report points out that at congressional direction DoD has been conducting a number of pilot projects, including one for outsourced managed security services.
The report says managed security services are already available to government agencies through the General Services Administration’s Networx contract. Currently four companies, AT&T [T], CenturyLink [CTL], Sprint [S] and Verizon [VZ], have been selected under Networx to provide managed security services on the Managed Trusted Internet Protocol Services program, which includes behavior-based and forensic discovery capabilities. SASC says that more can be done on this program.
As long as the proposed solutions to be pilot-tested are based on open sources and open standards, then the recommendation by SASC is a good one, the government official says.
The report also notes that the Host-Based Security System (HBSS) being deployed by DoD for endpoint protection includes an open framework that allows new capabilities to be added. It therefore recommends that commercially developed, HBSS-compatible systems intended to stop unknown malware from infecting computers, and to detect and remediate attacks that have succeeded, be tested in realistic environments to see whether they will be useful and cost-effective for DoD.
Such technologies “should also materially improve the ‘transparency’ of the DoD network security situation, the lack of which is consistently cited by the Commander of U.S. Cyber Command as a serious deficiency,” SASC reports.