Why DHS might hack your agency

Shutterstock image (by fotogestoeber): virus infection spreading out in a network.

The cybersecurity penetration team that has the Department of Homeland Security's only "hands-on" cybersecurity testing capabilities is planning to expand its stable of test threats.

DHS' National Cybersecurity Assessments & Technical Services is currently piloting an Offensive Security Assessment service that mimics the stealthy advanced persistent threat groups (APTs) that quietly gain access to big networks and take their time working their way through a system.

NCATS, which is currently part of the DHS National Cybersecurity & Communications Integration Center, is also planning a Phishing Campaign Service to help agencies see the details of how phishing attempts appeal to actual users and measure their potential impact.

The two services would join NCATS' existing Risk and Vulnerability Assessments and Cyber Hygiene services that use cyber "red teams" to probe vulnerabilities in networks. Ken Vrooman, the NCCIC's cyber hygiene program manager, said NCATS was instrumental in helping federal agencies tackle the Heartbleed open SSL vulnerability in 2014.

NCATS provides objective third-party perspective on cybersecurity posture, not only for unclassified networks at federal agencies, but also for state, local and select critical infrastructure provider networks. NCATS security services are available free to stakeholders and can range from one day to two weeks depending on the security services required.

In a March 23 presentation to the Information Security and Privacy Advisory Board in Washington, Vrooman said the two planned new services would be available only to federal agencies, and are in different stages of development.

NCATS began a 90-day trial of the Offensive Security Assessment service with a large federal agency at the beginning of March, NCATS team member Will Burke said. The service mirrors the secretive behavior of APTs, using a phishing email or other method to gain access to a protected network and then moving across it, accessing data and other assets along the way. The NCATS service doesn't actually exfiltrate data from an agency, but sends up "signals" to see if network administrators notice.

The Phishing Campaign Service has not yet been deployed, Vrooman said, as it is still under development. NCATS team member Krysta Coble told the ISPAB that the idea is to send accurate replicas of phishing emails to agency users, without their knowledge, to see if anyone takes the bait. Using the data gathered from the email, like click rates and other data, agencies can then follow up on their email handling and education. There are no malware "payloads" actually attached, but the details of the email can be tweaked in sophistication.

The phishing email could use the same techniques that lead millions of regular computer users worldwide to click on bad links, taking them to questionable sites or download malware.

One phishing email that's been successful, said Coble, promises a "Free iPad" for a survey accessible by a click. A test email like the Free iPad example, she said, could be configured to seem like an obvious piece of spam with obvious clues, like backwards Apple logos, or mangled grammar, or constructed to appear more legitimate. The service can send those emails to targeted areas in an agency and measure click rates and other metrics -- all of which would then be shared with the customer agency.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.