Why DHS might hack your agency

The NCCIC's hands-on "red team" cybersecurity testing service group is planning two new threat services that federal agencies can use to find security gaps.


The cybersecurity penetration team that has the Department of Homeland Security's only "hands-on" cybersecurity testing capabilities is planning to expand its stable of test threats.

DHS' National Cybersecurity Assessments & Technical Services is currently piloting an Offensive Security Assessment service that mimics the stealthy advanced persistent threat groups (APTs) that quietly gain access to big networks and take their time working their way through a system.

NCATS, which is currently part of the DHS National Cybersecurity & Communications Integration Center, is also planning a Phishing Campaign Service to help agencies see the details of how phishing attempts appeal to actual users and measure their potential impact.

The two services would join NCATS' existing Risk and Vulnerability Assessments and Cyber Hygiene services, which use cyber "red teams" to probe for vulnerabilities in networks. Ken Vrooman, the NCCIC's cyber hygiene program manager, said NCATS was instrumental in helping federal agencies tackle the Heartbleed OpenSSL vulnerability in 2014.

NCATS provides an objective third-party perspective on cybersecurity posture, not only for unclassified networks at federal agencies, but also for state, local and select critical infrastructure provider networks. NCATS security services are available free to stakeholders and can range from one day to two weeks, depending on the services required.

In a March 23 presentation to the Information Security and Privacy Advisory Board in Washington, Vrooman said the two planned new services would be available only to federal agencies, and are in different stages of development.

NCATS began a 90-day trial of the Offensive Security Assessment service with a large federal agency at the beginning of March, NCATS team member Will Burke said. The service mirrors the secretive behavior of APTs, using a phishing email or other method to gain access to a protected network and then moving across it, accessing data and other assets along the way. The NCATS service doesn't actually exfiltrate data from an agency, but sends up "signals" to see if network administrators notice.

The Phishing Campaign Service has not yet been deployed, Vrooman said, as it is still under development. NCATS team member Krysta Coble told the ISPAB that the idea is to send accurate replicas of phishing emails to agency users, without their knowledge, to see if anyone takes the bait. Using the data gathered from the campaign, such as click rates, agencies can then follow up on their email handling and user education. No malware "payloads" are actually attached, but the sophistication of the email's details can be tweaked.

The phishing email could use the same techniques that lead millions of regular computer users worldwide to click on bad links that take them to questionable sites or download malware.

One phishing email that's been successful, said Coble, promises a "Free iPad" for a survey accessible by a click. A test email like the Free iPad example, she said, could be configured to seem like an obvious piece of spam with obvious clues, like backwards Apple logos, or mangled grammar, or constructed to appear more legitimate. The service can send those emails to targeted areas in an agency and measure click rates and other metrics -- all of which would then be shared with the customer agency.