Continuous diagnostics and mitigation will allow agencies to have a clearer view of vulnerability gaps, and could also aid forensic investigators after the fact.
One federal agency charged with tracking down cybercriminals is looking forward to the progression of continuous diagnostics and mitigation into federal networks, even though on-the-ground cyberforensics experience with the technologies is still hypothetical.
CDM will not only allow agencies to have a clearer view of vulnerability gaps in their networks, but could also enrich the forensic path for cybercrime investigators, said Eduardo Cabrera, assistant to the special agent in charge at the U.S. Secret Service.
Cabrera, who is also assigned to the Criminal Investigative Division at Secret Service's Cyber Operations and detailed to DHS's National Cybersecurity and Communications Response Integration Center, said the agency- and federal-level dashboards associated with CDM will serve as a starting point for cyber-intrusion investigations.
Common CDM dashboards that share information among agencies and aggregate it within them could provide be a starting point for cyber forensics investigators, Cabrera said at an April 8 CDM conference in Virginia.
The Secret Service is charged with protecting the kind of U.S. payment and financial systems often targeted by cybercriminals.
"It's conceptual now since CDM is just being implemented," he said in remarks to FCW after the event. But CDM technology is beginning its spread across federal agencies. DHS began rolling out orders under the $6 billion CDM multiple-source contracts in January, when it issued $60 million in task orders to four of the 17 companies that provide hardware and software for the project. It has since issued several more.
GSA and DHS are currently working with the vendor for the federal dashboard selected in early March on what kinds of detail it will include, according to Mark Kneidinger, senior advisor, cybersecurity and communications, Federal Network Resilience at DHS.
The dashboards are key to the CDM effort.
Agency-level dashboards will gather information on threats and vulnerabilities across individual agencies, while the federal-level dashboard will aggregate information to form an overall threat picture.
Agency-level dashboards will contain sensitive information that will be closely held. Rod Turk, director, office of cybersecurity and CIO at the Department of Commerce, said he plans to disseminate the information gathered by his agency's dashboard internally to select top information officers and Cabinet-level officials. The information won't be made available to the public or to vendors. "We see vulnerability information as sensitive," adding that data about gaps and security patches could be very valuable to "hacktivists" and others with questionable intent.
Cabrera told FCW that exactly how information gathered through CDM-related security measures would be used in cybercrime investigations wasn't clear at this point, but it would be a step up from where things stand now.
"The lack of information now can make it hard. The lack of logs and how attacks happen makes it difficult" to track cybercriminals in federal networks, he said. In the face of such unknowns, "any information is good information."
One of cybercriminals' weaknesses is a tendency towards laziness, aiming to expend as little energy as possible for the most return. To save on effort, they use similar malware to attack both federal and commercial networks, said Cabrera. The malware they produce is usually tweaked for a specific attack, but it can be similar to other versions in its methods and behavior. That commonality can leave forensic clues to be leveraged by investigators and federal information security officers -- if they are recognized.
Although cybercriminals have proven themselves to be excellent at IT and ever-adaptable, the CDM approach is a critical "pivot" in how federal agencies deal with security, said Cabrera.
CDM is also piquing the interest of commercial interests that have been repeated targets of attacks, according to Kneidinger. Although Homeland Security's CDM blanket purchase agreement cannot be used by commercial interests, the financial services industry has inquired about the CDM process and how it works. "We're getting interest in how we structure the program," he said, from domestic and international interests.