Using CISA resources to improve your security program
CISA regularly publishes documents about the work it does helping federal agencies with cybersecurity. On 11 July 2024 it released an advisory detailing a red team exercise performed against an unnamed federal agency. While reading that document, I saw many items worth reviewing in my own environment.
For a quick review, go straight to the Lessons Learned and Key Findings section, which starts on page 15 of the PDF. Review the 16 findings there and think about which apply to your environment. Even if you already address all 16, there are likely areas where you could improve! The advisory also has a Mitigations section with recommendations for each finding.
One item I highlighted in the document was that the red team was able to send 8 GB of traffic outbound without being detected. How much outbound data is "too much" in your environment, and would it trigger an alert? Is there any alerting on egress volume at all? This is a good scenario for a tabletop exercise to review how well you would respond.
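As a concrete starting point for the egress question above, here is an added example (my own illustration, not code from the CISA advisory) of a simple per-host outbound-volume check. It runs over a constructed set of flow records in an assumed CSV layout (timestamp, source host, destination, bytes out), sums bytes per host per UTC day, and raises an alert either when a day crosses an absolute ceiling or when it exceeds several times that host's own median from the other observed days. The host names, addresses, byte counts and thresholds are all made up for the example; a backup server that legitimately ships about a gigabyte a day is included to show why a baseline check matters alongside a hard limit.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of outbound flow records (not real data). The layout is
# an assumption; adapt parse_flows() to whatever your flow exporter emits.
# ws-042 quietly sends ~8 GB on 11 July; ws-077 jumps well above its own norm;
# bkp-01 always pushes ~0.9 GB and should not alert.
SAMPLE_FLOWS = """\
ts,src_host,dst_ip,bytes_out
2024-07-08T09:00:00Z,ws-042,203.0.113.10,12000000
2024-07-09T09:00:00Z,ws-042,203.0.113.10,15000000
2024-07-10T09:00:00Z,ws-042,203.0.113.10,11000000
2024-07-11T02:10:00Z,ws-042,198.51.100.77,3000000000
2024-07-11T02:40:00Z,ws-042,198.51.100.77,2500000000
2024-07-11T03:05:00Z,ws-042,198.51.100.77,2500000000
2024-07-08T09:30:00Z,ws-077,203.0.113.10,10000000
2024-07-09T09:30:00Z,ws-077,203.0.113.10,12000000
2024-07-10T09:30:00Z,ws-077,203.0.113.10,11000000
2024-07-11T23:10:00Z,ws-077,198.51.100.5,200000000
2024-07-08T10:00:00Z,bkp-01,192.0.2.20,900000000
2024-07-09T10:00:00Z,bkp-01,192.0.2.20,950000000
2024-07-10T10:00:00Z,bkp-01,192.0.2.20,910000000
2024-07-11T10:00:00Z,bkp-01,192.0.2.20,930000000
"""

GIB = 1024 ** 3


def parse_flows(text):
    """Yield (utc_date, src_host, bytes_out) tuples from CSV flow records."""
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        yield ts.date(), row["src_host"], int(row["bytes_out"])


def daily_egress(text):
    """Return {host: {date: total_bytes_out}} aggregated per UTC day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, n in parse_flows(text):
        totals[host][day] += n
    return totals


def egress_alerts(text, hard_limit=5 * GIB, ratio=3.0):
    """Flag (host, day, reason, bytes) where a day's outbound volume exceeds
    hard_limit, or exceeds ratio times that host's median over its other days.
    The thresholds are example values; tune them to your own traffic."""
    alerts = []
    for host, days in daily_egress(text).items():
        for day in sorted(days):
            total = days[day]
            others = [v for d, v in days.items() if d != day]
            baseline = statistics.median(others) if others else None
            if total > hard_limit:
                alerts.append((host, day.isoformat(), "hard_limit", total))
            elif baseline and total > ratio * baseline:
                alerts.append((host, day.isoformat(), "baseline", total))
    return alerts


if __name__ == "__main__":
    for host, day, reason, total in egress_alerts(SAMPLE_FLOWS):
        print(f"{day} {host}: {total / GIB:.2f} GiB outbound ({reason})")
```

Run as-is it reports ws-042 on 2024-07-11 against the hard limit (8 GB, the figure from the advisory) and ws-077 against its own baseline, while the backup host stays quiet. In practice you would feed this from NetFlow, firewall or proxy logs and shorten the window, but even a daily roll-up like this would have caught the exfiltration described in the advisory.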
After reviewing the key findings, I strongly suggest reading the entire document. It walks through the red team's tactics and techniques, and even a nontechnical member of staff can find useful information in it. For example, the red team found a backup file on one of the servers that it was able to read. Are you ensuring that backups are stored where attackers cannot reach them, and that backup files do not sit on production systems, even temporarily?
Besides the findings, I suggest also making a list of the items you already do in your environment. This helps you know what you are doing well! For example, Findings 10 and 11 concern cross-functional teamwork. This has always been a focus of mine when I start at a company, since my team generally does not manage every part of IT. Integration and collaboration between groups is key to establish before there is an incident, so the trust is already in place when time is of the essence.
Do you have compliance requirements to perform a risk assessment regularly or to review threat intelligence? Congratulations, you just did both! In the NIST world, these are RA-3 and CA-7 in SP 800-53, 3.11.1 and 3.12.1 in SP 800-171, and 3.11.1e in SP 800-172. For other compliance frameworks, I always suggest using the Secure Controls Framework to find the crosswalk to these documents.
In summary, the government DOES have good help for companies! This is one example of how you can use its resources to help your own organization. Free is always good, especially when it is as helpful as this.
Strategic cybersecurity advisor to Fortune 100 C-suite and Board, Private Equity, and Owners | Top-down CMMC and M&A Estimates with verified accuracy in 72 hours | vCISO
7 months ago: Thanks for letting all of us readers look over your shoulder. This is a great walkthrough.