DHS Using Red Team Approach to Improve National Cyber-Security

Leaders of the Department of Homeland Security (DHS) National Cybersecurity Assessments and Technical Services (NCATS) explain at DEF CON about how conducting penetration testing against government and private sector infrastructure helps to improve cyber-resilience.


As fears about the security of  elections and voting machines remain a concern, the U.S Government is doing more than just waiting for attackers, it's hacking its own systems with penetration testing activities.

Speaking at DEF CON in Las Vegas on Aug. 10, members of the Department of Homeland Security (DHS) National Cybersecurity Assessments and Technical Services (NCATS) described their Red Team activities to help evaluate the cyber-hygiene of software infrastructure. NCATS Red Team services help both government agencies as well as critical infrastructure in private organizations.

"We believe in not just identifying vulnerabilities, but also in understanding what organizations do with the notifications we give them," Robert Karas, Director, NCATS, Office of Cybersecurity and Communications, Department of Homeland Security said.

Karas said that in additional to identifying issues, NCATS wants to know how long it takes an organization to fix an issue after it is reported. He noted that in the federal government at one point it was taking over 300 days to close critical vulnerabilities that had been identified.

"We issued what is known as a binding operational directive and now the closure rate on critical vulnerabilities is approximately 12.5 days," Karas said.

Among the services that NCATS provides is a Risk and Vulnerability Assessment (RVA), which Karas said is a two-week penetration test, that looks for both insider and outsider vulnerabilities. Looking specifically at election security, NCATS has an Applied Vulnerability Assessment (AVA) function, where vendors can submit their election control systems for analysis. NCATS wlil also look at the election systems with a full penetration test and help to identify any potential flaws.

"Everything we do has legal documentation. We're not just going out there and scanning for the heck of it," Karas said. "What we get from it is invaluable, we can see trends across different sectors."

Risks and vulnerabilities identified

Jason Hill, Red Team Lead at NCATS, Department of Homeland Security, explained that the penetration test will show everything that is potentially at risk. Hill said that a penetration test typically will start with running scanners, such as Nessus or Nexpose, looking for known issues. Looking beyond just scanners, Hill said that the NCATS Red Team also tries to emulate adversarial activity and attempts to get a foothold in a vulnerable network.

"We try to show our customers what it looks like to be hacked," Hill said. 

The foothold in a network can come from a variety of attack vectors, including phishing, misconfiguration or an exploitable vulnerability. Once the red team has initial access, Hill said that his team looks to escalate privileges to get access to sensitive business systems.

Top vulnerabilities in election systems

In terms of vulnerabilities, Karas said that the top issues are largely the same across all sectors including election-related systems. He noted that election systems and frameworks are not really all that different from any enterprise network.

The top vulnerability found by NCATS Red Team is phishing, which Hill said is often how his team is able to get into an organization. He noted the fact that someone can get into an organization via phishing is a concern, but there are larger issues as well.

"Long gone are the days of stopping people at the perimeter," Hill said. "What's important now is how we identify that an intruder is in the network and how we can slow them down long enough to catch them."

Besides phishing, Karas said that NCATS usually also finds unsupported, older versions of software, including PHP and HTTP servers at organizations. The unsupported software can be at risk from known vulnerabilities that are relatively easy to exploit. Password reuse is another common challenge found by NCATS. Hill said that he typically finds that administrator passwords are reused across an organization for multiple domain and personal accounts. Insecure default configurations are also a concern and something that Hill said he commonly sees, which enables the NCATS Red Team access into an environment.

Overall both Hill and Karas emphasized that NCATS Red Team activities are all about helping both government and private organizations improve security.

"Our goal is to defend our nation, we want to keep it secure," Hill said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.