The recent audit report detailing numerous breaches of NASA’s Jet Propulsion Laboratory over the last 10 years was released this month. It’s interesting for a few reasons that I’ll go over in this blog, but it is also a reminder of the importance of basic cyber security hygiene. What the audit report revealed about NASA’s JPL network exposed gaps in security practices that, in all honesty, many organizations also have. From AttackIQ’s observations, many security organizations focus on adding more mature security technologies and capabilities before they have ensured basic security hygiene is in place; as a result, attackers don’t need sophisticated methods to breach the network and move laterally. Because basic defensive capabilities are missing, basic attack techniques succeed.
To that end, I’m going to review how AttackIQ can measure and validate your cyber security hygiene, and review the Sliding Scale of Cyber Security, a model that can be used as a discussion point when building your security program to categorize the actions, competencies, and investments of resources that organizations can make to defend against threats. The model serves as a framework for understanding which actions contribute to improving cyber security hygiene.
NASA’s Jet Propulsion Laboratory breach
- An audit document from the U.S. Office of the Inspector General was released detailing numerous breaches of NASA’s Jet Propulsion Laboratory (JPL) over the last 10 years
- Breaches involved both individuals and nation-state actors
- Data was stolen involving NASA’s critical missions, launch codes, flight trajectories for spacecraft as well as other sensitive and proprietary information
Recommendations from the U.S. Office of the Inspector General Audit:
The U.S. Office of the Inspector General’s audit outlines technical details of the breaches and faults within NASA’s IT infrastructure, and provides 10 recommended improvements for overall security hygiene. The recommendations included:
- Ensure inventory tracking of assets
- Segment and segregate network IT environment
- Review of partner ISAs (Interconnection Security Agreements)
- Improve incident response procedures and ticketing systems
- Formalize security workflow and responsibilities within JPL
- Implement a security training program
- Develop and implement a comprehensive strategy for institutional IT knowledge and incident management
- Perform routine threat hunting procedures and add success metrics
- Integrate continuous monitoring tools that provide the NASA SOC with oversight of JPL network security practices
As the audit concluded, NASA’s JPL security practices lacked basic cyber security hygiene. The details of the audit might surprise some of you, but our observation is that, while NASA is a high-profile target, the faults found within JPL are all too common among organizations of all sizes. Many organizations lack basic cyber security hygiene.
What is Cyber Hygiene?
The Center for Internet Security (CIS) and the Council on Cyber Security (CCS) define cyber hygiene as a means to appropriately protect and maintain IT systems and devices and to implement cyber security best practices.
“Lack of Cyber Hygiene is Leading to Cyber Attacks and Cyber Threats” (Source)
How do you measure and improve your Cyber Hygiene?
Existing models and frameworks are key to reaching agreement and consensus between leadership and operations teams on the lexicon and best practices for measuring your security hygiene, and AttackIQ incorporates and supports mapping of results to and from multiple frameworks. The better-known one is the CIS Critical Security Controls framework; less well known is the Sliding Scale of Cyber Security. The Sliding Scale of Cyber Security can be instrumental as a discussion point for building the foundations of your security program, and you can use AttackIQ to sit above your security controls, validating your cyber security hygiene against the various foundations within the Sliding Scale of Cyber Security.
All that is required to use AttackIQ to measure your cyber security hygiene is to:
| Phase | Action | Why |
|---|---|---|
| Setup | Deploy test agents on and around devices within the network | To gain visibility within your environment |
| Active Testing | Select and run an assessment template | To emulate attacker behavior and relevant events |
| Measure and Validate | Configure the integration manager | To concurrently measure security controls and provide evidence of capabilities and security configurations |
| Insight | Receive reports and alerts | To gain real-time metrics of your cyber security hygiene and remediate to improve overall security posture |
Once you have AttackIQ set up to measure your cyber security hygiene, let’s talk about how AttackIQ can help you gain visibility into the various foundations of the sliding scale:
The Sliding Scale of Cyber Security
The Sliding Scale of Cyber Security was created by Robert M. Lee, SANS instructor and Founder and CEO of Dragos. The five categories in the scale are Architecture, Passive Defense, Active Defense, Intelligence, and Offense. Each category helps you understand the impact on cyber security capabilities and maturity relative to the cost of security investments. At each category within the sliding scale, AttackIQ can provide controls validation to measure and validate your cyber security hygiene:
| Category | Description | What/Why/How AttackIQ Measures |
|---|---|---|
| Architecture | “the planning, establishing, and upkeep of systems with security in mind.” Involves: identifying the business objectives supported by its IT systems, patch management, network monitoring controls, network segmentation | AttackIQ can emulate endpoint and network (internal, remote and cloud) behavior to validate network segmentation, user segregation as well as network monitoring. |
| Passive Defense | “systems added to the architecture to provide consistent protection against or insight into threats without constant human interaction” Involves: firewalls, anti-malware systems, intrusion prevention systems, anti-virus, intrusion detection systems, and similar traditional security systems | AttackIQ can emulate endpoint and network attacker TTPs from MITRE ATT&CK and other frameworks and concurrently validate people, processes, tools and technologies. |
| Active Defense | “the process of analysts monitoring for, responding to, learning from, and applying their knowledge to threats internal to the network.” Involves: “incident responders, malware reverse engineers, threat analysts, network security monitoring analysts, and other security personnel who utilize their environment to hunt for the adversary and respond to them.” | AttackIQ can emulate attacker behavior in order to test, measure and improve the skillset and procedures of SOC incident response and threat hunting analysts. |
| Intelligence | “the process of collecting data, exploiting it into information, and producing an assessment that satisfies a previously identified knowledge gap.” Involves a “continual cycle of collecting data, processing and exploiting that data into information, and analyzing and producing information from various sources to produce Intelligence.” | AttackIQ’s platform can operationalize and integrate threat intelligence frameworks and feeds like the MITRE ATT&CK framework to provide insight into overall risk, current security capabilities and gaps, ultimately driving data-driven decision making that is relevant to your organization. |
| Offense | “legal countermeasures and counterstrike actions taken against an adversary outside of friendly systems for the purpose of self-defense.” Involves the actions “deny, disrupt, deceive, degrade, and destroy” used to describe a cyber attack. As Robert points out in the paper, “It is in the opinion of the author that civilian organizations cannot currently participate in such actions and remain within the spirit of the law”. For that reason, most organizations will not incorporate offense as a category within their security investments. | AttackIQ can emulate various attacks and validate that countermeasures are working as expected. Note: The Offense category is for organizations that have an offensive countermeasure program (more often government-related, like the recent US cyber attacks on Iran). |

(Source: SANS, Robert M. Lee, Dragos)
Regardless of the maturity level of your security program, it’s important to proactively revisit each category within the sliding scale to determine your current capabilities. Each foundation in the sliding scale leads to the next: a strong architecture leads to a strong passive defense. If you find that you have a multitude of capabilities within active defense and intelligence but weak capabilities within architecture and passive defense, your cyber security hygiene is resting on a weak foundation, as each category relies on a solid base. You should then prioritize your security investments going forward to re-invest in foundational security capabilities and resources to ensure improved cyber security hygiene.