Interior’s Incident Detection and Response Program Requires Immediate Improvements
Published: April 11, 2018
Interior’s IG calls for increased investment and resources in the department’s IT security program, after finding several weaknesses in each of the four phases of the NIST incident response lifecycle.
In a March 2018 report, the Department of the Interior’s IG described the unprepared state of the agency’s IT program in mitigating, detecting and responding to cyber attacks. The watchdog found, during the March 2016 to June 2017 time frame, that Interior lacked the foundation for a mature incident response program per NIST’s incident response lifecycle.
One might not instantly think that Interior’s networks would be targeted by adversaries. However, the report states that the department is a regular target for security compromises by criminals and nation-states due to the large size of its computer networks. The networks contain a host of technical and sensitive information, particularly on the country’s natural resources. Moreover, it cannot be forgotten that the OPM database that was compromised in 2014 was hosted within an Interior data center. The department operates from more than 2,400 locations, adding to the complexity of maintaining a unified and strong security program. In fact, the report found that the OCIO previously decided to desegregate the bureaus’ networks in order to improve service delivery. That move resulted in the removal of various firewalls and intrusion detection systems, eliminating security segmentation between the bureaus and increasing the risk of access to Interior’s systems, a condition otherwise known as a flat network.
In order to evaluate the agency’s incident detection and response capabilities, the IG used NIST’s incident response lifecycle model as a basis:
[Figure: the four phases of the NIST incident response lifecycle: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity. Source: NIST SP 800-61r2]
Under each of these lifecycle phases, the IG found a lack of compliance with the model and several weaknesses in Interior’s security program. In terms of preparation, the report indicated that Interior’s OCIO did not have a fully developed incident response plan because roles and responsibilities across the bureaus had not been defined. Though a plan was eventually published in August 2017, it still did not meet the standards of the incident response program recommended by NIST. The IG also found that each bureau ran its own separate internal incident response program, and that these varied greatly in capability. For instance, the Bureau of Indian Affairs had a staff of 15 dedicated incident response contractors for its 5,800 users, while the National Park Service had only one full-time employee dedicated to incident response for 22,890 users. Moreover, incidents that affected more than one bureau were not coordinated properly.
With detection and analysis, the IG discovered the department was not consistent because the OCIO had neither visibility into Interior’s entire enterprise infrastructure nor a single mechanism for tracking and evaluating incident data. The OCIO also did not actively conduct threat-hunting activities, because that work was not assigned to the department’s experienced cyber personnel. Instead, Interior depends primarily on automated detection systems without human interaction. In fact, during the IG’s testing at a USGS facility, the IG team discovered a workstation attempting to communicate with malware hosted in Russia; USGS IT personnel later confirmed that the machine had indeed been compromised. The OCIO also did not detect the IG’s further tests until two weeks after the compromise.
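The gap the IG describes here is the absence of a human hunting pass over data the department already collects. The script below is an added example (not code from the IG report or from Interior) of the kind of lightweight hunt that would have surfaced the USGS workstation: it matches outbound connection records against an indicator list and flags hosts whose contacts recur at a nearly fixed interval, the check-in pattern typical of malware. The log format, the host names and the indicator list are constructed for the example, and the addresses are RFC 5737 documentation ranges rather than real malware infrastructure.

```python
"""Minimal threat-hunting pass over outbound connection logs.

Added example, not code from the IG report or from Interior. It assumes a
simplified log format (timestamp, source host, destination IP, destination
port) and a constructed indicator list; the addresses are documentation
ranges, not real malware hosts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outbound connection records. ws-1142 contacts the
# "known bad" destination 203.0.113.7 roughly every 30 minutes.
SAMPLE_LOG = """\
2017-05-01T08:00:12Z ws-1142 198.51.100.20 443
2017-05-01T08:03:40Z ws-1142 203.0.113.7 8443
2017-05-01T08:33:41Z ws-1142 203.0.113.7 8443
2017-05-01T09:03:39Z ws-1142 203.0.113.7 8443
2017-05-01T09:10:02Z ws-2201 198.51.100.20 443
2017-05-01T09:33:40Z ws-1142 203.0.113.7 8443
"""

# Constructed indicator list; in practice this comes from a threat
# intelligence feed and is refreshed regularly.
INDICATORS = {"203.0.113.7"}


def parse_log(text):
    """Yield (timestamp, host, dst_ip, dst_port) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, ip, port = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, ip, int(port)


def find_indicator_hits(text, indicators):
    """Return {host: [timestamps]} for connections to listed destinations."""
    hits = defaultdict(list)
    for ts, host, ip, _port in parse_log(text):
        if ip in indicators:
            hits[host].append(ts)
    return dict(hits)


def is_beaconing(timestamps, tolerance=timedelta(seconds=5)):
    """True if the gaps between successive contacts are nearly constant.

    Regular check-ins are a common malware signature; fewer than three
    contacts give no interval to compare, so they are not flagged.
    """
    if len(timestamps) < 3:
        return False
    stamps = sorted(timestamps)
    gaps = [b - a for a, b in zip(stamps, stamps[1:])]
    return max(gaps) - min(gaps) <= tolerance


def hunt(text, indicators):
    """Summarize per-host indicator hits: first contact, count, beaconing flag."""
    report = {}
    for host, stamps in find_indicator_hits(text, indicators).items():
        stamps.sort()
        report[host] = {
            "first_seen": stamps[0],
            "contacts": len(stamps),
            "beaconing": is_beaconing(stamps),
        }
    return report


if __name__ == "__main__":
    for host, info in hunt(SAMPLE_LOG, INDICATORS).items():
        print(host, info)
```

The value of the pass is the `first_seen` timestamp: comparing it against the time a ticket was opened gives the dwell time the IG measured at two weeks, and that number is what a hunting program is meant to drive down.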
Regarding the third phase of the incident response lifecycle, the IG found that risks at Interior were not contained or eradicated. In particular, the report indicated that sensitive data could be exfiltrated without detection: during the IG’s technical testing, the OCIO did not detect or prevent the transfer of sensitive information such as PII. Further, the OCIO’s enterprise incident response tools did not block the remote desktop sharing tools used by the IG. Interior’s TIC firewall was also analyzed, and the IG found that its firewall rules did not comply with basic security principles. Consequently, the agency’s firewall allowed excessive outbound traffic, and certain hosting facilities bypassed the TIC architecture altogether.
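The "basic security principle" an egress firewall most often violates is the absence of a default-deny rule with a short allowlist of named services. The following added example (not from the report and not Interior's configuration) audits a simplified, first-match egress rule set for that principle and for catch-all rules that shadow everything after them. It places a constructed wide-open policy beside a constructed hardened one; the rule tuple format, the evaluation order and the RFC 5737 addresses standing in for a TIC proxy segment are all assumptions made for the example.

```python
"""Audit a simplified egress (outbound) firewall policy for least-privilege
principles: no unrestricted allow rules, an explicit final default deny, and
no catch-all rule that shadows later rules.

Added example, not from the IG report or Interior. The rule format is an
assumption: an ordered list of (action, destination, port) tuples evaluated
first-match, with "any" as a wildcard for destination or port.
"""
import ipaddress

# Constructed "weak" policy: everything may leave, nothing is dropped.
WEAK_EGRESS = [
    ("allow", "any", "any"),
]

# Constructed hardened policy: only named services to named destinations
# (198.51.100.0/24 is a documentation range standing in for the TIC proxy
# segment), followed by an explicit default deny.
HARDENED_EGRESS = [
    ("allow", "198.51.100.0/24", 443),    # web traffic via the TIC proxy
    ("allow", "198.51.100.53/32", 53),    # recursive DNS resolver
    ("allow", "198.51.100.123/32", 123),  # NTP
    ("deny", "any", "any"),
]


def audit_egress(rules):
    """Return a list of findings (strings); an empty list means no issue found."""
    findings = []
    if not rules:
        return ["empty rule set: no policy is enforced"]
    for idx, (action, dst, port) in enumerate(rules):
        if action != "allow":
            continue
        if dst == "any" and port == "any":
            findings.append(f"rule {idx}: allows all outbound traffic to any destination")
        elif dst == "any":
            findings.append(f"rule {idx}: allows port {port} to any destination")
        elif port == "any":
            findings.append(f"rule {idx}: allows all ports to {dst}")
    if rules[-1] != ("deny", "any", "any"):
        findings.append("no final default-deny rule; unmatched traffic is not dropped")
    # A catch-all anywhere but last makes every later rule unreachable.
    for idx, (_action, dst, port) in enumerate(rules[:-1]):
        if dst == "any" and port == "any":
            findings.append(f"rule {idx}: catch-all shadows {len(rules) - idx - 1} later rule(s)")
    return findings


def _dst_matches(rule_dst, ip):
    """Wildcard or CIDR containment check for a destination address."""
    if rule_dst == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_dst, strict=False)


def evaluate(rules, ip, port):
    """First-match evaluation; returns the action or 'no-match' if nothing matches."""
    for action, dst, rule_port in rules:
        if _dst_matches(dst, ip) and rule_port in ("any", port):
            return action
    return "no-match"


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_EGRESS), ("hardened", HARDENED_EGRESS)):
        print(name, audit_egress(rules) or ["no findings"])
        print("  workstation -> 203.0.113.7:8443:", evaluate(rules, "203.0.113.7", 8443))
```

Run against the weak policy the audit reports both the unrestricted allow and the missing default deny, and a connection to an arbitrary external host on a non-standard port is allowed; the hardened policy produces no findings and drops that same connection while still permitting web traffic through the proxy segment.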
Finally, the IG found that the department did not learn from prior incidents. The OCIO’s official incident tracking system was not designed to support post-incident analysis. Further, the IG sampled 328 of 3,159 open tickets in the incident tracking system and found that only 82% were documented well enough to understand the incident and its resolution; none contained any indication of lessons-learned activities. Much of this is due to the lack of enterprise oversight of incident analysis, resolution and documentation by the OCIO.
The IG made 23 recommendations as a result of its findings. Among others, the recommendations include creating a new, comprehensive policy for incident response and developing a solution to provide bureaus with consistent access to the enterprise incident response tools. Moreover, the recommendations call for Interior to require that all security incidents be tracked in a single enterprise system for department-wide incident correlation, and that a Security Information and Event Management (SIEM) system be implemented to analyze events across multiple, segregated systems. All of the department’s Data Loss Prevention (DLP) systems must also be able to block the transfer of sensitive information and provide sufficient data to allow incident responders to identify and assess the impact of events. The IG acknowledged that some recommendations could take three to five years to address. Even so, the watchdog states that “in the interim, the Department should consider additional temporary or partial solutions.” Moreover, “we understand that some of these recommendations may require significant investment in cyber security infrastructure as well as the recruitment of additional staff, but the intended timeframe to implement these recommendations remains a concern.”