[02:21] CISA’s CDM Program and Threat Hunting Subdivision

Rachael: This is probably my favorite organization in the federal government. Please welcome to the podcast, Richard Grabowski. He's the acting program manager for CISA's CDM program. And John McBride, Chief of Adversary Pursuit for CISA's Threat Hunting subdivision. 

Richard: Thank you for having us. It's okay to play favorites. 

Rachael: Everyone from CISA's amazing.

Eric: Who do you like better, Richard or Jonathan so far? I'll ask you at the end of the show also.

Rachael: I don't know yet, but just everyone we've talked to at CISA from Krebs and Eric and just all the folks that are wonderful. I love the work that you guys are doing and it just feels fresh, modern, and passionate. 

Eric: Before we get started, can I ask Richard and Jonathan how they feel about your TikTok obsession and the time you're spending? Is that a good safe activity or not?

Richard: I don't get the TikTok. I'm not that old, but I feel like social media has kind of just run LAPD around me at this point. I'm still in the email and chat functions right now, so I don't get it. I'm probably the wrong person to ask.

Eric: John, what do you think? She's on it all the time from what I hear. What do you look at what do you look at, Rachel? 

Rachael: The algorithm figures out how much I love animals. 

Jonathan: I'm not going to lie, I get the dog videos, motorcycle videos, and the woodworking. It's really easy to end up in a downward spiral two hours later. 

 

Executive Order on Cybersecurity

Jonathan: I'm looking at dovetail joints for some new cabinet that is going to be on a list that I will never get accomplished.

Rachael: I have a combo first question. I'd like to talk about the Biden administration and its executive order on cybersecurity. The steps that CISA has taken to improve our nation's cybersecurity, now that Biden's doubled down on it. But part two of that is, I read this really interesting article in Nextgov. It’s saying that basically, the government is ahead of private industry in zero trust implementation and adoption. I wonder, is there a corollary there between the two?

Richard: That's actually interesting you brought that up. On the theme of the government being a head of private industry, I had a conversation with a vendor who will remain nameless. We'll keep it that way.

There was a certain supply chain issue and we were really hammering them on it. Saying, "This code that you all are using is the end of life, end of support, and it's been that way for a while. Why haven't you addressed it?" 

They had said something very similar. It's like, the government's ahead of the curve. I was just like, gobsmacked. Is the government ahead of the curve, a private industry here? I think, to the credit of our leadership and at CISA, they've really talked about speed limits. 

They have really put the pedal to the metal on cyber issues to the extent that we are now really pushing the envelope on a lot of different things. Even if you look at policies and things that CISA's been doing with finding operational directives, they're setting standards right now that doesn't exist, irrespective of federal or private. 

 

A Very Encouraging Sign

Richard: That's a very encouraging sign, I think for people that look to CISA for leadership in cyberspace.

Eric: When I talk to people in the industry or those who want to get into the industry, I think DC, at least for the US, is the hub of cybersecurity. It's where things come together. Now, you may have people at Energy Labs or NASA spread all across the planet, or at least the country, but DC is where cybersecurity's at.

We're not as far as we want to be. There's a lot of work to be done, but I would fully agree with that. I think you see that in the hiring of government employees, former government employees in the banks, and industry across the land.

Jonathan: When it comes to the cyber landscape and kind of leading the charge, I'm a little remiss to hear that the federal government would be ahead of private. But we are trying to push the envelope. At CISA, we're in the middle of a paradigm shift with the way we operate, the authorities that we've been granted by Congress, and so forth.

There's a lot on the rise of us trying to drive innovation as well as help mold the private sector when it comes to cybersecurity. We've got to get away from being more reactionary and get left of boom. So any way that we can do that is by either influencing policy, influencing technology, or capability. This is the hub because it's where everybody comes from. Either they're lobbying for Congress to provide funding for certain capabilities or we're trying to ensure that we have the necessary accesses and authorities to carry out the mission.

 

A Lot of Work to Do with Threat Hunting

Jonathan: So I can see it, but I definitely am going to be hesitant to say that we are ahead of the curve.

Eric: Well, it doesn't mean we're playing in the major leagues right now, necessarily. There's a lot of work to do. The adversaries are growing every day. It's an almost undefendable space. But I do think we need leadership in the space and we are seeing that from the government.

Jonathan: On the leadership front, we're definitely stepping up. We know what we need to do and to carry it out. Again, CISA is at the forefront of trying to ensure that we close at least the hiring gap across the federal government. 

We've got our new hiring program, the CTMS or cyber talent management system. That's one of the ways that CISA's trying to work to ensure that we can close the gap between the federal hiring space and the private sector. CTMS is going to allow us to bring in talent temporarily as a government employee, but at the pay scales closer to what the private market is able to offer.

With that, we can ensure that we can bring in the brightest minds across, not only the technical landscape but even the managerial landscape throughout all of the government. Ensure that we can drive innovation and get federal space to where we are in front of the private sector in driving initiatives, and driving technologies. So there's a lot on the forefront. The program is really new if I'm not mistaken. I had heard director Easterly talk about it during DEFCON. 

 

Sky’s the Limit

Jonathan: This was a process that has been ongoing for the last eight years of trying to get this program up and running. It's only been implemented within the last year. I know we're hiring against it now. So, the sky's the limit. We'll see where it takes us.

Eric: I think when people leave government, this is important also, they leave government to private industry. They have an enterprise view, they understand the government's position and they have education and training they may not get in the commercial world as quickly. So, you're almost infusing that mindset and some of those capabilities even with turnover.

The better job that quite frankly the government does, I think the better protected, in this case, American industry will be too. Now that's a long-term plan, long-term play, there.

Jonathan: There's a lot of exposure that comes in working in the federal landscape. Specifically to CISA, not only are we focused at the federal level, but we're also focused on the state, local tribes, territories, and critical infrastructure. There's a wide swath of what we get to influence as well as what we interact with on a daily basis. From the services that we put into place, like for Richard across the CDM program, continuous diagnostics, and mitigation. But then also in my area in threat hunting.

My boss always likes to talk about how on one given day we could be working in a nuclear plant. We’re dealing with incident response while also interrogating the local coffee shop because it's feeding and supplying the personnel that is working at the nuclear plant.

 

[11:37] Different Avenues of Cyber Threats

Jonathan: There are so many different avenues when it comes to cyber threats. It takes a lot of the holistic chain of what we're dealing with that you're not going to get when you're in the private sector. In the private sector, you're typically focused on your given organization, your given mission set, the technologies that you're dealing with, etcetera.

Whereas the federal government, we have to take everything in at that mile wide, inch deep to ensure that we can provide the most secure cyberspace possible. To ensure that the interest of the US is taken into account.

Richard: What John said is very important. I think that's why CISA exists. America's cyber agency, that central point that can actually see the behaviors, the landscape across all of government. What we do here is a very partnership model. We partner with industry, we partner with agencies and that's to help with this broader enterprise efficacy. You're not going to expect one agency to know or be able to execute very specific things in another agency.

We have healthcare, energy, social services, and different types of things that these very specific agencies deal with. They know at a very parochial level what they need to do around their mission. You need someone that really can break down the silos and do that whole government perspective. That's honestly what we've been doing on the program for quite a while. 

John has eloquently stated, there's a need to make sure that there's that primacy over all of the government. The adversary doesn't respect, "That's a healthcare boundary, so we're not going to go into this." They're going as fast as they can across the silos and someone needs to keep pace with them.

 

Partnerships with Other Agencies on Threat Hunting

Rachael: I can't even imagine what you guys must see day to day. 

Eric: It's like my sock drawer, but it has consequences.

Richard: It truly is a civil service at its best. It is a calling.

Eric: My sock drawer at least has clean socks. They just get dirty. It's got to be a mess. 

Rachael: I love the partnership piece of it because it shields up. I feel like you guys are broader partners to organizations, large and small, with a helping hand. But the partnership with other agencies, in private industry in particular, and on the threat hunting. Have we figured out the information-sharing aspects of how to cross-pollinate details that we're getting? 

I know some folks when they are hit by a breach that sometimes they're reluctant to want to say anything. If it's a ransomware-related thing, they may or may not want to pay and there may or may not be a penalty. But information sharing seems to be a really hot topic still.

Jonathan: As an IT organization to some degree, it's in the title, cyber. Communication is always one of the biggest issues that anyone in IT has. When it comes to collaboration though, CISA is advancing every single day. I'm not going to say it's a perfect situation. We could always be quicker on the draw to ensure that we get information out. 

But CISA, through the various arms that we have, try to ensure that we do collaborate. Not only across the federal landscape, but with our vendors, with the private sector, with our states, local tribes, and territories. We put out our information directives to notify. 

 

Mission Partners in the Intelligence Community

Jonathan: We work with our mission partners both in the intelligence community, as well as our international partners. So the Brits, the Australians, the Canadians, et cetera. In working over incidents as well as indicators of compromise as they come out. We know in the past we've already talked solo lens a little bit. The most recent we had was Log4j. With Log4j, collaboration was one of the biggest proponents to ensure that we could minimize the impact of such a vulnerability across the landscape.

We're working on various initiatives. There's one that we want to ensure that we can make more of a cohesive, analyst environment. Not only within CISA and our mission partners, but all the way down to the agencies, departments, and organizations that we support. We can have analyst-to-analyst collaboration. 

Having a central location where all of the information flows, the analysts can go in and they can do the research. They can obtain the anonymized incident reports and so forth that we've gone out and done our threat hunting on or incident response activities. They can pull that information in and utilize it for their own consumption.

The other aspect is that CISA also puts out informational reports. CISA's not an intelligence agency, so we're not in the business of producing intelligence reports. From those information reports, we can disclose the information that we’ve gained and synthesized across all of the telemetries that CISA has access to at the federal level.

Richard: The other part is, I don't know if you all were tracking this, but a couple of years ago the cyber Solarian commission, I think in March of 2020 had made this call. 

 

Efforts in CISA

Richard: We need the ability to communicate and coordinate faster than before because of how pernicious the adversary is. There are efforts in CISA, you see it through our sister organization, the JCDC. The joint collaborative subdivision over there as well as looking at developing collaboration environments that go faster than email, phone calls, and meetings. That's at the speed at which we need to coordinate especially when we're talking about so many different partners.

There's always a higher probability of things being misconstrued, or miscommunicated. This is a very technical domain that we're talking about, so the need to have that kind of real-time actionable coordination is ever so critical now. 

To be more effective and really create force multipliers, if you will, of the staff that we have across the federal government. Not just that CISA, because CISA can't do it all itself. We need everyone to be able to pony up some resources and be more effective. With better communications and better collaboration, hopefully, we'll meet that requirement.

Eric: So pivoting, I guess this is maybe more for you, Richard, on the executive order and the evolution of the CDM program. Early days, 2012 to 16, 18, somewhere in that window probably had four areas of focus. It was who's on the network, what's on the network, what's happening on the network, and then how are we protecting data?

Recently, I saw that the language seems to have evolved. I want to say this is post executive order, I think 14028 is the executive order. May 21 from President Biden, but you almost align it with more commercially available terms of asset management for what is on the network.

 

Who’s on the Network?

Eric: Identity and access management, IDAM ICAM, for who's on the network. Network security management for what's happening and then the data protection is how are you protecting data? I'm assuming that was a conscious effort to better align. Has a lot changed though over the 10 years? I think about how crazy that question is by just throwing out 10 years of terms. Can anything change? 

Richard: One of the things from a naming perspective to your point is that when we went to those more shorter categories of marketing, we call them capability areas. Asset management, IDAM, NSM, and DPM or data protection networks are here. That is a much easier hook into where the industry is going. 

Certainly, if you look at things like the Zero Trust pillars, you might see that there's some organic alignment there. Looking at data, securing data, identity, and credentials obviously, and asset management devices. Those are natural touch points to be a little tongue-in-cheek. Everything changes all the time, every time. Certainly, what we're trying to do is position the program as a very large acquisition program to be able to keep pace with industry trends.

Those hierarchical arch types of categories of capabilities allow us some flexibility to determine what is the current state of the art of things that fall within those higher-level categories. Then pivot our technical resources in our initiatives to maintain pace with where the industry is going. For example, with EDR, we generally have the network security management capability area. That's where you would've found a lot of our incident detection response.

 

[20:49] A Framework for Threat Hunting

Richard: Thus, that flexibility to pivot into EDR quite easily, quite quickly, and move to action. This is much more of a framework for determining what's important to CDM and the government in cyber. Making sure that we are resourced and have the ability to do it so. That we don't have to deal with a lot of overhead or processes that overly constrain what the program can do.

Eric: So the EO comes out, obviously you knew something was coming out in the areas. I know this had a lot of advisement there. Any surprises or major shifts? Anything you were like, "Whoa, I didn't think they'd be that aggressive"? Or, "I thought they'd pay a little more attention over here"? as it relates to the CDM program. John, I'll come to you from a threat hunting perspective.

Richard: Not necessarily. We did hear word early. I can also spend some time on the language that's in the EO for CDM. It seems fairly modest at first glance. I forget exactly which section that requires agencies to reestablish new MOAs with the program. For those that don't know how the program operates, that's a pretty big deal for us. We've always had this constraint about how we can share information with CISA through the program. 

We used to just be able to do summary information. I think when you look at what's going on in the field, so to speak, in terms of threats and how CISA needs to position itself. Not only as a compliance auditing type of role or risk advisor, but more of a risk reduction, taking active action, a call to action to actually engage. 

 

Lower Level of Telemetry

Richard: You need that lower level of telemetry and you have to engage collaborative partners at a different level than ever before. What that EO did is remove those constraints from the program. Now, we can leverage the architecture to do things that we've always dreamed about but never had the policy to do it. 

So now we're talking, we can get hands-on access to tools when we need to. We can get access to host logs when we need to. In near real-time, we talked about collaborative environments. Determine not only that there's something anomalous going on, but we can actually on a common platform through CDM point to certain areas of data. 

Now our collaborative partners at the agencies can also see and then go after it. Traditionally we've had that challenge that the summary level data can only tell us so much. We can't provide those more detailed types of here's what you need to go suss out and track down immediately. Now we have that capability. It was a huge game changer for us, even though it might not come off that way from the EO.

Eric: John, I'm assuming from your perspective, the agencies are finally starting to get tools. When there's a problem and your team has to engage, there's at least some capability to help you other than reading log files.

Jonathan: When it comes to the threat hunting aspect of the cyber EO, not much was a surprise to us, as you had stated earlier. There was a lot of influence there from the CISA part. But when it came down to it, it was as if you won the lottery. 

 

Go Threat Hunting Give the Adversary a Bad Day

Jonathan: You could get anything that you wanted, money was of no concern. But what is it that we need across the federal government to ensure that we can appropriately get after the adversary and make them have a bad day? CISA put in its input. From that, it was very surprising to see that just about all of those inputs were accepted. Once the EO dropped, we all stood back, jaws on the floor. We're like, "Oh wow. Now we've got a lot of work to do." 

Eric: You got what you asked for.

Jonathan: We really didn't expect to get everything. From a threat hunting perspective, ensuring from CISA's perspective that there are two different fields that we have to look at here. Having agencies have the tools that their resident incident responders can leverage to conduct their own incident response and go forth with state-of-the-art tools is excellent. That's the main thing that we're going after.

Typically, with the way CISA operates, we actually deploy our own kits. When we go in response to a given incident that the agencies, they're waving the white flag. They’re saying, "We need help for a given activity." We deploy our kits, we collect the telemetry, we go forth and do analysis and then assist with providing recommendations for mediation, etcetera.

But with the cyber EO as well as the activity that Richard had alluded to. Having the new CDM MOA put in place allowed CISA to leverage the authorities. They’re what we've recently gained through the National Defense Authorization Act. Section 1705 has proactive threat hunting measures in place as well as proactive red teaming activities. 

 

The Federal Landscape

Jonathan: Essentially, it means that CISA has access to the federal landscape. We can go into organizations and no longer do we have to rely on agencies volunteering or requesting our service. If through our federal telemetry we identify that the adversary is actively within a network and they are exploiting it in its new novel techniques, we can show up. 

We can provide those services, do the investigation, and pull the information back into CISA's analytical environment. Then provide more finite, robust information disclosures to not only the impacted agencies but the rest of the federal landscape.

Eric: How do you do that? The EO and the NDAA enable that, but they've got to have tools that you have access to. Is that enabled through the CDM program?

Jonathan: Yes. We have two ongoing initiatives right now to which we are bringing these capabilities. As part of the Cyber EO activity, section seven discussed ensuring that all agencies would deploy EDR technologies within their security stack. From that, CISA provided an approach. Not only do we get to couple with the EDR deployment across all of the agencies but also be able to collect post-level telemetry.

So no longer we rely solely on the enterprise boundary telemetry that is collected at the network layer. Now we can start to correlate activity across these tool sets that are being made possible through the CDM program. We can correlate that enterprise boundary activity through the layer that takes place within a given agency. And we can go all the way down to the given host. We can see all of that activity taking place at the process level, and then we can correlate that with the outgoing network activity. 

 

The Cyber Kill Chain

Jonathan: From that, we can pivot to make a determination at what point of the cyber kill chain is the adversary. Are they just getting their initial access and then starting to do internal reconnaissance? Or are they trying to actually further that by, "They've identified their target now they want to ex-fill the data." We can see all of that activity taking place at the process level. Then we can correlate that with the outgoing network activity.

Eric: Rachel, can we do a little role-play here? Would you be the secretary of an agency I'll be John McBride and team, and John, check me here. Richard, let me know if I'm doing okay. Madame Secretary, this is John McBride from the CISA's Threat Hunting Subdivision. I think you have a problem.

Rachael: I do? How did you find it? Is it because of this great telemetry? How long have I had it? What can I do about it?

Eric: We're actively hunting on your network, correlating with data across all of the government and other sensors we have. We need to set up a meeting and help you remediate this immediately, understand it and remediate it.

Rachael: I've got time at 2:00.

Eric: You feel good about that?

Rachael: Yes.

Jonathan: I'll say it at a very infant level, that's pretty much how it goes. There’s definitely a lot of coordination that goes into the threat hunting subdivision within CISA. Obviously, we're comprised of many different branches and sections that carry out different roles and responsibilities. We have what we call the mission delivery model. This includes mission coordinators, issue coordinators, and incident managers that are constantly working with the agency CEOs, CIOs, and CSOs, and the disclosure of certain activities.

 

[30:34] How CISA Likes to Operate

Jonathan: While yes, the NDAA authority allows us to go in essentially on a no-knock basis, it really goes against how CISA likes to operate. We want to ensure that it's a collaboration and that agencies understand what we're there for and why we're there to assist. We don't want to, no offense to law enforcement, we don't want to show up and just say, "Hey, we're CISA, we're here to help. You will let us in." But we want to ensure that the agencies understand there is something to gain.

There's a lot of coordination that goes on to disclose all of the information. We put out reports ahead of time. When we identify something at the network layer, once all of these new capabilities come into play, we're able to correlate it down to the most minute process on a given endpoint. We will disclose all of that information back to the agency.

Again, as the federal government, CISA is just a small cog in a very large machine. To think that CISA has all of the capabilities and the personnel to respond to every single incident across the landscape is a little naive. We want to have to depend on the agencies, their expertise, and the personnel that they have hired. Ensure that if they can carry out the mission to do the incident response and remediation, that they do so. Because that ensures that the federal resources within CISA can focus on those agencies who really need the assistance.

Eric: The role play was in jest, but what you really want to do is avoid that. Nobody's calling the secretary of an agency and surprising them. 

 

A Threat Hunting Role Play

Eric: Rachel's response to the impromptu role play was probably similar if you just tell a secretary of whatever, we've got a problem.

Jonathan: While you think it may be in jest, it is actually very close to reality. SolarWinds is a perfect example of that. CISA is getting all of its information across many different avenues, whether it's closed source reporting in the intelligence community. We've got our vendors and partners that are reaching out directly to CISA prior to public notifications going out. To say, "We’ve got an issue. You need to be made aware of this. We've got this vulnerability," or "we've got this activity that we've observed. What do we need to do?"

It really becomes a collaborative effort of CISA game planning with the vendors, with the private sector, and with those that are impacted. We have our vulnerability disclosures where we then reach out to the agencies to notify them. With Solar Winds, a lot of these agencies really had no idea of the breadth of their compromise.

Being able to look across that federal telemetry and say, "Based on the IOCs and knowing how the adversarial techniques are being utilized, we can tell you that you might be at this phase one of a compromise." Whereas another agency might be at phase three because we're already seeing data going back out to command and control elements. The agencies may not have that information up front. 

We provide that information to say, "You may have a really big problem here. So we need you to go forth and look within your own enterprise to validate what we're currently seeing at your boundary." 

 

Wild Goose Chases

Jonathan: We don't have insight into the individual security stacks at all of these agencies and proponents. Because of that, some activities might be mitigated, some may not. With the new technologies and accesses that we are bringing on board as part of the cyber EO activities, we’ll have much higher fidelity access to what's happening within the enterprises. Agencies aren't having to go on these wild goose chases. When CISA knocks at the door, we can tell you all the way down to the given host, this is happening on your network.

You've got a problem, can you handle it yourself or do you need assistance?

Richard: There’s another thing I do want to make sure that it's not lost on your audience. I imagine a lot of them are from the federal space as well, which is how quickly we can get to that. By the way, we should get you both a Pulitzer for that role-play, that was phenomenal. That aside, I don't think it should be missed how efficiently we can get to that conversation. In the past time, you'd have to have a lot of coordination, a lot of discussions, and a lot of meeting rules of engagement. What's going to be deployed, when, where, and what timelines? 

All that gets shortcut by having this access and architecture. Now, you can get to that level of conversation quicker, which is the whole goal. Again, machine speed, machine access, machine conversations, less on meetings and emails and phone calls. The more of that we can cut through, the more effective the limited staff resources we have can be at finding the things that are blinking at night. That's really the goal there.

 

The Tools and Capabilities Needed in Threat Hunting

Eric: So Richard, the CDM program then is really responsible for the tools and capabilities that provide the access. I'm going to reuse the word capability, but the capability to better defend the .gov domain. Without CDM, we'd have a much more difficult time connecting agencies, is my thesis.

Richard: The reason why I like this particular recording is that now you can see it from the operator's perspective, which is John's and the provider's perspective. The two subdivisions that you're talking about right now have different parts of this equation. CDM and the subdivision where we work, are responsible for building out the architecture. It’s building out the capacity to do the things that the operators need, which is in John's vertical. 

I think for those that haven't worked on a very large program like CDM, there’s a lot that goes into buying things at scale, rolling them out, and sustaining them. There's a lot of government process that goes into that, a lot of coordination with industry, a lot of contractual things. We handle all that stuff. We've been doing that for almost a decade now, and we're very good at it.

Now you see it applied to a very specific case where we wanted to move quickly on a very specific capability. Set up partnerships, contracts, the acquisition framework, and procurement processes to get the best-in-class tools to the entire government. Then to enable the persistent access process that is brand new to the government, and to CISA, within a year. That's pretty impressive, at least when it comes to this scale of activities. The government is very large and got a lot of people involved. So we've been very successful, thus far.

 

Moving in the Right Direction

Eric: I feel like we're recording a commercial here, but I'm good with it because I'm happy we're moving in the right direction so quickly. There's also the reporting component that's now coming together. You can report up to the head of government what's happening on America's governmental networks.

If every agency did its own thing, everybody I'm assuming would either have some level of reporting capability. They would report in their own ad hoc way. We'd have how many agencies, but dozens of structures reporting back which would be chaos, for me.

Richard: We talked about machine speed, like visibility and communication. Today or maybe last year, if you had to figure out how badly has the government been owned. You had to circulate a memo, convene meetings, phone calls. It takes a long time. The way that these agencies are structured is that they're very siloed. They have their own operations, their own tools, and their own process. 

It takes a long time to come up with an answer. By the time you get an answer, that information could be OBE. So you need to get faster, you need to get a direct line of sight of what the adversary is doing. That's what John was talking about earlier. Everybody, including Congress, likes to have that touchpoint. A lead position person that can answer quickly without having to go to 15, 20, 30, 50.

How many different CIOs and CSOs get that answer? They need that response immediately. We're building the framework and the plumbing to make that a reality.

Eric: Secretary Lyon is impressed.

Rachael: I told you, this is my favorite organization. It's the reason why. They’re doing great things.

 

[39:04] What Are the Challenges in Threat Hunting?

Eric: What are the challenges, gentlemen? As you're trying to roll this out, the whole of government, the most massive government organization is probably in the free world. In the free world, there have to be barriers to implementation, and slowdowns that frustrate you. As a vendor community, you know you can't trust us. I don't want to put any ideas in your head and I don't like that last one. But, what are the barriers that really keep you up at night?

Richard: For me, we touched on this a little bit. Resourcing is always a key concern. There are multiple different spins on that, by the way, and there are financial resources. Cyber's expensive. Cyber tools are very expensive and you can't buy them all, regardless of what our vendors want to say. We have to pick and choose. 

EDR tools need to be sustained. We build out this capability, the underlying infrastructure that needs to be sustained in order to make it effective and establish permanence to it. So financial resources always keep me up at night, making sure the agencies and CISA have what it needs to be effective.

But also the staff. I mean, the cyber workforce is one, they're fairly stretched thin as it is. We've been busy the last 12, 18 months, more so than I've ever been so in my career. Two, there are just not as many operators out there. We have to continue to fill the pipelines with skilled individuals and get them interested in government work. There are a lot of openings not only in CISA but in the cyber federal workforce. So staffing on the human side keeps me up at night as well.

 

Operational Silos

Richard: Last but not least are the notions of these operational silos. The government has operated in a certain way when it comes to IT management and operations for the past 20, 30, and 40 years in a very specific way. I would say it’s probably not conducive to that operator speed we've been talking about in this podcast. We got to figure out ways to knock down the silos or coordinate amongst them differently than ever before. That is if we're going to try to keep up with some of these very sophisticated threat actors that are out there.

Eric: Can we throw that into bureaucracy in silos?

Richard: That would be another term for it, sure.

Eric: I've been in the commercial industry my whole life other than a couple of years out of high school in the Army. I'd say we have the same problems. The commercial industry is not on the same scale you're dealing with. We don't have all the constraints, maybe, but we can relate. The faster we can move, especially at the speed of cyber, that'd be good.

Eric: Rachael, how many cybersecurity jobs right now are open at the last data that you've seen?

Rachael: The last one I saw was about 3 million, but I think it depends also on your source of truth. It seems to vary sometimes by country.

Richard: Job security is always great, but it does keep you up. Just sleepless nights and working to the 11th hour.

Eric: Pros and cons, just like everything. I know John, you'd love more threat hunters.

Jonathan: Oh, hands down. If we could triple the workforce right now, I would not bat an eye.

 

The Skills Needed for Threat Hunting

Eric: We had a guest on the show way back, probably three years ago, Mike Surelli from Echelon Front. He wrote a book that tells the story of Navy SEALs. He's a former Navy SEAL. He talks about you can't put a job rec looking for a Navy SEAL, because they're trying to make Navy SEALs. If you're a Navy SEAL, you don't have to be made into a Navy SEAL. So they're looking at characteristics and everything.

I'm often reminded that threat hunting is very similar. You may need to look for certain math skills or inquisitive nature. But they're characteristics that I suspect matter more than looking for all threat hunters because there aren't a lot of them out there.

Jonathan: 100%. When it comes down to it, we're really trying to gauge aptitude. If the critical thinking skills are there and you have any prowess about you whatsoever when it comes to a computer. We can teach you what we need you to know. But it's having that inquisitive mind to ensure that you're there to solve the puzzle. 

With threat hunting, a lot of what we do is look for the unknown. There are enough vendors that are out there that are able to go after the broad base attacks that are happening by the billions every single second. What CISA is charged with, is finding the advanced persistent threats that are going undetected by all of the millions of dollars that we're investing into these security systems and preventing them from being successful.

With that, we have to ensure that we bring on those people that are inquisitive, have the aptitude to learn, and constantly want to learn. 

 

A Day at CISA

Jonathan: A day at CISA, not a single one of them is the same. We can go from one day working at a large federal entity to working with a small municipality that is focused on wastewater. 
In the swath that we cover, there is a lot to learn there and there's a lot that we still have to learn.

If we could hire as many as we could influence all the way down to the high school level. Having cyber-related curricula ingested into the public education system is much like how our mission partners do with the college level. We could start to train the workforce at a younger age so that when they get out, they can take on these entry-level jobs and then in a couple of years take over my position. I'll move on to greater, bigger things.

Rachael: To that point on education, with these kids that are born with the iPad in their hand at six months old, should we start younger? Like elementary school, junior high? I have a feeling we're going to start recruiting at a junior high with all these tech CEOs who are 14 years old now. I'm excited about our future in that regard. But I would love for people to get excited even earlier in life for security and threat hunting and all the things that come with this.

Jonathan: Hands down, if we could invest up front into STEM, there are kids that are in their middle school age who could probably out-program me any day of the week. Because from the time they could put a tablet in their hand, they've been working on these programs. 

 

An Undercurrent of Intimidation on Cyber

Jonathan: They've been dealing in robotics and other things. I grew up on the Atari. It was a joystick. So these kids are far more advanced than we were.

Richard: I have an engineering background by education, and I think there's this undercurrent of intimidation when it comes to STEM. You can make it accessible and you can make it as technically difficult as you want to. I think there's an educational change here that we have to look at. 

Don't be intimidated by cyber, don't be intimidated by tech. It can be very accessible. I have a five-and-a-half-year-old at home. To your point, the iPad is already functional and knows how to access the settings and drop wifi connections. Things that I didn't get to until I was in my twenties. I think that the next generation will be well prepared, just don't be intimidated by it.

I think the idea of being a threat hunter is almost like a digital detective of sorts. You get to find interesting things, find the story, find the thread, it becomes a very rewarding type of experience. If there are people that have that acumen, that have that interest, I would say don't be intimidated. Get your hands dirty.

The other thing is that we live in a great age of information. You can access a lot of stuff that is free. We have vendors that have free training and it is good stuff. Stuff that you would have to have paid thousands of dollars for. It's on YouTube or on various knowledge-based articles that are published. There is enough information out there that if you want to learn cyber, you can do so. All you need is a working computer, internet, and time.

 

[48:09] Technical Aptitude to Perform Threat Hunting Jobs

Jonathan: The plug comes back to the CTMS. That new process actually tests your technical aptitude to perform the job. So no longer are we really trying to align to what the federal GS civilian scale was, which is, "You had to have a college degree. You had to have all of these certs in order to do the job."

By using all of the open source information that is out there, you can become as technically proficient as people who hold 15 different certs. They've got the alphabet suit behind their name, but if you can perform the job, you can get hired at CISA.

Eric: You show the characteristics and ability.

Jonathan: 100%.

Rachael: Just a real quick plug for InfoSec Twitter. What you're talking about is hitting on a lot of the frustrations I think that I'm seeing with the folks wanting to get into cyber. They're, "I don't have all the alphabet soup, but I can do all these things." Or, "I'm perfectly aligned with what you're looking for, but you say I don't have enough experience. I've got 15 years' experience." It sounds like there's a huge door open with CISA. People just need to know that it's there and they could walk through it tomorrow if they've got the skills and the aptitude. 

Eric: This is not new to us. We've heard guest after guest says the same thing. It's also not tied to CISA. I mean CISA's hiring, it's awesome to hear what you gentlemen are looking for. But the whole world seems to be hiring for the same types of characteristics.

 

Things Critically Important in the Program

Eric: For anybody who wants to get into the industry, there are multiple avenues. I love the characteristics John gave us. Critical thinking, problem-solving, aptitude to learn. Richard, I think you'd probably agree those are critically important in the program.

Richard: I've never heard of one yet, but there's got to be a marketplace out there somewhere for a cyber trade school. You don't have to have a comp-sci degree to understand how cyber works, even though certainly those types of skill sets are meaningful.

Eric: SANS may be the closest I can think of. There's a lot of stuff on YouTube, there's a lot out there as we've been talking about. But in my mind, SANS is probably the closest. I hear a lot of kids coming out of college or in college. They're in these crazy cyber programming, IT, whatever you want to call it. The degrees are all different, but they're going for degrees. But I don't know, SANS is probably the best I've heard so far.

Jonathan: I'll say SANS is great. For what it does, you definitely will out of a SANS course with that technical proficiency that you're looking for. But again, the big issue is trying to close that gap to ensure that cyber education is available to all. At the current price point, and

I'm not bashing SANS by any means, it's a business model that they have. But not everybody can afford to take that SANS course.
So being able to leverage all of the open source available information, I will say it hands down every day of the week. If you can get on YouTube, you can get on Twitter, then you can learn cyber. 

 

Security Researchers

Jonathan: There are so many security researchers that are out there who are constantly disclosing the things that they are researching. They will put on full-on YouTube sessions of, "This is how I de-obfuscated this malware chain to find the payload that was reaching out to this C2 infrastructure," hosted in Timbuktu.

Being able to close that gap is one of the key things that we have to do. Because again, and this is just my own personal plug, your financial status shouldn't dictate the success that you can reach in the future. The education is out there, you just have to be willing to do the research and find it.

To Richard's point, if we could have that more robust availability of that information and then tie it into the current education systems, we can close the gap. We can have everybody from all walks of life across the US that can come in and fill these 3 million empty positions in cyber. Because again, we're looking for the aptitude. We're looking for the skills and the capability. We'll train you to do whatever you need to do, but you have to have that mindset.

Eric: And desire. We're at the end of our time, but gentlemen, I can't thank you enough for coming on the air with us and spreading the word. This is a very uplifting story.

Rachael: These are my favorite conversations, too. Because in addition to TikTok, I spent a lot of time on Twitter as well. I love that people want to share information, they want to help the next generation come up. They want to give people some insights and tools on how to succeed in this world.

 

Plenty of Room for Everyone in Cyber

Rachael: It's like what Tony Sager was saying, it's time to get rid of the wizards behind the curtain. Let's open up the curtain because there's plenty of room for everyone here. When we all work together, we all succeed. 
I feel like InfoSec Twitter or our community really does embrace that.

We want more people, we want everyone to come in. It only makes all of us stronger when we have all the folks around us who know what they're doing. I'm very excited for the future ahead when I think about the next generations coming up and all the great work that's going on to enable them.

To all of our listeners, thanks again for joining us for another awesome conversation. We just love everyone at CISA and thank you John and Richard again for joining us. Don't forget, tiptoe over to that subscription button and you get this episode right in your email inbox every Tuesday. Until next time everybody, be safe.

 

About Our Guests

Richard Grabowski: Acting Program Manager for the Continuous Diagnostics and Mitigation (CDM) at CISA

As Acting Program Manager for the CDM program, Richard has specific responsibilities. It includes managing portfolios to deliver CDM capabilities to agencies, engineering deployment, architecture-related activities, program support, acquisition, and outreach activities. Through partnerships with agencies and industry, the CDM Program fortifies the cybersecurity of civilian government data and networks. It’s providing capabilities that deliver relevant, timely and actionable information.

CDM enables cybersecurity professionals to manage risks. It’s providing innovative tools, processes, governance and training required to defend against cybersecurity threats and vulnerabilities. Prior to Richard’s current role, he led the CDM Program’s Architecture and Technology Integration Section. He started with CDM in 2014 as a Systems Engineer supporting the CDM Dashboard and Dynamic and Evolving Federal Enterprise Network Defense.

DEFEND is formerly Task Order [TO2]) Group C agencies. Previous to this, Richard spent over nine years providing client/server and virtualization integration services to the Federal government. Richard holds a B.S. in Systems and Information Engineering from the University of Virginia. He also has an M.S. in Systems Engineering from The George Washington University.

 

Jonathan McBride: Chief of Adversary Pursuit, CISA’s Threat Hunting subdivision

McBride oversees CISA's federal persistent hunt mission and services. He’s driving innovation in service delivery, sensing solutions, detection, and advanced analytics. Previously, he served as an engagement lead within the Host Forensics Section of CISA’s Threat Hunting Subdivision. He was leading rapid response personnel on incident response activities. He’s supporting the federal government, states, local tribes, territories, and critical infrastructure.

McBride has reached this point in his career by a non-traditional path. He was a third-generation US Army veteran who served the special operations community as a military intelligence specialist. McBride completed multiple deployments to Iraq, Afghanistan, and Africa focused on counter-terrorism and counter-insurgency operations. Upon leaving the US Army he transitioned into the cybersecurity workforce. There, he worked as a computer network defense (CND) intrusion analyst and quickly excelled.

Highlights include CND Operations lead for the Missile Defense Agency’s Ground-Based Midcourse Defense Intercontinental Ballistic Missile system. He’s a senior Fusion Analyst for Defense Information Systems Agency – Europe. He supported the Department of Defense’s European and Africa Combatant Commands. McBride was the Information Assurance Branch Chief for the Executive Office of the President – Office of Administration. He was also the Incident Response Manager for the Federal Communications Commission. He’s an avid outdoorsman and dabbles in ultramarathon running.