NSA’s Cybersecurity Operations Mission in the Public Eye
NSA
April 5, 2018
By David Hogue
Until four years ago, destructive cyberattacks were rare, though the few that occurred were very notable, carrying national security implications and generating widespread public concern. The 2014 attack on Sony Motion Pictures, performed by the Democratic People’s Republic of Korea (North Korea), was one such incident.
More recently, news headlines such as the Equifax breach and the cyberattack during the Olympic Opening Ceremony have showcased the continued aggressive and disruptive activities in the cyber threat landscape. These two instances represent the range of disruption that such attacks can cause: the Olympic attack caused only a momentary takedown of the Olympics website, whereas the Equifax breach resulted in the potential exposure of sensitive data on 145.5 million U.S. consumers. The rising regularity of these attacks is evidence that we are in the midst of a troublesome escalation in major, disruptive incidents.
This trend did not take NSA by surprise. For more than 65 years, the National Security Agency has worked hard to stay ahead of such threats, which are real, evolving, and growing. NSA has two complementary missions: 1) we provide foreign intelligence to our national leaders and combatant commanders in defense of the nation, and 2) we provide solutions to secure and defend National Security Systems (often referred to as NSS), which handle the most sensitive data of the federal government and military.
Those two missions come together in NSA’s Cyber Threat Operations Center (NCTOC), where we leverage our unique insights into foreign threat actors to ensure the nation’s critical networks are equipped with this knowledge and defended to the best of our ability. Our Operations Center has historically focused on the top four cyber threats identified by the Director of National Intelligence: China, Iran, Russia and North Korea. Alongside the increase in the frequency and boldness of attacks, we have seen fundamental shifts in the way our adversaries operate in cyberspace, as they continuously aim to conceal their activity and evade detection.
As NCTOC works significant cybersecurity events occurring throughout the world, we equip our partners with the intelligence necessary to ensure a robust national cyber network defense posture. Furthermore, NSA is striving to be more involved in the public discourse on cybersecurity, helping to educate and inform cybersecurity practices. Learn more about the NCTOC Top 5 Security Operations Center Principles below.
Recognizing that the dynamic cybersecurity threat landscape demands an around-the-clock vigilance, NCTOC has made one of the largest cybersecurity personnel investments in 24/7/365 operations across the U.S. government.
In partnership with U.S. Cyber Command and the Defense Information Systems Agency (DISA), NCTOC is on the ‘front lines’ in defending the unclassified Department of Defense Information Network (DoDIN), which serves over 2.9 million users in places ranging from the battlefields in Afghanistan to the nation’s capital. For me, it is both an honor and a privilege to be a part of this dedicated workforce. Our mission never sleeps as we defend the nation’s most critical networks.
NCTOC Top 5 Security Operations Center (SOC) Principles
NSA’s Cybersecurity Threat Operations Center (NCTOC) serves as the focal point for execution of the agency’s 24/7/365 cybersecurity operations mission. NCTOC leverages unique insights into adversary intentions and tradecraft to develop and implement strategic defense measures for the nation's most critical networks.
NCTOC resources fully equipped teams who partner with U.S. Cyber Command to serve as the front lines in defending the unclassified Department of Defense Information Network (DoDIN), a global network encompassing 3 million users everywhere from office buildings in Washington, D.C., to battlefields in Afghanistan. This enormous footprint encounters a wide variety of cyber threats on a daily basis, and from our years of experience, NCTOC offers the following 5 key principles for those who operate in, or oversee, a Security Operations Center (SOC):
1. Establish a defendable perimeter
Over the last several years, the DoDIN network infrastructure has been consolidated so that, rather than hundreds of enclaves with direct connections to the Internet, DoDIN traffic is routed through a very finite number of Internet-facing gateways. This results in centralized coverage of over 99% of network traffic, sharpening the ability to detect threats while reducing the attack surface an adversary can potentially exploit. A defensible perimeter should also utilize a combination of known indicators, heuristics, and behavioral analysis, deployed across an array of host-based (computer/endpoint) and network-based (boundary protection) platforms, to see and act upon cyber activity in real time.
2. Ensure visibility across the network
Visibility and continuous monitoring of network traffic must encompass all levels of the network, including gateway, midpoint, and endpoints. If a rule-set alerts at the network level, analysts must be able to pinpoint and isolate the actual end-host which generated the activity. The efficacy of this process should be measured in minutes, not hours. Furthermore, as the majority of network traffic becomes encrypted, SOCs must architect solutions to ensure visibility against sophisticated threats that blend into legitimate activity.
3. Harden to best practices
Incidents are most often a result of vulnerable networks that are not compliant with current software and hardware updates, as well as substandard security practices such as using products that are no longer vendor-supported. Furthermore, when an exploit is disclosed or a patch is released, within 24 hours the DoDIN is scanned for unpatched servers by malicious actors. Therefore, applying updates in a timely manner to reduce vulnerability exposure and maximize software reliability and protections remains one of the best defense practices NCTOC can advocate.
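Principles 2 and 3 above describe a single triage workflow: a perimeter rule fires on traffic that only shows the gateway's public address, the analyst walks it back through NAT and DHCP records to the actual end-host, and the host is then checked against the asset inventory for the hardening gaps the text names (unsupported product, patch still pending past the 24-hour scan window). The following is an added illustration written for this page, not NCTOC or DoD code; the alert, NAT log, DHCP log and inventory are all constructed, and the log formats and the `pinpoint` helper are assumptions for the example.

```python
"""Trace a perimeter alert back to an end-host and check its hardening state.

Added example; log formats, host names and addresses are constructed
(RFC 5737 documentation ranges for the public side), not real data.
"""
from datetime import datetime
from typing import Optional

# Constructed perimeter IDS alert: only the gateway's public IP:port is visible.
ALERT = {
    "time": "2018-03-12T14:07:31Z",
    "sig": "CONSTRUCTED-SIG outbound beacon",
    "src_ip": "203.0.113.10",      # gateway public address
    "src_port": 51234,
    "dst_ip": "198.51.100.77",
    "dst_port": 443,
}

# Constructed gateway NAT translation log (inside addr:port -> outside addr:port).
NAT_LOG = [
    "2018-03-12T14:05:02Z NAT 10.20.4.18:49511 -> 203.0.113.10:51234 closed=2018-03-12T14:06:10Z",
    "2018-03-12T14:07:29Z NAT 10.20.4.55:60013 -> 203.0.113.10:51234 closed=2018-03-12T14:09:00Z",
]

# Constructed DHCP lease log: which MAC/hostname held an inside address and when.
DHCP_LOG = [
    "2018-03-12T08:00:00Z LEASE 10.20.4.55 mac=00:11:22:33:44:55 host=WS-ENG-0417 expires=2018-03-12T20:00:00Z",
    "2018-03-11T08:00:00Z LEASE 10.20.4.55 mac=aa:bb:cc:dd:ee:ff host=WS-FIN-0102 expires=2018-03-11T20:00:00Z",
]

# Constructed asset inventory: vendor support end and the release time of a
# patch that has been published but not yet installed on the host.
INVENTORY = {
    "WS-ENG-0417": {
        "product": "ExampleOS 7 (constructed)",
        "support_ends": "2017-12-31T00:00:00Z",
        "pending_patch_released": "2018-03-10T00:00:00Z",
    },
}

PATCH_WINDOW_HOURS = 24  # the scanning window the principle describes


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_inside_endpoint(alert: dict, nat_log: list) -> Optional[str]:
    """Return the inside ip:port whose NAT translation covers the alert time."""
    t = parse_ts(alert["time"])
    outside = f"{alert['src_ip']}:{alert['src_port']}"
    for line in nat_log:
        opened, _, inside, _, out, closed = line.split()
        if out == outside and parse_ts(opened) <= t <= parse_ts(closed.split("=", 1)[1]):
            return inside
    return None


def find_host(inside_ip: str, t: datetime, dhcp_log: list) -> Optional[dict]:
    """Return the lease (mac, hostname) that held inside_ip at time t."""
    for line in dhcp_log:
        start, _, ip, mac, host, expires = line.split()
        if ip == inside_ip and parse_ts(start) <= t <= parse_ts(expires.split("=", 1)[1]):
            return {"mac": mac.split("=", 1)[1], "host": host.split("=", 1)[1]}
    return None


def pinpoint(alert: dict, nat_log: list, dhcp_log: list, inventory: dict) -> dict:
    """Walk the alert back to the end-host and list hardening findings."""
    t = parse_ts(alert["time"])
    inside = find_inside_endpoint(alert, nat_log)
    if inside is None:
        return {"inside": None, "host": None, "findings": ["no NAT translation covers the alert"]}
    host = find_host(inside.split(":")[0], t, dhcp_log)
    findings = []
    if host is None:
        findings.append("no DHCP lease covers the alert time")
        return {"inside": inside, "host": None, "findings": findings}
    asset = inventory.get(host["host"], {})
    if asset and parse_ts(asset["support_ends"]) < t:
        findings.append(f"{asset['product']}: vendor support ended")
    if asset.get("pending_patch_released"):
        hours = (t - parse_ts(asset["pending_patch_released"])).total_seconds() / 3600
        if hours > PATCH_WINDOW_HOURS:
            findings.append(f"unpatched {hours:.0f}h after release (exceeds {PATCH_WINDOW_HOURS}h window)")
    return {"inside": inside, "host": host, "findings": findings}


if __name__ == "__main__":
    print(pinpoint(ALERT, NAT_LOG, DHCP_LOG, INVENTORY))
```

The NAT lookup matches on the full translation interval rather than on address alone, because the first constructed translation reused the same public port minutes earlier for a different host; matching on port without the time bounds would blame the wrong workstation. The same time-bounded matching is applied to DHCP leases, which is why the lease from the previous day on the same address is not returned.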
4. Use comprehensive threat intelligence and machine learning
Threat intelligence sources should be tailored to the network environment. For example, the DoDIN may not be subject to the same cyber threat activity that a hospital network may encounter. SOCs should understand the defensive architecture that is already in place, determine what network assets may be of value to an adversary, and tailor threat intelligence feeds accordingly. Furthermore, when faced with an overwhelming amount of threat intelligence or network activity alerts, SOCs should employ data science and machine learning concepts to expeditiously distill this volume into actionable results. Security teams should have the capacity both to respond to pre-existing alerts and to proactively hunt for previously undetected threat activity across the network.
5. Create a culture of curiosity
Cybersecurity metrics based on how fast an incident ticket is closed can be misleading. Responders may focus on closing the alert, as opposed to seeking a holistic understanding of the threat activity. Incident responders should be challenged to anticipate the reactions an adversary would use against newly implemented countermeasures, as a persistent adversary may continue to probe for entry points into a network of interest. SOCs should always strive to take preemptive defensive actions and infuse an innovative mentality amongst their teams in pursuit of new adversary tradecraft.
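Principle 4 above makes two concrete recommendations: filter an indicator feed down to what is relevant to the platforms and assets actually present, and rank the resulting alerts by what an adversary would value so that a large volume becomes a short, actionable list. The following is an added example written for this page, not NCTOC code; the indicator feed, asset inventory, connection log and the scoring rule (asset value multiplied by indicator confidence) are all constructed assumptions for illustration.

```python
"""Tailor an indicator feed to the local environment and rank the matches.

Added example; feed entries, hosts, addresses and the scoring rule are
constructed (RFC 5737 ranges and .example domains), not real intelligence.
"""
from collections import Counter

# Constructed indicator feed. "platform" records what the reported activity
# targets; a hospital-only threat is present to show it being filtered out.
FEED = [
    {"ioc": "198.51.100.77", "platform": "windows", "confidence": 0.9, "campaign": "CONSTRUCTED-A"},
    {"ioc": "203.0.113.200", "platform": "medical-device", "confidence": 0.95, "campaign": "CONSTRUCTED-B"},
    {"ioc": "evil.example", "platform": "any", "confidence": 0.6, "campaign": "CONSTRUCTED-C"},
    {"ioc": "10.0.0.1", "platform": "any", "confidence": 0.2, "campaign": "CONSTRUCTED-D"},
]

# Constructed asset inventory: platform in use and value to the mission (1-10).
ASSETS = {
    "WS-ENG-0417": {"platform": "windows", "value": 3},
    "SRV-AD-01": {"platform": "windows", "value": 10},
    "WS-LAB-0901": {"platform": "linux", "value": 2},
}

# Constructed connection log: "<time> <host> -> <destination>:<port>".
CONN_LOG = [
    "2018-03-12T14:07:31Z WS-ENG-0417 -> 198.51.100.77:443",
    "2018-03-12T14:08:02Z SRV-AD-01 -> 198.51.100.77:443",
    "2018-03-12T14:09:15Z WS-LAB-0901 -> evil.example:80",
    "2018-03-12T14:10:00Z WS-LAB-0901 -> 203.0.113.200:443",
    "2018-03-12T14:11:00Z WS-ENG-0417 -> 10.0.0.1:22",
]


def tailor_feed(feed: list, assets: dict, min_confidence: float = 0.5) -> list:
    """Keep indicators that target a platform present here and clear the confidence floor."""
    platforms = {a["platform"] for a in assets.values()}
    return [
        i for i in feed
        if i["confidence"] >= min_confidence
        and (i["platform"] == "any" or i["platform"] in platforms)
    ]


def match_alerts(conn_log: list, indicators: list, assets: dict) -> list:
    """Match destinations against indicators; rank by asset value x confidence."""
    by_ioc = {i["ioc"]: i for i in indicators}
    alerts = []
    for line in conn_log:
        _, host, _, dest = line.split()
        ioc = dest.rsplit(":", 1)[0]
        hit = by_ioc.get(ioc)
        if hit is None:
            continue
        value = assets.get(host, {}).get("value", 1)  # unknown hosts get a baseline value
        alerts.append({
            "host": host,
            "ioc": ioc,
            "campaign": hit["campaign"],
            "score": round(value * hit["confidence"], 2),
        })
    return sorted(alerts, key=lambda a: (-a["score"], a["host"]))


def summarize(alerts: list) -> dict:
    """Collapse individual hits into a per-campaign count an analyst can act on."""
    return dict(Counter(a["campaign"] for a in alerts))


if __name__ == "__main__":
    tailored = tailor_feed(FEED, ASSETS)
    ranked = match_alerts(CONN_LOG, tailored, ASSETS)
    print(f"raw hits: {len(match_alerts(CONN_LOG, FEED, ASSETS))}, tailored hits: {len(ranked)}")
    for a in ranked:
        print(a)
    print(summarize(ranked))
```

Against the constructed data, matching the raw feed produces five hits, while the tailored feed produces three, with the domain controller's contact with the high-confidence indicator ranked first. The confidence floor and the platform filter are the two knobs the principle describes; in practice both would be informed by the defensive architecture and asset valuation the SOC has already done.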
IC Officers Engage at National STEM Academic Conference
NGA
Jan 25, 2018
For the third consecutive year, members of the United States Intelligence Community (IC) joined the “Out in Science, Technology, Engineering, and Mathematics” (oSTEM) National Conference in Chicago, Illinois. This conference brings together distinct talent from across the IC and provides the opportunity to dispel misconceptions of being Lesbian, Gay, Bisexual, Transgender, and Queer (LGBTQ) in the IC.
oSTEM is a national organization that focuses on educating, empowering, and engaging a diverse community, as well as identifying, addressing and advocating for the needs of LGBTQ students. oSTEM works to fulfill these students’ needs through mentorship, networking, strategic collaboration, and professional development.
The conference had more than 700 STEM undergraduate and graduate students from universities across the country.
One session, the Career and Graduate School Bootcamp, provided an opportunity for the students to engage with industry partners and hone their skills for interviewing, resume writing, and “elevator pitching.” Members of IC Pride, the ODNI LGBT IC Affinity Network, were on hand to meet with the students and discuss STEM careers in the IC.
Lee M., Chair of IC Pride and an inspector with the National Geospatial-Intelligence Agency (NGA), said, “The boot-camp provided an informal environment for the students to engage with industry. Many of the students with whom I spoke came by the job fair to drop off their resumes. [It] was a great icebreaker.”
Chris M., the Deputy Director of Equal Employment Opportunity & Diversity at the National Security Agency (NSA), was a panelist in the Inside Scoop from Professional Recruiters workshop. He shared unique insights into making resumes and cover letters stand out from the crowd and provided tips to avoid common pitfalls. Chris highlighted the importance of social skills like collaboration, attitude, and self-awareness.
“From 15 years of experience as a technical recruiter, applicants often forget that their interpersonal skills are equally important to showcase along with technical skills since most companies have highly-collaborative, team-based environments,” he said.
The Career and Graduate School Expo drew a healthy crowd, and the attendees had an opportunity to ask questions and network. ODNI sponsored an IC booth; professional recruiters from CIA, DIA, and NSA were on hand to answer questions about their respective agencies; and members of IC Pride from CIA, NGA, NSA and NCTC provided their insights to the students on being LGBTQ in the IC.
Chris C., a CIA LGBT Community Outreach Program Manager, noted that more than 100 students stopped by the IC and CIA booths. He said, “A large majority of the students who approached the booth were highly qualified in their academic prowess and overall suitability for entry-level positions in the IC.”
CIA led a special two-hour workshop entitled “How Your STEM Background Will Help CIA Accomplish Its Mission.” The Directorate of Science & Technology and the Directorate of Digital Innovation facilitated a simulation exercise that allowed students to have the opportunity to assess data, evaluate the implications for U.S. interests and present their conclusions.
Brian S., Co-Chair of IC Pride and an engineer at NSA, said, “oSTEM is a great recruitment opportunity for the IC. Not only did this year have 25% of the attendee population self-identifying as gender non-binary, but also each of the sessions and speakers were able to show the educational and business imperatives of being inclusive to the intersections of the queer community and other diverse populations. These students are extremely high performing, and their personal experiences will be essential in bringing mission success to the future of the U.S. Intelligence Community.”
The oSTEM National Conference strives to provide a safe place for all people to express themselves and contribute to the mission where diversity drives innovation. The 2018 oSTEM National Conference will be held in Texas. For more information on careers in the IC, visit IntelligenceCareers.gov.