Key Takeaways from US Presidential Executive Order on Cybersecurity
The latest White House Executive Order from President Biden outlines sweeping changes and requirements by the current administration to immediately enable the public and private sectors to combat rapidly increasing digital and physical threats that are impacting commerce, trade, and government agencies and services across the United States. This renewed commitment to cybersecurity is a step forward for both the public and private sectors. Within this post, we’ll provide a brief summary of each of the major sections of the executive order on cybersecurity, as well as key takeaways for threat intelligence teams looking to proactively implement solutions for these sections.
Executive Order on Cybersecurity: Section 1. Policy
Section 1 outlines the Federal Government’s renewed commitment to improving cybersecurity efforts to “identify, deter, protect against, detect, and respond to” cyber incidents as a top priority of national and economic security. Many of today’s cyber incidents occur outside an organization’s traditional security perimeter. The ability to identify, analyze and disrupt external threats outside the perimeter on public platforms such as social media, surface, deep and dark web, code shares, paste sites, mobile apps and more is a necessity to reduce risks and mitigate impact to organizations.
What Security Teams Can Do
- Focus on External Threat Intelligence and Protection: Understanding the digital threat landscape is critical for improving cybersecurity efforts. Extend protection outside your internal networks onto public platforms to identify, detect and respond to impersonations, phishing, fraud and other digital threats that can lead to breaches.
- Remediation and Disruption: One of the key elements of the outlined policy in this executive order on cybersecurity is the need to not only identify but respond to threats. ZeroFox goes beyond simply alerting on cyber incidents and takes action to address the immediate threat as well as dismantle the attacker infrastructure leveraged to conduct current and potential future attacks.
Section 2. Removing Barriers to Sharing Threat Information
Section 2 of the executive order on cybersecurity focuses on breaking down barriers between the public and private sectors. Current contract terms or restrictions may limit the sharing of threat or incident information with executive departments and agencies that are responsible for investigating or remediating cyber incidents. Integrations between the private and public sectors are critical for enriched threat intelligence at scale. Rapid information dissemination via tightly integrated and automated connections will radically improve and support all parties involved. Threat intelligence needs to become part of the daily process in cybersecurity, similar to how first responder networks have improved public safety and saved lives via faster and more efficient dissemination of information. To help accomplish this, ZeroFox enhances intelligence programs by integrating with 700+ data and technology providers.
What Security Teams Can Do
- Integrate Security Tech Stack: Threat intel teams typically leverage 7+ tools for identification, analysis and remediation, according to Forrester. It’s critical that these systems speak to each other in order to understand the full scope of threats facing your organization. ZeroFox has partnered with hundreds of security, technology, digital platform and data providers, integrating the unique intelligence and IOCs ZeroFox provides into your larger security and operations technology stack. The ZeroFox Threat Feed provides government customers and organizations API-based delivery of all relevant IoCs for detected threats, campaigns, threat research findings, and disrupted attacker infrastructure (taken down/spoofed domains, malicious IPs, etc.) for defense hardening and blacklisting.
- Gain Access to Global Intelligence: Situational awareness of not only the unique threats facing your business but also global threat trends is important for removing barriers to threat information. ZeroFox conducts global threat research that is made available to all customers in the form of strategic advisories directly in the platform, on the mobile app, and sent via email. These advisories include detailed intelligence on breaches, adversaries, campaigns and breaking news.
Section 3. Modernizing Federal Government Cybersecurity
Section 3 outlines the Federal Government’s commitment to adopting security best practices, advancing toward Zero Trust Architecture, accelerating movement to secure cloud services, including Software-as-a-Service (SaaS), Infrastructure-as-a-Service (IaaS), and Platform-as-a-Service (PaaS); and centralizing and streamlining access to cybersecurity data. This drives analytics for identifying and managing cybersecurity risks and investments in both technology and personnel to match these modernization goals. Advocacy for and adherence to standards such as NIST and MITRE ATT&CK are part of achieving this objective. Many people within the government have been focused on this modernization, but it has not moved fast enough or been widely adopted. There needs to be a greater catalyst for change. The pandemic has given us a very public example of how radical IT transformation in a short period of time can and will help ensure continuity of business and capability. Movement to a modern architecture, data flow and delivery will improve security, monitoring and response.
What Security Teams Can Do
- Focus on Both Detection and Remediation: Government organizations increasingly rely on third-party digital platforms to engage with citizens, provide services, and fulfill their purpose. Attackers exploit these same public-facing platforms to launch attacks and steal proprietary information and identities/credentials. Continuous monitoring and detection, along with quick remediation, are requirements to operate securely in this public ecosystem.
- Leverage NIST Standards: In March 2020, the National Institute of Standards and Technology released the latest draft of its fifth major revision to Special Publication 800-53. In Revision 5, NIST advises organizations to additionally (1) choose and notify designated personnel when evidence of information disclosure is discovered and (2) define and follow some course of action in response. ZeroFox contributed to the draft v5 standard, drawing from our experience as an industry leader in providing detection, alerting and procedural remediation based on established playbooks to help organizations secure the public attack surface.
- Reference the MITRE ATT&CK Framework: MITRE’s ATT&CK framework suggests defensive actions that disrupt adversaries and reduce their ability to gather the information required to launch successful, targeted intrusions. ZeroFox enables organizations to adhere to this framework via its managed service offering.
Section 4. Enhancing Software Supply Chain Security
Section 4 of the executive order on cybersecurity mandates improved security and integrity measures for ‘critical software’ provided to and used by the federal government, including monitoring operations and alerts and responding to attempted and actual cyber incidents, auditing trust relationships, and participating in a vulnerability disclosure program that includes a reporting and disclosure process. Many of today’s cyber incidents occur on externally facing infrastructure (outside the traditional security perimeter) used to engage stakeholder constituents. We have to look no further than the Colonial Pipeline ransomware-triggered shutdown for why this matters. Although the private sector has started to focus on the digital supply chain and its impact, that supply chain has created points of risk exposure to other networks and systems. Security leaders need visibility and defensibility throughout their supply chain to keep business and commerce running.
What Security Teams Can Do
- Conduct Third-Party Risk Assessments: Understanding the potential risk of the third-party systems your team relies on is critical. ZeroFox periodically conducts third-party risk assessments via our threat investigations team to identify vendor supply chain vulnerabilities. This includes identifying vendor digital footprints, such as exposed confidential or sensitive data, credentials, identities (PII) or other proprietary information that can lead to further compromises.
- Find Impersonators Before They Attack: Supply chain attacks can originate with impersonation of key personnel at either buyer or supplier organizations. ZeroFox monitors for executive and brand impersonations and can quickly take down offending accounts and sites, thwarting phishing attacks and preventing further organizational or employee compromise.
- Identify Vulnerabilities: ZeroFox identifies vulnerabilities (open ports, expired certificates, misconfigurations, etc.) in these platforms and further identifies, analyzes and disrupts external threats (such as impersonations) outside the perimeter on public platforms such as social media, surface, deep and dark web.
Section 5. Establishing a Cyber Safety Review Board
Section 5 mandates the creation of a Cyber Safety Review Board under the leadership of the Secretary of Homeland Security, in consultation with the Attorney General. The board’s membership will include federal officials and representatives from private-sector entities. Collaboration and rapid dissemination of information is critical for cyber safety. The establishment of an oversight and review board will drive visibility and accountability needed to enhance private-public cooperation. ZeroFox continues to participate in several working groups and maintains a customer advisory board for sharing knowledge and intelligence for both the private and public sector.
What Security Teams Can Do
- Participate in Threat Sharing and Thought Leadership Groups: Towards the goal of removing barriers to global threat information, in recent years several working groups focused on specific threats like phishing have emerged to enable better global threat detection. ZeroFox is an active member of APWG, M3AAWG, FS-ISAC and other collaborative working groups dedicated to the global identification and remediation of threats such as phishing.
Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Section 6 of the executive order on cybersecurity focuses on standardizing the response processes for vulnerabilities and incidents to ensure more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses. The current state of vulnerability and incident response programs needs to be more outcome-oriented and updated to reflect changes or shifts to modern architecture, technology and processes; such updates will specifically be required by the other sections of this directive.
What Security Teams Can Do
- Leverage Vulnerability Intelligence: Vulnerability research takes time, and prioritization of those vulnerabilities is even more cumbersome. ZeroFox provides security teams access to thousands of vulnerability disclosures to provide real-time intelligence on potential risks and reduce the time spent on manual vulnerability research efforts.
- Rely on External Incident Response: Security teams are often overwhelmed with internal issues and have limited time for true incident response. ZeroFox’s 24x7x365 SOC maintains standard procedures and incident response protocols for analyzing potential threats for every customer and analyzes, triages and actions every alert in the ZeroFox Platform to ensure a standardized response and coordinated effort in addressing all threats.
Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Section 7 mandates that the Federal Government will employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks. Early detection is critical for effectively addressing cyber threats and limiting risk. Managing drift in systems, applications and user configurations, as well as monitoring data sources outside of the traditional network, are an absolute necessity to prevent harm or data loss. ZeroFox continuously monitors the surface, deep and dark web to identify the unique threats to our customers.
What Security Teams Can Do
- Take Inventory of Your Assets: Understanding where you may be exposed is the first step to a robust security program. ZeroFox takes inventory of the brands, executives, digital assets and data that could be exposed or targeted by cyber threats. ZeroFox can also assess and alert on vulnerabilities (open ports, expired certificates, misconfigurations, etc.) in externally facing systems.
- Rely on a Team of Expert External Analysts: ZeroFox has one of the largest private teams of threat intelligence analysts and experts, offering support in 27+ languages and conducting global and tailored threat research.
Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities
Section 8 outlines requirements for logging cybersecurity incidents. Information from network and system logs on federal information systems is invaluable for both investigation and remediation purposes. These requirements should be designed to permit agencies to share log information, as needed and appropriate, with other federal agencies for cyber risks or incidents. Improving remediation capabilities is critical for not only identifying but truly addressing threats. ZeroFox’s disruption capabilities are focused on dismantling attacker infrastructure to thwart future attacks.
What Security Teams Can Do
- Focus on Adversary Disruption: Go beyond addressing the individual threat and focus on dismantling attacker infrastructure to thwart future attacks. ZeroFox provides unlimited disruption of attacker infrastructure, including unlimited takedowns (inline, social, domain), infrastructure dismantlement with automated takedown submissions to major registrars, hosting providers and cloud front-end providers, and deny list reporting (Google Safe Browsing, APWG, VirusTotal, PhishTank, etc.). This includes a disruption feed of all impacted host IPs, hostnames, and URLs.
As a cloud security provider, ZeroFox is 100% supportive of this executive order on cybersecurity and is aligned to the mission to drive more radical improvement within government and critical infrastructure security. We look forward to seeing how this initiative continues to be implemented by both the public and private sector.