New CISA Operational Directive Strengthens Cyber Defenses for Federal Networks
Assets exposed to the internet are easy entry points for bad actors into any organization. Once in, threat actors use those internet-facing assets to perform reconnaissance, steal data, move laterally, maintain access, and cause destruction or disruption. Mandiant recently reported that about 26 percent of the time, actors gain initial access through the exploitation of public-facing applications, which underscores how critical it is for organizations to maintain an up-to-date inventory of assets and vulnerabilities. This is true for both public and private sector entities, the federal government included; no one is immune. To mitigate these risks and protect against initial compromise, federal agencies need to identify, enumerate, and harden internet-facing devices, hosts, applications, and network services.
Binding Operational Directive 23-01 — Improving Asset Visibility and Vulnerability Detection on Federal Networks
The Cybersecurity and Infrastructure Security Agency’s (CISA) recent binding operational directive to improve asset visibility and vulnerability detection on federal networks sets out the latest requirements for improving the Nation’s cybersecurity posture. The directive requires all federal civilian agencies to conduct continuous and comprehensive asset visibility and vulnerability enumeration for all IP-addressable networked assets. According to the new policy, this applies to all unclassified federal information systems, including those “used or operated by another entity on behalf of an agency that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.” Agencies are free to choose their method of asset discovery and vulnerability detection; however, they must take action by April 3, 2023, to achieve the following outcomes:
- Maintain an up-to-date inventory of networked assets accessible over IPv4 and IPv6 protocols;
- Identify software vulnerabilities through all means where technically feasible;
- Track how often the agency enumerates its assets, what coverage of its assets it achieves, and how current its vulnerability signatures are; and
- Provide asset and vulnerability information to CISA’s Continuous Diagnostics and Mitigation (CDM) Program Federal Dashboard.
Asset discovery and vulnerability detection are one component of a broader, holistic approach to cyber defense. Directive 23-01 comes on the heels of Executive Order 14028, Improving the Nation’s Cybersecurity, and several other recent White House policies that advance zero trust architecture implementation and the adoption of endpoint detection and response (EDR). Combining asset discovery and vulnerability detection with threat hunting, malicious activity detection, and a zero trust architecture gives federal agencies a strong, comprehensive approach to protecting their systems against cyber attacks.
When evaluating methods to proactively identify and validate external-facing assets and services, consider the following to achieve compliance quickly:
- Conduct internal and external vulnerability assessments or penetration testing exercises
- Verify that existing technology vendors are required to patch or update known vulnerabilities
- Add a requirement for new technology vendors to patch or update known vulnerabilities
- Leverage a third-party vulnerability scanning technology or external attack surface management solution that has coverage across CISA’s Known Exploited Vulnerabilities (KEV) catalog
External Asset Discovery and Vulnerability Enumeration with Attack Surface Management
Mandiant Advantage Attack Surface Management (ASM) offers a solution to the CISA mandate through a SaaS-based system that provides a unique, adversarial view of an organization's attack surface. Starting with simple information about the organization (e.g., a domain, known networks, or SaaS accounts), ASM collects asset and exposure information about the organization’s distributed global infrastructure the way an attacker would. The solution then performs exhaustive discovery by scanning externally facing assets and cloud resources daily to identify software, architecture, and configuration risks to your organization. It cross-checks over 250 data sources, including Mandiant Threat Intelligence, NIST’s National Vulnerability Database, CISA’s Known Exploited Vulnerabilities (KEV) catalog, and custom content created by Mandiant, to assign severity levels and provide guidance for risk remediation. By applying threat intelligence directly to their attack surface, organizations can identify the assets most likely to be exploited within their specific industry and prioritize accordingly. This spares defense teams wasted cycles, which lowers the risk of burnout and can yield cost savings as well.
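As an added illustration of the KEV cross-check described above and in the recommendations list (example code written for this page, not Mandiant ASM's implementation), the Python below matches a constructed internet-facing inventory against constructed records shaped like CISA's KEV JSON feed and ranks the hits by exposure and remediation due date. The vendor and product names, CVE ids, hostnames and addresses are all placeholders.

```python
"""Cross-check an internet-facing asset inventory against KEV-style records.
Illustrative example, not Mandiant ASM code; field names mirror CISA's public
KEV JSON feed, and every value below is a constructed placeholder."""
from datetime import date

KEV_SAMPLE = [  # constructed records shaped like the KEV feed
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
     "product": "Mail Gateway", "dateAdded": "2022-10-01", "dueDate": "2022-10-22"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
     "product": "Mail Gateway", "dateAdded": "2022-09-15", "dueDate": "2022-10-06"},
    {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp",
     "product": "VPN Appliance", "dateAdded": "2022-10-10", "dueDate": "2022-10-31"},
]

INVENTORY_SAMPLE = [  # constructed inventory; hostnames and addresses are placeholders
    {"asset": "mail.agency.example", "ip": "192.0.2.10",
     "vendor": "examplevendor", "product": "mail  gateway", "internet_facing": True},
    {"asset": "vpn.agency.example", "ip": "2001:db8::1",
     "vendor": "OtherCorp", "product": "VPN Appliance", "internet_facing": True},
    {"asset": "intranet.agency.example", "ip": "10.0.0.5",
     "vendor": "ExampleVendor", "product": "Mail Gateway", "internet_facing": False},
]

def norm_name(text):
    """Normalise vendor/product strings so fingerprint and KEV spellings line up."""
    return " ".join(text.lower().split())

def build_kev_index(kev_entries):
    """Map (vendor, product) to the KEV records that name that product family."""
    index = {}
    for entry in kev_entries:
        key = (norm_name(entry["vendorProject"]), norm_name(entry["product"]))
        index.setdefault(key, []).append(entry)
    return index

def prioritize(inventory, kev_entries, today_iso):
    """Return findings sorted internet-facing first, then most overdue first.
    KEV records carry no version, so a finding is a candidate to confirm with
    version-aware scanning, not a verified vulnerability."""
    today = date.fromisoformat(today_iso)
    index = build_kev_index(kev_entries)
    findings = []
    for asset in inventory:
        for entry in index.get((norm_name(asset["vendor"]), norm_name(asset["product"])), []):
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({"asset": asset["asset"], "cveID": entry["cveID"],
                             "internet_facing": asset["internet_facing"],
                             "days_until_due": days_left})
    findings.sort(key=lambda f: (not f["internet_facing"], f["days_until_due"]))
    return findings
```

Negative `days_until_due` values mark KEV due dates already passed; because the KEV feed lists vendor and product but not version, each hit should be confirmed with a version-aware scan before a remediation ticket is raised.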
As new intelligence is gathered from the frontlines of incident response and managed services, Mandiant experts rapidly craft checks for the latest vulnerabilities. Notable recent examples include Log4j and Microsoft Exchange Server vulnerabilities, both of which were detected by ASM within hours of discovery.
Attack Surface Management capabilities include:
- 15+ discoverable asset types across the open internet, cloud providers and code repositories
- 350+ active checks to validate asset exposure to known CVEs and misconfigurations
- Configurable issue creation settings to prioritize what matters most
- 4,400+ technology vendors and products fingerprinted
To learn more, visit Mandiant Advantage Attack Surface Management, or sign up for free access to the Mandiant Advantage platform for threat intelligence and attack surface management.