This past October, the US Department of Homeland Security (DHS) and the Cybersecurity & Infrastructure Security Agency (CISA) announced Binding Operational Directive 23-01 (BOD 23-01). BOD 23-01 requires US government agencies to increase their asset discovery and vulnerability enumeration capabilities to secure federal networks. This entails reimagining and refining how an organization discovers its known and unknown internet-connected assets so that gaps in its security posture are eliminated.
Why BOD 23-01 Happened
Attack surfaces are expanding at a rapid rate in cyberspace. To counter this constant expansion, new solutions addressing one problem have opened the door to other issues as network vulnerabilities evolve. Potential vulnerabilities often arise from outdated software versions, missing updates, and misconfigurations. At the federal government level, leaving these unaddressed could be a critical pitfall.
BOD 23-01 supports and enhances other recent cybersecurity directives, including Executive Order 14028 for Improving the Nation’s Cybersecurity and BOD 22-01, which introduced a list of Known Exploited Vulnerabilities (KEVs) that threat actors have exploited.
What The BOD Looks to Accomplish
The directive includes the following criteria:
- Ability to perform automated asset discovery every seven days
- Initiate vulnerability enumeration across all discovered assets, including nomadic/roaming devices, every two weeks; this covers servers, workstations, laptops, printers, and managed network devices.
- Automate ingestion of vulnerability enumeration results into the agency's CDM Dashboard within 72 hours of discovery
- Develop and maintain the operational capability to initiate on-demand asset discovery
- Report vulnerability enumeration performance data into a CDM Dashboard
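The cadences in the list above (discovery every seven days, enumeration every fourteen days, ingestion within 72 hours of enumeration) can be tracked per asset rather than eyeballed. The following is an added example, not NetQuest's code or anything CISA publishes: it takes an inventory of assets with their last discovery, enumeration and dashboard-ingestion timestamps and reports which directive windows each asset has missed. The asset names, timestamps and the `check_asset` / `compliance_report` helpers are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows taken from the directive criteria listed above.
DISCOVERY_WINDOW = timedelta(days=7)
ENUMERATION_WINDOW = timedelta(days=14)
INGESTION_WINDOW = timedelta(hours=72)


@dataclass
class AssetRecord:
    asset_id: str
    last_discovered: datetime
    last_enumerated: Optional[datetime]        # None: never scanned
    enumeration_ingested: Optional[datetime]   # when results reached the CDM dashboard


def check_asset(rec: AssetRecord, now: datetime) -> List[str]:
    """Return the list of directive windows this asset is currently missing."""
    findings = []
    if now - rec.last_discovered > DISCOVERY_WINDOW:
        findings.append("discovery overdue")
    if rec.last_enumerated is None or now - rec.last_enumerated > ENUMERATION_WINDOW:
        findings.append("enumeration overdue")
    if rec.last_enumerated is not None:
        if rec.enumeration_ingested is None:
            # Results exist but have not reached the dashboard yet: only a
            # finding once the 72-hour window has already elapsed.
            if now - rec.last_enumerated > INGESTION_WINDOW:
                findings.append("ingestion overdue")
        elif rec.enumeration_ingested - rec.last_enumerated > INGESTION_WINDOW:
            findings.append("ingestion late")
    return findings


def compliance_report(records: List[AssetRecord], now: datetime) -> Dict[str, List[str]]:
    """Map each asset id to its findings; an empty list means compliant."""
    return {r.asset_id: check_asset(r, now) for r in records}


def compliant_count(report: Dict[str, List[str]]) -> int:
    return sum(1 for findings in report.values() if not findings)


# Constructed sample inventory, evaluated at a fixed point in time.
NOW = datetime(2023, 1, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    # Fully within every window.
    AssetRecord("srv-01", datetime(2023, 1, 18, 12, 0, tzinfo=timezone.utc),
                datetime(2023, 1, 15, 12, 0, tzinfo=timezone.utc),
                datetime(2023, 1, 16, 12, 0, tzinfo=timezone.utc)),
    # Discovered 10 days ago, enumerated 19 days ago: both cadences missed.
    AssetRecord("ws-07", datetime(2023, 1, 10, 12, 0, tzinfo=timezone.utc),
                datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc),
                datetime(2023, 1, 2, 12, 0, tzinfo=timezone.utc)),
    # Results took 96 hours to reach the dashboard: ingestion late.
    AssetRecord("lap-03", datetime(2023, 1, 19, 12, 0, tzinfo=timezone.utc),
                datetime(2023, 1, 14, 12, 0, tzinfo=timezone.utc),
                datetime(2023, 1, 18, 12, 0, tzinfo=timezone.utc)),
    # Discovered but never enumerated (a printer nobody scanned).
    AssetRecord("prn-02", datetime(2023, 1, 17, 12, 0, tzinfo=timezone.utc),
                None, None),
]

if __name__ == "__main__":
    report = compliance_report(SAMPLE_ASSETS, NOW)
    for asset_id, findings in report.items():
        print(f"{asset_id}: {'compliant' if not findings else ', '.join(findings)}")
    print(f"{compliant_count(report)} of {len(report)} assets compliant")
```

The report deliberately distinguishes "ingestion overdue" (results exist but the 72-hour window has passed with nothing on the dashboard) from "ingestion late" (results arrived, but outside the window), because the first is an open gap to act on now and the second is a performance-data point for the dashboard reporting the last criterion asks for.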
Flow Metadata
What these agencies and organizations are looking for is a more proactive approach to identifying vulnerabilities and threats. Some proactive cyber defense and assessment methods include:
- Risk assessment – A cybersecurity risk assessment analyzes the different data assets that might be impacted by a cyber strike. This includes but isn’t limited to hardware, software, computer systems, mobile devices, intellectual property, and client data. Then, risks that may affect those assets are identified.
- Penetration testing – This is one of the most important proactive cybersecurity methods. It systematically tests your network for potential weaknesses, revealing gaps in your security.
- Threat intelligence – Information on potential threats that aids in the mitigation of security incidents in cyberspace is referred to as cyber threat intelligence. This can include information from humans, social media platforms, technology, and even information from the dark web.
All three of these methods can utilize flow metadata to their advantage. Network flow metadata, generated from multiple sources, can provide agencies with key information about subjects of interest and anomalous activity occurring through channels harboring unknown vulnerabilities.
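The practical way flow metadata feeds asset discovery and anomaly spotting is that every host that sends or receives traffic shows up in the flow records, whether or not it is in the inventory. The following is an added example, not NetQuest's code or a NetFlow/IPFIX parser: it runs over a handful of constructed flow records (fields modelled loosely on NetFlow source/destination address, destination port and protocol), lists internal addresses that appear in the flows but are absent from the asset inventory, and flags flows from known assets to ports outside that asset's baseline. The inventory, baseline, address ranges and flow records are all constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed address space, inventory and per-asset port baseline.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
INVENTORY: Set[str] = {"10.1.1.10", "10.1.1.11", "10.1.2.5"}
BASELINE_PORTS: Dict[str, Set[int]] = {
    "10.1.1.10": {443, 53},   # web client: HTTPS and DNS only
    "10.1.1.11": {445, 443},  # file-share client
}

# Constructed flow records (a subset of typical NetFlow v5 / IPFIX fields).
FLOWS = [
    {"src": "10.1.1.10", "dst": "203.0.113.8", "dport": 443, "proto": 6, "bytes": 5120},
    {"src": "10.1.1.11", "dst": "10.1.2.5", "dport": 445, "proto": 6, "bytes": 800},
    {"src": "10.1.9.42", "dst": "203.0.113.8", "dport": 443, "proto": 6, "bytes": 1200},
    {"src": "10.1.1.10", "dst": "198.51.100.3", "dport": 6667, "proto": 6, "bytes": 400},
    {"src": "203.0.113.9", "dst": "10.1.3.7", "dport": 22, "proto": 6, "bytes": 300},
]


def is_internal(ip: str, nets: Iterable[ipaddress.IPv4Network] = INTERNAL_NETS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def discover_unknown_assets(flows, inventory: Set[str], nets=INTERNAL_NETS) -> List[str]:
    """Internal addresses seen in flow metadata that the inventory does not know about."""
    seen: Set[str] = set()
    for flow in flows:
        for ip in (flow["src"], flow["dst"]):
            if is_internal(ip, nets) and ip not in inventory:
                seen.add(ip)
    return sorted(seen, key=ipaddress.ip_address)


def flag_off_baseline_flows(flows, baseline: Dict[str, Set[int]]) -> List[Tuple[str, str, int]]:
    """Flows from an inventoried source to a destination port outside its baseline.

    Sources with no baseline are skipped here; they are the job of
    discover_unknown_assets, not of this check.
    """
    flagged = []
    for flow in flows:
        allowed = baseline.get(flow["src"])
        if allowed is not None and flow["dport"] not in allowed:
            flagged.append((flow["src"], flow["dst"], flow["dport"]))
    return flagged


def bytes_per_internal_host(flows, nets=INTERNAL_NETS) -> Dict[str, int]:
    """Total bytes attributed to each internal host, as source or destination."""
    totals: Dict[str, int] = {}
    for flow in flows:
        for ip in (flow["src"], flow["dst"]):
            if is_internal(ip, nets):
                totals[ip] = totals.get(ip, 0) + flow["bytes"]
    return totals


if __name__ == "__main__":
    print("unknown internal assets:", discover_unknown_assets(FLOWS, INVENTORY))
    print("off-baseline flows:", flag_off_baseline_flows(FLOWS, BASELINE_PORTS))
    print("bytes per host:", bytes_per_internal_host(FLOWS))
```

On the constructed records this surfaces two addresses the inventory has never seen (one initiating traffic outbound, one receiving an inbound SSH connection) and one inventoried host reaching a port its baseline does not cover. Both results are inputs to the on-demand discovery and enumeration the directive calls for: an unknown host is a discovery gap, and an off-baseline flow is a lead for the next enumeration pass.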
Stay Ahead of The Threat!
Cyber attacks on government agencies are constant, as these organizations are hacking groups' favored targets. CISA's BOD 23-01 and the BODs before it are enacted to optimize defense. Cybercrime persists and adapts no matter what advancements in cybersecurity are made. The goal of BOD 23-01 is to instill a more proactive approach to protecting online assets.
NetQuest’s Streaming Network Sensors (SNS) can generate mass flow metadata records, using both NetFlow and IPFIX, for both encrypted and unencrypted traffic for telco and government security missions.