The maturing partnership of information sharing between CISA and Cyber National Mission Force (CNMF) has helped thwart a an incident in which three US federal state agencies faced an intrusion campaign from foreign-based cyber-criminals.
Speaking during day one of the RSA Conference, Eric Goldstein, executive assistant director for cybersecurity, CISA, confirmed that the organization had observed a threat actor with connections to known adversaries “attempt to harvest credentials."
Which agencies were affected was not disclosed.
“We reached out the agencies immediately and notified them of the activity and gave them guidance on the mitigations to take and kicked off incident response,” Goldstein explained.
Read more: NCSC Warns of Destructive Russian Attacks on Critical Infrastructure
At the same time, as the work going in to protect the federal agencies and identify any potential areas of impact, the CISA also gathered information about the adversary infrastructure, what they were doing, where it was coming from and share it quickly with partners at the Cyber National Mission Force (CNMF).
Speaking to reporters, Goldstein said, “This really is a great story because using our visibility we saw the initial states of cyber-criminal activity and because of CISA’s fast response defensively, and equally critically CMFS’ ability to execute their operations, we were able to blunt impact to the enterprise which really is our goal, to get ahead of the adversaries here and stop the intrusions before harm occurs.”
“The ability for the [Department of Homeland Security] CISA to rapidly provide us with information has become a large driver for CNMF,” said US Army Maj. Gen. William J. Hartman, Commander for CNMF, which operates under US Cyber Command.
Once the information has been evaluated and the CNMF is comfortable that next steps first within the authority the force operates under the organization looks to disrupt the ongoing threat or deter a future threat.
“I want to highlight that this isn’t something we would be talking about if this was a couple of years ago,” Hartman said. “The maturation in this relationship [with CISA] and the fact that it happens in real time every day has really become a significant driver of our mission.”
Read more: #RSAC: Computer Science Courses Must Teach Cybersecurity to Meet US Government Goals
Goldstein said a lot of progress has been made with relation to the partnership over the past few years and a lot of the work the two agencies are doing is new and novel.
Hartman explained: "We have a number of private industry partners we work with but no partner is more important than DHS' CISA. On a daily basis, our two organizations work in very closely together."
The two speakers highlighted other incidents in which information sharing has been critical, including the SolarWinds attack and Iranian-backed cyber-criminal activity observed during the 2020 US General Election.
The CISA and CNMF leaders highlighted that their partnership is a key driver in protection the US against cyber threats.
The CNFM was officially activated in January 2014 and in late 2022 officially became a Department of Defense subordinate unified command.
CNMF is the US military’s joint cyber force charged with defending the nation in cyberspace through full-spectrum operations, including offensive, defensive and information operations.