Existing Agency Threat Hunters Welcome CISA’s New Authorities 

New authorities allowing the Cybersecurity and Infrastructure Security Agency to look for threats across federal agencies’ networks will boost work some departments have already been doing to spot and remove threats outside their perimeter, according to a leading chief information security officer.

“We're very excited about [CISA’s] threat hunting authorities, simply because it gives us more folks out in the wilderness looking for those bad actors,” Department of Education CISO Steve Hernandez said. “We see this as an absolute win, it's only going to supplement and help reinforce the work we're already doing.”

Hernandez spoke Tuesday along with James Saunders, senior adviser to the acting chief information officer for cybersecurity at the Office of Personnel Management, at an event hosted by cybersecurity firm ZeroFOX.

Hernandez, who co-chairs the Federal Chief Information Security Officers Council, and Saunders, who was formerly the Small Business Administration’s CISO, detailed the agencies’ threat-hunting activities, which grew in response to fraudsters trying to take advantage of the pandemic.

“We always leverage a capability from [Department of Homeland Security] shared services which enables us to take down malicious URLs, malicious websites. We built that into our processes where we get a malicious email, if it makes it to a user's mailbox, we analyze the email, submit it for a site takedown,” Saunders said.

The agency’s threat-hunting activities included taking down those URLs and also scouring social media websites for malicious actors impersonating the SBA.

“When [Paycheck Protection Program], and CARES Act implementation was ordered, it spiked tremendously,” Saunders said, referring to loan and stimulus programs launched in response to the pandemic.

Hernandez said the Education Department’s threat-hunting program started well before COVID and was also well aligned with anti-fraud activity.