While the IRS has done a good job of addressing cyberthreats, the Treasury Inspector General for Tax Administration said it needs to do better at documenting the incidents afterward.
In a
The goal of threat hunting, said TIGTA, is to perform an iterative review of different data sources and identify anomalies that may lead to a potential compromise or a security breach. The process is generally divided into four phases: pre-stage collection; techniques, tactics and procedure operationalization; hunting; and post-threat hunting. In this fourth and final step, according to the report, the IRS needs improvement.
"For the first three phases of the threat hunting process, we found that the Advanced Threat Analysis team properly conducted the threat hunts for each sampled ticket. For the fourth phase, post-threat hunting, we determined that improvements were needed," said TIGTA.
Inspectors found that 10 of the 25 threat intelligence tickets they examined (about 40%) did not contain sufficient information regarding the threat hunt process, results or severity of the risk; and seven (28%) of the 25 tickets did not contain all necessary documentation. TIGTA said this might be due to issues with the manual for procedures: Analysts have to record all steps and thought processes during the hunt and immediately report important findings to the Computer Security Incident Response Center and management. In the post-threat hunting phase, there is a requirement to document and submit the results to management. However, the IRS guide does not specify what should be included, such as actions taken to address the potential threat. Further, said TIGTA, the IRS has not added appropriate language to document a baseline of security controls for threat hunting.
TIGTA also faulted the IRS for the lack of management review and approval over blocked domains in the event of an external attack. The blocks are placed on the server through an automated process once an analyst submits the request. As there is no management oversight of such activity, analysts can independently remote blocks without management's review. While the IRS said such a setup allows threat teams to maintain speed and agility, TIGTA said that by not having a formal or documented review process in place for removing device or program blocks from the server, the IRS risks an analyst accidentally removing a device or program block from a domain that still poses a threat to the IRS network, or intentionally removing a block to cause harm to the IRS network.
TIGTA recommended that:
The IRS chief information officer ensure the Internal Revenue Manual is updated with NIST requirements for conducting threat hunting at the IRS; and that the CIO should ensure that the Cybersecurity function develops a formalized process for the review and approval of proposed device or program block removals.
The IRS agreed with both recommendations.