DHS Cyber Hunt and Incident Response Teams (HIRT) Act: What you need to know
Introduction
Not a month goes by without the new media reporting that another city or municipality has fallen victim to a cyberattack, and oftentimes this attack comes in the form of ransomware. To help federal and non-federal entities with this ever-present risk, the DHS Cyber Hunt and Incident Response Teams Act of 2019, also known as HIRT, was passed. This law builds on DHS’s previous cybersecurity initiatives to strengthen DHS’s cybersecurity posture.
This article will detail the HIRT act. We will give an overview of what the HIRT Act is and the benefits that HIRT offers, as well as how HIRT fits into DHS’s efforts to prepare for large-scale cyberattacks.
Learn Incident Response
Learn Incident Response
What is HIRT?
The DHS Cyber Hunt and Incident Response Teams Act (HIRT) is a step towards a stronger cybersecurity posture for federal and non-federal entities and critical infrastructure (CI). This is achieved in part by coordinating with federal, state and local governments, as well as with owners, operators and vendors of control systems. Collaboration initiatives include efforts involving Computer Emergency Response Teams, or CERTS, in the private sector. HIRT operates under the National Cybersecurity and Communications Integration Center (NCCIC).
HIRT buttresses cybersecurity efforts contained in the Homeland Security Act of 2002 with the most dramatic change that it offers — permanently operating cyber hunting and incident response teams capable of aiding in the event of a large-scale cyberattack. This is especially important during debilitating ransomware attacks upon entities that do not have the resources or capability to pay the ransom or effectively respond to or mitigate the cyberattack.
The benefits of HIRT
HIRT offers distinct benefits over and above the Homeland Security Act of 2002 that make HIRT a more responsive and effective approach to cybersecurity and a solid step in the right direction in terms of security. Think of it as the team member that ties DHS’s cybersecurity and readiness together into something better.
Incident response
The most substantive benefit that HIRT offers organizations (in fact, HIRT is named after this benefit) is urgent investigation and resolution of cyber incidents in the form of a Hunt and Incident response team for free. This team forms DHS’s front-line response force for cyberattacks and offers proactive hunting for malicious cyber incidents.
The HIRT team begins a typical investigation by a notification of a cyberattack. The team performs a preliminary diagnosis to uncover the extent of the compromise. Based upon the organization’s request, the team can meet with the organization to identify compromised systems, review network topology, image drive for deeper analysis and collect other necessary data on an as-needed basis for complete analysis and investigation. After analysis, the team can provide mitigation strategies, help to restore service and offer recommendations for improving overall security of the organization’s network and control systems.
Advanced Analytical Laboratory
Available to the HIRT team is the use of the Advanced Analytical Laboratory, or AAL. This key service offering allows for advanced analysis of malware faced by control system environments. AAL offers on-site assistance, forensics analysis, remote analysis and recovery efforts.
Vulnerability coordination
To ensure timely ICS vulnerability mitigation in order to avert the likelihood of cyberattack success against US critical infrastructure, NCCIC offers vulnerability coordination. HIRT uses a five-step vulnerability coordination process:
- Detection and collection
- Analysis
- Mitigation coordination
- Application of mitigation
- Disclosure
Learn Incident Response
Site assistance and evaluation for ICS and CI
To strengthen US ICS and CI control system security postures, NCCIC offers site assistance and evaluations. Other offerings provided by NCCIS are incident handling and vulnerability coordination by using on-site analysis, assessment and mitigation techniques to counter cyber intrusions and exploits.
Cybersecurity Evaluation Tool
Another useful offering provided by HIRT is the Cybersecurity Evaluation Tool, or CSET. CSET is a desktop tool that allows users to create a self-assessment of their network security and ICS security practices. This data is held against industry and government guidelines, standards and recommended practices. The CSET report gives the organization a prioritized list of improvements for its respective network and ICS security practices as well as the steps needed to reach the recommended level of security.
How HIRT fits into DHS cybersecurity
NCCIC was created in 2009 to streamline and coordinate the nation’s response to cyber threats and HIRT was rolled out to advance these responsibilities. Before HIRT was created, NCCIC did not offer teams to organizations facing cyberattacks and lacked the ability to report on the effectiveness of its cyber risk mitigation capabilities.
HIRT addresses both of these weaknesses by serving as an on-demand cyber hunting and incident response team as well as providing enhanced data gathering capabilities and metrics to measure and report on its effectiveness in cyber-risk mitigation. In effect, HIRT gives DHS stronger cybersecurity capabilities which are more measurable.
Learn Incident Response
Conclusion
Cybersecurity is not a new focus for DHS; however, the application of their cybersecurity savvy was hampered to an extent by the original NCCIC, which did not translate into the advanced cybersecurity capabilities the age required. In response, HIRT was enacted into law, providing cyber hunt and incident response teams to federal and non-federal organizations that suffer large scale cyberattacks.
HIRT is not a magic bullet in the war against cyberattacks, but it is a substantial jump in the direction of a stronger DHS cybersecurity posture.
Sources
What Is The DHS Cyber Hunt And Incident Response Teams Act?, Triaxiom Security
NCCIC ICS, National Cybersecurity and Communications Integration Center
Senate Report 116-27 – DHS Cyber Hunt and Incident Response Teams Act of 2019, Congress.gov
Incident Response
Build your skills responding to each phase of an incident, and get a technical deep dive of the tools and techniques used. What you'll learn:- IR phases and stages
- IR tools and techniques
- Conducting memory, network and host forensics
- And more
In this Series
- DHS Cyber Hunt and Incident Response Teams (HIRT) Act: What you need to know
- Disaster recovery: What's missing in your cyber emergency response?
- How will zero trust change the incident response process?
- How to build a proactive incident response plan
- Sparrow.ps1: Free Azure/Microsoft 365 incident response tool
- Uncovering and remediating malicious activity: From discovery to incident handling
- When and how to report a breach: Data breach reporting best practices
- Cyber Work Podcast recap: What does a military forensics and incident responder do?
- Top 8 cybersecurity books for incident responders in 2020
- Digital forensics and incident response: Is it the career for you?
- 2020 NIST ransomware recovery guide: What you need to know
- Network traffic analysis for IR: Data exfiltration
- Network traffic analysis for IR: Basic protocols in networking
- Network traffic analysis for IR: Introduction to networking
- Network Traffic Analysis for IR — Discovering RATs
- Network traffic analysis for IR: Analyzing IoT attacks
- Network traffic analysis for IR: TFTP with Wireshark
- Network traffic analysis for IR: SSH protocol with Wireshark
- Network traffic analysis for IR: Analyzing DDoS attacks
- Wireshark for incident response 101
- Network traffic analysis for IR: UDP with Wireshark
- Network traffic analysis for IR: TCP protocol with Wireshark
- Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark
- ICMP protocol with Wireshark
- Cyber Work with Infosec: How to become an incident responder
- Simple Mail Transfer Protocol (SMTP) with Wireshark
- Internet Relay Chat (IRC) protocol with Wireshark
- Hypertext transfer protocol (HTTP) with Wireshark
- Network traffic analysis for IR: FTP protocol with Wireshark
- Infosec skills - Network traffic analysis for IR: DNS protocol with Wireshark
- Network traffic analysis for IR: Data collection and monitoring
- Network traffic analysis for Incident Response (IR): TLS decryption
- Network traffic analysis for IR: Address resolution protocol (ARP) with Wireshark
- Network traffic analysis for IR: Alternatives to Wireshark
- Network traffic analysis for IR: Statistical analysis
- Network traffic analysis for incident response (IR): What incident responders should know about networking
- Network traffic analysis for IR: Event-based analysis
- Network traffic analysis for IR: Connection analysis
- Network traffic analysis for IR: Data analysis for incident response
- Network traffic analysis for IR: Network mapping for incident response
- Network traffic analysis for IR: Analyzing fileless malware
- Network traffic analysis for IR: Credential capture
- Network traffic analysis for IR: Content deobfuscation
- Traffic analysis for incident response (IR): How to use Wireshark for traffic analysis
- Network traffic analysis for IR: Threat intelligence collection and analysis
- Network traffic analysis for incident response
- Creating your personal incident response plan
- Security Orchestration, Automation and Response (SOAR)
- Top six SIEM use cases
- Expert Tips on Incident Response Planning & Communication
- How to Use AlientVault SIEM for Threat Detection & Incident Response
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Incident response
Disaster recovery: What's missing in your cyber emergency response?
Incident response
Incident response
Incident response
Sparrow.ps1: Free Azure/Microsoft 365 incident response tool