With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.
CyberSheath can help. We offer services to build on all the great work you have already done to safeguard your information and your IT infrastructure.
What these services are and why you need them
Anti-spam and phishing protection
Your organization needs to guard against threat actors delivering unwanted emails and trying to engage people to perform dangerous activities, like downloading and installing infected applications. To limit the ability of these threat actors to send email to your employees, you should have the right spam tool with the right settings in place.
Solution: Microsoft 365 Defender helps stop phishing attacks. This tool, which is part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. It offers two options, with both plans providing configuration protection capabilities, anti-phishing, and real-time detections. The more robust Plan 2 layers on additional capabilities like automation investigation or remediation, and education capabilities.
Endpoint detection response (EDR)
An important step to protecting your network is securing all your endpoints, including servers, individual workstations, and remote laptops. There are many ways these nodes can be inadvertently compromised, paving the way for a threat actor to install ransomware on one of your endpoints, lock it up, and encrypt critical files.
Solution: Microsoft Defender for Endpoint allows your team to minimize the damage to your environment by providing traditional signature-based antivirus protection where the tool identifies a bad program based on certain characteristics and then neutralizes that program before it causes harm. This solution also stops heuristic threats, and helps you gain visibility into potential malicious or anomalous behavior. In the event that malware is installed on an endpoint, Defender for Endpoint can also isolate a workstation before it becomes a malware host.
Domain name server (DNS) filtering
The next step to securing your infrastructure is to restrict access to websites serving potentially dangerous content. Issues could arise when users are accessing a new website and are mistakenly redirected to a different site, or when ad servers on a frequently visited site are compromised.
Solution: Cisco Umbrella provides DNS filtering for security protection from these issues. This solution keeps a record of all the websites that are known to be malicious and prevents employees from accessing those sites. Default DNS services do not possess this capability.
Spam, endpoint, and DNS tools all work together to make sure that your employees don’t download anything harmful and that nothing compromising is accessed. Even though they come from different solution providers, they are able to play in the same sandbox.
Our skilled team can install, configure, and monitor any of these tools. Contact us today to get started.
Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none of those communications are harmful, directing employees to share security information or download damaging files?
What spam and phishing are–and why they are dangerous
A threat actor can deliver something via email that can then be downloaded and installed on the recipient’s computer, or convince unwary employees to take an action that could be detrimental to themselves or their company. These unwanted emails are called spam and the action of trying to engage people to perform dangerous activities is called phishing.
Often the nefarious entities sending this spam are looking for financial gain, but in the case of the defense industrial base (DIB), they could want to gain access to information in your possession that could benefit the entity that they may be working for.
There are different avenues they take, but it’s all about using email to get you to trust them and then take action. Here are a couple of examples.
- An email received from a Gmail account stating that it is from the CEO and he has been locked out of his account. The communication would then direct the reader to call a number or download software.
- A communication could mimic a partner company, perhaps misrepresenting themselves as Microsoft, and directing the recipient to download a software update to protect themselves from a threat.
Since life these days is chaotic and we are all engaged more hours than we are on the clock, we might not be sitting in front of our computers, but instead be rushing off on an important errand when we glance at our phones and notice an email, purportedly from our boss. Any one of us could take the action requested by the spammer, and not realize until much later the error in judgment.
Protecting your business from these threats
The solution is to limit the ability of these threat actors to send email to your employees by having the right spam tool with the right settings in place. In some cases, a company might have a good tool in place, but it might not be optimally deployed.
In a nutshell, companies should configure everything with ‘anti’ in the name (anti-malware, anti-phishing, anti-spam), and set up features with ‘safe’ in the name (safe links, safe attachments). These actions help ensure that attachments are scanned before they are delivered to your endpoint. Realistically speaking, you want to support digital interactions as you are mitigating risk through the proper setup of these types of tools.
Microsoft 365 Defender helps stop attacks
This solution, which is part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. It offers two options.
- Plan 1 – This option provides configuration protection capabilities, such as establishing safe attachments and safe links. It also performs anti-phishing and real-time detections.
- Plan 2 – This option takes those basic anti-spam capabilities and layers on additional capabilities like automation investigation or remediation, and education capabilities. Since the education piece is critical, our experts recommend Plan 2. With the evolving security landscape, this solution has dynamic features which can accommodate the threats of today and meet future challenges.
As a Microsoft partner, we are skilled in implementing and optimizing Microsoft 365 Defender to help you safeguard your organization. Reach out to us to get a quote. We can provision licenses, implement the tool, and push out solid security policies in your Office 365 environment. If you already have the licenses, we can also maximize the entitlements that these licenses have. Contact us to get started.
It’s no secret that the supply chain is under attack. We’ve seen the ramifications in headlines all year, most notably the Kaseya attack that compromised 60 customers and 1,500 downstream businesses.
You can’t afford to be vulnerable as a defense contractor, especially with stakes so high.
Adversaries are seeking to exploit the U.S. supply chain as a vector to gather intellectual property and, according to Gen. Paul M. Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, “our adversaries are demonstrating a new risk calculus that has changed the traditional threat landscape.”
Your best defense in this dynamic cyber environment is Cybersecurity Maturity Model Certification (CMMC). Whether you’re ready to implement, or still in the assessment stage, there is an increasing urgency to proceed in your CMMC journey. CyberSheath investigated the networks of more than 600 contractors and found that 66% did not have the proper access controls to secure controlled unclassified information (CUI).
Trying to decipher what qualifies as CUI and only protect those assets is futile. Your entire network, not just select data, needs to be secure in order to do business with the federal government and to avoid being the unfortunate victim in the next cyberattack headline.
Confused about where to go from here? Download the 2021/2022 edition of our CMMC Companion eBook to help you map out your compliance strategy.
CyberSheath CEO, Eric Noonan, provides commentary for Catherine Herridge of CBS Evening News on the latest ransomware attack.
CyberSheath CEO, Eric Noonan, provides commentary for CBS’s Jeff Pegues on an episode of America Changed Forever, taking a deep dive into the Colonial Pipeline hack and the lack of regulations that leave our critical infrastructure vulnerable.
To understand just how consequential president Biden’s executive order on cybersecurity is for federal contractors, look no further than the Wall Street Journal article that bluntly explained how the new order will impact federal contractors:
“Contractors that fail to comply with the baseline standards would essentially be prohibited from selling their products to the federal government, a black mark that could be crippling to a company’s commercial viability as well.”
Mandatory Baseline Standards for all Federal Contractors
Aggressive timeframe for implementation.
The executive order calls for mandatory baseline standards for all federal contractors to replace the patchwork of inconsistent and unenforced agency-specific policy that exists today. However, unlike many executive orders, this isn’t just a call to action, the clock already started ticking, and common baseline standards are to be here within 120 days. Current federal contractors doubting that the federal government can do anything within 120 days should remember that the Cybersecurity Maturity Model Certification (CMMC) was published and made federal acquisition law within nine months.
Effects the largest supply chain in the world.
The executive order mandates that within less than six months, the largest supply chain in the world, which includes many hundreds of thousands of large and small privately held companies and trillions of dollars of committed federal contracting dollars, will be required to meet baseline cybersecurity standards to do business with the federal government. This is one of the most common sense and consequential actions to improve cybersecurity ever proposed and largely in this administration’s control. They have tremendous influence over federal acquisition regulations. Many Americans might be surprised that we didn’t already have mandatory cybersecurity minimums for government contractors. I expect special interest groups to ask who is going to pay for this immediately. Still, in many instances, like defense contractors doing business with the Department of Defense (DoD), these mandatory minimums have been in place for nearly a decade; they just haven’t been enforced. For defense contractors, in some cases, the cost of cybersecurity should have been paid for as far back as 2015.
To meet this level of protection the cost on organizations is unavoidable.
The executive order does not leave very much room for federal contractors to find a way out of implementing mandatory cybersecurity minimums on their corporate networks. In many ways, the arguments around cost are nonsensical. Americans are paying for this one way or the other, be it the OPM hack, the Equifax hack, Colonial pipeline, SolarWinds, etc. the list goes on and on. Yet, nobody asks who paid for the fire alarms in their house or pays for the regulation to implement fire safety code in retail outlets, or even who pays for the antilock brakes and airbags mandated in our vehicles. We accept that the cost for all these things is built into the products and services we consume. We expect these protections and don’t even ask questions about their existence. We know they have to be baked into the product or service we are buying before it comes to market.
This level of expectation around minimum protections just became the new standard by which all federal contractors will be measured before the end of 2021. The federal government isn’t going to buy contractors products and services if they don’t come with assurances that you have met the mandatory minimums for cybersecurity. Certainly, you can argue with the fire inspector why you have no fire alarms in your house or the acquisition official for your federal contract about who will pay for your corporate cybersecurity, but it’s an argument you are going to lose.
On the heels of Solarigate and Hafnium, companies are once again evaluating their overall IT and security posture. While ransomware has grabbed much of the attention over the past three years, it’s increasingly obvious nation state-related attacks infiltrating organizations and exfiltrating their data have not faded away. In fact, these efforts have just become more sophisticated and targeted.
Companies that are part of the Defense Industrial Base are being pushed due to requirements around NIST and CMMC, but the details to become compliant often do not give a clear path to being secure. As such, these companies should re-evaluate these two critical things:
- Cloud Strategy
- Security Toolset
For many smaller companies, it should be clear that the speed that technology changes and the continued exploits of zero-day attacks that on-premise architecture puts IT teams at a considerable disadvantage. Even with known vulnerabilities, the discipline and effort to consistently apply a patch management strategy has been challenging to apply among a sprawling patchwork of different vendor operating systems and tools. And, ironically, the Solarigate attack targeted the same software that was meant to assist with on-premise monitoring and management.
Increasingly there are other reasons for companies to manage on-premise infrastructure and services. Especially in the post-COVID world, where companies have now had a crash course in managing and granting access to a remote workforce, a cloud-first strategy becomes increasingly realistic. Leveraging services continually monitored and patched by the vendors, especially with Government Community Clouds now available, should be the primary go-forward strategy for small and medium-sized businesses.
The security vendor landscape is still a jumbled mass of products offered by multiple vendors, many of which overlap. Purchasing strategies have swung back and forth like a pendulum in approaches from ‘best of breed’ to a single vendor approach. Wherever your organization is hanging at this point, you must be implementing these essential technologies:
Endpoint Detection and Response
Traditional endpoint anti-virus is no longer sufficient for security teams to leverage in their environment. Endpoints are now distributed throughout many geographic locations, and the ‘hard and crunchy outside’ provided by legacy IT infrastructure designs no longer exist as employees work from home en-mass. Security analysts must have the capability not only to see alerts from signatures but also to investigate anomalous activity while potentially needing to isolate the host to prevent the threat actor from doing additional damage or exfiltrating damage.
Security Information and Event Management (SIEM)
Data is critical to determining what is happening in your environment. The purpose of the SIEM is to collect, correlate, and assist with analyzing the massive amounts of data generated by endpoints, network devices, and security tools. As threats emerge, the SIEM becomes one of the primary tools to determine if those threat indicators exist in your environment. However, the effort that goes into tuning and normalizing the data to be useful, not to mention analyzing the data even after data correlation, is a large lift for many organizations. Not utilizing a SIEM capability can make it very difficult to understand the full scope of attacks you are facing.
CMMC: Understand How It Fits into the Overall IT and Security Strategy
To conclude, companies subject to CMMC should take this time to understand how it fits into the overall IT and Security strategy and not have a myopic focus on just achieving compliance. Recent coordinated hacks are having a significant impact on the operations of many companies. Organizations must leverage new ways of approaching traditional IT challenges that also reduce their overall security exposure.
CyberSheath has long recognized that a large part of IT delivery, things like patching and asset management, are foundational to NIST 800-171 and CMMC compliance, which is why we are offering a force-multiplying solution for Managed IT services. This offering is only available to defense contractors and can be paired with our Security solution to make CMMC and NIST 800-171 compliance a natural outcome of day-to-day operations.
The SolarWinds hack and the subsequent Senate hearings attended by principal players in that event have made supply chain cybersecurity a national discussion. Some of the questions being asked suggest that America is for the first time considering how to protect our supply chains, form effective public/private partnerships, share cyber threat intelligence and enforce mandatory breach disclosure among a relevant group of stakeholders. However, it is not the first time; many parts of the federal government have been working hard to answer these questions with considerable progress for a long time. Specifically, I can speak from my nearly thirteen-years of experience and the progress I have witnessed firsthand between the Department of Defense (DoD) and the Defense Industrial Base (DIB).
A Public/Private Partnership
The public/private partnership between the Department of Defense, the largest procurement authority in the world, and its supply chain has substantially answered nearly every salient question being asked in the wake of the SolarWinds breach. The partnership has spanned four presidential administrations and gained a decade of bipartisan support. The parties have operationalized threat information sharing, breach disclosure, and mandatory minimums for supply chain cybersecurity. Some of the very people I worked with more than a decade ago when the DoD, Intelligence Community and Industry came together for the first time are now leading the way for the current presidential administration. Anne Neuberger, for example, has been appointed to lead the government’s response to the SolarWinds hack for President Biden. Anne has been on the front lines of these issues since at least 2009 when I worked with her as a part of the Defense Industrial Base Cybersecurity initiative (DIBCSI), and she understands the issues inside and out. Anne knows the legal limitations of our intelligence agencies domestically, has heard all of the industry’s concerns and has long been a part of the teams working through these issues.
DIBCSI, initially led many years ago by Victoria Morgan, an unsung heroine who dragged along reluctant defense industry prime contractors, questioning, “who is going to pay for this?,” to a partnership with DoD, has evolved into the Cybersecurity Maturity Model Certification (CMMC). Led by another DoD heroine, Katie Arrington, CMMC has answered the cost question, made the program law, and dramatically increased awareness of the responsibilities that come with being a defense contractor. Defense contractors have had a seat at the table for more than a decade in this partnership and have helped DoD and the federal government answer many of the questions being posed in the wake of the SolarWinds breach.
Let’s look at the critical questions being asked and the answers that the DoD and their supply chain have collectively crafted throughout the decade-plus partnership.
Threat Information Sharing and Breach Disclosure
The DoD and industry partnership produced DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, which mandates rapid reporting of cyber incidents to DoD. Specifically, the clause requires:
(c) Cyber incident reporting requirement.
(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—
(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and
(ii) Rapidly report cyber incidents to DoD.
(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements.
(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents.
(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.
(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.
(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.
(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.
CMMC: A Framework that has Considered and Solved Legal, Logistical, and Operational Issues
Looking at this list of reporting requirements, we have a framework that has considered and solved many legal, logistical, and operational issues around threat information sharing and breach disclosure. Many elements of the law have been in place for almost six years now, with some having been implemented voluntarily for more than a decade. It changes the behavior of the largest supply chain in the world and was created to answer many of the questions currently being asked before important government bodies.
The U.S. has to up-level its cybersecurity. That’s the gist of what we’ve been hearing from multiple sources, including congressional commissions and the Department of Defense (DoD). The alarm bells — and the calls for more stringent security practices — will only grow louder.
The Cyberspace Solarium Commission used the U.S. COVID-19 response as an opportunity to assess the nation’s preparedness for a major, debilitating cyberattack. It highlighted the need to implement more than 30 recommendations from a previous report, as well as five more based on its findings around the pandemic.
Eric Noonan, CyberSheath’s CEO, will be speaking about those kinds of preparations for a national cyberattack against the U.S. on a panel at Cybersecurity Forum 2020. He will be joined by Paul Anderson of Port Tampa Bay, and Michael Wee of Northrop Grumman to talk about lessons learned from the pandemic, the state of cybersecurity planning and organization, and where to focus efforts to better prepare for a major attack. Register for the event here and tune in on Wednesday, September 16 at 2:15 pm ET, if you’d like to learn more.
Another ongoing effort to shore up security is the Cybersecurity Maturity Model Certification (CMMC). This is the DoD’s effort to ensure all defense contractors are practicing and maintaining the proper level of security to better protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
As founder and CEO of CyberSheath, the Title Sponsor of Cybersecurity Forum 2020, Eric is well versed in the goals and efforts behind the CMMC. CyberSheath has been delivering audit-ready, compliance-focused managed services for NIST 800-171 requirements for 8+ years, and the CMMC is the next evolution of those standards.
It’s one of the most comprehensive and impactful moves by the DoD to better secure sensitive data that resides on defense contractors’ systems and networks. As a new set of requirements, many defense contractors are still working to understand the complexities and nuances of the standards, what they’re responsible for, and how to implement those changes.
CyberSheath launched our compliance managed services for CMMC to assist DoD contractors through the process. Through our managed services, we’re able to meet contractors where they are, identify gaps in CMMC compliance, implement the changes, and maintain and assure their compliance at the proper level.
We wanted to be the Title Sponsor of Cybersecurity Forum 2020 because it’s advancing important conversations around the state of security and where we can go from here. In particular, we are looking forward to keynote speakers Senator Marco Rubio, who will give an overview of the risks of national cyber breaches; and Katie Arrington, CISO for the Office of the Secretary of Defense for Acquisition and Sustainment, who will speak on what’s needed for CMMC compliance.
While the U.S. faces cyber threats from around the world, we have plenty of lessons to learn from other disaster responses and a new bar for effective cybersecurity. We don’t know what attacks might be coming, but we do know how to prepare. We hope this year’s conference will spur all in attendance to advance the cybersecurity goals that will defend American innovation and infrastructure.
The US Department of Defense (DoD) has one of the largest supply chains in the world, scaling to hundreds of thousands of different vendors and partners. While valuable, these vital partners in our nation’s defense infrastructure pose a huge cyber risk. Today that risk is largely unchecked and unregulated as contractors can “self-attest” to their ability to protect Controlled Unclassified Information (CUI).
Commercial companies are the lifeblood of any economy and the circulatory system of modern day societies. They provide needed innovation, new discoveries, critical high-value support as well as materials and quick solutions to a myriad of problems. From the most arcane to the most mundane, the US Defense Department has needs in nearly every aspect of procuring commercial services, but this lifeblood paradoxically may imperil the entire system by leveraging companies with little respect for cybersecurity controls. In fact, in this connected world, no government or company can perfectly protect all its data from hackers and rival states. Even so, it is astonishing that, from January 2016 to February 2018, nearly 6 percent of U.S. military and aerospace contractors reported data breaches (according to Stars & Stripes).
And experts feel this is just the tip of the iceberg – the vast majority of security incidents are never uncovered. The Pentagon needs to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity. Essentially that is the goal behind the Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain. The CMMC effort is not without its critics but who can argue that real change wasn’t urgently needed? Learn More about CMMC
Let us review some major breaches of national security that hopefully can be prevented in a post CMMC world so that you might be the judge:
Example One – Jan-Feb, 2018: Comprise of US Navy “Operation SEA DRAGON” – Chinese hackers stole sensitive U.S. Navy submarine plans from Rhode Island DoD contractor
Citing unnamed U.S. officials, the Washington Post reported in June of 2018 about a very disturbing cyberattack of a US DoD contractor. Evidently Chinese government hackers compromised the computers of a U.S. Navy contractor and stole a large amount (approximately 600+ Gigabits) of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines.
The breaches took place in January and February, the officials told the Post, speaking on condition of anonymity about an ongoing investigation led by the Navy and assisted by the Federal Bureau of Investigation.
The U.S. Navy and an unnamed defense contractor are/were working on a new missile which the Navy says will give its submarines a new, “disruptive offensive capability” to take on enemy ships. The previously unknown weapon, known as Sea Dragon, supposedly combines an existing U.S. Navy platform with an existing capability, is likely a new version of a versatile air defense missile capable of pinch-hitting as an anti-ship missile.
Example Two – March 2019: US Navy Review Concludes it is “Under Siege” by Chinese Hackers & Attackers
An internal U.S. Navy review concluded that the service and its various industry partners are “under cyber siege” from Chinese hackers who are building Beijing’s military capabilities while eroding the U.S.’s advantage, The Wall Street Journal reported Dec 2018 – Mar 2019. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal. “People think it’s much like a deadly virus — if we don’t do anything, we could die.”
Three particularly worrisome recent incidents (2018-2020) were the theft by China of highly sensitive information on naval projects left on an unclassified network (2019), last year’s breach of private information on 30,000 Pentagon employees(2018), and the exposure of 60,000 files on a publicly accessible server involving a subcontractor to Booz Allen Hamilton (2018), the firm that employed Edward Snowden. And perhaps most embarrassing was the 2016 theft of sensitive plans for the F-35 fighter — a plane that will cost taxpayers $1.5 trillion over its lifespan. A small Australian subcontractor on the project had reportedly never changed its Windows passwords from the defaults “admin” and “guest.”
Example Three – Sept-Dec 2019: Compromise of Emails and LinkedIn Accounts of military defense companies
In a report released in June 2020 by Slovakia-headquartered ESET cybersecurity company who said the cyberattacks of mainly European aerospace and military defense firms were launched between September and December 2019. A collaborative investigation with two of the affected European companies allowed them to gain insight into the operation and uncover previously undocumented malware.
To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation, and impersonating legitimate software and companies.
According to their investigation, the primary goal of the operation was espionage. However, in one of the cases we investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.
As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representative of well-known companies in the aerospace and defense industries. In our investigation, we’ve seen profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.
With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)
Once the attackers had the targets’ attention, they snuck malicious files into the conversation, disguised as documents related to the job offer in question.
Example Four – 2017-2020: The Chinese APT Threat to Cleared Defense Contractors
In a report published in June of 2020, cyber-security firm Lookout said it found evidence connecting Android malware (APT 15) that was used to spy on minorities in China to a large government defense contractor from the city of Xi’an.
Lookout’s 52-page report details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority, living in western China, but also the Tibetan community, to a lesser degree.
The campaign infected individuals in these communities with malware, allowing government hackers to keep an eye on the activities of minority communities in China’s border regions but also living abroad in at least 14 other countries.
“Activity of these surveillance campaigns has been observed as far back as 2013,” Lookout researchers said. The company attributed this secret surveillance to a hacking group they believe operates on behalf of the Chinese government.
The fact that Lookout linked an APT15 malware sample to a Chinese defense contractor is not a novel discovery. From 2017 to 2019, four other Chinese state-sponsored hacking groups have been linked to contractors hired by Chinese intelligence agencies operating in various regional offices.
APT3 – linked to a company named Boyusec operating on behalf of Chinese state security officials in the province of Guangdong
APT10 – linked to several companies operating on behalf of Chinese state security officials in the province of Tianjin
NEW! APT 10 – Xi’an Tianhe Defense Technology, a large defense contractor in the city of Xi’an, in central China.
APT17 – linked to several companies operating on behalf of Chinese state security officials in the province of Jinan
APT40 – linked to several shell companies operating on behalf of Chinese state security officials in the province of Hainan
Based on previous threat intelligence reports published by cyber-security firms Recorded Future and CrowdStrike, the Chinese Ministry of State Security outsources hacking operations to outside contractors, who report directly to, and take orders from intelligence officials.
In an FBI warning in 2018, https://publicintelligence.net/fbi-defense-contractors-apt/, specifically cites examples against “Cleared Defense Contractors” and here is an excerpt of the alert:
“APT actors in the near future likely intend to target US Cleared Defense Contractors (CDC) via spear phishing campaigns or network infrastructure compromises, according to recent intelligence. Common spear phish targets may include individuals featured on internet-facing CDC Web sites and high-ranking CDC executives.
FBI has observed APT actors over the past two years precede spear phishing campaigns with open source research of targeted US company websites, particularly sections containing contact information for company officials which include names, titles, telephone numbers, and email addresses. In one case, an APT actor sent spear phishing emails within one-to-two weeks after researching the targeted US company.
Historically, APT actors have a strong desire to collect US defense and scientific intelligence to further their interests and advance strategic goals. As a result, US CDCs and research facilities may likely be targets for cyber adversaries due to their involvement in national security and their close relationship with the US Government.”
Example Five – Feb-June 2020: DCSA Bulletin – US Defense Focused
In a report published recently by politico, they suggest they obtained a Defense Counterintelligence and Security Agency (DCSA) bulletin marked “unclassified/for official use only” and warns that DCSA’s cyber division detected nearly 600 “inbound and outbound connections” from “highly likely Electric Panda cyber threat actors” targeting 38 cleared contractor facilities, including those specializing in health care technology. Moreover, the bulletin goes on to say, “Nearly 40 U.S. contracting facilities with access to classified information have been targeted by a hacking group with suspected ties to the Chinese government since Feb. 1”, according to a bulletin disseminated to contractors by the Defense Counterintelligence and Security Agency.
The so-called Electric Panda group is not new and appears to have been operating since at least 2016, according to one of the indicators listed by DCSA. The bulletin goes on to say that this group has been targeting contractors that specialize in cybersecurity, aerospace, naval, health care, power generation, IT systems, telecommunications, risk analysis, and space systems.
Conclusions: How to Solve the Problem?
Given this, how safe is the US DoD Supply chain from cyberattacks? From casual, publicly available information, there is strong evidence that the supply chain base of the US DoD system is under dedicated and constant attack, most probably needs dramatic investments in order to stay safe and sound from cyberattacks and to keep the US military safe.
The key to understanding the solution is to understand that the threat is immeasurably more serious as we must concern ourselves with the great possibility of a loss of life scenarios.
Let us hope that the new CMMC regulation is a very important step in accelerating the awareness of the real possibilities of these dangers, then to assemble a well-orchestrated cybersecurity risk and mitigation strategy for each attribute of DoD Supply chain may be placed in harm’s way.
If you have any questions or would like support as you ready your organization for CMMC, contact us. We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS. Register Now
In this webinar you will learn:
- Mapping NIST 800-171 to CMMC
- Levels 1-5: Challenges and complexities to consider at each compliance level
- Step by step path to attaining CMMC
In today’s security landscape, threats to your IT infrastructure are constantly evolving. As you work to secure your IT systems and processes, penetration testing (pen testing) is an important component of your plan. Pen testing can help your organization gain a fresh perspective with a third party looking at your security from the viewpoint of an attacker.
What is a penetration test?
A pen test is performed by attempting to exploit any of your organization’s identified vulnerabilities or configuration flaws to determine if the protective controls of a given system can be bypassed. Penetration tests can have multiple goal-based scenarios, including PII hunting, database breaches, domain control, and more.
Following the initial compromise of a host or credential set, analysts performing the pen test continue the attack lifecycle by pivoting to other hosts in the network, and then work to show how a compromised host can impact your business.
Why should you run penetration tests?
Pen testing examines the subsystems, components, and security mechanisms comprising your organization’s infrastructure and identifies weaknesses. Penetration tests can help you:
- Validate the effectiveness of your environment
- Meet contractual requirements
- Satisfy compliance objectives (PCI)
- Test your system from multiple adversary roles including potential employees, external adversaries, and more
- Adopt an agile methodology and regularly examine your systems
How do you conduct pen testing?
- Use commercial tools, public domain utilities, and proprietary tools to examine the security posture of a system or application and apply numerous industry frameworks like OWASP.
- Conduct tests from both the vantage point of an unauthorized and authorized user. Working from both of these perspectives drives a more complete understanding of the threats to your organization’s security.
- Go beyond automated tools and use manual testing methodology. Manual testing involves verifying vulnerabilities identified by the automated scanners so that any false positives can be eliminated. It also shows the business impact of a reported vulnerability. Automated scanners lack the ability to detect business logic flaws in the application. A combination of automated and manual testing provides a more thorough analysis.
- Leverage the expertise of licensed, third party analysts holding the appropriate certifications to provide an outside view of those looking to infiltrate your systems. These professionals have no personal ties to the company, thus removing any negative theories.
- Know when to run pen tests. This can be at defined frequencies like annually for small businesses, twice-annually for mid-size organizations or quarterly for large enterprises. Note that PCI requires pen testing annually. It is also good practice to pen test during the development of new systems, such as applications, services, or platforms, when system components or modules are in a static pre-production state. This can address vulnerabilities before exposing a system. In addition, make sure to pen test after changes to system components that are expected to have an impact on the security of a system, including the launch of new technologies, major infrastructure or application changes, modification to authentication mechanisms, or logging capability adjustments.
- Document findings and know how to proceed. The results of the pen test should be incorporated into a report reviewing the results to ensure all findings and vulnerabilities are categorized and documented. This report should provide detailed results of the test including a summary of the findings and the technical details for significant findings per project task, in-depth conclusions identifying affected hosts or application identifiers (i.e. Internet Protocol addresses), recommendations for remediation for each significant finding, and other details such as testing limitations, tools used during the test, and any follow-on environment clean up requirements.
Other pen testing tips
- Ensure that the scope of your pen test is appropriate for what you are protecting such as internet exposed applications and services, internet exposed APIs, access gateways and mechanisms, supporting infrastructure (authentication services and management interfaces), and sensitive data sets existing on applications, databases, and unstructured storage repositories.
- Know and define your attacker’s perspective. An external internet-based attacker targets applications and network services exposed to the internet, whereas a malicious insider earmarks sensitive internal network applications or known network locations housing important datasets. Both types of attackers may or may not have credentials to your network and both may proceed with either a wide scope discovery or a pinpoint approach. Attackers can also test roles to see the impact of escalating privileges and pivot to other roles within an application.
Penetration testing is an important part of your security plan. Make sure you get it right. If you would like help from experienced security professionals on running penetration tests for your organization, contact us.
In today’s digital world, no matter what type of sensitive data you handle, attackers are hard at work developing ways to access it. The rash of high-profile security breaches making headlines every day is clear evidence of the struggle businesses face in trying to stay ahead of these sophisticated cyber attacks.
In response to these threats, local and federal governments around the world have begun to impose increasingly stringent regulations to force companies to re-examine their internal cybersecurity standards.
DFARS clause 252.204-7012, HIPAA, PCI DSS, and GDPR are just some of the many compliance mandates that companies are currently juggling. And considering the disastrous fallout of even the smallest breach, not to mention the heavy penalties associated with non-compliance, there’s no time to waste in getting up to date.
The Risks of Non-compliance
As early as 2005, former U.S. President Barack Obama voiced his concern about cyberattacks, calling them a “national emergency.” In the years following this call to action, Federal agencies continually increased the regulatory mandates for private contractors, and over half of the state governments in the U.S. passed laws to put in place punitive measures for companies that fail to sufficiently protect sensitive data.
These include hefty fines and in some cases, jail time. Of course, these punishments are minuscule when compared to the consequences of actually being hacked. The costs of penalties, legal fe