With the deadline for compliance with DFARS Clause 252.204-7012 having passed on December 31st 2017, many companies are still scrambling to catch up. But in their haste, many may be ignoring a vital aspect of the mandate.
Chiefly designed to ensure adequate security in safeguarding “covered defense information” (CDI), DFARS requires Department of Defense (DoD) contractors and subcontractors to implement controls to protect sensitive data “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
However, it also includes clearly specified mandates for cyber incident reporting, when a contractor or subcontractor discovers that CDI has been compromised or adversely affected within their networks. In addition to safeguarding CDI, it is imperative that companies follow these prescribed reporting requirements if they experience a cyber incident.
Collecting information on cyber incidents allows the government to investigate key details in order to monitor and hopefully contain future cyber threats. As such, DFARS cyber incident reporting mandates are designed to ensure that businesses turn over this information quickly.
According to DFARS, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” If you have determined that a cyber incident has taken place, then in accordance with the “Rapid Reporting” requirement you must:
(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and
(ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil within 72 hours of discovery.
The DFARS provision defines a compromise as the “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”
Although there has been some debate as to which reporting triggers start the 72-hour timeframe, implementing a clear cyber incident response plan creates a track record of internal consistency that would demonstrate responsible handling if a contractor’s reporting methods were ever scrutinized.
A full list of what to report can be found on this page of the DoD’s DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal.
In the event that malicious software (malware) is found on a compromised system, the contractor must also collect information about the malware and submit it using a malware submission form to the DoD Cyber Crime Center (DC3) “in accordance with instructions provided by DC3 or the Contracting Officer.”
Preserve Your Media
The DoD may also choose to conduct a thorough post-incident investigation, also known as a damage assessment. To allow for this, they require companies that have been breached to “preserve and protect images of all known affected information systems” and “all relevant monitoring/packet capture data” for at least 90 days following the discovery of an intrusion.
Advice on Reporting
Opening up the lines of communication with the DoD prior to any incident ensures that the process is less complicated and helps you to report in a timely fashion.
In addition, making sure your forensics tools and procedures meet the DoD collection requirements will also ensure that you’re able to quickly gather the required information and report all the pertinent details in full.
Preparation is key. Make sure to practice using your forensics collection procedures so you can quickly report and recover without missing a beat. It’s also important to note that any report of a cyber incident must be submitted with a DoD-approved medium assurance certificate. Information on how to obtain this certificate can be found at iase.disa.mil.
If you’re looking for someone to stay on top of your reporting so you don’t drop the ball, or if you just need further assistance understanding the complex process of reporting a cyber incident, Contact Cybersheath today for a free consultation.
Researchers and security experts at Kaspersky Labs and Symantec have identified a new type of malware platform that has been so advanced and secretive that very few details are only now coming to light. ProjectSauron, as the malware has been named, has been active since at least 2011. What distinguishes ProjectSauron from other APTs and zero-day exploits is that it has operated virtually undetected for five years and has multiple modules that can be installed based on the needs of the attacker(s). Security professionals are stopping short of naming its country of origin but suspect that the advanced persistent threat (APT) malware could “…probably have been developed only with the active support of a nation-state,” according to Ars Technica.
Researchers have also discovered that ProjectSauron is difficult to detect using traditional anti-virus because much of the malware resides in computer memory and is written in the form of Binary Large Objects (BLOBs). How ProjectSauron works is still being learned, but the software artifacts the program leaves behind are unique to each target. According to Ars Technica and Kaspersky, unlike “…many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.” This means that each instance of the malware is uniquely tailored to its environment. Both Kaspersky and Symantec researchers feel that this is just the beginning. Currently, more than 30 organizations have been attacked, and that number is expected to rise. The targets have been government agencies, scientific research centers, military organizations, telecommunication providers, and financial institutions. So far, no US-based organizations have reported being infected with the malware, but it has appeared in Russia, Iran, Rwanda, China, Sweden, Belgium and possibly in Italian-speaking countries.
ProjectSauron itself is made up of many different modules that do various things depending on the target. According to an FAQ published by Kaspersky, in a discovered instance of ProjectSauron, it “registers its persistence module on domain controllers as a Windows Local Security Authority password filter.” A password filter is a common tool used by system administrators to enforce password policies and validate new passwords against complexity and length requirements. ProjectSauron inserts itself into this process and runs every time any network or local user, even an administrator, logs in or changes a password. ProjectSauron then harvests the password in plain text. In instances where domain controllers lack direct Internet access, the attackers can install additional modules on “other local servers which have both local network and Internet access…” and which pass through a significant amount of network traffic. These nodes are then set up for silent and inconspicuous data exfiltration that blends in with legitimate traffic, using the high volume of network traffic as a disguise. ProjectSauron’s modules are installed as “sleeper cells,” which means that they will not activate until commands are received through the incoming network traffic. Researchers believe this is why the APT malware has survived this long in the wild without discovery.
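Because the password filter persistence described above is registered through a documented Windows mechanism, defenders can audit it directly. The following PowerShell script is an added example, not code from the original post, Kaspersky or Symantec; it lists the LSA notification packages on a domain controller and flags any entry that is outside an assumed baseline or whose DLL does not carry a valid Authenticode signature. The baseline names (scecli, rassfm) are an assumption to be adjusted per environment.

```powershell
# Added example: audit LSA password filter registrations on a domain controller.
# Password filter DLLs are loaded by LSASS from the REG_MULTI_SZ value
# "Notification Packages" under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.
# Read-only; run in an elevated session.

# Assumed baseline of package names expected on a domain controller.
# Adjust to your own build (an assumption, not a Microsoft-published list).
$Baseline = @('scecli', 'rassfm')

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'

foreach ($Name in $Packages) {
    # Entries are normally bare names; LSASS resolves them as <name>.dll in System32
    $DllPath = Join-Path $env:SystemRoot "System32\$Name.dll"
    $Finding = [ordered]@{
        Package    = $Name
        InBaseline = ($Baseline -contains $Name)
        DllPath    = $DllPath
        DllExists  = (Test-Path -Path $DllPath)
        Signature  = 'n/a'
        Signer     = 'n/a'
    }
    if ($Finding.DllExists) {
        $Sig = Get-AuthenticodeSignature -FilePath $DllPath
        $Finding.Signature = $Sig.Status
        $Finding.Signer    = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { 'none' }
    }
    # Flag anything outside the baseline or not carrying a valid signature
    $Finding.Suspicious = (-not $Finding.InBaseline) -or ($Finding.Signature -ne 'Valid')
    [pscustomobject]$Finding
}
```

Pipe the output through `Where-Object Suspicious` to see only the flagged entries, and treat any unexpected package as a lead for the image and packet-capture preservation steps described in the DFARS section above rather than deleting it immediately.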
ProjectSauron can also infect air-gapped networks. In situations where networks are isolated, Kaspersky identified a scenario where a toolkit was specially designed to move data from air-gapped networks to Internet-connected systems via infected removable USB devices. To do this, the attacker first compromises an Internet-connected system and waits for the user to attach a USB drive; a ProjectSauron module is then installed on the USB disk, which reserves an area of hidden space holding custom-encrypted partitions that are not recognized by a common OS such as Windows. It should be noted that this method can also bypass many DLP products that block the plugging in of “unknown USB devices based on DeviceID,” because in this case the USB drive was known and recognized as a genuine USB drive.
For more information on ProjectSauron, please read the Kaspersky report.
CyberSheath stands with you in your effort to defeat advanced persistent threats. Let us help you shore up your security by conducting an assessment today.