Scrutiny of defense industrial base (DIB) cybersecurity has never been higher. The costs and impacts of security lapses are on full display in the wake of the SolarWinds breach, as federal agencies continue to investigate the full scale of the intrusion, likely the work of Russia.
Even before recent events, Cybersecurity Maturity Model Certification (CMMC) loomed large among the DIB. We took a snapshot this fall of where DoD contractors stand, surveying more than 200 senior executives to find out what work still needs to be done, the risks and challenges they face, and how to ensure long-term security and compliance.
The results reveal new opportunities, including mitigation and investment strategies, and highlight some of the biggest remaining unknowns that the DIB must quickly address.
This report is designed to help the DIB, the US DoD, and the general security community better understand the level of compliance, the acceptance of new rules, the level of understanding of the cyberattack threat landscape, and current levels of preparedness and business impacts.
Once you learn what DoD suppliers are thinking, find out what they’ve been doing for the past five years. We’re opening the vault on data from the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks to help contractors better navigate the road to CMMC compliance. Join our free webinar on February 3, 2021 for all the findings.
Among the key findings of the Fall 2020 executive survey:
Finding 1: 21% of DIB companies surveyed have experienced a cybersecurity incident
A little over one-fifth of DIB companies indicated that they have been a victim of a cyberattack, highlighting the risk that CMMC aims to curb. But as the demand for security professionals outpaces supply, executives are increasingly looking to public cloud and key DIB partners to assist in managing security.
Public cloud infrastructure offers some of the best bets, and allows DIB companies to compete effectively in today’s digital world and stay secure. Moreover, as cyberattacks become more rampant, DIB C-Suite professionals are looking for active management and continuous monitoring of all infrastructures.
Finding 2: 82% of DIB contractors are handling CUI, a Critical Element in DFARS Compliance (CMMC / NIST 800-171)
Of DIB companies surveyed, 82% understand that they process Controlled Unclassified Information (CUI) as first defined by a ruleset under the Obama administration. As a result, they inherit the most onerous requirements of CMMC and NIST 800-171 security standards, which are critical to ensuring future DoD revenue.
Executives are concerned about the impact security threats can have on business performance, pointing to the potential loss of customers, brand reputation, and operational productivity. Many report adjusting budget priorities to better secure networks and prevent attacks.
The impacts of attacks on DIB corporate networks can vary depending on the industry in which companies compete. Manufacturers that have long embraced automation to boost production efficiencies now plan to integrate artificial intelligence in security measures with a corresponding shift in their IT budgets.
Events that most influence how executives view their companies’ security vulnerabilities include high-profile data breaches and nation-state attacks on peer companies, cyber-attacks on their organizations, and government regulations.
Finding 3: 93% of DIB companies are aware of CMMC
The DIB C-Suite research reveals that nearly all companies in the sector – 93% – are aware of the new CMMC rules and the important sector trends. DIB companies are attempting to educate themselves about the effects of recent rule changes on security requirements. Suppliers of all sorts need to consider documentation, adherence, and, in some cases, transformation of their security practices to protect and comply with the requirements of the new DoD rules.
Fortunately, only 13 of 201 respondents said they were unaware of the CMMC rules. Unfortunately, many in the DIB are ill-prepared to actually implement them.
Finding 4: A third of DIB companies don’t know which CMMC level to focus on
The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC as a requirement for contract award.
While 56% of respondents said they’re focused on Levels 1-3, with 42% focused on Level 3 alone, a large portion of respondents still don’t know which level to focus on. Some 33% of respondents said the level they would focus on is “uncertain.” That will limit their speed in adopting and certifying their compliance with the level they eventually must meet.
Finding 5: More than half of DIB companies outsource IT and security functions
DIB C-suite executives face tough choices when deciding where to invest resources to propel their businesses forward. At least 4 in 10 respondents identify increasing infrastructure complexity, digital transformation plans, integrations of artificial intelligence, and migration to the cloud as putting pressure on security planning and budget allocation.
Executives understand that compliance with DFARS, NIST 800-171, and CMMC is paramount, and that to transform their businesses they must embrace the integration of new technologies.
At the same time, they’re facing an internal skills gap. One-third of respondents report dependence on their internal IT talent, promoted from within, which can create a knowledge gap in security strategy.
The internal skills gap is not easily solved because the demand for security professionals outpaces supply. As a result, more executives report the need to look to outside security vendors for assistance.
In fact, more than 54% of executives report outsourcing both IT and IT Security to gain traction on competent and quick compliance. They’ve decidedly moved toward public and private cloud environments, and the survey data also reveals a shift of network security budgets toward technologies that employ more automation, more technology integration, and the ability to operate from a sovereign US environment on government-certified FedRAMP environments.
Finding 6: China and Russia aren’t the only risks on DIB companies’ minds
DIB C-Suite executives face tough choices when deciding where to invest resources to propel their businesses forward. As the threat of network attacks becomes a question of when, not if, chief executive officers and chief security officers must carefully evaluate the risks associated with security vulnerabilities and the costs of implementing effective security solutions.
At least 4 in 10 respondents identify these factors as putting pressure on their organizations’ security planning and investment:
- Increasing infrastructure complexity
- Threat from China, Russia, and Iran
- Compliance to new regulations
- Migration to the cloud
Finding 7: 40% of DIB companies estimate the cost of an attack at more than $1 million
Data breaches are expensive. They rack up monetary costs that directly affect companies’ bottom lines, but more troubling is the damage inflicted to intangibles such as brand reputation and customer trust.
Almost 40% of respondents estimated the hard cost of every attack to be more than 1 million USD/EUR/GBP, with cost estimates surging to more than 25 million USD/EUR/GBP for 5% of respondents. While soft costs are difficult to quantify, it is likely their impact is much higher over the long run than hard costs.
About the Research
On behalf of CyberSheath, BAO surveyed 201 executives from July to September 2020. To participate in the 2020 DIB C-Suite Compliance Security Survey, respondents were required to represent a company that contracts with the US DoD, and by design the survey required at least half of respondents to be C-level executives, though this year’s research attracted far more C-level corporate leaders. About two-thirds of the companies in the survey have fewer than 500 employees.
Don’t forget: Sign up for our free webinar on February 3, 2021 to learn what high- and low-scoring organizations have in common, variables that negatively affect most businesses, and characteristics of companies attaining compliance. Don’t miss it!
With the deadline for compliance with DFARS Clause 252.204-7012 having passed on December 31, 2017, many companies are still scrambling to catch up. But in their haste, many may be ignoring a vital aspect of the mandate.
Chiefly designed to ensure adequate security in safeguarding “covered defense information” (CDI), DFARS requires Department of Defense (DoD) contractors and subcontractors to implement controls to protect sensitive data “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
However, it also includes clearly specified mandates for cyber incident reporting, when a contractor or subcontractor discovers that CDI has been compromised or adversely affected within their networks. In addition to safeguarding CDI, it is imperative that companies follow these prescribed reporting requirements if they experience a cyber incident.
Collecting information on cyber incidents allows the government to investigate key details in order to monitor and hopefully contain future cyber threats. As such, DFARS cyber incident reporting mandates are designed to ensure businesses turn over this information quickly.
According to DFARS, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” If you have determined that a cyber incident has taken place, then in accordance with the “Rapid Reporting” requirement you must:
(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and
(ii) Rapidly report cyber incidents to DoD at http://dibnet.dod.mil within 72 hours of discovery.
The DFARS provision defines a compromise as the “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”
Although there has been some debate as to what reporting triggers define the start of the 72-hour timeframe, implementing a clear cyber incident response plan can create a track record of internal consistency that would prove responsibility if a contractor’s reporting methods were ever to be scrutinized.
A full list of what to report can be found on this page of the DoD’s DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal.
In the event that malicious software (malware) is found on a compromised system, the contractor must also collect information about the malware and submit it using a malware submission form to the DoD Cyber Crime Center (DC3) “in accordance with instructions provided by DC3 or the Contracting Officer.”
Preserve Your Media
The DoD may also choose to conduct a thorough post-incident investigation, also known as a damage assessment. To allow for this, they require companies that have been breached to “preserve and protect images of all known affected information systems” and “all relevant monitoring/packet capture data” for at least 90 days following the discovery of an intrusion.
Advice on Reporting
Opening up the lines of communication with the DoD prior to any incident ensures that the process is less complicated and helps you to report in a timely fashion.
In addition, making sure your forensics tools and procedures meet the DoD collection requirements will also ensure that you’re able to quickly gather the required information and report all the pertinent details in full.
Preparation is key. Make sure to practice using your forensics collection procedures so you can quickly report and recover without missing a beat. It’s also important to note that any report of a cyber incident must have a DOD-approved medium assurance certificate. Information on how to obtain this certificate can be found at iase.disa.mil.
If you’re looking for someone to stay on top of your reporting so you don’t drop the ball, or if you just need further assistance understanding the complex process of reporting a cyber incident, contact CyberSheath today for a free consultation.
Researchers and security experts at Kaspersky Labs and Symantec have identified a new type of malware platform so advanced and secretive that details are only now coming to light. ProjectSauron, as the malware has been named, has been active since at least 2011. What distinguishes ProjectSauron from other APTs and zero-day exploits is that it has operated virtually undetected for five years and has multiple modules that can be installed based on the needs of the attacker(s). Security professionals are stopping short of naming its country of origin but suspect that the advanced persistent threat (APT) malware could “…probably have been developed only with the active support of a nation-state,” according to ARS Technica.
Researchers have also discovered that ProjectSauron is difficult to detect using traditional anti-virus because much of the malware resides in computer memory and is written in the form of Binary Large Objects. How ProjectSauron works is still being learned, but the software artifacts the program leaves behind are unique to each target. According to ARS Technica and Kaspersky, unlike “…many malware operations that reuse servers, domain names, or IP addresses for command and control channels, the people behind ProjectSauron chose a different one for almost every target.” This means that each instance of the malware is uniquely tailored to its environment. Both Kaspersky and Symantec researchers feel that this is just the beginning. Currently, more than 30 organizations have been attacked, and that number is expected to rise. The targets have been government agencies, scientific research centers, military organizations, telecommunication providers, and financial institutions. So far, no US-based organizations have reported being infected with the malware, but it has appeared in Russia, Iran, Rwanda, China, Sweden, Belgium and possibly in Italian-speaking countries.
ProjectSauron itself is made up of many different modules that do various things based on the target. According to an FAQ published by Kaspersky, in a discovered instance of ProjectSauron, it “registers its persistence module on domain controllers as a Windows Local Security Authority password filter.” A password filter is a common tool used by system administrators to enforce password policies and validate new passwords against complexity and length requirements. ProjectSauron inserts itself into this process and runs every time any network user, local user, or even an administrator logs in or changes a password. ProjectSauron then harvests the password in plain text. Where domain controllers lack direct internet access, the attackers can install additional modules on “other local servers which have both local network and Internet access…” and that pass through a significant amount of network traffic. These nodes are then set up for silent and inconspicuous data exfiltration that blends in with legitimate traffic, using the high volume of network traffic as a disguise. ProjectSauron’s modules are installed as “sleeper cells,” which means that they will not activate until commands are received through the incoming network traffic. Researchers believe this is why the APT malware has survived this long in the wild without discovery.
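A password filter only works if it is registered in the LSA “Notification Packages” value, so that registry value is the natural place for a defender to audit on every domain controller. The script below is an added example written for this page, not code from the original post, from Kaspersky, or from CyberSheath. It assumes that a stock domain controller lists only scecli and rassfm (treat that baseline as an assumption and replace it with the value from your own golden image), and it reports, for every registered package, whether it is in the baseline, whether the DLL actually exists in System32, how it is signed, and when it was last written.

```powershell
# Added example (not from the original post or Kaspersky's report): audit the LSA
# password-filter registration that ProjectSauron's persistence module abuses.
# Run elevated on each domain controller and compare the output across DCs.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# Assumed stock DC baseline; verify it against a known-good build of your own.
$baseline = @('scecli', 'rassfm')

# 'Notification Packages' is a REG_MULTI_SZ; each entry names a DLL (without .dll)
# that LSA loads from %SystemRoot%\System32 at boot and calls on every password change.
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages'

function Get-PasswordFilterAudit {
    param([string[]]$Packages, [string[]]$Baseline)

    foreach ($pkg in $Packages) {
        $dllPath = Join-Path $env:SystemRoot "System32\$pkg.dll"
        $exists  = Test-Path -Path $dllPath
        $sig     = if ($exists) { Get-AuthenticodeSignature -FilePath $dllPath } else { $null }

        [PSCustomObject]@{
            Package        = $pkg
            InBaseline     = ($Baseline -contains $pkg)
            DllPresent     = $exists
            SignatureState = if ($sig) { $sig.Status } else { 'n/a' }
            Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            LastWrite      = if ($exists) { (Get-Item -Path $dllPath).LastWriteTime } else { $null }
        }
    }
}

# Anything outside the baseline, unsigned, or recently written deserves a closer look.
Get-PasswordFilterAudit -Packages $packages -Baseline $baseline |
    Sort-Object InBaseline, SignatureState |
    Format-Table -AutoSize
```

A filter registered today is not loaded until the next reboot, so this check catches the registration before the harvesting starts; pairing it with registry write auditing on the Lsa key (Windows object-access auditing or Sysmon registry events) turns the one-off audit into continuous detection.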
ProjectSauron can also infect air-gapped networks. In situations where networks are isolated, Kaspersky identified a scenario where a toolkit was specially designed to move data from air-gapped networks to Internet-connected systems via infected removable USB devices. To do this, the attacker first compromises an Internet-connected system, waits for the user to attach a USB drive, and then installs a ProjectSauron module that reserves a hidden area on the USB disk as a custom-encrypted partition that common operating systems such as Windows do not recognize. It should be noted that this method can also bypass many DLP products that disable the plugging of “unknown USB devices based on DeviceID,” because in this case the USB drive was known and recognized as a genuine USB drive.
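Because the hidden partition is the artifact that survives on the drive, a defender can look for it directly rather than relying on DeviceID allow-lists. The following is an added example for this page, not code from the original post or from Kaspersky; it assumes the Windows Storage module cmdlets (Get-Disk, Get-Partition) are available and that a legitimately formatted removable drive has little unallocated space and no partitions of unknown type, which is the heuristic it uses to flag drives for a closer look.

```powershell
# Added example (not from the original post or Kaspersky's report): flag USB disks
# that carry unrecognized partitions or large unallocated regions, the kind of
# hidden area the text describes. Requires the Storage module (Windows 8 / 2012+).

function Get-SuspiciousUsbDisk {
    param(
        # Assumed threshold: more than this many MB unaccounted for is worth a look.
        [int]$UnallocatedThresholdMB = 64
    )

    foreach ($disk in Get-Disk | Where-Object { $_.BusType -eq 'USB' }) {
        # Get-Disk exposes Size and AllocatedSize; the difference is space no
        # partition in the table claims, where a hidden region could live.
        $unallocatedMB = [math]::Round(($disk.Size - $disk.AllocatedSize) / 1MB)

        $partitions = Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue
        # On GPT disks Type is a friendly name ('Basic', 'Unknown', ...); on MBR
        # disks the numeric MbrType is the only clue, so report both.
        $unknown = $partitions | Where-Object {
            $_.Type -eq 'Unknown' -or
            ($disk.PartitionStyle -eq 'MBR' -and $_.MbrType -notin 7, 12, 14, 11, 6)
        }

        [PSCustomObject]@{
            DiskNumber       = $disk.Number
            FriendlyName     = $disk.FriendlyName
            SerialNumber     = $disk.SerialNumber
            PartitionStyle   = $disk.PartitionStyle
            PartitionCount   = @($partitions).Count
            UnknownPartitions = @($unknown | ForEach-Object { "#$($_.PartitionNumber)/$($_.Type)/$($_.MbrType)" }) -join ', '
            UnallocatedMB    = $unallocatedMB
            Suspicious       = ($unallocatedMB -gt $UnallocatedThresholdMB) -or (@($unknown).Count -gt 0)
        }
    }
}

Get-SuspiciousUsbDisk | Format-Table -AutoSize
```

The MBR type list (NTFS, FAT32 variants, FAT16) is an assumption about what ordinary removable media use; a drive that trips the check is not proof of compromise, but it is the drive to image and examine rather than the one to trust on DeviceID alone.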
For more information on ProjectSauron, please read the Kaspersky report.
CyberSheath stands with you in your effort to defeat advanced persistent threats. Let us help you shore up your security by conducting an assessment today.