It is impossible to stop every cyber attack, but a solid defense can help mitigate some of the worst threats. Cybersecurity researchers, working as part of a Department of Defense (DoD) pilot program designed to root out digital vulnerabilities among government contractors, recently discovered some 400 issues across dozens of companies.
The HackerOne Bug Bounty program, which enlists the hacker community, found the issues during the recent Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP) pilot. The pilot was coordinated by the DoD Cyber Crime Center’s (DC3) DoD Vulnerability Disclosure Program (VDP), the DoD DIB Collaborative Information Sharing Environment (DCISE), and the Defense Counterintelligence and Security Agency (DCSA), and was offered as a free benefit to voluntary DIB participants.
The pilot reached its one-year mark and concluded at the end of April.
The number of contractors involved in the recent bug bounty was not disclosed. When the campaign was launched in April 2021, it included some 14 participating companies and 141 publicly accessible assets, which could be examined by hackers. The interest was so great that it ballooned to 41 companies, while nearly 350 assets were eventually admitted.
“DC3’s DoD VDP has long since recognized the benefits of utilizing crowdsourced ethical hackers to add defense-in-depth protection to the DoD Information Networks (DoDIN),” said Melissa Vice, interim director, VDP, in a statement. “The pilot intended to identify if similar critical and high severity vulnerabilities existed on small to medium cleared and non-cleared DIB company assets with potential risks for critical infrastructure and U.S. supply chain.”
Vice added that when comparing monthly findings in its VDP Bug Bytes and DIB-VDP Pilot Myte Bytes reports, similar trends have emerged. Analysis of the DIB Vulnerability Report Management Network (VRMN) will occur following the conclusion of the pilot to document the DIB-VDP pilot’s lessons learned and inform the way forward for a funded program.
“The initiative and teamwork among VDP, DCISE, DCSA, and the HackerOne community to facilitate the DIB-VDP pilot speaks volumes to the continued commitment of DC3 and partner agencies seeking new avenues to better support their customers and the DoD Cyber Strategy,” said Joshua Black, acting executive director, DC3.
Plugging the Holes
Since 2016, VDP has received more than 40,000 vulnerability reports, discovered by more than 3,200 crowdsourced cybersecurity researchers in 45 countries, resulting in approximately 70% of vulnerabilities being validated as actionable and processed for remediation by DoDIN components.
“Every organization should prioritize securing their software supply chain, but it’s even more critical for federal agencies that protect national security,” said HackerOne co-founder and chief technology officer Alex Rice.
“With CISA now mandating vulnerability disclosure for government agencies and federal contractors, the DIB-VDP takes the practice a leap forward by demonstrating the efficacy of VDPs in the real world,” Rice noted. “We should all be thankful to DoD for creating this innovative operating model, proving its effective operation at scale, and then making it available for other organizations to replicate.”
Bug bounties, which employ white hat hackers – the good guys – can be a low-cost method of plugging security holes before black hat hackers find the vulnerabilities.
“This kind of initiative, where experts from different parts of the cyber eco-system share information, is vital to our safety,” explained David Stewart, CEO at cybersecurity research firm Approov.
“You might think that there is already plenty of data about cyber-attacks in the news, but those stories usually only cover ‘what’ the outcome of a given cyber-attack was,” Stewart told ClearanceJobs via an email. “The important, rarely revealed information is the detail about how it was done. Sharing of the ‘how’ between experts is an excellent way to propagate the appropriate knowledge needed to bolster our defenses quickly and efficiently.”
It also isn’t enough to do this on an ad hoc basis. Some experts suggest that penetration testing needs to be regular and ongoing.
“These types of activity are critical to our success as defenders against attack,” said Dave Cundiff, chief information security officer at cyber research firm Cyvatar. “The attackers only have to be right once, where the defenders have to be right always.”
The more information flows between groups, the more effectively they can respond to emerging attacks, Cundiff continued.
“The only drawbacks are the ability of misdirection, or red herrings creating noise which is difficult to reduce once created,” Cundiff told ClearanceJobs. “As long as the program takes into consideration the curation of the data as well as the sharing of information, this could be a wonderfully helpful approach between the two groups.”