The DOD Improves Their Security Posture Through the DIB-VDP
Four months into the 12-month pilot, nearly 200 hackers within the Department of Defense’s Defense Industrial Base Vulnerability Disclosure Program (DOD DIB-VDP) have identified 649 valid vulnerabilities. HackerOne recently sat down with Krystal Covey, DCISE Director, and Ashley Smith, DCSA Counterintelligence Directorate, to learn about their goals for engaging with hackers to improve national security. Read on to learn how the Defense Cyber Crime Center (DC3) and Defense Counterintelligence and Security Agency (DCSA) teams are improving the security of critical assets within DIB vendors and contractors and the mission that’s driving this program.
Who is DC3’s DCISE?
Krystal Covey: The Defense Collaborative Information Sharing Environment (DCISE) is the operational hub for the DOD’s DIB Cybersecurity (CS) Program offering no-cost cybersecurity services to Cleared Defense Contractors (CDCs). In addition, DCISE is currently piloting services to select non-CDCs.*
What is the DIB Cybersecurity (CS) mission?
Krystal Covey: The mission of the DIB CS Program is to enhance and supplement the capabilities of Participants to safeguard DOD unclassified information that resides on or transits DIB unclassified information systems.
How does DCISE support the DIB CS mission?
Krystal Covey: DCISE protects DOD information on DIB unclassified networks by fostering a collaborative information-sharing environment and delivering DIB-focused cybersecurity services and resources. DCISE is the conduit for reporting DIB cyber incidents to the DOD while simultaneously providing awareness across the US government of cybersecurity threats and trends that impact the DIB. DCISE develops and shares actionable threat products and performs cyber analysis, diagnostics, and consultation for the DIB.**
How many DIB companies are part of the DIB CS Program?
Krystal Covey: We have 800+ Partners with signed Framework Agreements within the DIB CS Voluntary Program.
What services does DCISE offer DIB Partners?
Krystal Covey: We offer various cyber threat products based on several sources, including Partner incident submissions, OSINT, DOD, and other USG reporting that provide a complete understanding of known or potential threats to unclassified DOD information on or transiting DIB systems and networks. Some statistics on DCISE analysis of nation-state Advanced Persistent Threat (APT) DIB cyber events since February 2008:
- Performed 76,628 hours of no-cost forensics and malware analysis
- Published 12,362 cyber reports
- Shared 507,483 actionable, non-attributional indicators
DCISE service offerings include internal/external customer services, outreach, operational metrics, process improvement, quality assurance, quality control, and organizational training. DCISE builds and manages relationships with many DIB companies and USG stakeholders and drives special projects that improve customer experience. Outreach activities include web conferences, Technical Exchanges, Regional Partner Exchanges, virtual events, and facilitating Analyst-to-Analyst and Business-to-Business Exchanges.
Additionally, DCISE research supports DIB Partners in protecting DOD information through numerous services. These services are piloted to the DIB Partnership and range from services to technologies, and are intended to encompass all concepts, technologies, and processes related to cybersecurity.
What are some of DCISE’s expanded pilots and services?
Cyber Resilience Analysis (CRA): CRAs are holistic assessments of a company’s technical controls and processes, from how they keep their security controls updated to how they document the process. The assessment consists of more than 300 questions across ten security domains to assess a company’s cyber resilience.
Adversary Emulation: A form of penetration testing that not only uses a standard playbook but also leverages adversarial tactics, techniques, and procedures (TTPs) to test security controls. These adversarial TTPs are determined by identifying the most likely adversary to target a company based on the technology the company develops.
Krystal Ball: A tool that uses publicly available information to passively identify vulnerabilities that a DIB Partner has and the threats that may leverage those vulnerabilities. Since this information is openly available, it is the same information that any adversary would be able to discover about the same company.
Why is DCISE participating in the DIB-VDP Pilot?
Krystal Covey: There are thousands of CDCs that support the DOD, with varying sizes and resources. The DIB CS program has seen a steady increase of smaller companies that require added services to protect their assets. DCISE has resolved to grow with the Partnership and offer various solutions for its diverse DIB Partner makeup. The DIB-VDP Pilot is a great opportunity to demonstrate how DIB assets can be actively protected under a VDP.
What are the benefits to the DCSA participants in the DIB-VDP Pilot?
Ashley Smith: DCSA benefits because companies participating in the pilot can learn about weaknesses in their networks and receive no-cost recommendations for correcting vulnerabilities.
What if the system weakness or vulnerability is outside the scope and asset list provided?
Ashley Smith: If something outside the scope of the pilot is discovered, a DIB-VDP Pilot analyst will contact the participant to determine how they’d like to proceed. Participants have an option to expand their scope and asset list.
Who can participate in the DIB-VDP Pilot program?
Ashley Smith: The DIB-VDP Pilot program is open to any organization, both cleared and uncleared. The Pilot Participation Request Form is here.
Anything else you’d like to share?
Ashley Smith: One of the primary missions of DCSA is to provide critical technology protection to the DIB. Given the recent increase in cyber incidents affecting the DIB, DCSA views this pilot as a promising way to identify and stop attempts at stealing our Nation’s secrets.
*DCISE is also the reporting and analysis hub for the implementation of Title 10 USC Sections 391 and 393 regarding the reporting of certain types of cyber incidents by CDCs and the related Defense Federal Acquisition Regulation Supplement (DFARS 252.204-7012).
**as outlined in Title 32 Code of Federal Regulations (CFR) Part 236, and serves as the single focal point for receiving all mandatory cyber incident reports affecting unclassified networks while protecting Controlled Unclassified Information (CUI) in accordance with the DFARS clause 252.204-7012.