Why Defense contractors still have a cyber target on their backs


The Defense Department is still figuring out how to raise the cybersecurity waterline among its vendor community as part of its Cybersecurity Maturity Model Certification program. And some new research based on privately collected cyber risk intelligence shows the problem is as urgent as ever. According to a new report from Black Kite, almost three quarters of defense contractors have had network credentials leaked in just the past 90 days. That’s a huge jump from the last time the firm measured that statistic. Jeffrey Wheatman is a senior vice president at Black Kite, and he spoke to the Federal Drive with Tom Temin more about the findings.

Interview transcript:

Jared Serbu: Jeffrey, thanks for doing this. And let’s start with sort of the headline number from this latest piece of research: 72% of contractors had at least one leaked credential in the last 90 days. Can you take us inside that a little bit? Because the term “defense contractors” can cover a lot of territory. I assume there are some that are more vulnerable than others.

Jeffrey Wheatman: Yeah absolutely. And it’s great to be here, Jared, thanks for setting aside some time to talk to me today. Yeah, so as part of building this report, which by the way, we did a previous version in January of last year, we looked at the top 100 defense contractors out of the Defense contract network systems, right, so we can see who those organizations are. So these are folks that are supplying for the DoD and that sort of military complex. And the challenge that we have seen with a lot of organizations that have leaked credentials, leaked credentials are one of the number one vectors for ransomware infections, right? Because if you have someone’s email, you can create malware in that or insert malware into that. You send it to someone in the organization, and they say, “Hey, look at that. That came from JeffreyWheatman@blackkite.com, I’m safe.” So when those credentials get out there, they become a very, very big attack vector. And unfortunately, as much as we have been recommending, for years, a lot of organizations are still not doing strong authentication or multi-factor. So if I have your email login and your password, I’m you for all intents and purposes, which is a huge exposure, as I’m sure you can imagine.

Jared Serbu: The Defense Department has pointed out for years that it sees its vendor base as kind of a soft underbelly of the whole enterprise from a cyber risk perspective. Does your research kind of bear that out when you compare contractor vulnerabilities versus what you see in the government itself?

Jeffrey Wheatman: That’s a great question. I think you know this as well as I, the government is not one entity, right? It’s a bunch of different entities. And to be honest, some agencies are much better than others. And I think you can imagine which ones those would be. I do see, in my long career of working with folks in the federal space, I think oftentimes, the government asks partners and contractors to do things that they themselves are not really able to do, or at least don’t do at the level that they need to be. And I think that over the last number of years, you know, with digital business, and the government is no exception. With cloud explosion – it’s not even an expansion anymore – it’s no longer about one person’s posture. It’s about everybody connected to their posture. And I think that the DoD is 100% correct, in that they’re potentially very exposed. And I think one of the big challenges is everybody thinks Defense contractors are all huge. But there are thousands and thousands of Defense contractors, most of them are not those big companies, they’re small shops that are doing manufacturing of one sensor or one component. And over the last 10, 15 years, the DoD has tried multiple attempts to figure out what the posture is and how to fix the cybersecurity posture, and the latest attempt to CMMC. And we know that back in September, they frankly took a lot of the teeth out of it, because I think they realized, too many of their contractors can’t do what they need them to do, or what they’ve asked them to do.

Jared Serbu: And to your point, as GAO just pointed out, they found that DoD couldn’t live up to the CMMC standards, either. Let’s dig a little deeper on that Defense contractor space. From what you can tell, do attackers see the difference between those large firms and the smaller firms who may have slightly more vulnerable security postures? In other words, are they more likely to go after a smaller mid-tier contractor than they are one of the big five?

Jeffrey Wheatman: So it’s an interesting question, and I think there’s sort of there’s a multi-part answer. I think some of the attacks we see out there are very much “let’s take some malware, let’s throw it against the wall and see what sticks,” right? So sometimes it’s just pure luck, that a piece of malware goes out there. And maybe it infects a small company, and maybe it infects a big one, maybe a small one comes back and they say, “Oh, hey, this company is connected to here,” or we know they’re a supplier. So some of it sort of just luck of the grab. I do however, think that we’ve seen a huge, I think we know, there’s been a huge uptick in nation state-sponsored accounts, whether they’re actual governments or whether the governments are throwing money at a lot of these ransomware gangs. And I think those are going to be much, much more targeted. And I think those people know that they will have an easier time getting into those smaller companies who are not necessarily in a position to be able to defend themselves. And if those attackers are patient enough, and frequently, they can afford to be patient, they’re OK if it takes a couple of steps. So maybe they go to a real small company, and then they get to a slightly larger one. And then maybe they can jump right into one of the big ones through a trusted connection, because we tend to trust our partners. And that has proven itself to be problematic to say the least.

Jared Serbu: Another data point the research points out is that companies that have lower technical capacity or technical ratings, as you put it, are many times more likely to actually have a breach. Can you unpack that a little bit for us?

Jeffrey Wheatman: Yeah, I mean, the way we like to look at it is that people take a controls-based approach. But the reality is, you have to look at the entire ecosystem of your plan, your program, how you run your security organization. And if you think about our programs as a home, right, the attackers only need to find one open window, one open door, one garage code that’s 1234. And they’re in and then they can roam around. So the more open ports, the more breached credentials, the more missing patches, the less encrypted traffic, all of these things are just other opportunities to get in. And, the bad, the attackers know that. And they only need one way, the metaphor I use all the time is the defenders need to be perfect.

But the attackers only need to find one missing scale in the dragon’s armor. And they’re inside. And I think that the more complex an organization is, the more complex an ecosystem, the more likely it is that there’s a T that’s not crossed or an I that’s not dotted. And then they wedge a pole, and they get in and they can sit, and they can be patient. And I was actually at a networking event last night with a former FBI agent who works for one of our partners. And he was talking about the fact that there is malware that was probably planted 18, 24, 36 months ago, that is just sitting and waiting for an opportunity to be triggered. And that stuff I think is largely from nation states. And your audience may be familiar, I’m sure they are, with the SolarWinds problem that happened a couple of years ago. Well, there are still lots of companies out there that have SolarWinds that have not patched it. And that means they’re probably infected. And the attackers are just waiting to see something interesting.

Jared Serbu: Bottom line here. Everyone within the sound of our voices heard this 20,000 times at this point, but this is all cyber hygiene stuff, right? It is basic blocking and tackling that gets you into a better place.

Jeffrey Wheatman: That is absolutely true. Verizon just reached their, released their annual DBIR – the Data Breach Investigation Report – and I don’t have the exact number but I can tell you about what is: 75% of successful attacks are the compromised systems where a patch has been available for at least a year. So absolutely basic blocking and tackling, putting in strong passwords, putting in MFA, patching systems, segmenting networks, all things that we have known should have been done 10, 15, 20 years as long as I’ve been a practitioner, even longer than 20 years. And I think people are still just overwhelmed with the size of their networks, that complexity, especially a lot of larger organizations have a lot of heterogeneity in their environment. So they don’t have three operating systems to patch, they have 12 at 50 different patch levels. It’s just it’s a lot to balance. And that’s why getting ahead of the curve, kind of, we refer to as “left of boom,” right? What do we know upfront? Let’s get as much information so that we can at least know where our exposures are, and then use that to prioritize how we’re going to protect ourselves.

Jared Serbu: Last thing, Jeffrey, I’m hoping you can say a little bit about the methodology behind your study. I mean, you guys are a cyber risk intelligence firm. I know you don’t want to spill all your secret sauce here on the radio. But let’s say a little bit about when you throw out a figure along the lines of 72% of contractors have had at least one breach. How do we know that?

Jeffrey Wheatman: Yeah, so there’s a bunch of different things that go in there. But the first thing is we have the largest data store. We have, I think the second largest data store in Google’s cloud right now. We have data on 34 million organizations across the world. We have over 400 open source intelligence sources, some of which you would know, some I can’t actually share. So we collect all of this data, and we run it through a tremendous amount of analysis, and we benchmark people against the NIST framework and this MITRE ATT&CK framework, which is where we get a technical score. We also do financial analysis based on Open FAIR, which is a risk assessment methodology. And then we also have a module where we ingest compliance documents and questionnaires. And we score people against 14 or 15 different frameworks.

And then we also have the ability – so we have what we call a data breach index, which is backward looking. So we look at the dark web, and we have people that lurk in a lot of different languages on the hacker boards. We comb the news, we comb required reporting, a lot of the federal government stuff is required for, you have to report when you have a breach. We see credentials out there. So we take that and we can tell you when people have been breached in the past, and then we actually did some work a couple years ago, a lot of our clients said, “Hey, you know what, we’re vulnerable here and there, but ransomware, that’s the biggest problem.” So we actually worked with the research team from IBM. And we came up with this ransomware susceptibility index, where we know that even though there are 292 controls that we measure people against, a very small number of them are actually relevant to ransomware.

So we basically compress that and we have this RSI, where it’s a, I always hesitate to use predictive because it’s more probabilistic than saying, “you’re going to be breached,” because we don’t like to say that. But above six, you’re exposed. And we know from the report that quite a few organizations were above that. So essentially, we have a tremendous amount of data. It’s very, very highly validated, we don’t put anything in a report unless we have two confirming sources for it. And we’re able to bring together a lot of different perspectives and views.

In my 15 years at Gartner, prior to arriving at Black Kite, I advised a lot of CISOs and CROs going in front of the boards, going in front of the trustees, going in front of Congress in the federal space on how to effectively communicate risk in nontechnical language. And what we have found is the more different views or perspectives you can bring to bear, the more powerful the story is if you go to your executive and say, Hey, we’re a B. As compared to what? Well, okay, we’re a B, and we have $17 million worth of financial exposure because we have regulated data and some intellectual property. Those are two very, very different stories. And as we say, not every B is the same B, right. Some of them are much, much more exposure than others. For example, we see lots of companies that have A-, B+ scores, but their RSI is 0.7. So overall, they’re doing okay, but the specific things that are used to defend against ransomware they’re not doing well in that area.
