DOD Offering Defense Industrial Base a ‘Krystal Ball’ Into Adversary Insights

Companies participating in an information-sharing program at the Defense Department’s Cyber Crime Center, or DC3, were alerted to a new potential service offering Friday that will utilize publicly available information and threat intelligence to provide insight into their cybersecurity posture and what they can do to improve it, according to a leading official. 

“We've been doing a sort of soft start to it since about February, a quiet rollout,” Terry Kalka, deputy director for DOD’s defense industrial base collaborative information-sharing environment, or DCISE (pronounced ‘dice’), said in an interview with Nextgov. “We've talked about it kind of all along the way, with some [DIB companies], but we haven't really stood up and said hey, guess what we're doing now. And that's going to happen this Friday.”

The pilot—referred to as Krystal Ball—is the newest offering being tested by DC3, which senior policy officials consistently highlight in describing plans to tackle cybersecurity threats including intellectual property theft and, more recently, the endangerment of critical infrastructure from ransomware attacks.

DC3 is responsible for executing the broader defense industrial base cybersecurity program which started in 2008 with about 16 companies voluntarily sharing information with the department. In 2021, that number has grown to 850 companies which Kalka says accounts for the full spectrum of large and small suppliers across all subsectors.  

Participating companies sign an agreement with the DOD CIO that protects their identity in the event DC3 needs to share indicators they’ve found with the rest of the defense industrial base. DC3 is also the place where the companies have to report breaches under Defense Federal Acquisition Regulations. That information is also anonymized before DC3 shares it with other government partners, namely the Cybersecurity and Infrastructure Security Agency.   

DC3 service offerings are free to the companies who agree to share information under these circumstances. Two services that have already become standard through the office are a Cyber Resilience Analysis, or CRA, and DCISE3, which allows DC3 to monitor a company’s network traffic in real-time. 

Requests for both of these, and Krystal Ball, are expected to increase with the emergence of DOD’s Cybersecurity Maturity Model Certification program, which aims to institute a system of mandatory third party audits for all contractors in coming years and is making some stakeholders nervous.

“We continue to find companies who really aren't clear on what CMMC is, or if it's going to apply to them and what they're going to do about it, and I hear that inside and outside of the partnership,” Kalka said. “I'm pleased with the current demand signal. I anticipate that it's going to continue, and it is going to grow as CMMC becomes more and more prevalent in requests for proposals.” 

The Cyber Resilience Analysis specifically maps to cybersecurity controls in the CMMC standard. Before the pandemic, companies requesting a CRA would even receive on-site visits from DC3 in preparation for a CMMC audit.

“There are commercial organizations that will give you an in depth analysis, and all the artifacts you need to be compliant. But we saw a need within our partnership to give them a tool to at least get a start and see where they are so that they know where to go. And that was the birth of the cyber resilience analysis tool,” Kalka said. “It's not a sort of certificate of compliance by any stretch, but it is a lightweight assessment tool, free to members of the DIB cybersecurity program.”

The DCISE3 offering suggests an even greater level of trust between companies and DC3. Kalka said they’ve had a lot of success through participants handing over their firewall logs for rapid analysis in conjunction with both government and commercial threat feeds. That yields a richer analysis and points to specific actions companies can take, he said.  

The firewall logs are shared through a third party intermediary. DC3 personnel don’t know who’s traffic they’re looking at as they’re looking at it. They only reach out to the intermediary to tip companies off when they see anomalies requiring their attention. 

“The intermediary will get permission from the company to sort of de-cloak themselves so we can have a conversation about what we're seeing and advise the company on how to defend against it,” Kalka said, adding that the intermediary stores the logs in a secure cloud enclave that is not part of the DOD Information Networks, but must adhere to the same security controls that govern the DODIN.

Kalka, and other Defense officials, distinguish between the DCISE3 initiative and other models that have been proposed for DIB information sharing that rely on sensors and are generally unwelcome by industry. 

“In DCISE3, we're not placing sensors on a dib company network, so that's a key distinction from some other sensor approaches,” he said, stressing the need for government-industry collaboration.

For Krystal Ball, DC3 is partnering with the firm LookingGlass to create what Kalka described as a company’s internet footprint from open-source information.

“They might have web servers, they might have mail servers, they might have remote access systems and, you know, if we can see them, then an adversary can certainly see them,” he said. “So then it's a question of using those footprints to figure out if there are any vulnerabilities that are available, or exposed.”  

Kalka said even in the slow rollout phase DC3 was already able to identify high-profile vulnerabilities on DIB networks, including those related to Pulse Secure, and Microsoft’s Remote Desktop Protocol.  

He added that while the office generally caters to small and medium-sized businesses, larger organizations can reap the benefits of the new pilot offering too.

“What Krystal Ball is showing us so far is that the need for help exists across the entirety of the DIB,” he said. “I can't name names, but I can tell you that there are some, you know, larger companies, generally have more capable, robust cybersecurity programs, but because of their size, the threat of shadow IT is a big one. There are cases where we've identified infrastructure that the company had just about lost track of.”

That’s exactly what seems to have happened in the case of Colonial Pipeline, according to the company’s CEO. Defense officials in a recent Senate Armed Services Committee hearing noted that DCISE is prioritizing ransomware reporting.

“We focus on the small and medium companies, because those are the organizations that are frankly less likely to be able to meet the cyber security needs of the times we're in,” Kalka said. “But that doesn't mean that large companies can't get a boost as well.”

He’s not intimidated by the expected demand for DC3’s services, and noted that DC3’s technical solutions directorate is working on special software in-house that should be able to handle all the data.

“One of the things we’re working on is creating a software to visualize and assist in the analysis and I believe once that's in place, we will have the resources we need to analyze the data coming in, no matter how many companies,” he said.