Defending DoD from cyberattacks, getting to the left of the boom
In this Q&A with Deon Viergutz, Vice President of Cyber Solutions at Lockheed Martin Information Systems & Global Solutions in Fort Meade, Md., he discusses the most common cyber attacks against the military, the biggest threats are going forward such as insider attacks, and how Lockheed Martin leverages its Cyber Kill Chain approach to defend against cyberattacks. Edited excerpts follow.
MCHALE REPORT: Please provide a brief description of your responsibility within Lockheed Martin and your group’s role within the company.
VIERGUTZ: I run the Cyber Solutions business under Lockheed Martin Information Systems and Global Solutions. We provide the full spectrum of cyber services and solutions from defensive to offensive capabilities for intelligence and defense customers. I am also responsible for the Lockheed Martin Cyber Center of Excellence in Fort Meade, which brings company employees together with defense and intelligence customers and industry under one roof to solve cyber challenges. Significant work is performed there as it is close to the future site of the U.S. Cyber Command’s Joint Operations Center.
We provide cyber capabilities in business platforms and systems. Cyber is a growing part of Lockheed Martin and an area we have focused on for many years. We were doing cyber way before anyone ever called it cyber. We are making investments in education and in our workforce and how we run our business corporate wide and cyber is an integral part of that. [For information on cyber-related employment opportunities with Lockheed Martin.]
MCHALE REPORT: What types of cyberdefense problems do your solutions solve? Please provide examples of current military cyberdefense programs/applications Lockheed Martin is involved in.
VIERGUTZ: From a macro level we have been looking at cyber for 30-plus years and therefore everything we do and every program we administer there is a cybersecurity thread that runs through it. To put it into military terms there are traditionally four domains – sea, land, air, and space. Now we have a fifth domain, cyber, which runs all the way through the other four domains.
One example of where we are enabling cyber defense throughout the four domains is in the DoD Cyber Crime Center (DC3), which is a program where we provide cyber capability and forensic support to the country’s largest forensic laboratory work through cyber evidence in support of the customer. It includes digital and multimedia forensics examination, analysis, research, development, test and evaluation, information technology, and cyber analytical services.
Another program lies within the Defense Information Systems Agency (DISA) where we are managing the transformation of their Global Information Grid under the Global Systems Management Operations contract. We provide DISA with analysts, tools, and capability for this effort, which is helping defend the largest network in the world, the DoD Intranet. Lockheed Martin analysts and DoD personnel work in partnership.
We also earned the NSA Cyber Incident Response Assistance (CIRA) accreditation from the agency’s Information Assurance Directorate (IAD) last year.
MCHALE REPORT: What is the Cyber Kill Chain?
VIERGUTZ: The Cyber Kill Chain goes back to Lockheed Martin’s approach to cybersecurity developed more than a decade ago where we needed to defend our own networks, which are large and global in scale. We developed a methodology that emphasizes intelligence analysis characteristics and prediction to ensure a rapid and agile response to ensure the reliability of our systems.
When it comes to catching cyber threats we look at it from an 80/20 perspective. In other words 80 percent are going to be caught by traditional products already out there that defend against phishing and malware. The other 20 percent we define as advanced persistent threats, which are the most difficult to detect and can cause the most serious damage across various network sectors. This approach was a key part in developing the Cyber Kill Chain to defend our own networks.
The Cyber Kill Chain is comprised of seven phases of intrusion where the adversary is using a weapon against the network:
- Command and control
- Action on objectives
When an adversary is delivering cyber weapons against us we look across those seven steps and at what methods or tools we can use to protect against each one. We figure an adversary will have to be right seven times to be successful against our defenses.
The valuable thing about the Cyber Kill Chain is the return on investment in each of those phases. We look at what tools we used to stop a threat at phase 2, evaluate their effectiveness and change them out if necessary. There is a return on investment at each step.
This methodology can go further. For example, if we stopped a threat at phase 1 we look at how much further it would have gone through the chain if we had not stopped it at the first step.
The chain was part of a strategic decision we made years ago to protect our own networks given the criticality of what is on those networks. We are now applying this same approach and its methodologies to the DoD, government agencies, and the industry. We have also gathered more than 12 years of threat data such as tactics, techniques, actor behavior, and how to work around those threats so we can – to use a military term – get left of the boom. In other words, to see the threat and prepare for it before it happens.
MCHALE REPORT: What are the most common cyberattacks U.S. military organizations face and how do you defeat or counter them?
VIERGUTZ: From the 80/20 perspective mentioned above most attacks within the 80 percent range are phishing attacks, looking for weaknesses in networks. The threats range from state actors to individuals. This broad range requires networks to make sure they have good network hygiene whether they are government agencies or the industrial base.
The 20 percent are zero day attacks and how you survive them comes down to how fast you patch the holes. They could be looking for IP, reconnaissance, or to inflict damage or harm and it is clear that the threats are getting more and more tenacious and continuous. They are not one and done. Unfortunately, there is no silver bullet to stop them. You must assume the attacks will continue and will vary in terms of complexity and intent. To combat the advanced persistent threat you must be positioned for something unknown in the future. This is why the seven-part Cyber Kill Chain is effective. Adversaries have to be successful seven different times.
MCHALE REPORT: Are defense suppliers more or less likely to be victims of cyberattacks from terrorists or unfriendly nation states when compared to DoD sites?
VIERGUTZ: Like other defense prime contractors and suppliers we are providing products and services to the DoD and federal customers so our data is of interest to potential cyber adversaries. We focus on identifying these threats as we can’t take action against those delivering the attack. However, we can report it to the appropriate authority, who will then determine the appropriate action. We do share the threat information that we gather.
MCHALE REPORT: What cyber threats keep you up at night? How can existing technology to help prepare for such threats?
VIERGUTZ: Two things. First is securing the supply chain. There are thousands of suppliers around the world feeding into military systems. This is something we are always thinking about and making sure we understand what more we can do as a prime contractor. We currently apply our Cyber Kill Chain approach to help ensure the security of our own supply chain and work with our suppliers to help them secure their own channels.
The second is defending against insider threats. This requires an overarching approach to protecting the infrastructure. Insider threats can be mitigated by good cyber hygiene among employees with effective password protection, etc. We’ve also implemented insider threat protection tools within infrastructures by leveraging our tool called LM WISDOM ITI. It a predictive analytics and big data technology tool that monitors and analyzes rapidly changing open source intelligence data such as social media and turns this data into actionable intelligence. Organizations can use LM WISDOM ITI to monitor behavior patterns among employees to see where a potential insider threat might be emerging.
MCHALE REPORT: Looking forward, what disruptive technology/innovation will be a game changer for cyberdefense? Predict the future.
VIERGUTZ: The number one thing I’m focused on is developing a self-healing system for cyber defense. In other words a hardened system that assumes it is going to be attacked and can implement methods to not only stop an intrusion, but learn from it and “heal” from the damage.
The other game changer for cyber defense will be the convergence of cyber with signals intelligence and electronic warfare. We will merge these three disciplines to enable advanced analysis and big data capabilities and enable persistent situational awareness in real time. This will help look across networks on a global scale and to engage the health and wellness of those networks and how they are tied to the workforce operating those networks.