Supply Chain Defense
3PR Risk for Prime Contractors and Mitigation Steps
By Amy Williams, PhD, CISSP, CMMC-RP - Director of Proactive Services
This post focuses on the overall protection of the defense industrial base’s supply chain security and the role of the prime contractor in driving improvements within their ecosystem.
CMMC regulation was born from recognition that the defense industrial base’s cyber security attack surface isn’t siloed - it’s connected. Subcontractor networks and their employees, third-party applications and anything else that touches a prime contractor’s systems present cyber risk, leaving sensitive data as vulnerable as the weakest link in the prime’s ecosystem. National defense is at stake when it comes to protection of DoD prime contractor networks. In 2010, the Joint Strike Fighter breach was attributed to a third-party attack and third-party attacks on this industry have been growing ever since.
Subcontractors are often the first point of attack as a way into a prime contractor, but these subcontractors are also the creative engine in the design process.
Think about it: those small design firms with the big ideas are where the creativity resides. And the details in the design that those small companies create are more valuable to foreign interests than managers of those small companies realize. Also, smaller businesses are less likely to have formal security systems and processes. Accordingly, threat actors are increasingly focused on subcontractors because:
- They hold valuable intellectual property;
- They are less likely to have the resources needed to adequately protect against nation-state attacks; and
- They may be used to open an exposure to other companies in the supply chain
As a result of the risks at the subcontractor level, prime contractors to the DoD must be prepared to answer questions like:
- What subcontractors are exposed to compromise?
- Across your network of subcontractors, are there common security risks?
- What are you doing about these risks?
- What have you done to minimize the likelihood of a successful third-party attack?
An Illustration of the Problem
To help explain how these attacks may take place, the following illustration is provided. This is purely fictional yet based loosely on common scenarios seen by our Incident Response (IR) team.
This fictional attack starts with Anna the Attacker exploiting a weakness she found in a popular training website TrainCo. TrainCo offers courses on engineering and business. They don’t have any trade secrets, so they haven’t felt the need to have any sort of security review.
If someone hacks their website, then they will just get free access to education, right? Anna reasons that they will be an easy target, and she is correct. She was able to modify the website so that she captures the login credentials of anyone taking courses through the TrainCo website. This is called a watering hole attack. Now that she has modified the website, she just waits for her victims to show up.
Edison the Engineer works for DesignCo, a company that contributes design innovations on the software that goes into handheld navigational devices used by soldiers. Edison loves to learn and he’s currently taking a class on 3D CAD at TrainCo.
When he logs in, Anna collects his credentials. His credentials are his company email address and a password. Anna can see from his email address what company he works for, so she takes a guess at DesignCo’s webmail address and tries to log in to Edison’s email address using the TrainCo password, and guess what? It works because Edison reuses his same password everywhere. This is called credential stuffing.
DesignCo does not use multifactor authentication, so now Anna is in Edison’s email, with full access to all of his messages, his contacts and his calendar. Edison is one of DesignCo’s lead designers, so he frequently talks with managers at ManuCo, who make the cases for the handheld devices. Since he also needs to occasionally have use case conversations with PrimeCo, the company that sells the final handheld product to the DoD, Edison also has email contact information for PrimeCo employees in his address book.
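The two conditions that let Anna into Edison’s mailbox (a password reused from another site, and no MFA) are visible in the webmail sign-in log if anyone looks. The following is an added example, not code from the original post or from BlueVoyant: it runs two simple detections over a constructed sign-in log whose format (timestamp, account, source IP, result, MFA flag) and account names are assumptions for illustration.

```python
"""Flag webmail logins consistent with credential stuffing / password reuse.
Signal 1: an account succeeds from a never-before-seen IP with no MFA step.
Signal 2: one IP tries many distinct accounts in a short window (stuffing).
Log format and sample data are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; company names follow the post's fictional story.
SAMPLE_LOG = """\
2023-05-01T08:00:01Z edison@designco.example 198.51.100.20 SUCCESS mfa=no
2023-05-02T09:15:30Z edison@designco.example 198.51.100.20 SUCCESS mfa=no
2023-05-03T02:41:07Z edison@designco.example 203.0.113.7 SUCCESS mfa=no
2023-05-03T02:41:20Z milo@designco.example 203.0.113.7 FAIL mfa=no
2023-05-03T02:41:25Z dana@designco.example 203.0.113.7 FAIL mfa=no
2023-05-03T02:41:31Z raj@designco.example 203.0.113.7 FAIL mfa=no
2023-05-03T02:41:40Z lee@designco.example 203.0.113.7 FAIL mfa=no
2023-05-03T10:05:00Z milo@designco.example 198.51.100.21 SUCCESS mfa=yes
"""

def parse(log):
    """Turn the assumed 'ts user ip result mfa=yes|no' lines into dicts."""
    events = []
    for line in log.strip().splitlines():
        ts, user, ip, result, mfa = line.split()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "ip": ip, "ok": result == "SUCCESS",
                       "mfa": mfa == "mfa=yes"})
    return events

def find_suspicious(events, spray_window=timedelta(minutes=10), spray_min=4):
    """Return (user, ip, reason) tuples; events are processed in time order."""
    known = defaultdict(set)       # user -> IPs that have logged in before
    attempts = defaultdict(list)   # ip -> [(ts, user)] for every attempt
    flagged_ips, findings = set(), []
    for e in sorted(events, key=lambda x: x["ts"]):
        ip, user = e["ip"], e["user"]
        attempts[ip].append((e["ts"], user))
        recent = {u for t, u in attempts[ip] if e["ts"] - t <= spray_window}
        if len(recent) >= spray_min and ip not in flagged_ips:
            flagged_ips.add(ip)    # report each stuffing source once
            findings.append((user, ip, "many_accounts_from_one_ip"))
        if e["ok"]:
            # First success from an IP this user never used, and no MFA:
            # exactly what a reused password plus no MFA looks like.
            if known[user] and ip not in known[user] and not e["mfa"]:
                findings.append((user, ip, "new_ip_no_mfa"))
            known[user].add(ip)
    return findings
```

On the sample log this flags Edison’s 02:41 login from 203.0.113.7 as a new source with no MFA, and then flags the same IP once it has tried four accounts within ten minutes; Milo’s later MFA-backed login from a fresh IP is not flagged.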
Now Anna has a multitude of different devious strategies to choose from. Does she send an email to Milo the Manager at ManuCo or Piper the Purchasing Officer at PrimeCo as her next step? Does Anna just use Edison’s email for its legitimacy, or does she try to redirect Milo or Piper via the content of a message to a rogue website?
It’s interesting to note here that somewhere between 90 - 95% of cyber security attacks involve some form of email attack, especially phishing attacks. Why? Two reasons: they work, and they leave less to trace within the organization’s network if the attacker can get an employee to click on a link that is outside the organization, convince the employee to send information, or convince the employee to perform an action. There’s less evidence in the network than there would be with, say, a malware attack where malware is downloaded onto the network.
Also, if you are a nation state hacker looking to collect intellectual property, you’d probably rather find a way to keep monitoring and collecting information than perform a one-time hit, so you’d want to avoid any actions that left a highly visible trail of your dirty deeds. Of course, there are exceptions, but this seems the most logical route for nation state attackers. Going back to the illustration above, the point is that Anna now has a myriad of different options at her disposal for her next method of attack simply by having access to the legitimate email account of a subcontractor to a subcontractor of a prime.
How BlueVoyant Can Help
The illustration above is far simpler than reality. Many DoD prime contractors have multiple layers of subcontractors. As many as seven layers is not uncommon. The least secure layer within that stack presents a risk to all the suppliers in the stack.
Many BlueVoyant team members, including our leadership, have served in the military or in government agencies. Our deep interest in helping DIB members is greatly supported by our extraordinary, holistic suite of services designed around the needs of companies at each level of compliance.
BlueVoyant’s understanding of supply chain risk and our dedication to securing the nation’s critical assets were the motivation for development of our supply chain defense services for prime contractors to the government. Our 3PR capabilities have been specifically mapped to CMMC to track risks directly related to the compliance requirements. The illustration below provides a small sample of our visibility into a prime contractor’s third-party risk from their subcontractor network.
Figure: Data Mapping, CMMC Domain to 3rd Party Risk Mapping Examples
With our 3PR for CMMC, the prime contractor can track evolving risks for each and every subcontractor without any required access to subcontractor networks. Risks are dynamic and so are our risk profiling capabilities so it's not one scan and done. Prime contractors can use our 3PR capabilities to:
- Get a regular global view of how their subcontractor population is doing overall.
- Identify the highest risk subcontractors so that they can provide help to the subs that need it most.
- Identify the most common risks across the entire population of subcontractors and use that to offer training/remediation advice for broader distribution across the population of subs with that problem.
Going back to the illustration of the fictional attack above, use of BlueVoyant’s 3PR capabilities can flag many telltale signs of the attack strategies used by Anna, which can then be used to stop the attack.
For example, weaknesses in website security, unpatched applications, credential theft, credential stuffing – these are all identifiable risks that can not only be flagged by our footprinting and data analytics but can actually be proactively resolved through:
- Engagement of our risk operations center to remediate new risks as they emerge throughout your entire supply chain.
- Selective engagement of our Proactive Services team to consult with select, high risk subcontractors.
- Direct engagement with subcontractors by you, the prime contractor, informed with the risk data generated by our 3PR capabilities.
It’s important that prime contractors engage subcontractors to help mitigate third-party risk. Nation state attacks are typically highly orchestrated, multi-faceted, multi-tiered attacks with different companies being victimized and targeted in different ways. You don’t have to look further than the SolarWinds attack to see how devastating these attacks can be.
BlueVoyant’s unrivaled supply chain defense capabilities are invaluable in the fight against nation state attacks for the following reasons:
- Our data: we utilize both proprietary and publicly-available data sources. Due to the origin and historical roots of our leadership team, BlueVoyant data sources are currently only available to ourselves and government agencies.
- Our experience: better service is as much about the people as the data and our team leaders have served as senior operators in both offensive and defensive cyber operations for national defense agencies. Both our data and our experience are unparalleled in the industry.
- Our tools: BlueVoyant leverages the tools and processes developed for our MSS service tailored to address the specific requirements of third-party cyber risk management.
- Our proven methodology: BlueVoyant has an established Risk Operations Center (ROC), which undertakes analysis, research, prioritization, and remediation effort on behalf of our clients and their third parties.
For more information on how BlueVoyant can help, contact [email protected]