Top threats to cyber defenders, according to a senior DISA official

Almost simultaneously as patches are released, adversaries are probing Department of Defense networks, according to Col. Paul Craft, commander of Global Operations Command at the Defense Information Systems Agency, which is responsible for global DoD network boundary defense.

Even adversaries know about “patch Tuesday,” Craft said during a June 14 panel at the Defensive Cyber Operations Symposium in Baltimore, Maryland. “We all know that patches come out and we know that it’s our responsibility within the DoD to get it patched quickly. I’ll tell you as the command that runs the boundary: We are immediately scanned for any of those vulnerabilities … by our adversaries.”

The adversary receives the same patch notice releases as everyone else making, it a known vulnerability, he said, and they’re going after these patches an hour after they’re released.

In terms of threats, Craft placed spear-phishing at the top of the list. He said this method isn’t solely aimed at government addresses, but the personal emails of DoD employees and cleared defense contractors because individuals check their personal email accounts on their government machines.

The nature of today’s world requires personnel to be on guard in both their public and private personas, the Air Force’s chief information security officer said in a Jan. 23 speech at the ICIT Winter Summit.

“Even in our personal social media lives we are being monitored. From LinkedIn to Facebook, we are being monitored,” Peter Kim said. “Our adversaries are watching. … Be mindful and wary of friend requests from anyone you don’t know. Even attempts to reach out to get to know you or connect for networking, you should all scrutinize every one of those, especially people you’ve never seen or heard from or met. Be mindful of Facebook pages and LinkedIn groups masquerading as official pages like an official F-22 page … where you can share your experiences and war stories and get to know others. Check the sources, ask your colleagues, go that extra mile before accepting.”

The second threat, according to Craft, is credential harvesting. “The first step is get in with an email. Second step is to be able to harvest those credentials that are out there,” he explained.

Nation-states are always changing their tactics, techniques and procedures, Craft said. “It’s not as simple as it was 10 years ago where if you blocked the IP [address and] it stopped the attack because all that happens in the world today is IPs change instantaneously,” he said.

The current environment is a constant back and forth — a constant knife fight with nation-states, he said.