One weapon in the Defense Information Systems Agency’s arsenal is a commercial off-the-shelf tool that maps and monitors the internet attack surface, which is comprised of all the assets and devices connected to the internet, and helps reduce exposure to attackers.
The agency uses the tool in its efforts to operate and defend the Department of Defense’s Information Network (DODIN), and also helps combatant commands, services, and agencies and members of the intelligence community streamline acquisition of the tool for use within their own networks.
“We have found a lot of value in this tool,” said Amanda Villwock, chief of DISA’s Cyber Analytics Branch. “We have customers who use it and acknowledge how it enhances their Defense Cyberspace Operations (DCO) missions.”
Villwock encourages DCO analysts and those throughout the department analyzing potential network mapping capabilities to reach out to DISA for more information.
A solid cybersecurity foundation begins with a complete understanding of assets and the potential exposure they present to an organization or individual, said Craig Williams, a program analyst with the Cyber Situational Awareness and Analytics Division. The most critical exposures often lie at the network perimeter on devices – both physical and virtual – that are exposed directly to the internet.
Villwock provided an example of how the tool, procured through a Blanket Purchase Agreement managed by the DoD Enterprise Software Initiative, is used.
“RDP, or remote desktop protocol, is a proprietary protocol developed by Microsoft that provides a user with an interface to connect to another computer over a network connection. Cyber researchers assess that 70 percent of the Fortune 100 unintentionally expose RDP to the public internet at least once every 90 days,” said Villwock. “Often without knowing that it happened at all.”
Misconfigurations, like devices with exposed RDP, typically occur in an organization’s unregistered, unmonitored, and possibly unknown internet protocol (IP) space. These misconfigurations happen not just because of negligence or malfeasance, but because IT personnel are trying to efficiently enable core operations and support mission requirements.
“Not many exposures are the result of malice, but that doesn’t mean they present any less risk to the organization,” said Williams. “It’s critical for those responsible for maintaining and protecting networks to have visibility into all internet-exposed assets to quickly find and remediate exposures, no matter the cause.”
The tool DISA uses enables network managers and cyber defenders to:
- Detect and manage misconfigured, unknown, or unauthorized internet-facing and cloud assets.
- Find critical exposures and validate remediation results.
- Address emergent compliance requirements.
- Be alerted to any public-facing network change and exposures across the global network “edge” of the mission partner or subscriber.
- Monitor compliance of contractors’ privileged access subnetworks connected to subscriber or mission partner networks.
- Identify out-of-policy or risky system behaviors and communications between the network attack surface and public internet, without sensor installation.
Mission Partners interested in learning more, and who would like DISA representatives to provide a demonstration, should contact their DISA Mission Partner Engagement Office representative.