Lockheed Martin continues fighting cybercrime for DoD

Story

April 20, 2017

A recently won $347 million contract enables Lockheed Martin to continue overseeing the world's largest accredited digital forensics lab for five more years, as the company continues its role as the prime contractor for the Department of Defense (DoD) Defense Cyber Crime Center (DC3). Operating under the Air Force Office of Special Investigations, DC3's scope encompasses the entire DoD, providing operations, management, and mission support to more than 10 agencies, including the Department of Homeland Security (DHS), National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Defense Security Service (DSS), and U.S. Cyber Command (USCYBERCOM).

A recently won $347 million contract enables Lockheed Martin to continue overseeing the world’s largest accredited digital forensics lab for five more years, as the company continues its role as the prime contractor for the Department of Defense (DoD) Defense Cyber Crime Center (DC3). Operating under the Air Force Office of Special Investigations, DC3’s scope encompasses the entire DoD, providing operations, management, and mission support to more than 10 agencies, including the Department of Homeland Security (DHS), National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Defense Security Service (DSS), and U.S. Cyber Command (USCYBERCOM).

DC3’s objective: To determine what adversaries are doing to copy, clone, steal, or destroy sensitive military and industrial secrets to gain a competitive advantage or an advantage in a warfighting scenario. “Our highly skilled cyber forensic analysts support this mission,” says Tom Warner, program director for Lockheed Martin’s DoD Cyber Solutions Division.

To this end, DC3’s Defense Computer Forensics Laboratory (DCFL) receives “inputs from the defense criminal investigative organizations like the Air Force Office of Special Investigations, NCIS, etc.,” Warner explains. “When digital assets – laptops, cellphones, etc. – are seized as part of crime investigations, they come to DC3. Our analysts do forensics examinations and pull together reports to be used in court to support the legal process.”

Their capabilities include determining cyberattack attributions in order to gain a better understanding of adversaries and their infrastructure. “Analysts work to understand all of the details around specific cyberattacks and can provide that information to the appropriate authorities – law enforcement, counterintelligence, or the military – to help them perform their missions,” he adds.

Another group within DC3, called RDT&E [Research, Development, Test, & Evaluation], specializes in development, tools, and support. “Our software engineers work in partnership with the government to develop capabilities that fill the gaps that COTS [commercial off-the-shelf] solutions can’t accomplish today to help our employees find evidence on devices and do the analytics to better understand our adversaries from a cyber perspective,” Warner says. But another central focus is “making cyber information-sharing easy” to help defend the defense industrial base and the DoD.

Nation-state cyberattacks on the DoD are escalating in terms of complexity, frequency, and stealth. These attackers are extremely well funded and resourced, and have a very clear directive on their objectives, unlike the noisy and relatively easy types of attacks that fraudsters and hacktivists tend to favor.

“Nation-state attacks – from our biggest adversaries – are the most challenging,” Warner acknowledges. “They’re driving us to innovate in the ways we defend against threats.”

How do nation-state attacks get started? Most begin with social engineering and a targeted phishing email with a link to a compromised website to click as bait, where malicious code is waiting to be surreptitiously downloaded onto the victim’s computer.

As Warner acknowledges, humans are the main reason DC3 exists. In many cases, he notes, “human action is what causes the initial compromise, and it’s why we need to explore and understand how the initial compromise happened. Humans are one of our greatest assets, but also the biggest risk if they aren’t educated to know how to handle these situations when they arise – report any suspicious emails and don’t click links.”

Nation-state attacks most frequently arrive in the form of what the Center calls advanced persistent threats, which are akin to “attempting to find a needle in a ‘needlestack’ rather than a needle in a haystack,” Warner says. “These are well-resourced and trained adversaries who conduct multiyear intrusion campaigns targeting highly sensitive economic, proprietary, or national-security information.”

Don’t expect advanced persistent threats to go away any time soon. “The threat and ops tempo is increasing, stealth is ever-present, and these operations are downright surgical in terms of specific technologies they’re targeting,” Warner points out. “But as encryption becomes the norm, it’s making it more difficult to understand the traffic that’s potentially leaving networks – in terms of command and control between the adversary and the malicious code they have running on somebody’s computers. This makes it more challenging to do investigations.”

It’s important to note that the threat is evolving as more devices become connected. Anything with an IP address is vulnerable and “there’s a potential to connect in a malicious way,” he adds. “Our data is everywhere – on smartwatches, phones, gaming, the Internet of Things, anything that’s connected. A surprising amount of data resides on those devices. As our defense as a nation increases, our adversaries are continuing to evolve their attacks. We’re doing our best to continue to keep ahead of that threat.”

DC3 is one of Lockheed Martin’s flagship cyber programs, and “we’re thrilled to have the opportunity to support it for another five years,” Warner says. For more on DC3, visit www.dc3.mil.