When you are the U.S. Federal Government, how do you uncover security weaknesses and vulnerabilities without jeopardizing the country’s most critical systems and data? The answer is to follow in the footsteps of leading technology brands who crowdsource vulnerability discovery and disclosure while ensuring uptime and security using Akamai’s services. That was the idea proposed by Defense Digital Service (DDS), the Department of Defense’s (DoD’s) arm of the White House’s U.S. Digital Service.
Created by Secretary of Defense Ash Carter to transform the way the DoD builds and applies technology, DDS is charged with leveraging private sector talent and best practices to improve the federal government’s most critical services. Recognizing that security through obscurity is neither realistic nor viable, in early 2016 DDS convinced the DoD to launch its first-ever bug bounty, called Hack the Pentagon. By taking advantage of the innovations and new thinking that characterize the private sector, the DoD found a cost-effective way to support its internal cybersecurity experts and better protect its systems and networks.
While bug bounties are common in the private sector, the federal government had never before implemented this approach. That said, the concept is relatively simple: an organization incents outside researchers – or white-hat hackers – to test the security of its networks and applications and report what they find so the organization can address the vulnerabilities. In this case, the U.S. Federal Government hired a third party, HackerOne, to organize and manage the “hackers” who would try to identify vulnerabilities.
To ensure the success of this program, DDS worked closely with Defense Media Activity (DMA), which provides DoD enterprise-wide cloud services consisting of a web-based content management system for over 700 public-facing military and DoD websites. Both DDS and DMA understood the risks involved and realized that the more hackers they invited to participate, the more bugs the DoD would find. They also knew that to provide both experienced researchers and novice hackers with a meaningful challenge, the program needed to include sites that were significant targets along with some outside the DoD perimeter. Finally, in addition to launching and managing the overall program effectively, DDS and DMA also needed to manage all external communications with the press regarding every aspect of the program.
DDS needed to meet two key requirements to support its objectives:
From the start, DMA recommended that defense.gov be included in the Hackathon since it was already protected by Akamai. DDS also put other security measures in place to discourage nefarious activity during the event.
At the same time, DMA engaged Akamai’s Professional Services to prepare for the program. Because Akamai already runs a bug bounty program of its own, Akamai’s experts provided invaluable insights and suggestions for consideration throughout the program. In addition, DMA implemented Akamai’s Client Reputation service as an additional security layer. Client Reputation uses algorithms to compute a risk score from prior behavior observed across the entire Akamai network, and to profile the behavior of attacks, clients, and applications. Based on this information, Akamai assigns a risk score to each client IP address and lets DMA choose which actions Akamai’s security services should take at each score level. By using Client Reputation, DMA had actionable intelligence on approximately 54,000 unique client IP addresses trying to target defense.gov from day one of the program.
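To make the mechanism concrete, here is an added example (not Akamai’s Client Reputation implementation, and not code from the case study) of the pattern the paragraph describes: prior observations about a client IP are folded into a single 1–10 risk score, and the operator, rather than the scoring engine, decides which score bands are denied at the edge, alerted on, or merely monitored. The observation history, category weights, decay half-life and threshold defaults are all assumptions chosen for illustration.

```python
"""Illustrative client-IP reputation scoring with operator-chosen actions.

Added example, not Akamai's Client Reputation algorithm: a toy scorer that
turns prior observed behaviour into a 1-10 risk score per client IP, then
maps the score to an edge action (deny / alert / monitor) at thresholds the
operator picks. Every observation and request below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed history of prior observations about each client, as a
# network-wide reputation feed might hold them: (client_ip, category, days_ago).
# The categories and their weights are assumptions for the example.
SAMPLE_OBSERVATIONS = [
    ("203.0.113.7", "waf_sqli", 1),
    ("203.0.113.7", "waf_xss", 1),
    ("203.0.113.7", "scanner", 2),
    ("203.0.113.7", "waf_sqli", 0),
    ("198.51.100.23", "scanner", 9),
    ("198.51.100.23", "scanner", 8),
    ("192.0.2.15", "dos_tool", 0),
    ("192.0.2.15", "dos_tool", 0),
    ("192.0.2.15", "dos_tool", 0),
]

CATEGORY_WEIGHT = {"waf_sqli": 3.0, "waf_xss": 2.5, "scanner": 1.5, "dos_tool": 2.0}
HALF_LIFE_DAYS = 7.0  # assumed: an observation loses half its weight each week


def risk_scores(observations, half_life=HALF_LIFE_DAYS):
    """Return {client_ip: score} with score clamped to 1..10.

    Each observation contributes its category weight, decayed exponentially
    by age, so a client that injected SQL yesterday outranks one that only
    scanned a week or two ago. Clients with no history get no entry and are
    treated as the lowest score by edge_action().
    """
    raw = defaultdict(float)
    for ip, category, days_ago in observations:
        decay = 0.5 ** (days_ago / half_life)
        raw[ip] += CATEGORY_WEIGHT.get(category, 1.0) * decay
    return {ip: max(1, min(10, round(total))) for ip, total in raw.items()}


@dataclass(frozen=True)
class Policy:
    """Operator-chosen thresholds: what the edge does in each score band."""
    deny_at: int = 8   # score >= deny_at  -> drop the request at the edge
    alert_at: int = 5  # score >= alert_at -> serve it, but raise an alert


def edge_action(ip, scores, policy=Policy()):
    """Decide the edge action for one client from its score and the policy."""
    score = scores.get(ip, 1)  # never-seen client: lowest risk
    if score >= policy.deny_at:
        return "deny"
    if score >= policy.alert_at:
        return "alert"
    return "monitor"


def apply_policy(requests, scores, policy=Policy()):
    """Split incoming (ip, path) requests into served and denied lists, so the
    origin web servers never see traffic from clients in the deny band."""
    served, denied = [], []
    for ip, path in requests:
        bucket = denied if edge_action(ip, scores, policy) == "deny" else served
        bucket.append((ip, path))
    return served, denied


if __name__ == "__main__":
    scores = risk_scores(SAMPLE_OBSERVATIONS)
    for ip, score in sorted(scores.items()):
        print(f"{ip:15} score={score:2} action={edge_action(ip, scores)}")
    # Constructed incoming traffic: one hit per known client plus a new client.
    incoming = [
        ("203.0.113.7", "/"),
        ("192.0.2.15", "/news"),
        ("198.51.100.23", "/"),
        ("198.51.100.200", "/"),
    ]
    served, denied = apply_policy(incoming, scores)
    print("served:", served)
    print("denied:", denied)
```

The point of separating `risk_scores` from `Policy` is the one the paragraph makes: the reputation engine only produces a score, and the site owner decides how aggressive to be. Lowering `deny_at` from 8 to 6 moves the `192.0.2.15` client from "alert" into "deny" without touching the scoring at all, which is the kind of tuning an operator would do while watching a bug bounty drive unusual traffic.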
The program launched with just three sites, with only http://www.defense.gov/ protected by Akamai at the start. However, due to such tremendous interest from the hacker community – more than 1,400 hackers registered – DDS needed to widen the scope. DMA suggested adding two more sites to show diversity while enabling even less skilled hackers to find vulnerabilities on outdated and poorly configured web domains.
Two of the five total sites – defense.gov and dodlive.mil – were well hardened because DMA had previously engaged Akamai to shore up protection with Akamai’s always-on Web Application Firewall (WAF), Site Shield, and Client Reputation services. When a third site buckled under the traffic surge in less than a day, DMA brought it under the umbrella of Akamai’s WAF. The WAF solution is designed to deny application-layer and volumetric attacks 24x7, including distributed denial of service (DDoS), SQL injection, and cross-site scripting. Once it was in place, the site withstood the onslaught of attack and testing traffic and became available again to its end users.
The Hack the Pentagon program ran from April 18 – May 12, 2016, during which time 252 vetted hackers submitted at least one vulnerability report, for a total of 1,189 reports. As the hacker reports were submitted, DDS worked to remediate them in real time with support from HackerOne. A little more than a month after the pilot finished, DDS had remediated each reported vulnerability.
One-hundred thirty-eight reports qualified for the bounty, and 58 of the 1,410 registered hackers received payouts ranging from $100 to $15,000. The total contract value, including the paid out bounties, was approximately $150,000. In the Secretary of Defense’s estimation, the DoD would have spent more than $1 million uncovering the same vulnerabilities if it had undergone its typical process of hiring an outside firm to conduct a security audit and vulnerability assessment.
Akamai delivered and protected three of the five participating sites without interruption throughout the program while serving 213 million hits and 10 Terabytes of data, and absorbing traffic spikes of approximately 2,000 hits per second. Not surprisingly, the Bug Bounty program attracted attention from nefarious actors. For example, Akamai protected defense.gov against 55 sophisticated attacks with over 19.2 million malicious requests denied, including two notable DNS domain flood attacks and a DDoS attack originating from 250 IP addresses in 83 countries. Using Akamai Client Reputation, DMA also flagged malicious intent behind over 1 million requests. As a result, DMA was able to automatically deny all known high-risk clients at the edge of the Internet, far away from DMA’s web server infrastructure.
By baselining website activity before, during and after the challenge, DMA could see higher scanning and research activity on sites protected by Akamai.
To commemorate the event, HackerOne gave a Hack the Pentagon challenge coin to each successful hacker. Pleased with the success of the program, Secretary Carter has already released detailed plans to expand the Bug Bounty program to other parts of the DoD.
“We want to put lots of DoD assets through this type of security program to streamline and shorten the time to discover vulnerabilities while allowing our internal teams to focus on remediation. As we launch more bug bounties, we will need to make sure the participating sites are exercised enough from a vulnerability perspective to make the challenge worthwhile. Ideally, we will have a commercial solution such as Akamai’s in place to help make this vision a reality,” concludes Lisa Wiswell, the Digital Security Lead for the Defense Digital Service.
Defense Media Activity (DMA) serves as a direct line of communication for news and information to U.S. forces worldwide. The agency presents news, information and entertainment on a variety of media platforms, including radio, television, internet, print media and emerging media technologies. DMA informs millions of active, Guard and Reserve service members, civilian employees, contractors, military retirees and their families in the U.S. and abroad.