DOD’s Krystal Ball provides defense industrial base with an ‘outside-in’ view of security vulnerabilities

The DoD – Defense Industrial Base Collaborative Information Sharing Environment (DCISE) introduced its ‘Krystal Ball’ initiative to provide the defense industrial base with an ‘outside-in’ view of security vulnerabilities. 

DCISE has joined with LookingGlass, a cybersecurity solutions developer that empowers organizations to meet their missions with tailored, actionable threat intelligence, to offer the Krystal Ball platform that maps public-facing infrastructure, overlays it with threat intelligence sources, and provides a holistic view of the external threat landscape including indicators of compromise and risk.

The Krystal Ball initiative will be part of an information-sharing program at the Defense Department’s Cyber Crime Center, or DC3 unit, and utilize publicly available information and threat intelligence, to provide insight into their cybersecurity posture and what they can do to improve it. 

DC3 is the U.S. Department of Defense (DoD) center of excellence for digital and multimedia forensics. It has been designated as a federal cyber center and serves as the operational focal point for the defense industrial base cybersecurity program. Since 2008, the DC3 unit has been responsible for executing the broader defense industrial base cybersecurity program with 16 companies that volunteered to discuss information sharing and collaboration. The number of participating companies has since zoomed multi-fold and is made up of large and small suppliers across subsectors.  

The Krystal Ball project supports National Institute of Standards and Technology (NIST) and Cybersecurity Maturity Model Certification (CMMC) security objectives, creates a dynamic footprint of Internet-accessible assets and networks, delivers hacker’s view of an organization’s technical risk, and comes with real-time alerting on observed threats within the network. 

The initiative also offers continuous monitoring of an organization’s cybersecurity posture, helps in optimizing decision making with on-demand alerting and reporting using over 75 sources of threat-related data. It also provides organizations with a threat confidence score for every asset or network, while meeting threat and risk prioritization objectives. 

DCISE is a directorate within the DoD Cyber Crime Center and an operational hub of DoD’s Defense Industrial Base (DIB) Cybersecurity Program. The DCISE is a key part of the agency’s strategy to secure the defense industrial base as the scope and severity of cyberattacks increase, while focusing on developing and sharing actionable threat products, performing cyber analysis and diagnostics, and providing remediation consultation for DIB participants. 

DoD may work with a DIB participant on a more detailed, digital forensics analysis or cyber intrusion damage assessment, which may include sharing of additional electronic media/files or information regarding the incident or the affected information systems, networks, or information. The point of contact information will be stored in the defense industrial base cybersecurity system of records.

The public-private cybersecurity partnership provides a collaborative environment for crowd-sourced threat sharing at both unclassified and classified levels, CDC cyber resilience analysis, and cyber security-as-a-service pilot offerings. DCISE performs cyber analysis and diagnostics, offers mitigation and remediation strategies, provides best practices, and conducts analyst-to-analyst exchanges with DIB participants ranging in size from small to enterprise-sized companies.

The DCISE also delivers face-to-face consults with company cybersecurity analysts and executives and conducts interactive group technical exchanges with cybersecurity experts, to enhance expertise.

“We’ve been doing a sort of soft start to it since about February, a quiet rollout,” Terry Kalka, deputy director for DCISE (pronounced ‘dice’), said in an interview to Nextgov. “We’ve talked about it kind of all along the way, with some [DIB companies], but we haven’t really stood up and said hey, guess what we’re doing now. And that’s going to happen this Friday.”

The DCISE3 offering aims at strengthening the level of trust between companies and DC3. Kalka said they’ve had a lot of success through participants handing over their firewall logs for rapid analysis in conjunction with both government and commercial threat feeds. That yields a richer analysis and points to specific actions companies can take, he said.  

Participating companies sign an agreement with the DOD CIO that protects their identity in the event DC3 needs to share indicators discovered with the rest of the defense industrial base. 

DC3 is also the place where the companies have to report breaches under Defense Federal Acquisition Regulations. The information is also anonymized before DC3 shares it with other government partners, such as the Cybersecurity and Infrastructure Security Agency (CISA).   

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.