GUEST ESSAY: Theft of MQ-9 Reaper docs highlights need to better protect ‘high-value assets’

The discovery of sensitive U.S. military information for sale on the Dark Web for a nominal sum, in and of itself, is unfortunate and unremarkable.

However, details of the underlying hack, ferreted out and shared by researchers of the Insikt Group, an arm of the security research firm Recorded Future, are most welcomed. They help frame wider questions, and pave the way for improved best practices.

Here is what is known thus far: Team members of the Insikt Group encountered an English-speaking hacker who jumped on a Dark Web forum to pitch the sale of MQ-9 Reaper UAV docs for $150 to $200. The hacker/salesman also had other unclassified military intelligence for sale: an M1 Abrams tank maintenance manual, a tank platoon training course, a crew survival course, documentation on improvised explosive device (IED) mitigation tactics; he even claimed to have access to footage from a MQ-1 Predator drone.

The Insikt Group determined that the hacker/seller must have accessed a Netgear router with misconfigured FTP login credentials. This raises wider questions about data security best practices, not to mention the wider contractor support community.

The U.S. Department of Defense (DoD) generally handles unclassified documents such as these through the “Non-classified Internet Protocol Router Network,” or NIPRNet. It essentially functions as a private network used to exchange unclassified information, while also providing Internet access. Abstracting mission-Internet from personal-Internet is a challenge.

In this case, one can surmise that military personnel, or perhaps a contractor, accessed the documents in question via an off-premise device connected to a home or other open WiFi network. That is how the Netgear router vulnerability would have come into play. The fact that it was a two-year-old vulnerability that had not been patched tells me it may have been a personal WiFi access point left unmanaged and not regularly updated. If the docs were on a personal device or a government furnished equipment (GFE) laptop taken off-premises and connected to the Internet, that suggests a more worrisome issue.

If the sensitive documents were stored on a GFE or personal device connected to a vulnerable router, the question becomes: What protections could have been in place to segregate the DoD data from the network itself? If they were on a contractor device, what happened to the safety measures that should have been in place to ensure the confidentiality and integrity of the data while on the device? Worse yet, were the documents stored on a private NAS connected to their personal network? What other documents could have been stored and exfiltrated?

Controlled data access while mobile is a great challenge for the DoD simply due to the vast number of users, contractors and programs. Efforts to consolidate high-value assets (HVA) are a key movement that’s underway in the Department of Defense, with the discussions being led by Ron Ross of the National Institute of Standards and Technology.

The discussion revolves around securing DoD HVAs. Once that is accomplished, the focus can shift to connections into the HVA, limiting access and assuring authentication of both the device and the user. By limiting access and controlling data flow the DoD should be able to reduce data loss, bringing the user to the data rather than have data stored outside the HVA enclave.
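The access model sketched above (verify the device, verify the user, then let the user reach the data inside the enclave rather than letting the data leave it) can be made concrete as a small policy check. The code below is an added illustration, not code from the essay, the DoD or NIST; the device inventory, user roles, document labels and the `authorize` function are all hypothetical, and the sample records are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data for the example: hypothetical identifiers only.
# A real deployment would back these with an MDM/attestation service, an
# identity provider and a document labelling system.
ENROLLED_DEVICES = {
    "gfe-laptop-0042": "attested",      # managed GFE device with a valid attestation
    "home-nas-01": "unmanaged",         # personal NAS, never enrolled
}
USERS = {
    "analyst1": {"roles": {"maintenance"}},
    "contractor7": {"roles": {"training"}},
}
DOCS = {
    "uav-maint-manual": {"required_role": "maintenance"},
    "platoon-training-course": {"required_role": "training"},
}


@dataclass
class AccessRequest:
    user: str
    device: str
    doc: str
    action: str  # "view" (inside the enclave) or "export" (copy out)


def authorize(req: AccessRequest) -> tuple[str, str]:
    """Return ("allow"|"deny", reason).

    Order matters: device attestation first, then user identity, then
    document entitlement, and finally the action. Only in-enclave viewing
    is ever allowed, so the data itself never lands on the endpoint.
    """
    if ENROLLED_DEVICES.get(req.device) != "attested":
        return "deny", "device not enrolled or not attested"
    user = USERS.get(req.user)
    if user is None:
        return "deny", "unknown user"
    doc = DOCS.get(req.doc)
    if doc is None:
        return "deny", "unknown document"
    if doc["required_role"] not in user["roles"]:
        return "deny", "user lacks required role"
    if req.action != "view":
        return "deny", "copying data outside the enclave is not permitted"
    return "allow", "in-enclave view"


def audit_line(req: AccessRequest) -> str:
    """One structured log line per decision, so denied attempts from
    unmanaged devices are visible to the SOC rather than silently dropped."""
    decision, reason = authorize(req)
    return (f"decision={decision} user={req.user} device={req.device} "
            f"doc={req.doc} action={req.action} reason=\"{reason}\"")


if __name__ == "__main__":
    for r in (
        AccessRequest("analyst1", "gfe-laptop-0042", "uav-maint-manual", "view"),
        AccessRequest("analyst1", "gfe-laptop-0042", "uav-maint-manual", "export"),
        AccessRequest("analyst1", "home-nas-01", "uav-maint-manual", "view"),
        AccessRequest("contractor7", "gfe-laptop-0042", "uav-maint-manual", "view"),
    ):
        print(audit_line(r))
```

The point of the ordering is that an unmanaged device is rejected before any user or document lookup happens, and that even a fully entitled user on an attested device cannot pull a copy out of the enclave; the scenario in the essay, documents sitting on a home network behind a consumer router, is exactly the state this policy is designed to make impossible.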

It’s important that the government and private companies find solutions for consolidating and robustly protecting HVAs. The goal should be to ensure isolation and integrity, thwarting attempts to access and/or laterally move data from HVAs remotely.

The private sector doesn’t have to wait for the DoD and NIST. Companies and industry groups can join in the discussions and proactively champion best practices — today.

(About the essayist: Sherban Naum is Senior Vice President, Corporate Strategy and Technology, Bromium.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: