What skills does it take to hack an institution like the U.S. Army?
The answer to that (and many other questions) can be found as part of the “Hack the Army” bug bounty challenge, which is running now through Feb. 17. The program is overseen by the Defense Digital Service and HackerOne, and is the third time that the Army has offered ethical and white hat hackers a chance to find and report vulnerabilities in its systems and networks.
Like other bug bounty programs overseen by the U.S. Department of Defense, Hack the Army is open to both military and civilian participants and offers not only recognition of hacking skills, but financial rewards as well. A similar program run by the U.S. Air Force in 2018 uncovered 120 vulnerabilities and paid out $130,000 to the hackers who uncovered them. Overall, the Pentagon is spending about $34 million on bug bounty challenges and programs as part of an effort to upgrade its IT posture.
The allure of trying to find vulnerabilities in large-scale organizations such as the U.S. Army and Air Force is considered a challenge for not only the hackers who participate in these programs but also for the government agencies sponsoring these events, since cybersecurity is now an increasing priority for the Defense Department, said Jobert Abma, the co-founder of HackerOne.
“The U.S. Department of Defense has a large infrastructure that requires digital reconnaissance skills in order to map important systems before looking for vulnerabilities,” Abma told Dice. “Developing this helicopter view, and continuously monitoring it, is important to always be at the forefront of finding vulnerabilities fast. The ethical hackers targeting these systems are continuously coming up with innovative ways to map out the digital footprint of the Defense Department and use that information to prioritize where to look for vulnerabilities first.”
Abma noted that, while the Defense Department does not have cash incentives for all of the agencies under its purview, the chance for white hat and ethical hackers to test their skills during these bug-hunting programs is seen as the ultimate training ground. For technologists, it’s a way to test what skills work and which ones require development.
“People swarm to these programs for a chance at finding a vulnerability in an organization as powerful and esteemed as the Department of Defense,” Abma said. “Additionally, due to the size of the infrastructure and diversity of its systems, it is an amazing training ground for new ethical hackers to learn the ropes.”
Which Hacking Skills Matter
While many private businesses and organizations run bug bounty programs, the types of hacking programs hosted by the Army and Air Force have some noticeable differences.
The military’s classified systems are not typically included in public bug bounty programs, for starters, and require not only different skill sets to look for vulnerabilities but also security clearances, said Rick Holland, CISO of security firm Digital Shadows and a former Army intelligence analyst.
“When it comes to military bug bounties, the focus is typically on unclassified networks and applications, not on classified systems. Uniformed service members, civil servants, or Department of Defense contractors with appropriate access conduct vulnerability research on classified programs,” Holland told Dice. “Regardless if something is classified or unclassified, if it runs code, it is vulnerable. Classified systems could be running legacy or unique software that requires a very particular set of skills. Researches that are only familiar with modern programming languages would have to expand their skill sets.”
In the case of the Hack the Army program, Ben Sageghipour, head of hacker education at HackerOne, said the military is most interested in finding vulnerabilities that can lead to the leaking of data, including personally identifiable information.
“Hacking on a government program is just like hacking on any other. The key to success is knowing what is important to them,” Sageghipour told Dice. “Beyond scope, it’s understanding the types of vulnerabilities that would have the biggest impact and understanding what the organization’s most important assets are.”
This is why those hackers who can spot vulnerabilities such as insecure direct object references (IDOR), information disclosures or authorization issues have an advantage.
“While these vulnerabilities range in criticality, they can be disastrous if sensitive customer or internal information is leaked by misconfigured permissions,” Sageghipour said. “Government organizations have important data, and knowing this is important to them can help a hacker prioritize what to look for in their bug bounty to find a more important, and therefore more valuable, vulnerability.”
Tim Wade, a former network and security technical manager with the U.S. Air Force who is now a technical director at the security firm Vectra AI, noted that Hack the Army is not essentially different compared to other bug bounty programs, but he would recommend that any hacker who wants to participate in future programs should brush up on understanding specific military systems and networks.
“Participating in military-specific variants of these types of programs can likely dip into many of the same skill sets that you’d find in a traditional program, with the exception that some of the systems in scope could involve non-commercial-off-the-shelf targets, depending on the program structure,” Wade told Dice. “Additionally, the full operational context of some military systems can mean that seemingly lower severity findings become more interesting and/or concerning.”
One part of the Hack the Army program that stood out for Justin Albrecht, security intelligence engineer at security firm Lookout, is the focus on sign-on authentication services and Army-owned VPNs.
VPN vulnerabilities have been in the news over the last year as COVID-19 has forced millions of employees to work remotely, relying on VPNs to connect to their corporate networks. Organizations such as the U.S. Cybersecurity and Infrastructure Security Agency have sent out a steady stream of warnings that nation-state attackers and cybercriminals have increasingly focused on VPN vulnerabilities as a way to gain entry into networks.
This is why having a broad knowledge of technologies such as VPNs can prove helpful for those hackers who want to dig into bug bounty programs—and also why organizations such as the Army would want to know of any vulnerabilities.
“There may be an advantage, of course, in having foreknowledge of the technology and measures in use, but it seems likely based on the description [the Army has] provided that the participants will be made aware of which technologies or resources they are to target, and which categories of vulnerabilities are valid for receiving the bounty,” Albrecht said.