The Air Force ran a standard security check after it started moving its apps to a new cloud server, and at the time, everything seemed fine. Security auditors looked through its standard checklist of security compliance, and the new cloud server, called Cloud One, had a clean bill of health.
Then from March 18 to June 21, hackers taking part in a bug bounty program gave it a second look and found 54 vulnerabilities with the cloud server. The most critical vulnerability had a $20,000 payout, which the Department of Defense declined to provide specific details on.
"Doing these checklists of various controls, various questions, don't do a great job of emulating what an adversary would do on a network," said Alexander Romero, a digital defense expert at Digital Defense Service. "That's really why the Air Force has found it valuable to use this method of testing."
The Digital Defense Service plans to announce the results of its bug bounty program on Thursday at Defcon, a hacker conference in Las Vegas.
While bug bounty programs, in which companies or government agencies open up their systems to the public to test their vulnerabilities, are increasingly attractive, Cloud One represented a more extensive challenge. This bug bounty went through six stages, looking for vulnerabilities on its internal servers, its staff and the apps. Cloud security is crucial, as a single misconfiguration could lead to massive breaches, like the hack Capital One suffered in July.
In the past, the Department of Defense partnered with BugCrowd, HackerOne and Synack for "Hack the Pentagon" campaigns. The DoD first announced the program in 2016, which has resulted in more than $400,000 in payouts.
Bug bounty programs attract what's known as "white hat" hackers with cash rewards to anyone who can find and report vulnerabilities to them. Google in July updated its bounty to allow for $30,000 payouts to anyone who can find Chrome vulnerabilities.
Cloud and clear
The Air Force started looking for a centralized server to host its major applications around 2014, according to James Thomas, a DDS expert. The server needed to be easily accessible for Air Force members, but more importantly, it needed to be secure.
The server, then called the Common Computer Environment, was eventually renamed to Cloud One. It was a mix of cloud servers from both Amazon Web Services and Microsoft's Azure Cloud, with a VPN between the two.
Cloud One is intended to host important apps like the Air Force's online portal, a repository that could allow people to access all the other apps available. If an attacker got access to that, they would be able to see everything the Air Force used.
It makes sense why the Air Force would want to keep this secure, even beyond its internal checklist. So the Air Force relied on the wisdom of the crowd through the bug bounty program, enticing groups of hackers that found security flaws on Cloud One that a standard audit did not account for.
"Having been an authorizing official in the past, there's nothing quite the same as having dozens of hackers test out the security in your system," Romero said.
The 54 vulnerabilities discovered generated a total payout of more than $130,000, Thomas said. The bug bounty program lasted for three months and went through six phases with different focuses at each one.
The first phase looked at Cloud One's source code, while the next two looked at the security on AWS and Azure. The fourth phase looked at network authentication, and the fifth looked at social engineering -- essentially how easily staffers in control of the cloud server could be tricked into giving up critical information. The final phase looked for vulnerabilities on the Air Force portal.
Typically, when a company wants to test how secure its system is, it can hire a penetration testing firm, which focuses on finding vulnerabilities and ways to break into a network. The DDS found the bug bounty route more cost-effective.
"They would have less people working for more time, and it would cost us more money," Romero said.