Hack-a-Ton

Every new vulnerability is a race against time; for 2024, Google’s Mandiant cybersecurity firm found that exploits are now happening before patches are even released. Hack-a-Ton automatically detects and tracks these vulnerabilities across the government’s publicly accessible government websites and systems on the internet.

Problem Statement

In discussions with agency partners, we found a few key challenges to patching vulnerabilities quickly:

• Fragmented and incomplete inventory of exposed assets

• Lack of high-signal detections for vulnerabilities

• Slow attribution of asset owners to patch vulnerabilities

Hack-a-Ton approaches this problem from the attacker’s mindset, proactively detecting and scanning exposed assets on the internet for the latest critical vulnerabilities. In doing so, we aim to drastically reduce the time to detect vulnerable government websites and make visible the time to remediate across government.

After all, threat actors are already scanning us whether we like it or not - why not make use of our home ground advantage?

Opportunity

Hack-a-Ton is not a hygiene scanner. It looks for real, exploitable vulnerabilities, either from known/disclosed vulnerabilities, or new findings from threat intelligence and internal research. By finding these before threat actors, we are able to detect and patch them early ourselves instead of responding to a breach later on.

There are three sets of users:

• System Owners/Agency CIOs: Need well-prioritised alerts for truly exploitable vulnerabilities, not more busywork alerts.

• Central cybersecurity teams: Need a central view of exploitable vulnerabilities across government and faster threat intelligence/detection time.

• Senior leadership: Need a high-level view of “how vulnerable are we” whenever serious vulnerabilities are published, e.g. Solarwinds, Log4Shell.

Our Progress

We built an automated scanning pipeline for [redacted] government domains and three sets of automated checks for specific vulnerabilities and technology stacks. This led to [redacted] vulnerability findings that propelled Hack-a-Ton to one of the all-time top 10 white hat researchers in the government’s Vulnerability Disclosure Programme.

We have met with cybersecurity teams and agencies within the government and will set up threat intelligence and vulnerability information sharing with them. For now, we will continue monitoring the government’s internet attack surface for the next critical vulnerability.

We are able to run a complete scan for a new vulnerability within 1 hour, compared to an estimated 1 day or more to perform an inventory. This creates a measurable improvement in time to detect and helps with prioritisation of patching efforts.