ARSTRAT Cyber Threat Center Concept Overview & HBGary Capabilities
Presentation Outline HBGary Overview Products Services ARSTRAT Cyber Threat Center Concept Overview
HBGary Company established in 2003, founded by Greg Hoglund Recently formed HBGary Federal Provide classified software and services, leveraging HBGary malware analysis product-line HQs in Sacremento, CA offices in DC, establishing SCIF in Colorado Aaron Barr CEO Ted Vera President | COO
Evolving Risk Environment Valuable cyber targets Attackers are motivated and well-funded Malware is sophisticated and targeted Existing security isn’t stopping the attacks
Traditional Malware Analysis is Difficult Requires lots of technical expertise Time consuming Expensive Doesn’t scale Traditional methods to analyze memory and malware are difficult. It requires expertise, is time consuming and expensive, and it doesn’t scale.
HBGary Responder
Digital DNA Automated zero-day malware detection. 75% effective against zero-day malware attacks. Trait/Behavior based software classification system 3500 software and malware behavioral traits Example Huge number of key logger variants in the wild About 10 logical ways to build a key logger
Digital DNA Ranking Software Modules by Threat Severity 0B 8A C2 05 0F 51 03 0F 64 27 27 7B ED 06 19 42 00 C2 02 21 3D 00 63 02 21 Malware shows up as a red alert. Suspicious binaries are orange. For each binary we show its underlying behavioral traits. Examples of traits might be “packed with UPX”, “uses IRC to communicate”, or “uses kernel hooking with may indicate a presence of a rootkit”. The blue bar shows the Digital DNA sequence for the binary iimo.sys. 8A C2 0F 51 0F 64 Software Behavioral Traits
HBGary Cybersecurity Services Advanced malware detection & threat analysis Live first response triage of servers and workstations Enterprise scope of breach analysis Root cause analysis Malware analysis Enterprise containment, mitigation and remediation
HBGary IO Mission Expertise Computer Network Operations Computer Network Attack Custom malware development Computer Network Exploitation Persistent software implants Covert Communications Net-centric Space Based Influence Operations Netcentric influence operations Payload & platform development Campaign management
CNA/CNE 0-day Exploit Development Unpublished 0-day Exploits (on the shelf) VMware ESX and ESXi Win2K3 Terminal Services Win2K3 MSRP Solaris 10 RPC Adobe Flash Sun Java Win2k Professional & Server XRK Rootkit and Keylogger (NextGen) Rootkit 2009
Space-based IO Space-based COVCOM system Uses COTs capabilities Secure message traffic Red - Black interface Secure space-based implant C2
HBGary Global Malware Genome Malware feeds (over $25K in subscriptions) Receives thousands of malware samples daily 64 simultaneous VMWare instances of Windows HBGary Responder automated reverse engineering and classification of 5000 unique malware daily Automated signature, DDNA behavior, and social analysis (attribution) Accessible via online Portal Nobody else does this!
Global Malware Genome Portal
Cybersecurity Challenges Most CERT/SOCs do not have the tools or capabilities to enable them to move past analysis of infections to analysis of threats. A set of capabilities need to be developed and integrated in the following areas to enable better situational awareness and incident response. Malware and Threat analysis Workflow and knowledge management Communications and Collaboration Resource Characterization and Visualization Mission Impact and COAs
How can ARSTRAT Help the Cyber Mission How can ARSTRAT Help the Cyber Mission? Establish ARSTRAT Cyber Threat Center ARSTRAT can drive past the vehicles of infection to analyze and identify the threats and their methods of attack - attribution. ARSTRAT can provide cyber threat products to subordinate commands. Enhance their capability to fight infections. ARSTRAT cyber threat products would significantly benefit the entire cybersecurity community.
ARSTRAT Cyber Threat Center (Concept) All-source analysis Blueshash/Tutiledge Alerts Joint Cyber Database (JCD) Centaur DB (Netflow) SIPR Intel Feeds Open Source HBGary feed processor Automatically REs 5000 malware/day (scalable) Racks and stacks by severity Force multiplier - queues malware up for analysts Staffing Requirement: 6 FTEs 1 Threat Analyst (Palantir) 3 FTE malware/threat analyst (REs) 2 FTE linguist/analysts (chinese & russian)
ARSTRAT Cyber Threat Products (Concept) Threat Maps Link analysis Threat Vectors Distributed Malware association Threat Reports Digital DNA sequences (behaviors) Threat markers Author Digital Fingerprints - attribution Evolution of attacks / threats
Questions? Aaron Barr aaron@hbgary.com Ted Vera ted@hbgary.com