Global Services.

Business Cases
Mitigate Pump and Dump (“unknown package”) - research
“Investigation Package” to reduce cost of insurance claim (stop premium from going up)
Speed up, reduce cost of investigation
Public trust management
HIPAA, FISMA, PCI
Keep your card services running (even if you had a breach)
GBLeech

The Bad Guy Always Gets In
There is no perfect security solution
Attacker is constantly improving
Security is only as good as the weakest link
Security is always balanced against cost and convenience
Current security solutions are not working
Top three AV miss 80% of the threats
75,000 new malware per day

Goal
Help our customers stay ahead of the threat curve and truly understand their enemies
Detect active threats with no signature
Assess specific intention of threat to customer information (what is being stolen, and why)
Provide actionable data to rapidly remediate and mitigate
Provide intelligence and operational support to eliminate the threat on various levels

Differentiators
Focus is on currently active threats within the Enterprise
The bad guy has already broken in…
Identify who is behind the threat: geolocation, intention, capability and funding

Tracking Human and Organizational Actors
Managed OPS Center
Emergency Services
Malware Intelligence Feed

Managed OPS Center / Emergency Services
Strategic: Long Term Monitoring Program; Honeynet Deployment
Tactical: Short term deployment; Assigned analyst or team

Managed OPS Center / Emergency Services
Tactical: Specific Threat Tracking; Knock and Talk

Managed OPS Center / Emergency Services
Tactical: Track and Trace

Geolocation & Intelligence
Walk the malware development chain
Codename the actors
Penetrate their digital social network
Geolocate both operators and developers
Codenames shown: Baybird, Tiller, Cedar, Tiberwolf, Springtime

Tracking Human and Organizational Actors
Strategic Long Term Monitoring Program: Malware Attribution
Codenames shown: Baybird, Tiller, Cedar, Tiberwolf, Springtime

Clear and Present Threat Identification
Threat Advisory
Ongoing Tracking
Actionable Defense - Security Consumables: IDS and Firewall Rules, DNS Blackholes
Codenames shown: Baybird, Tiller, Cedar, Tiberwolf, Springtime

AUTOMATED analysis pipeline (Digital DNA™)
Toolkit, Developers, Malware, Operators
Actors, Toolkits, and Variants are all linked

Link Analysis and Visualization
Real-world relationships are linked using open source intelligence:
Digital DNA™ traces
People, groups, social networks
Companies and organizations
Web sites, domains, and net-blocks
Phrases, affiliations, documents and files
* Software shown is Maltego, from Paterva

AUTOMATED analysis pipeline
Ops Path: Mr. A, Mr. B, Mr. C, Malware (tip of the spear)
Digital DNA: Determine the capabilities of the attack
Geolocation and Intent
Infection Map: Determine the scope of the attack
Anti-forensics and Stealth
Audio / Video bugging
Keylogging
File theft
Smart Card Attacks
Exploitation: Leasing; Botnet / Spam; Financial Fraud; Identity Theft; Pump and Dump
Targeted Threat: Email & Documents Theft; Intellectual Property Theft; Deeper penetration; Distribution systems; Social Engineering / Spear phishing; Internal network attacks

Exploitation Capability Analysis
Capability: Core Impact with Private Development Extensions (product + custom dev)
Intelligence Feed Relationships (IFR): 3rd party feed sources
HBGary Exploitation Capability Arsenal (HECA)
Feed Analytics with Digital DNA (Portal Management and Development)
Rapid Response RE
Geolocation and Implant (G&I, Crafted Documents, Custom Honeypots, HoneyNets)
Maltego with Private Server (product + custom dev)
Tracking Threats (HOTF)
DDNA Feed
Contact Local Authorities
Threat Advisories
Monthly Report

Product Output
Rapid Response RE: Rapid response would be around $450/hour with a 48 hour turnaround for a full malware analysis.
Tracking Threats (HOTF): Threat tracking is done by HBGary and posted as a link on the portal. Threat tracking is available for the base subscription. Each threat that is tracked can be identified by a codename. Malware developers that can be identified are added to threat tracking. Currently active attack operations are added to threat tracking.
DDNA Feed: Contains a DDNA-encoded version of all known pertinent threat features, including attribution traits and traits that are associated with a currently tracked threat.
Contact Local Authorities / Threat Advisories / Monthly Report

Special Operations - Honey Net Operations: Track and Trace
Infect a machine with booby-trapped files for the malware to steal
When files are opened they beacon out to the Internet and identify their location
All activity on this machine is traced and logged with a kernel mode debugger
All network traffic is recorded
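The track-and-trace slide above describes decoy files that beacon when opened. The following is an added illustration, not HBGary's code and not from the original deck, of the defender-side bookkeeping that makes such a beacon useful: each planted decoy carries a unique token, the beacon endpoint's access log is parsed for that token, and a hit from any address other than the honeypot itself is flagged as evidence the file was taken. The beacon host, the log format, the file names and the log lines are all constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Placeholder beacon endpoint (constructed); a real deployment uses a host the defender controls.
BEACON_HOST = "beacon.example.invalid"

# Access-log line in the common Apache/nginx layout, restricted to the beacon path.
# Constructed for this example; adjust the pattern to the real server's log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /b/(?P<token>[0-9a-f]{16})\.png HTTP/1\.[01]" (?P<status>\d{3})'
)


@dataclass
class HoneytokenRegistry:
    """Maps the unique token embedded in each decoy file to where that file was planted."""
    tokens: dict = field(default_factory=dict)
    hits: list = field(default_factory=list)

    def plant(self, file_label: str, honeypot_ip: str) -> str:
        """Register a decoy file and return the token to embed in its remote-fetch URL."""
        token = secrets.token_hex(8)  # 16 hex chars; unguessable, so hits cannot be spoofed by luck
        self.tokens[token] = {"file": file_label, "honeypot_ip": honeypot_ip}
        return token

    def beacon_url(self, token: str) -> str:
        """URL the decoy fetches when opened (for example as a remote image reference)."""
        return f"https://{BEACON_HOST}/b/{token}.png"

    def ingest(self, line: str) -> Optional[dict]:
        """Parse one access-log line; return a hit record, or None if it is not a beacon request."""
        m = LOG_RE.match(line)
        if not m:
            return None
        token = m.group("token")
        info = self.tokens.get(token)
        hit = {
            "token": token,
            "src": m.group("src"),
            "time": m.group("ts"),
            "file": info["file"] if info else None,
            "known": info is not None,
            # A beacon from anywhere but the honeypot means the decoy was copied off it.
            "exfiltrated": info is not None and m.group("src") != info["honeypot_ip"],
        }
        self.hits.append(hit)
        return hit

    def stolen_files(self) -> list:
        """Distinct (decoy file, opener address) pairs observed outside the honeypot."""
        seen = []
        for h in self.hits:
            if h["exfiltrated"] and (h["file"], h["src"]) not in seen:
                seen.append((h["file"], h["src"]))
        return seen


def demo() -> HoneytokenRegistry:
    """Walk one track-and-trace cycle over constructed log lines."""
    reg = HoneytokenRegistry()
    t_plans = reg.plant("Q3_acquisition_plan.docx", "10.0.9.5")
    reg.plant("vpn_keys.zip", "10.0.9.5")  # planted but never opened in this sample
    unknown = "0" * 16  # a token that was never issued
    # Constructed log lines: a local test open on the honeypot, the same decoy opened from an
    # outside address, a request with an unissued token, and unrelated noise.
    lines = [
        f'10.0.9.5 - - [12/Mar/2011:09:14:02 +0000] "GET /b/{t_plans}.png HTTP/1.1" 200 68',
        f'203.0.113.77 - - [13/Mar/2011:22:41:19 +0000] "GET /b/{t_plans}.png HTTP/1.1" 200 68',
        f'203.0.113.77 - - [13/Mar/2011:22:41:20 +0000] "GET /b/{unknown}.png HTTP/1.1" 404 0',
        '198.51.100.9 - - [13/Mar/2011:22:42:00 +0000] "GET /robots.txt HTTP/1.1" 404 0',
    ]
    for ln in lines:
        reg.ingest(ln)
    return reg


if __name__ == "__main__":
    for item in demo().stolen_files():
        print("decoy opened off-host:", item)
```

The on-host open is kept in the hit list but not reported as theft, which matters when the honeypot operator verifies the decoys before deployment; a request with a token that was never issued is recorded as unknown so that scanning of the beacon path shows up separately from genuine hits.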

Product Output
Contact Local Authorities: If enough evidence can be linked to a specific individual malware author or malware operator / group, HBGary will supply this to government authorities, ISPs and other locals in the country of origin.
Threat Advisories: Posted over an RSS feed and detail known active attacks. Mitigations such as IDS signatures, IP blacklists, and other actionable data are included.
Monthly Report: Simply a summary of the previous month's events with some trending analysis included.
Rapid Response RE / Tracking Threats (HOTF) / DDNA Feed

Work Flow – Example Client X
Client X is infiltrated by targeted malicious code
Monitoring operations commence while initial investigation starts
HBGary starts initial intrusion investigation
Damage assessment is provided as deliverable
RRMA is performed and malware analysis factors identified: drop points are located, communications identified, geolocation

Work Flow – Example Client X (cont.)
Response action plan decided upon with Client X
Offensive? Tactical Honeynet Operations / Strategic Honeynet Operations
Will chumming be included to bait the adversary? Booby-trapped “Intellectual Property” offerings

Deliverables
Threat Intelligence Reports
Damage Analysis – Root Cause – What was stolen
Funding sources of Client X’s threat
Geolocation of adversarial operations
Motivations, identify teams, partnerships, black-market meeting centers