SHARKSEER Zero Day Net Defense - NIST

Transcription

SHARKSEER Zero Day Net Defense
Ronald Nielson, Technical Director

SHARKSEER Program Definition: Detects and mitigates web-based malware, Zero-Day and Advanced Persistent Threats using COTS technology by leveraging, dynamically producing, and enhancing global threat knowledge to rapidly protect the networks.

SHARKSEER's GOALS

IAP Protection: Provide highly available and reliable automated sensing and mitigation capabilities to all 10 DOD IAPs. Commercial behavioral and heuristic analytics and threat data enriched with NSA unique knowledge, through automated data analysis processes, form the basis for discovery and mitigation.

Cyber Situational Awareness and Data Sharing: Consume public malware threat data, enrich with NSA unique knowledge and processes. Share with partners through automation systems, for example the SHARKSEER Global Threat Intelligence (GTI) and SPLUNK systems. The data will be shared in real time with stakeholders and network defenders on UNCLASSIFIED, U//FOUO, SECRET, and TOP SECRET networks.

What Are We Looking For? CORRELATION across: Shell Code, File Obfuscation, IP Address, Port/Protocol, URL, File Mismatch, Code Injection, C2, Sleep Call, Session, SQL Injection

SHARKSEER Zero Day Net Defense

PROBLEM: Current defenses rely heavily on signature-based tools. Signatures are generated after the threat is identified. DAT files are updated manually, taking weeks or months.

SOLUTION: Automate signature updates. Leverage behavior-based and cloud technologies.

(Diagram labels) Adversaries attempt to send malicious content across the Internet. Inbound malicious traffic at the gateways, components, host. If/when an adversary penetrates a gateway(s), prevent outbound callbacks and/or exfiltration. Shared global threat data across domains. SHARKSEER operational space: Unclassified, SECRET, Top Secret analysis cell; targeting all domains.

SHARKSEER Environment (diagram; labels only recovered): Classified IAP; WPIA Router; DPI/Mitigation; WCF; UPE; Vendor 1 Sandbox; Vendor 2 Sandbox; Data Plane; Unclass; Load Balanced Infrastructure; Analysis Management; Deep Packet Inspection; Rule Enforcement; Automated Analysis; Automated Triage; 24/7 Ops Center. Timing annotations: net speed, milliseconds, seconds to minutes.

Tear-Line Reporting (diagram)

Unique IP, PII, Attribution: Yes. Deep Dive, Full Content Response.
Tech: Indicators, Knowledge Repositories, Redacted Content. STIX. Mitigation. Abstracted, yet actionable data for sharing (Network, Mail, Host).
Event > Event Response Team > SME Technical Data Response > Collaborate > Activity/Adversary TTPs & Indicator Response. Human / Machine. Ontology (Translation Tool): Proposed.

Example indicator record at each sharing tier (transformation labels on the slide: Anonymize, Redact, Sanitize):

USG Unclass, Real Time Defense Indicators: Src IP 1.1.1.1 (Anonymize); URL evil.com; TTP Phishing ID 314; email subject; OS Windows 7, 8; HASH d131dd02c5e6eec4; RegKey HKEY_CLASSES_ROOT; SNORT alert tcp any; INDICATOR %appdata%\My Docs

SECRET, Real Time Defense Indicators: Src IP 1.1.1.1; dest IP 1.2.3.4; URL evil.com; TTP Phishing ID 314; INCIDENT 195730; CCMD CNO Response Actions (Redact); email subject; OS Windows 7, 8; HASH d131dd02c5e6eec4; RegKey HKEY_CLASSES_ROOT; SNORT alert tcp any; INDICATOR %appdata%\My Docs; ACTOR GOLDSTAR (Sanitize)

Additional column (classification label not recovered from the extraction): Src IP 1.1.1.1; dest IP 1.2.3.4; URL evil.com; TTP Phishing ID 314; INCIDENT 195730; CAMPAIGN SHARKATTACK; email subject; OS Windows 7, 8; HASH d131dd02c5e6eec4; RegKey HKEY_CLASSES_ROOT; SNORT alert tcp any; INDICATOR %appdata%\My Docs

TS, Strategic Nation State Intelligence: ACTOR 4125; SOURCE INTEL; Src IP 1.1.1.1; dest IP 1.2.3.4; URL evil.com; TTP Phishing ID 314; INCIDENT 195730; CAMPAIGN SHARKATTACK; email subject; OS Windows 7, 8; HASH d131dd02c5e6eec4; RegKey HKEY_CLASSES_ROOT; SNORT alert tcp any; INDICATOR %appdata%\My Docs
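The tiered tear-line shown above can be mechanised: one full-content record, a per-tier allowlist of releasable fields, an anonymisation step for the source IP at the lowest tier, and a release check that nothing withheld leaks through. This is an added example written for this page, not code from the SHARKSEER program; the allowlists are read off the slide's columns, and the keyed-token anonymisation, the field names and the sample email subject are assumptions.

```python
"""Tear-line report generation modelled on the slide's UNCLASS / SECRET / TS
columns.  Added example; allowlists and anonymisation method are assumptions."""
import hmac
import hashlib
import ipaddress
from typing import Dict

# Constructed full-content record using the example values printed on the slide.
FULL_RECORD: Dict[str, str] = {
    "src_ip": "1.1.1.1",
    "dest_ip": "1.2.3.4",
    "url": "evil.com",
    "ttp": "Phishing ID 314",
    "incident": "195730",
    "campaign": "SHARKATTACK",
    "actor": "GOLDSTAR",
    "source_intel": "ACTOR 4125",         # slide shows SOURCE INTEL only at TS
    "email_subject": "invoice attached",  # constructed; slide lists the field only
    "os": "Windows 7, 8",
    "hash": "d131dd02c5e6eec4",
    "regkey": "HKEY_CLASSES_ROOT",
    "snort": "alert tcp any",
    "indicator": r"%appdata%\My Docs",
}

# Assumed allowlists, read off the slide's three labelled columns.
UNCLASS_FIELDS = {"src_ip", "url", "ttp", "email_subject", "os", "hash",
                  "regkey", "snort", "indicator"}
SECRET_FIELDS = UNCLASS_FIELDS | {"dest_ip", "incident", "actor"}
TIER_FIELDS = {"UNCLASS": UNCLASS_FIELDS, "SECRET": SECRET_FIELDS,
               "TS": set(FULL_RECORD)}

def anonymize_ip(ip: str, key: bytes) -> str:
    """Replace an IP with a keyed token: same IP -> same token, so partners
    can still correlate reports, but the address itself is not disclosed."""
    ipaddress.ip_address(ip)  # validate before tokenising
    digest = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return "anon-" + digest[:16]

def tear_line(record: Dict[str, str], tier: str, key: bytes) -> Dict[str, str]:
    """Produce the version of `record` releasable at `tier`."""
    if tier not in TIER_FIELDS:
        raise ValueError(f"unknown tier {tier!r}")
    out = {k: v for k, v in record.items() if k in TIER_FIELDS[tier]}
    if tier == "UNCLASS" and "src_ip" in out:   # slide: "Src IP ... Anonymize"
        out["src_ip"] = anonymize_ip(out["src_ip"], key)
    return out

def leaks_higher_tier_values(record: Dict[str, str], shared: Dict[str, str], tier: str) -> bool:
    """Release check: a value from any withheld field (or the raw source IP at
    UNCLASS) must not appear anywhere in the shared copy, e.g. pasted into a note."""
    withheld = {v for k, v in record.items() if k not in TIER_FIELDS[tier]}
    if tier == "UNCLASS":
        withheld.add(record["src_ip"])
    return any(w in text for w in withheld for text in shared.values())
```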

Establishing Cyber SA

SHARKSEER Sandbox Environment (diagram; labels only recovered): Level 2/3 User Access/Code Submission from Top Secret, Secret, and Unclassified Cyber Analysts; Trusted Guard Solution; Boundary Cyber Defense; Command and Control; GIG-Earth; Top Secret Analysis Environment; Sandboxing Environment; METAWORKS; MALWORKS; Boundary Cyber Analyst; Automated Grey/Black Traffic Submission; Reports; Manual and/or Automated Manipulation, Detonation, and Analysis; Machine Readable Data.

Stakeholders & ... (diagram; only one label recovered): Comprehensive National Cybersecurity Initiative (CNCI)

Power Of Partnership

McAfee and Symantec, the nation's two biggest cybersecurity firms, agreed to join a Cyber Threat Alliance founded in May by Fortinet and Palo Alto Networks. The goal of the new consortium, quoting a white paper it issued, is "to disperse threat intelligence on advanced adversaries across all member organizations to raise the overall situational awareness in order to better protect their organizations and their customers."

Shared Threat Data:
STIX - Structured Threat Information eXpression
MAEC - Malware Attribute Enumeration and Characterization
TAXII - Trusted Automated eXchange of Indicator Information

SHARKSEER Cyber ... (diagram; labels only recovered): GTI; PDTI; MALWORKS; GOV; Top Secret; Norse; CADS; Sandboxing; Trusted; Gig-Earth; DISA; NTOC; Enhanced Shared Situational Awareness (ESSA)

SHARKSEER Zero Day Net Defense
Author: Ronald Nielson, Technical Director, Program Manager, Department of Defense
Keywords: SHARKSEER Zero Day Net Defense, 2015 Cybersecurity Innovation Forum
Created Date: 9/16/2015 4:33:28 PM