Global provider of innovative technology products, solutions and professional services
Over 90% US government business
Growing international, state & local and commercial components
Diversified mix of national security, civil government & health missions
Deeply embedded culture focused on creating real value for customers
FY08 revenue of $1.507B
87% as a prime contractor
Technology and professional services employer of choice
Major Operating Locations (map slide)
- SRA operating locations, North America: Fairfax, VA (HQ); Arlington, VA; Alexandria, VA; Falls Church, VA; Frederick, MD; Reston, VA; McLean, VA; Vienna, VA; Rockville, MD; Washington, DC; Egg Harbor Township, NJ; Ft Monmouth, NJ; Mt Arlington, NJ; Shrewsbury, NJ; Albuquerque, NM; Las Vegas, NV; New York, NY; Cincinnati, OH; Dayton, OH; Hatboro, PA; Sierra Vista, AZ; Newport Beach, CA; Sacramento, CA; San Diego, CA; Colorado Springs, CO; Glastonbury, CT; Ft Walton Beach, FL; Atlanta, GA; Warner Robins, GA; Fairview Heights, IL; Indianapolis, IN; Louisville, KY; Boston, MA; Baltimore, MD; Columbia, MD; Landover, MD; Pax River, MD; St Louis, MI; Durham, NC; Research Triangle Park, NC; Providence, RI; Charleston, SC; Austin, TX; San Antonio, TX; Chesapeake, VA; Newport News, VA; Seattle, WA; Milwaukee, WI; Morgantown, WV
- SRA operating locations, Europe: Linz, Austria; Pardubice, Czech Republic; Paris, France; Cologne, Germany; Stuttgart, Germany; Oxford, UK
- Era customers: Australia (Melbourne), United States, Alaska, Armenia, Austria, Canada, Chile, China, Czech Republic, Denmark, Egypt, Estonia, Germany, Hungary, Ireland, Japan, Kazakhstan, Latvia, Malaysia, Mongolia, North Sea (Dutch), Norway, Netherlands, Scotland, Singapore, Slovakia, South Africa, Spain, Taiwan, Thailand, United Kingdom
Some Cyber Security Customers
- NCSD, ICE, CBP, FEMA, TSA
- DEA, FBI, OJP
- State & local governments
- Army, Air Force, Navy, National Guard, OSD, DARPA, DISA, DMDC, USTC
- FDIC, State, EPA, NIH, CDC, FDA, CMS, HRSA, GAO, SBA, NARA, Transportation, Treasury, Agriculture, Labor, Commerce, Interior
- Pharma & biotech, foundations & academia
Significant Work. Extraordinary People. SRA.
The United States’ 18 CIKR Sectors: The Public-Private Partnership
SRA’s Critical Infrastructure Protection Clients
- Agriculture and Food
- Banking and Finance
- Defense Industrial Base
- Healthcare and Public Health
- National Monuments and Icons
- Nuclear Reactors, Materials and Waste
- Postal and Shipping
- and State and Local Governments
DHS National Cyber Security Division — provide mission support to all branches of DHS’s cyber security sector specific agency, including control systems security, supply chain risk management, cyber exercises, and international coordination.
DHS Partnership and Outreach Division — support all 18 Critical Infrastructure Protection Sectors, including Regional Resilience initiatives, and International Interdependency studies and coordination.
DHS Sector Specific Agency Executive Management Office — provide risk management, protective program, and exercise and training support to the Chemical, Commercial Facilities, Critical Manufacturing, Dams, Emergency Services and Nuclear Sectors.
DHS Office of Infrastructure Protection Measurement and Reporting Office — provide preparedness metrics development and analysis for DHS’s infrastructure protection efforts, including support for State and local metrics, and support across all federal departments and agencies.
Who are we trying to catch?
- Nation states
- Commercial companies
- Organized crime syndicates
- Terrorist organizations
Evolution of the Cyber Threat
Cyber threats are becoming extremely sophisticated, but due to a lack of diligence by targeted organizations, adversaries are still successful using low-tech attacks.
The Internet was designed for information sharing and collaboration; security was a design consideration but wasn’t considered relevant by the users.
- 1966: “Theory of Self-Reproducing Automata”, John von Neumann
- 1971: ‘Catch me if you can’, DEC, first malware via network connection (ARPANET)
- 1974: ‘Wibbit’, first self-replicating Denial of Service
- 1974: ‘Animal’, first Trojan, UNIVAC
- 1981: ‘Elk Cloner’, first large-scale virus, Apple II
- 1986: ‘Virdem’, first to add code to .com executables to replicate themselves, Chaos Computer Club
- 1986: ‘Pakistani Flu’, first IBM-compatible virus
- 1987: ‘Cascade’, first self-encrypting virus
- 1988: ‘Morris worm’, first to attack a buffer overflow vulnerability
- 1989: ‘Ghostball’, first multi-part virus infection
- 1993: ‘Freddy Kruger’, first virus to be delivered via BBS/shareware
- 1995: ‘Concept’, first to use MS Word
- 1996: ‘Ply’, polymorphic, built-in mutation engine
- 1999: ‘CIH’, first to infect COTS, attacked BIOS
- 2000: ‘I Love You’, first to infect via email, $10B loss, attacked Registry
- 2002: ‘Beast’, MS Windows backdoor that allowed remote access
- 2004: ‘Vundo’, first to infect via pop-ups
- 2004: ‘Santy’, first web-worm using Google
- 2005: ‘Bandook’, first to hijack PC, botnet
- 2006: ‘Nyiem’, mass mailing used to disable security
- 2007: ‘Storm botnet’, injection via video download
- 2008: ‘Rustock’, first rootkit virus
- 2009: ‘Bohmini, Koobface, Conficker’, Adobe, Facebook & MS server
- 2010: ‘Stuxnet’, PLC/SCADA control systems
Computer Networks - Our Achilles Heel
The world depends on computer networks for national security (military and economic) and safety… and yet the networks are fundamentally flawed across all architectural layers.
An Achilles’ heel is a deadly weakness in spite of overall strength that can actually or potentially lead to downfall.
Generic Network-Centric Vulnerabilities
Vulnerabilities at all layers:
- Software (malware, botnets)
- Databases (SQL injection)
- and more…
Defense in Depth (diagram: NAS Information System Security (ISS) Enterprise Architecture (EA))
Vulnerabilities are Expanding
Paradigm shift yields an increased focus on client-side and web-based application attacks vs. server-side
Attackers no longer need to penetrate enterprise security
They simply entice end-users to come and get the hack
It’s not really “hacking” anymore (Symantec Corp., 2008)
APTs have varying degrees of sophistication; different threat actors have different Tools, Techniques, and Practices (TTP) that act as a fingerprint for their activities.
APT tools and malware are packaged to avoid anti-virus technology; because of the targeted nature of the attacks, these tools have a very limited distribution, which often keeps them off A/V vendors’ radar.
Data theft is the primary objective: data is quickly identified, compressed and exfiltrated using a variety of covert channels. The exfiltrated data is often encrypted, and the forensic evidence is immediately deleted, leaving little clue as to what was targeted.
APT communication generally uses outbound connections or “call outs”.
Call outs are generally over commonly used ports and use obfuscated or encrypted communications.
APT social engineering can be keyed to geopolitical events or specific to the job functions of an individual target.
APT targeting includes dissident groups and exiled governments, Western government agencies, Cleared Defense Contractors (CDC), and cutting-edge technology companies.
APT Example – Step 0 (Source: SANS)
Step 0: Attacker Places Content on Trusted Site. The attacker begins by placing content on a trusted third-party website, such as a social networking, blogging, photo sharing, or video sharing website, or any other web server that hosts content posted by public users. The attacker's content includes exploitation code for unpatched client-side software.
APT Example – Step 1 (Source: SANS)
Step 1: Client-Side Exploitation. A user surfs the Internet from a Windows machine that is running an unpatched client-side program, such as a media player (e.g., iTunes), document display program (e.g., Acrobat Reader), or an MS Office application (e.g., Word). Upon receiving the attacker's content from the site, the victim user's browser invokes the vulnerable client-side program, passing it the attacker's exploit code. This exploit code allows the attacker to install or execute programs of the attacker's choosing on the victim machine, using the privileges of the user who ran the browser. The attack is partially mitigated because this victim user does not have administrator credentials on this system. Still, the attacker can run programs with those limited user privileges.
APT Example – Step 2 (Source: SANS)
Step 2: Establish Reverse Shell Backdoor Using HTTPS. The attacker's exploit code installs a reverse shell backdoor program on the victim machine. This program gives the attacker command shell access to the victim machine, communicating between this system and the attacker using outbound HTTPS access from victim to attacker. The backdoor traffic therefore appears to be regular encrypted outbound web traffic as far as the enterprise firewall and network are concerned.
APT Example – Step 3 (Source: SANS)
Step 3: Dump Hashes and Use Pass-the-Hash Attack to Pivot. The attacker uses shell access on the initial victim system to load a local privilege escalation exploit program onto the victim machine. This program allows the attacker to jump from the limited-privilege user account to full system privileges on this machine. The attacker now dumps the password hashes for all accounts on this local machine, including a local administrator account on the system.
APT Example – Step 4 (Source: SANS)
Step 4: Move Laterally and Escalate Permissions. Instead of cracking the local administrator password, the attacker uses a Windows pass-the-hash program to authenticate to another Windows machine on the enterprise internal network, a fully patched client system on which this same victim user has full administrative privileges. Using NTLMv1 or NTLMv2, Windows machines authenticate network access for the Server Message Block (SMB) protocol based on user hashes and not the passwords themselves, allowing the attacker to get access to the file system or run programs on the fully patched system with local administrator privileges. The attacker now dumps the password hashes for all local accounts on this fully patched Windows machine.
APT Example – Step 5 (Source: SANS)
Step 5: Pass the Hash to Compromise Domain Controller. In Step 5, the attacker uses a password hash from a local account on the fully patched Windows client to access the domain controller system, again using a pass-the-hash attack to gain shell access on the domain controller. Because the password for the local administrator account is identical to the password for a domain administrator account, the password hashes for the two accounts are identical. Therefore, the attacker can access the domain controller with full domain administrator privileges, giving the attacker complete control over all other accounts and machines in that domain.
APT Example – Steps 6 & 7 (Source: SANS)
Steps 6 and 7: Exfiltration. In Step 6, with full domain administrator privileges, the attacker now compromises a server machine that stores secrets for the organization. In Step 7, the attacker exfiltrates this sensitive information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the Internet from the server, again using HTTPS to encrypt the information, minimizing the chance of it being detected.
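Steps 4 and 5 leave a trace on every host they touch: successful network logons (Windows Security event 4624, logon type 3) authenticated with NTLM rather than Kerberos, often with a machine-local account, fanning out from one workstation within minutes. The following detection example is added here and is not part of the SANS material or any SRA product; the event records are constructed, and the record layout and field names are assumptions of this script rather than a real log schema.

```python
"""Flag pass-the-hash style lateral movement in Windows logon telemetry.

Added example. The records below are constructed, modelled on the fields of
Windows Security event 4624 (successful logon): logon type 3 is a network
logon, and the authentication package shows whether NTLM (hash-based, as in
Steps 4 and 5) or Kerberos was used. Field names are assumptions here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# (time, host that logged the event, account, account domain,
#  logon type, authentication package, source workstation)
SAMPLE_EVENTS = [
    ("2010-11-03 09:01:05", "WS-FINANCE-12", "jsmith", "CORP", 2, "Kerberos", "WS-FINANCE-12"),
    ("2010-11-03 09:20:11", "FILESRV01", "jsmith", "CORP", 3, "Kerberos", "WS-FINANCE-12"),
    # From here on the compromised workstation reaches other hosts with
    # machine-local Administrator accounts over NTLM within a few minutes.
    ("2010-11-03 14:02:30", "WS-ENG-07", "Administrator", "WS-ENG-07", 3, "NTLM", "WS-FINANCE-12"),
    ("2010-11-03 14:03:12", "WS-ENG-08", "Administrator", "WS-ENG-08", 3, "NTLM", "WS-FINANCE-12"),
    ("2010-11-03 14:05:47", "DC01", "Administrator", "CORP", 3, "NTLM", "WS-FINANCE-12"),
    ("2010-11-03 14:06:02", "FILESRV02", "Administrator", "FILESRV02", 3, "NTLM", "WS-FINANCE-12"),
    # Benign NTLM use by a backup service account: a single destination.
    ("2010-11-03 15:10:00", "FILESRV01", "backupsvc", "CORP", 3, "NTLM", "BACKUP01"),
]

def parse(record):
    """Turn one constructed tuple into a dict with a parsed timestamp."""
    ts, host, user, domain, logon_type, package, source = record
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "user": user, "domain": domain, "logon_type": logon_type,
            "package": package, "source": source}

def ntlm_network_logons(events):
    """Network (type 3) logons authenticated with NTLM, i.e. hash-based."""
    return [e for e in events if e["logon_type"] == 3 and e["package"] == "NTLM"]

def local_accounts_over_network(events):
    """NTLM network logons with a machine-local account (account domain equals
    the target host). A shared local admin password makes this pattern
    reusable across hosts, which is what Step 5 relies on."""
    return [e for e in ntlm_network_logons(events)
            if e["domain"].upper() == e["host"].upper()]

def fan_out_sources(events, window=timedelta(minutes=15), threshold=3):
    """Sources reaching >= threshold distinct hosts over NTLM inside one window.
    Returns {source: sorted list of hosts reached}."""
    by_source = defaultdict(list)
    for e in ntlm_network_logons(events):
        by_source[e["source"]].append(e)
    flagged = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):  # slide the window from each event
            hosts = {x["host"] for x in evs[i:] if x["time"] - first["time"] <= window}
            if len(hosts) >= threshold:
                flagged[source] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    events = [parse(r) for r in SAMPLE_EVENTS]
    for src, hosts in fan_out_sources(events).items():
        print(f"ALERT fan-out from {src}: {', '.join(hosts)}")
    for e in local_accounts_over_network(events):
        print(f"NOTE local account {e['domain']}\\{e['user']} used over network from {e['source']}")
```

On real data the same two rules are fed from the Security log of each host or a central SIEM; the Kerberos logons from the same workstation are what makes the NTLM fan-out stand out.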
In 2008 the Canadian group Information Warfare Monitor (IWM) began an investigation into suspected compromises of the Tibetan Government in Exile:
– The Dalai Lama’s computers were infected and he was a top victim
– Social engineering malware attacks were identified, with over 8 different Trojan families in use
– 70% of the control servers behind the Tibetan attacks were IP addresses in China; others were in the US, Sweden, South Korea, and Taiwan
– A total of 1,295 computers were found to be infected across 103 countries
This is the first widely reported investigation of an attack that meets the criteria for an Advanced Persistent Threat.
Gh0stNet was so named because the malware contained the string ‘Gh0st’.
A recent report by Pike Research listed cybersecurity as the #1 Smart Grid trend to watch:
“My SCADA system is safe because it is not connected to the Internet”
FALSE – Stuxnet was apparently spread by a USB memory stick
“I keep my SCADA Windows machine updated with the latest security patches and antivirus protection”
FALSE – Stuxnet exploited a zero-day vulnerability
“At least the threats are limited to my Windows-based management consoles”
FALSE – Stuxnet also infected Programmable Logic Controllers
The September 2010 US National Institute of Standards and Technology (NIST) “Guidelines for Smart Grid Cyber Security” is three volumes/537 pages
Stuxnet aka ‘first super cyber weapon’
• In June 2010 malware was discovered using a very advanced 0-day to spread via USB devices; researchers named the malware ‘Stuxnet’
– 0-day exploits are very difficult to obtain, and once they are used their effectiveness diminishes as their use is discovered
• Extremely heavy distribution in Iran, Indonesia, and Pakistan
• The malware was custom designed to attack a Siemens product used in industrial control called WinCC
– Extremely advanced targeting
– Demonstrated knowledge of advanced systems
– Targeted specific components of WinCC systems
• The malware utilized a rootkit to hide it from system security tools; this rootkit was signed using one of two (depending on version) valid certificates from legitimate chip production companies
– Extremely advanced techniques demonstrate the capability of the actor
Zero Day Vulnerabilities (Source: SANS)
The implication of the increasing number of duplicate 0-day discoveries is fairly alarming: the main mitigation for vulnerabilities of this type is patching, which is not a valid strategy for protecting against 0-day exploits.
There is a heightened risk from cyber criminals, who can discover zero-day vulnerabilities and exploit them for profit.
Add to this that software vendors have not necessarily lowered their average time for patching vulnerabilities reported to them, and that a number of vulnerabilities reported to vendors two years ago are still awaiting a patch.
The Cyber Threat is Real
Undermining both our national security and our economic leadership in the world marketplace
Threat started as nuisance activities by isolated bad actors
Threat is now coming from nation states, commercial espionage, terrorist organizations, organized crime groups, and ‘for-hire’ cyber organizations —it’s a business—and often in concert
Our operational stability and intellectual property are being exfiltrated: sensitive designs, oil exploration data, Google IP, critical infrastructure knowledge, command and control processes, ….
The extent of the damage is only beginning to be publicly acknowledged
$1 trillion annually and years of technology leadership
Advanced Persistent Threats embedded in our critical networks
Keeping security threats out while letting new technologies in…
Best of Breed Partnerships
Solutions:
- Threat Feeds & Intelligence
- Deep Packet Inspection
- Data Loss Prevention
SRA integrates applications from world-class leaders to provide proactive, end-to-end protection that stays one step ahead of the cyber threats. SRA solutions are predicated on a core of best-of-breed products and technology delivered by an experienced team of professionals well-versed in cyber trade craft.
Framework of SRA’s cyber security operations center solution and the various components of which it is comprised
Individual functions and capabilities are tailored to fit each customer’s organizational mission and goals
What is GangNET®?
GangNET® is an award-winning investigative, analytical and statistical resource for recording and tracking gang members and related group-based criminal activities: “a software solution for Gang Tracking Case Management”.
The most widely deployed gang information sharing system, this browser-based tool aids in the identification, location and apprehension of gang members:
- Collect and analyze gang information
- Visualize relationships and incidents
- Share information across jurisdictions
GangNET® Solutions
Data Analysis
- Discover hidden relationships through statistical reports, ad hoc query reports and automated multi-level link analysis.
- Multi-level link analysis helps the user discover information about the structure of organizations, interrelationships, and the roles of individuals within organizations or events.
Biometrics
- Integrates with a sophisticated 255-point facial recognition engine.
Mapping
- Plot gang activity across the local, regional, state or national area.
- Several types of geographical data are available, including addresses of gang member residences, arrests, crimes and locations where field interviews occurred.
Field Interview Form
- Rapidly enter real-time information on several subjects at once through a single on-screen form.
- Automatically creates relationships between subjects, vehicles and addresses.
- Submit information remotely from a crime scene and receive immediate feedback that can help resolve the case in minimal time.
SRA’s Cyber Security Services (cont.)
- Security Assessments (Security Testing and Evaluation)
- Security Operations Center management and design
- Security Program Planning and Management Support
- Technical Security Architecture Design and Development
- Security Certification and Accreditation
- Disaster Recovery and COOP
Effective situational awareness (SA) provides the ability to understand what is happening in your own network and then to correlate internal events with events happening on the Internet in near-real time.
SRA’s Flow Analysis and Attribution Solution: SRA’s Mirror World Visualization displays attacks / trace routing
CIP Full Spectrum Capabilities: SRA Infrastructure Protection and Resilience Offerings
SRA provides a tailored, scalable (from global to asset-specific) framework for all-hazards infrastructure risk management, spanning preparedness, prevention, response and recovery.
- Continuity of Operations / Government Planning
- Interdependencies Analysis
- Regional Resiliency Analysis
- Coordination with State, Local, Tribal and Territorial Governments
- Protective Measures Planning
- Security Awareness
- Vulnerability/Consequence Assessments
- Threat Analysis
- Pandemic Preparedness
- Table Top and Functional Exercises
- Surge and Incident Management Support
- Fusion and Emergency Operations Centers Integration
- Credentialing/Access Policy Analysis
- Public/Private Partnership Creation and Coordination
- Risk Assessment and Analysis
- Policy Analysis
- Communication, Training and Outreach
- Metrics Development and Analysis
- Information Sharing Environment Integration
SRA SOC Maturity Model
GangNET® Solutions
Watch List
- The user is notified when someone enters a new record that matches specific criteria they’ve already entered.
- The ability to share search information during an investigation can speed case resolution.
Simultaneous Search
- Networked database that supports full or partial text searches.
- Agencies can search their local GangNET system simultaneously with external networked GangNET systems through a single search command.
- The “matrix” search function allows users to query several data fields simultaneously and generate two- and three-dimensional charts based on the results.
GangNET® Mobile
- Designed and tested with input from seasoned investigators, GangNET® Mobile is optimized for use on a PDA or Blackberry.
- Systems with the Facial Recognition function can use the wireless device’s built-in camera to take and save a photo, as well as search on a photo using the facial recognition feature.
What is One View Analyst?
One View Analyst is a comprehensive knowledge management system that gathers complex data to uncover vital knowledge: “A software solution for intelligence and law enforcement agencies”. Developed for large-scale data collection and data mining, One View Analyst fully supports the five steps of the intelligence life cycle:
– Searching
– Collecting
– Organizing
– Analyzing
– Reporting
“SMARTER TOOLS”
Collects and Analyzes
- Gather and organize data quickly and easily from a web browser or from files on a network via drag and drop
- Store data in an easy-to-understand, customer-driven structure: Cabinets
- Tailor new virtual environments on the fly
Searching
- Advanced indexing technology
- Boolean logic and concept search
- Proximity, fuzzy, and stemming searches
- Matrix search technology
- Process hundreds of searches simultaneously
- Prioritized search results by file
- Highlighted search results by word
Reporting
- Create custom reports with the push of a button using XSL style sheets
Analysis
- GIS: ESRI ArcView integration; create GIS overlays from metadata stored in Cabinets
- Link analysis: i2 Analyst’s Notebook integration; create link charts from metadata stored in Cabinets
SRA Benefits to India
Single-source systems integrator with cross-cutting expertise in law enforcement, homeland security, counter terrorism and cyber security
Unparalleled expertise in building and implementing the most comprehensive public-private homeland security partnership for infrastructure protection
Tailorable, scalable solutions for differing global markets
Cutting edge cyber security awareness and expertise
Proven law enforcement information sharing solutions