Craig Wilson

Comment:
  • It seems odd to me that someone would put a good slide set like the above and yet disable download. We are all busy during the day; who has the time to go through a slide show when reading print is 3 times faster? Also, those who would steal and not attribute could simply do screen prints one by one. But good slide deck nonetheless.
Speaker notes:
  • Need the organizational analysis as well as the technical… group modeling, SRA strength
  • SRA Today (this was deleted from the top right and was covering the SRA logo).
  • Only a fraction of the types of attacks; the point is that the vulnerabilities are at every level, and the complexity of the computer architectures means there will always be new vulnerabilities to be discovered… if we continue to play defense only, we will be in a perpetual whack-a-mole environment

1. Cybersecurity Awareness “Catch me if you can…”
2. SRA Overview
   • Global provider of innovative technology products, solutions and professional services
   • Over 90% US government business
     – Growing international, state & local and commercial components
   • Diversified mix of national security, civil government & health missions
   • Deeply embedded culture focused on creating real value for customers
   • FY08 revenue of $1.507B
     – 87% as a prime contractor
   • Technology and professional services employer of choice
     – 7000+ employees
3. Major Operating Locations (map slide; labels recovered below)
   Era customers: United States, Alaska, Armenia, Austria, Canada, Chile, China, Czech Republic, Denmark, Egypt, Estonia, Germany, Hungary, Ireland, Japan, Kazakhstan, Latvia, Malaysia, Mongolia, North Sea (Dutch), Norway, Netherlands, Scotland, Singapore, Slovakia, South Africa, Spain, Taiwan, Thailand, United Kingdom
   Australia: Melbourne
   SRA operating locations, Europe: Linz, Austria; Pardubice, Czech Republic; Paris, France; Cologne, Germany; Stuttgart, Germany; Oxford, UK
   SRA operating locations, North America: Fairfax, VA (HQ); Arlington, VA; Alexandria, VA; Falls Church, VA; Frederick, MD; Reston, VA; McLean, VA; Vienna, VA; Rockville, MD; Washington, DC; Egg Harbor Township, NJ; Ft Monmouth, NJ; Mt Arlington, NJ; Shrewsbury, NJ; Albuquerque, NM; Las Vegas, NV; New York, NY; Cincinnati, OH; Dayton, OH; Hatboro, PA; Sierra Vista, AZ; Newport Beach, CA; Sacramento, CA; San Diego, CA; Colorado Springs, CO; Glastonbury, CT; Ft Walton Beach, FL; Atlanta, GA; Warner Robins, GA; Fairview Heights, IL; Indianapolis, IN; Louisville, KY; Boston, MA; Baltimore, MD; Columbia, MD; Landover, MD; Pax River, MD; St Louis, MI; Durham, NC; Research Triangle Park, NC; Providence, RI; Charleston, SC; Austin, TX; San Antonio, TX; Chesapeake, VA; Newport News, VA; Seattle, WA; Milwaukee, WI; Morgantown, WV
4. Major Customers
   • Homeland Security: NCSD, ICE, CBP, FEMA, TSA
   • Justice: DEA, FBI, OJP
   • State & local gov’ts
   • Army, Air Force, Navy, National Guard, OSD, DARPA, DISA, DMDC, USTC
   • FDIC, State, EPA, NIH, CDC, FDA, CMS, HRSA, GAO, SBA, NARA, Transportation, Treasury, Agriculture, Labor, Commerce, Interior
   • Pharma & biotech; foundations & academia
5. Some Cyber Security Customers
   Significant Work. Extraordinary People. SRA.
6. The United States’ 18 CIKR Sectors: The Public-Private Partnership
   • Agriculture and Food
   • Banking and Finance
   • Chemical
   • Commercial Facilities
   • Communications
   • Critical Manufacturing
   • Dams
   • Defense Industrial Base
   • Emergency Services
   • Energy
   • Government Facilities
   • Healthcare and Public Health
   • Information Technology
   • National Monuments and Icons
   • Nuclear Reactors, Materials and Waste
   • Postal and Shipping
   • Transportation Systems
   • Water
   • And State and Local Governments
7. SRA’s Critical Infrastructure Protection Clients
   • DHS National Cyber Security Division —provide mission support to all branches of DHS’s cyber security sector specific agency, including control systems security, supply chain risk management, cyber exercises, and international coordination.
   • DHS Partnership and Outreach Division —support all 18 Critical Infrastructure Protection Sectors, including Regional Resilience initiatives, and International Interdependency studies and coordination.
   • DHS Sector Specific Agency Executive Management Office —provide risk management, protective program, and exercise and training support to the Chemical, Commercial Facilities, Critical Manufacturing, Dams, Emergency Services and Nuclear Sectors.
   • DHS Office of Infrastructure Protection Measurement and Reporting Office —provide preparedness metrics development and analysis for DHS’ infrastructure protection efforts, including support for State and local metrics, and support across all federal departments and agencies.
8. Who are we trying to catch?
   • Nation States
   • Commercial Companies
   • Organized Crime Syndicates
   • Terrorist Organizations
9. Evolution of the Cyber Threat
   Cyber threats are becoming extremely sophisticated, but due to a lack of diligence by targeted organizations adversaries are still successful using low-tech attacks.
   The Internet was designed for information sharing and collaboration; security was a design consideration but wasn’t considered relevant by the users.
   Timeline:
   • 1966 – “Theory of Self-producing Automata”, John Von Neumann
   • 1971 – ‘Catch me if you can’, DEC, first malware via network connection (ARPANET)
   • 1974 – ‘Wibbit’, first self-replicating Denial of Service
   • 1974 – ‘Animal’, first Trojan, UNIVAC
   • 1981 – ‘Elk Cloner’, first large scale virus, Apple II
   • 1986 – ‘Virdem’, first to add code to executables (.com) to replicate themselves, Chaos Computer Club
   • 1986 – ‘Pakistani Flu’, first IBM compatible virus
   • 1987 – ‘Cascade’, first self-encrypting virus
   • 1988 – ‘Morris worm’, first to attack a buffer overflow vulnerability
   • 1989 – ‘Ghostball’, first multi-part virus infection
   • 1993 – ‘Freddy Kruger’, first virus to be delivered via BBS/shareware
   • 1995 – ‘Concept’, first to use MS Word
   • 1996 – ‘Ply’, polymorphic, built-in mutation engine
   • 1999 – ‘CIH’, first to infect COTS, attacked BIOS
   • 2000 – ‘I Love You’, first to infect via email, $10B loss, attacked Registry
   • 2002 – ‘Beast’, MS Windows backdoor allowed remote access
   • 2004 – ‘Vundo’, first to infect via pop-ups
   • 2004 – ‘Santy’, first web-worm using Google
   • 2005 – ‘Bandook’, first to hijack PC, botnet
   • 2006 – ‘Nyiem’, mass mailing used to disable security
   • 2007 – ‘Storm botnet’, injection via video download
   • 2008 – ‘Rustock’, first root kit virus
   • 2009 – ‘Bohmini, Koobface, Conficker’, Adobe, Facebook, & MS server
   • 2010 – ‘Stuxnet’, PLC/SCADA control systems
10. Computer Networks - Our Achilles Heel
   The world depends on computer networks for national security (military and economic) and safety… and yet the networks are fundamentally flawed across all architectural layers.
   An Achilles’ heel is a deadly weakness in spite of overall strength, one that can actually or potentially lead to downfall.
11. Generic Network-Centric Vulnerabilities
   (Diagram: Internet and point-to-point links)
   • Vulnerabilities at all layers
   • Internet connections
   • Email
   • Software (malware, botnets)
   • Hardware
   • Firmware
   • Web pages/banners/pop-ups
   • Databases (SQL injection)
     – and more…
12. Defense in Depth
   (Diagram labels: NAS Information System Security (ISS); Enterprise Architecture (EA))
13. Vulnerabilities are Expanding
14. Hacking?
   • Paradigm shift yields an increased focus on client-side and web-based application attacks vs. server-side
   • Attackers no longer need to penetrate enterprise security
     – They simply entice end-users to come and get the hack
   It’s not really “hacking” anymore. (Symantec Corp. 2008)
   SRA PROPRIETARY
15. ADVANCED PERSISTENT THREATS (APT)
16. Advanced Persistent Threat
   • The term ‘Advanced Persistent Threat’ has been generating a lot of press and notoriety in the world of Cyber Security
   • Government agencies and industries have been compromised by malicious hackers for the last several years, and increasingly we see this being attributed to Advanced Persistent Threats
   • An Advanced Persistent Threat is simply an attack that is targeted, has data exfiltration as its goal, and is driven by a human
17. APT Facts
   • APTs have varying degrees of sophistication; different threat actors have different Tools, Techniques, and Practices (TTP) that act as a fingerprint for their activities.
   • APT tools and malware are packaged to avoid anti-virus technology; because of the targeted nature of the attacks these tools have a very limited distribution, which often keeps them off A/V vendor radar.
   • Data theft is the primary objective: data is quickly identified, compressed and exfiltrated using a variety of covert channels. This exfiltrated data is often encrypted, and the forensic evidence is immediately deleted, leaving little clue as to what was targeted.
   • APT communication generally uses outbound connections or “call outs”
   • Call outs are generally over commonly used ports and use obfuscated or encrypted communications
   • APT social engineering can be relevant to geopolitical events or specific to the job functions of an individual target
   • APT targeting includes dissident groups and exiled governments, Western government agencies, Cleared Defense Contractors (CDC), and cutting-edge technology companies
18. Advanced Persistent Threat Exploitation Cycle
   • Step 1 – Reconnaissance
   • Step 2 – Initial Intrusion into the Network
   • Step 3 – Establish a Backdoor into the Network
   • Step 4 – Obtain User Credentials
   • Step 5 – Install Various Utilities
   • Step 6 – Privilege Escalation / Lateral Movement / Exfiltration
   • Step 7 – Maintain Persistence
19. APT Example – Step 0 (Source: SANS)
   Step 0: Attacker Places Content on Trusted Site
   The attacker begins by placing content on a trusted third-party website, such as a social networking, blogging, photo sharing, or video sharing website, or any other web server that hosts content posted by public users. The attacker's content includes exploitation code for unpatched client-side software.
20. APT Example – Step 1 (Source: SANS)
   Step 1: Client-Side Exploitation
   A user surfs the Internet from a Windows machine that is running an unpatched client-side program, such as a media player (e.g., iTunes, etc.), document display program (e.g., Acrobat Reader), or an MS Office app (e.g., Word, etc.). Upon receiving the attacker's content from the site, the victim user's browser invokes the vulnerable client-side program, passing it the attacker's exploit code. This exploit code allows the attacker to install or execute programs of the attacker's choosing on the victim machine, using the privileges of the user who ran the browser. The attack is partially mitigated because this victim user does not have administrator credentials on this system. Still, the attacker can run programs with those limited user privileges.
21. APT Example – Step 2 (Source: SANS)
   Step 2: Establish Reverse Shell Backdoor Using HTTPS
   The attacker's exploit code installs a reverse shell backdoor program on the victim machine. This program gives the attacker command shell access to the victim machine, communicating between this system and the attacker using outbound HTTPS access from victim to attacker. The backdoor traffic therefore appears to be regular encrypted outbound web traffic as far as the enterprise firewall and network are concerned.
22. APT Example – Step 3 (Source: SANS)
   Step 3: Dump Hashes and Use Pass-the-Hash Attack to Pivot
   The attacker uses shell access on the initial victim system to load a local privilege escalation exploit program onto the victim machine. This program allows the attacker to jump from the limited privilege user account to full system privileges on this machine. The attacker now dumps the password hashes for all accounts on this local machine, including a local administrator account on the system.
23. APT Example – Step 4 (Source: SANS)
   Step 4: Move Laterally and Escalate Permissions
   Instead of cracking the local administrator password, the attacker uses a Windows pass-the-hash program to authenticate to another Windows machine on the enterprise internal network, a fully patched client system on which this same victim user has full administrative privileges. Using NTLMv1 or NTLMv2, Windows machines authenticate network access for the Server Message Block (SMB) protocol based on user hashes and not the passwords themselves, allowing the attacker to get access to the file system or run programs on the fully patched system with local administrator privileges. The attacker now dumps the password hashes for all local accounts on this fully patched Windows machine.
24. APT Example – Step 5 (Source: SANS)
   Step 5: Pass the Hash to Compromise Domain Controller
   In Step 5, the attacker uses a password hash from a local account on the fully patched Windows client to access the domain controller system, again using a pass-the-hash attack to gain shell access on the domain controller. Because the password for the local administrator account is identical to the password for a domain administrator account, the password hashes for the two accounts are identical. Therefore, the attacker can access the domain controller with full domain administrator privileges, giving the attacker complete control over all other accounts and machines in that domain.
25. APT Example – Steps 6 & 7 (Source: SANS)
   Steps 6 and 7: Exfiltration
   In Step 6, with full domain administrator privileges, the attacker now compromises a server machine that stores secrets for the organization. In Step 7, the attacker exfiltrates this sensitive information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the Internet from the server, again using HTTPS to encrypt the information, minimizing the chance of it being detected.
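The lateral-movement stages above (Steps 3 to 5) ride on ordinary NTLM network logons, so a defender has to look for the pattern rather than a signature. The following is an added example, not from the deck or from SANS: it scans a constructed key=value flattening of Windows Event ID 4624 records for one source address using a local (non-domain) account over NTLM to reach several hosts in a short window; the field names, the 30-minute window and the three-host threshold are assumptions.

```python
"""Detect local-account NTLM network-logon fan-out (the pass-the-hash pattern).

Added defender-side example, not part of the original deck. A pass-the-hash
logon over SMB is recorded on the target as an ordinary Event ID 4624 with
Logon Type 3 and Authentication Package NTLM, so there is no signature to
match; instead this flags one source address using a *local* account (Account
Domain equal to the host name) to reach several hosts within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a key=value flattening of selected 4624 fields (assumed
# format). Host is the machine that logged the event; Domain == Host marks a
# local account, Domain == CORP a domain account.
SAMPLE_EVENTS = """\
2010-06-14T09:00:05 Host=WKSTN-07 EventID=4624 LogonType=2 AuthPackage=Kerberos Account=jdoe Domain=CORP Source=-
2010-06-14T09:14:31 Host=FILESRV-02 EventID=4624 LogonType=3 AuthPackage=Kerberos Account=jdoe Domain=CORP Source=10.1.4.22
2010-06-14T09:20:10 Host=WKSTN-12 EventID=4624 LogonType=3 AuthPackage=NTLM Account=Administrator Domain=WKSTN-12 Source=10.1.4.22
2010-06-14T09:21:42 Host=WKSTN-15 EventID=4624 LogonType=3 AuthPackage=NTLM Account=Administrator Domain=WKSTN-15 Source=10.1.4.22
2010-06-14T09:23:07 Host=WKSTN-19 EventID=4624 LogonType=3 AuthPackage=NTLM Account=Administrator Domain=WKSTN-19 Source=10.1.4.22
2010-06-14T09:25:55 Host=DC-01 EventID=4624 LogonType=3 AuthPackage=NTLM Account=Administrator Domain=CORP Source=10.1.4.22
2010-06-14T11:02:13 Host=WKSTN-30 EventID=4624 LogonType=3 AuthPackage=NTLM Account=backup Domain=WKSTN-30 Source=10.1.9.8
2010-06-14T15:40:00 Host=WKSTN-31 EventID=4624 LogonType=3 AuthPackage=NTLM Account=backup Domain=WKSTN-31 Source=10.1.9.8
"""


def parse_event(line):
    """Split 'timestamp key=value key=value ...' into a dict with a datetime."""
    ts, *fields = line.split()
    ev = {k: v for k, v in (f.split("=", 1) for f in fields)}
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def is_local_ntlm_network_logon(ev):
    """4624 / Logon Type 3 / NTLM, with the account local to the target host."""
    return (ev.get("EventID") == "4624"
            and ev.get("LogonType") == "3"
            and ev.get("AuthPackage", "").upper() == "NTLM"
            and ev.get("Domain", "").upper() == ev.get("Host", "").upper())


def find_fanout(events, min_hosts=3, window=timedelta(minutes=30)):
    """Alert when one (source, account) reaches >= min_hosts distinct hosts
    within `window`. Thresholds are assumptions to tune per environment."""
    by_key = defaultdict(list)
    for ev in events:
        if is_local_ntlm_network_logon(ev):
            by_key[(ev["Source"], ev["Account"].lower())].append(ev)

    alerts = []
    for (src, account), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["Host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"source": src, "account": account,
                               "hosts": sorted(hosts),
                               "first": evs[start]["ts"], "last": evs[end]["ts"]})
                break  # one alert per (source, account) is enough
    return alerts


def analyze(text=SAMPLE_EVENTS):
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return find_fanout(events)


if __name__ == "__main__":
    for a in analyze():
        print(f"{a['source']} as {a['account']} reached {len(a['hosts'])} hosts "
              f"{a['first']:%H:%M}-{a['last']:%H:%M}: {', '.join(a['hosts'])}")
```

The Kerberos logons and the two `backup` logons hours apart stay quiet; the domain-account logon to DC-01 is not counted as local, but the fan-out against the three workstations just before it already fires.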
26. Gh0stNet
   • A Canadian group called Information Warfare Monitor (IWM) in 2008 begins an investigation into suspected compromises of the Tibetan Government in Exile
   • Findings:
     – Dalai Lama’s computers were infected and he was a top victim
     – Social engineering malware attacks identified, over 8 different Trojan families in use
     – 70% of control servers behind Tibetan attacks are IP addresses in China; others were US, Sweden, South Korea, and Taiwan
     – Found that a total of 1,295 computers were infected within 103 countries
   • This is the first widely reported investigation of an attack that meets the criteria for an Advanced Persistent Threat
   • Gh0stNet was named for the malware used, which contained the string ‘Gh0st’
27. “Operation Aurora”
   • In January 2010 Google reports it was the victim of a cyber attack and alleges the attack originated in China
   • A 0day exploit in Internet Explorer is used to gain access to systems; malware is installed which allows remote control of systems
   • In the wake of the Google announcement, 34 other companies including Yahoo, Northrop Grumman, Adobe, and Dow Chemical identify similar activity on their networks
   • The use of a 0day for IE and the effectiveness of the attackers in remaining undetected for many months are TTPs of an APT actor
28. Malware Capabilities
   • Vary depending on APT and toolkit
   • Common functionality
     – Search for documents
     – Report system configuration
     – Key logging
     – Data exfil utility
     – Command line access
   • Persistence
     – Load DLL as a service
     – Load registry key to instantiate malware on reboot in HKCU or HKLM
     – Rootkit to hide files/activity
   • “Commercial” RATs are often used
   • Obfuscation
29. Spreading
   • Initial foothold is secured
   • Connects out to remote host
   • Remote host operator will
     – Use existing user credentials to laterally spread to other workstations
     – Load a different malware onto other systems to ensure a secondary communication channel
   • Offline hash cracking with massive rainbow tables reduces password crack time to several seconds
   • Initiate keystroke logging to record additional account passwords
30. Exfiltration
   • Data will be amassed into a folder, likely a temp folder either in the user profile or the main Windows temp directory
   • Generally either a Roshal ARchiver (RAR) or Windows CABinet utility will be used to compress the data
   • Additional tools to encrypt the data archive may be employed
   • Exfiltration will occur via a covert channel, typically over a legitimate-looking port such as 80 or 443
31. APT Incident Investigation
   • Adversary is categorized by TTP; investigation of these TTPs facilitates knowing the adversary
     – Solid intelligence feed helps identify incidents
   • Find initial infection vector
   • Identify network callouts (IP and DNS)
   • Recover network traffic
   • Pull systems offline (when feasible)
     – Memory dump
     – Forensic disk image
   • Malware analysis
     – Dynamic
     – Static
   • Correlate and track
32. Industrial Control Systems Security
33. Smart Grid Security
   • A recent report by Pike Research listed cybersecurity as the #1 Smart Grid trend to watch:
   • “My SCADA system is safe because it is not connected to the Internet”
     – FALSE – Stuxnet was apparently spread by a USB memory stick
   • “I keep my SCADA Windows machine updated with the latest security patches and antivirus protection”
     – FALSE – Stuxnet exploited a zero-day vulnerability
   • “At least the threats are limited to my Windows-based management consoles”
     – FALSE – Stuxnet also infected Programmable Logic Controllers
   • The September 2010 US National Institute of Standards and Technology (NIST) “Guidelines for Smart Grid Cyber Security” is three volumes/537 pages
34. Stuxnet aka ‘first super cyber weapon’
   • In June 2010 malware is discovered using a very advanced 0day to spread using USB devices; the malware is named ‘Stuxnet’ by researchers
     – 0day exploits are very difficult to obtain, and once they are used their effectiveness diminishes as use is discovered
   • Extremely heavy distribution in Iran, Indonesia, and Pakistan
   • Malware was custom designed to attack a Siemens product used in industrial control called WinCC
     – Extremely advanced targeting
     – Demonstrated knowledge of advanced systems
     – Targeted specific components of WinCC systems
   • The malware utilized a rootkit to hide it from system security tools; this rootkit was signed using one of two (depending on version) valid certificates from legitimate chip production companies
     – Extremely advanced techniques demonstrate the capability of the actor
35. Zero Day Vulnerabilities (Source: SANS)
   • The implication of the increasing number of duplicate 0day discoveries is fairly alarming, in that the main mitigation for vulnerabilities of this type is patching, which is an invalid strategy for protecting against 0day exploits.
   • There is a heightened risk from cyber criminals, who can discover zero-day vulnerabilities and exploit them for profit.
   • Add to this that software vendors have not necessarily lowered their average time for patching vulnerabilities reported to them, and that a number of vulnerabilities reported to vendors two years ago are still awaiting a patch.
36. The Cyber Threat is Real
   • Undermining both our national security and our economic leadership in the world marketplace
     – Threat started as nuisance activities by isolated bad actors
     – Threat is now coming from nation states, commercial espionage, terrorist organizations, organized crime groups, and ‘for-hire’ cyber organizations —it’s a business—and often in concert
     – Our operational stability and intellectual property are being exfiltrated: sensitive designs, oil exploration data, Google IP, critical infrastructure knowledge, command and control processes, …
   • The extent of the damage is only beginning to be publicly acknowledged
     – $1 trillion annually and years of technology leadership
     – Advanced Persistent Threats embedded in our critical networks
   • What’s next?
37. Near-Term – Move beyond signature-based defenses
   • Advanced Persistent Threat is a genuine cyber threat
   • Different APT actors have different tools, techniques, and practices; group modeling required
   • User awareness and a robust security monitoring and incident response process can cut off the bleeding and reduce impact
   • Need to go beyond signature-based defenses to anomaly detection
   • Some technologies such as full packet capture and SIEM are critical in remediating APT
   • Analyze each incident and derive intelligence from the TTPs in order to better defend against the next wave, which is coming on the heels of the one you have remediated
   • Cyber intelligence is critical
   • Anti-virus cannot save you
   • Inherent design flaws in computer architectures mean this will be a continuing battle
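The “call outs” over commonly used ports (slide 17), the exfiltration over 80 or 443 (slide 30) and the anomaly detection this slide calls for can be folded into one behavioural check that needs no malware signature. The block below is an added example, not SRA’s code: it scores each source/destination pair in a constructed proxy log for periodic low-jitter connections (beaconing) and for outbound byte volume far above the baseline (exfiltration); the log format, the sample addresses and every threshold are assumptions.

```python
"""Anomaly checks for outbound call-outs over common ports (80/443).

Added defender-side example, not from the original deck. Each
(source, destination:port) pair seen in proxy/firewall logs is scored on two
behaviours: periodic connections with little jitter (beaconing) and an outbound
byte total far above the rest of the network (exfiltration). Lines use a
constructed 'timestamp src dst:port bytes_out' format.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed log: one beacon, one large push, two normal browsing flows."""
    t0 = datetime(2010, 6, 14, 8, 0, 0)
    lines = []
    # Workstation calling out to one host every ~5 minutes with small jitter.
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 0, 2, -3, 1, 0]):
        ts = t0 + timedelta(seconds=300 * i + jitter)
        lines.append(f"{ts.isoformat()} 10.1.4.22 203.0.113.50:443 1480")
    # The same workstation's ordinary browsing: irregular, small payloads.
    for off, nbytes in [(37, 900), (410, 1200), (2225, 600), (2290, 2800), (3900, 700)]:
        lines.append(f"{(t0 + timedelta(seconds=off)).isoformat()} 10.1.4.22 198.51.100.20:443 {nbytes}")
    # A server pushing ~210 MB out in three HTTPS sessions.
    for off, nbytes in [(5000, 70_000_000), (5600, 80_000_000), (6100, 60_000_000)]:
        lines.append(f"{(t0 + timedelta(seconds=off)).isoformat()} 10.1.7.9 203.0.113.50:443 {nbytes}")
    # Another workstation, plain web browsing over port 80.
    for off, nbytes in [(120, 450), (800, 300), (1500, 1100)]:
        lines.append(f"{(t0 + timedelta(seconds=off)).isoformat()} 10.1.4.23 198.51.100.77:80 {nbytes}")
    return "\n".join(lines)


def parse(text):
    """Group records by (src, dst:port) -> [(timestamp, bytes_out), ...]."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows[(src, dst)].append((datetime.fromisoformat(ts), int(nbytes)))
    return flows


def beacon_score(times, min_conns=8):
    """Coefficient of variation of inter-arrival gaps; near 0 means periodic.
    Returns None when there are too few connections to judge."""
    if len(times) < min_conns:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return statistics.pstdev(gaps) / mean


def detect(text, cv_threshold=0.1, volume_floor=50_000_000, volume_ratio=20):
    """Return sorted (kind, src, dst, value) findings. Thresholds are assumed:
    a beacon needs CV below cv_threshold; a volume anomaly must exceed both an
    absolute floor and volume_ratio times the median per-pair byte total."""
    flows = parse(text)
    totals = {key: sum(b for _, b in recs) for key, recs in flows.items()}
    baseline = statistics.median(totals.values()) if totals else 0
    findings = []
    for key, recs in flows.items():
        cv = beacon_score([t for t, _ in recs])
        if cv is not None and cv < cv_threshold:
            findings.append(("beacon", key[0], key[1], round(cv, 3)))
        if totals[key] > max(volume_floor, volume_ratio * baseline):
            findings.append(("volume", key[0], key[1], totals[key]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, src, dst, value in detect(make_sample_log()):
        print(f"{kind:7} {src:>10} -> {dst:18} {value}")
```

Full packet capture would let an analyst pull the flagged sessions back for inspection; here the scoring alone separates the two suspicious pairs from the browsing noise.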
38. Mid-Term Solutions
   • Need to discover basic systemic anomalies and stop or alter execution (make them inert) in real time
     – in memory at execution, when obfuscation is stripped away
     – at communication nodes/gateways, as packets are inspected and transmitted
   • Adobe .pdf spear phishing attacks can be camouflaged in the programming code but are exposed in memory during execution
39. Leading-Edge Technology
   Solutions:
     – Data Containment
     – Malware analysis
     – Discovery, Detection, Visualization
     – Cyber Attacks
     – Mobile Security
     – Encrypted Mobile Voice
   Keeping security threats out while letting new technologies in…
40. Best of Breed Partnerships
   Solutions:
     – Threat Feeds & Intelligence
     – Two-factor Authentication
     – SIEM
     – Encrypted Mobility
     – Deep Packet Inspection
     – Intrusion Detection
     – Data Loss Prevention
     – Endpoint security
   SRA integrates applications from world-class leaders to provide proactive, end-to-end protection that stays one step ahead of the cyber threats. SRA solutions are predicated on a core of best-of-breed products and technology delivered by an experienced team of professionals well-versed in cyber trade craft.
41. SRA Security Operation Centers
   • Framework of SRA’s cyber security operations center solution and the various components of which it is comprised
   • Individual functions and capabilities are tailored to fit each customer’s organizational mission and goals
42. What is GangNET®? (SOLUTIONS)
   GangNET® is an award-winning investigative, analytical and statistical resource for recording and tracking gang members and related group-based criminal activities: “a software solution for Gang Tracking Case Management”.
   • The most widely deployed gang information sharing system, this browser-based tool aids in the identification, location and apprehension of gang members:
     – Collect and analyze gang information
     – Visualize relationships and incidents
     – Share information across jurisdictions
43. GangNET® Solutions
   Data Analysis
   • Discover hidden relationships through statistical reports, ad hoc query reports and automated multi-level link analysis.
   • Multi-level link analysis helps the user discover information about the structure of organizations, interrelationships, and the roles of individuals within organizations or events.
   Biometrics
   • Integrates with a sophisticated 255-point facial recognition engine.
   Mapping
   • Plot gang activity across the local, regional, state or national area.
   • Several types of geographical data are available, including addresses of gang member residences, arrests, crimes and locations where field interviews occurred.
   Field Interview Form
   • Rapidly enter real-time information on several subjects at once through a single on-screen form.
   • Automatically creates relationships between subjects, vehicles and addresses.
   • Submit information remotely from a crime scene and receive immediate feedback that can help resolve the case in minimal time.
44. QUESTIONS?
   • Craig Wilson
     – Principal
     – Infrastructure Protection and Resilience Division
     – SRA International, Inc.
   • [email_address]
45. Products & Solutions
46. Protecting Critical Utility-based Infrastructure
   • Conducted Risk Assessment and Vulnerability Baseline for National-level Utility Sector
   • Supported the creation of the National Infrastructure Advisory Council’s Convergence of Physical and Cyber Technologies and Related Security Management Challenges report
   • Mapped Critical Utility and Electricity Transmission Infrastructure for the State of California, as well as devised protective programs around key transmission infrastructure
   • Assisted in the generation of protective and resilience programs for the National-level Electric Sector
   • Support the Industrial Control Systems Branch for the National Cyber Security Division at DHS
47. SRA Security Operations Core Services (Real-Time Security and Compliance Management)
   • Cyber Security Operational Baseline Reviews
   • Security System Engineering and Architecture
   • SIEM Integration and Best Practices
   • Monitoring and Management of Security Devices
   • Event Monitoring, Analysis and Notification
   • Event Correlation, Data Reduction and Event Detection
   • Incident Response
   • Coordinating Defense Against and Responses to Cyber Attacks
48. SRA Security Operations Core Services (Cont.) (Real-Time Security and Compliance Management)
   • Testing and Validation of Security Monitoring/Detection Services
   • Focused Data and Trend Analysis – enabling resources to concentrate on real threats
   • Continuous Tuning of Sensors to Reduce False Positives and Increase Accuracy
   • Vulnerability Scanning Tool(s)
   • Red Team/Blue Team and Penetration Testing
   • Forensic Analysis
49. SRA Security Operations Core Services (Cont.)
   • Malware Analysis and Recovery Support
   • Advanced Technology Research & Development
   • Cyber Intelligence Analysis
   • Advanced Warning of Emerging Threats
   • Vulnerability Management Capabilities
   • Compliance Verification
   • Configuration Management
   • Facilities Construction
50. SRA's Cyber Security Services
- Support to Computer Network Defense
- Red Team / Blue Team Operations
- Software Reverse Engineering (Malcode)
- Computer Forensics and Digital Media Analysis
- Security Assessments (Security Testing and Evaluation)
51. SRA's Cyber Security Services (cont.)
- Security Operations Center management and design
- Security Program Planning and Management Support
- Technical Security Architecture Design and Development
- Security Certification and Accreditation
- Disaster Recovery and COOP
52. Situational Awareness
- Effective SA provides the ability to understand what is happening in your own network and then to correlate internal events with events happening on the internet in near-real time.
[Figures: SRA's Flow Analysis and Attribution Solution; SRA's Mirror World Visualization displays attacks / trace routing]
SRA PROPRIETARY
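The correlation step the slide describes, as an added example that is not code from the original deck and not SRA's Flow Analysis and Attribution Solution: constructed internal flow events are joined against a constructed external indicator feed, and a time window keeps the match near-real-time (the event and the external report must be close in time). Field names, addresses and timestamps are all assumptions.

```python
from datetime import datetime

# Constructed sample data (not from the original deck): internal flow/IDS events
# as a SOC sensor might emit them, with the destination of each connection.
INTERNAL_EVENTS = [
    {"ts": "2009-03-01T10:00:05", "src": "10.1.2.3", "dst": "198.51.100.7", "msg": "outbound TCP/443"},
    {"ts": "2009-03-01T10:02:40", "src": "10.1.2.9", "dst": "203.0.113.5", "msg": "outbound TCP/80"},
    {"ts": "2009-03-01T11:30:00", "src": "10.1.2.3", "dst": "198.51.100.7", "msg": "outbound TCP/443"},
]

# Constructed external feed: addresses reported as hostile on the internet,
# with the time each report was published.
EXTERNAL_FEED = [
    {"ts": "2009-03-01T09:58:00", "indicator": "198.51.100.7", "report": "scanning campaign"},
    {"ts": "2009-03-01T10:01:00", "indicator": "192.0.2.44", "report": "phishing host"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def correlate(internal, external, window_seconds=900):
    """Return internal events whose destination matches an external indicator
    reported within window_seconds of the event. The window is what makes this
    near-real-time: a stale report does not fire on every later connection."""
    by_indicator = {}
    for report in external:
        by_indicator.setdefault(report["indicator"], []).append(report)

    hits = []
    for event in internal:
        event_time = parse_ts(event["ts"])
        for report in by_indicator.get(event["dst"], []):
            lag = abs((event_time - parse_ts(report["ts"])).total_seconds())
            if lag <= window_seconds:
                hits.append({"internal": event, "external": report, "lag_s": int(lag)})
    return hits


def hits_by_source(hits):
    """Count correlated events per internal host, the view an analyst triages first."""
    counts = {}
    for hit in hits:
        src = hit["internal"]["src"]
        counts[src] = counts.get(src, 0) + 1
    return counts
```

With the default 15-minute window only the first event correlates (the same destination seen 92 minutes after the report does not); widening the window to two hours adds the second.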
53. CIP Full Spectrum Capabilities
SRA provides a tailored, scalable (from global to asset specific) framework for all-hazards infrastructure risk management.
[Figure: SRA Infrastructure Protection and Resilience Offerings, arranged across the phases Prevention, Preparedness, Response and Recovery. Labels recoverable from the diagram: Continuity of Operations / Government Planning; Interdependencies Analysis; Regional Resiliency Analysis; Coordination with State, Local, Tribal and Territorial Governments; Protective Measures Planning; Security Awareness; Vulnerability/Consequence Assessments; Threat Analysis; Pandemic Preparedness; Table Top and Functional Exercises; Surge and Incident Management Support; Fusion and Emergency Operations Centers Integration; Credentialing/Access Policy Analysis; Public/Private Partnership Creation and Coordination; Risk Assessment and Analysis; Policy Analysis; Communication, Training and Outreach; Metrics Development and Analysis; Information Sharing Environment Integration]
54. SRA SOC Maturity Model
[Figure: SRA SOC Maturity Model]
55. GangNET® Solutions
Watch List
- The user is notified when someone enters a new record that matches specific criteria they have already entered.
- The ability to share search information during an investigation can speed case resolution.
Simultaneous Search
- Networked database that supports full or partial text searches.
- Agencies can search their local GangNET system simultaneously with external networked GangNET systems through a single search command.
- The "matrix" search function allows users to query several data fields simultaneously and generate two- and three-dimensional charts based on the results.
GangNET® Mobile
- Designed and tested with input from seasoned investigators, GangNET® Mobile is optimized for use on a PDA or Blackberry.
- Systems with the Facial Recognition function can use the wireless device's built-in camera to take and save a photo, as well as search on a photo using the facial recognition feature.
56. What is One View Analyst?
One View Analyst is a comprehensive knowledge management system that gathers complex data to uncover vital knowledge.
"A software solution for intelligence and law enforcement agencies"
Developed for large-scale data collection and data mining, One View Analyst fully supports the five steps of the intelligence life cycle:
- Searching
- Collecting
- Organizing
- Analyzing
- Reporting
57. Analyst Benefits
- Gather and organize data quickly and easily from a web browser or from files on a network via drag and drop
- Store data in an easy-to-understand, customer-driven structure (Cabinets)
- Tailor new virtual environments on-the-fly
- Advanced indexing technology
- Boolean logic and concept search
  - Proximity, fuzzy, and stemming searches
- Matrix search technology
  - Process hundreds of searches simultaneously
- Prioritized search results by file
- Highlighted search results by word
- Create custom reports with the push of a button using XSL style sheets
- GIS: ESRI ArcView integration
  - Create GIS overlays from metadata stored in Cabinets
- Link Analysis: i2 Analyst's Notebook integration
  - Create link charts from metadata stored in Cabinets
[Figure: Collects and Analyzes; panels labelled Searching, Analysis, Reporting]
58. SRA Benefits to India
- Single-source systems integrator with cross-cutting expertise in law enforcement, homeland security, counter terrorism and cyber security
- Unparalleled expertise in building and implementing the most comprehensive public-private homeland security partnership for infrastructure protection
- Tailorable, scalable solutions for differing global markets
- Cutting-edge cyber security awareness and expertise
- Proven law enforcement information sharing solutions