3. Major Operating Locations
International: Melbourne; United States; Alaska; Armenia; Austria; Canada; Chile; China; Czech Republic; Denmark; Egypt; Estonia; Germany; Hungary; Ireland; Japan; Kazakhstan; Latvia; Malaysia; Mongolia; North Sea (Dutch); Norway; Netherlands; Scotland; Singapore; Slovakia; South Africa; Spain; Taiwan; Thailand; United Kingdom
Era Customers: Australia; Linz, Austria; Pardubice, Czech Republic; Paris, France; Cologne, Germany; Stuttgart, Germany; Oxford, UK
North America (SRA Operating Locations): Fairfax, VA (HQ); Arlington, VA; Alexandria, VA; Falls Church, VA; Frederick, MD; Reston, VA; McLean, VA; Vienna, VA; Rockville, MD; Washington, DC; Egg Harbor Township, NJ; Ft Monmouth, NJ; Mt Arlington, NJ; Shrewsbury, NJ; Albuquerque, NM; Las Vegas, NV; New York, NY; Cincinnati, OH; Dayton, OH; Hatboro, PA; Sierra Vista, AZ; Newport Beach, CA; Sacramento, CA; San Diego, CA; Colorado Springs, CO; Glastonbury, CT; Ft Walton Beach, FL; Atlanta, GA; Warner Robins, GA; Fairview Heights, IL; Indianapolis, IN; Louisville, KY; Boston, MA; Baltimore, MD; Columbia, MD; Frederick, MD; Landover, MD; Pax River, MD; St Louis, MI; Durham, NC; Research Triangle Park, NC; Providence, RI; Charleston, SC; Austin, TX; San Antonio, TX; Chesapeake, VA; Newport News, VA; Seattle, WA; Milwaukee, WI; Morgantown, WV
Europe
8. Significant Work. Extraordinary People. Inspiring Excellence. SRA. Who are we trying to catch? Nation States; Commercial Companies; Organized Crime Syndicates; Terrorist Organizations.
9. Evolution of the Cyber Threat
Cyber threats are becoming extremely sophisticated, but due to a lack of diligence by targeted organizations, adversaries are still successful using low-tech attacks.
The Internet was designed for information sharing and collaboration; security was a design consideration but wasn't considered relevant by the users.
Timeline (1966-2010):
1966 "Theory of Self-reproducing Automata", John von Neumann
1971 'Catch me if you can', DEC, first malware via network connection (ARPANET)
1974 'Wabbit', first self-replicating Denial of Service
1974 'Animal', first Trojan, UNIVAC
1981 'Elk Cloner', first large-scale virus, Apple II
1986 'Virdem', first to add code to .com executables to replicate themselves, Chaos Computer Club
1986 'Pakistani Flu', first IBM-compatible virus
1987 'Cascade', first self-encrypting virus
1988 'Morris worm', first to attack a buffer overflow vulnerability
1989 'Ghostball', first multi-part virus infection
1993 'Freddy Kruger', first virus delivered via BBS/shareware
1995 'Concept', first to use MS Word
1996 'Ply', polymorphic, built-in mutation engine
1999 'CIH', first to infect COTS, attacked BIOS
2000 'I Love You', first to infect via email, $10B loss, attacked Registry
2002 'Beast', MS Windows backdoor allowing remote access
2004 'Vundo', first to infect via pop-ups
2004 'Santy', first web worm using Google
2005 'Bandook', first to hijack PC, botnet
2006 'Nyxem', mass mailing used to disable security
2007 'Storm botnet', injection via video download
2008 'Rustock', first rootkit virus
2009 'Bohmini, Koobface, Conficker', Adobe, Facebook, & MS server
2010 'Stuxnet', PLC/SCADA control systems
10. Computer Networks - Our Achilles' Heel. The world depends on computer networks for national security (military and economic) and safety... and yet the networks are fundamentally flawed across all architectural layers. An Achilles' heel is a deadly weakness in spite of overall strength, one that can actually or potentially lead to downfall.
12. Defense in Depth. NAS Information System Security (ISS); Enterprise Architecture (EA).
19. APT Example - Step 0 (Source: SANS). Step 0: Attacker Places Content on Trusted Site. The attacker begins by placing content on a trusted third-party website, such as a social networking, blogging, photo sharing, or video sharing website, or any other web server that hosts content posted by public users. The attacker's content includes exploitation code for unpatched client-side software.
20. APT Example - Step 1 (Source: SANS). Step 1: Client-Side Exploitation. A user surfs the Internet from a Windows machine that is running an unpatched client-side program, such as a media player (e.g., iTunes), a document display program (e.g., Acrobat Reader), or an MS Office application (e.g., Word). Upon receiving the attacker's content from the site, the victim user's browser invokes the vulnerable client-side program, passing it the attacker's exploit code. This exploit code allows the attacker to install or execute programs of the attacker's choosing on the victim machine, using the privileges of the user who ran the browser. The attack is partially mitigated because this victim user does not have administrator credentials on this system. Still, the attacker can run programs with those limited user privileges.
21. APT Example - Step 2 (Source: SANS). Step 2: Establish Reverse Shell Backdoor Using HTTPS. The attacker's exploit code installs a reverse shell backdoor program on the victim machine. This program gives the attacker command shell access to the victim machine, communicating between this system and the attacker using outbound HTTPS access from victim to attacker. The backdoor traffic therefore appears to be regular encrypted outbound web traffic as far as the enterprise firewall and network are concerned.
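The defender's handle on Step 2 is not the encrypted payload but the timing: a backdoor that calls home on a timer produces outbound connections with far more regular spacing than a person browsing. The following is an added detection example, not code from the SRA deck or from SANS; it parses constructed proxy log lines (the format, hosts and addresses are invented for the example) and flags source/destination pairs whose inter-connection intervals have low jitter.

```python
"""Flag periodic outbound connections (beaconing) in a web proxy log."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original deck), one connection per line:
# ISO timestamp, source IP, destination host, bytes sent.
# The "update.example-cdn.net" entries land every ~60 s; the rest are browsing.
SAMPLE_LOG = """\
2010-05-03T09:00:00 10.1.2.15 update.example-cdn.net 412
2010-05-03T09:00:42 10.1.2.15 mail.example.org 9381
2010-05-03T09:01:00 10.1.2.15 update.example-cdn.net 410
2010-05-03T09:02:01 10.1.2.15 update.example-cdn.net 415
2010-05-03T09:02:13 10.1.2.15 news.example.com 22310
2010-05-03T09:03:00 10.1.2.15 update.example-cdn.net 409
2010-05-03T09:04:00 10.1.2.15 update.example-cdn.net 411
2010-05-03T09:04:55 10.1.2.15 mail.example.org 8120
2010-05-03T09:05:01 10.1.2.15 update.example-cdn.net 414
2010-05-03T09:06:00 10.1.2.15 update.example-cdn.net 408
2010-05-03T09:07:00 10.1.2.15 update.example-cdn.net 412
2010-05-03T09:11:30 10.1.2.15 mail.example.org 10021
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, src, dst) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def find_beacons(events, min_connections=5, max_jitter=0.2):
    """Return {(src, dst): mean_interval_seconds} for pairs with timer-like spacing.

    jitter is the coefficient of variation (population stdev / mean) of the
    inter-arrival intervals. Human browsing gives high jitter; a beacon on a
    fixed timer gives jitter near zero. Thresholds are assumptions to tune.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to say anything about regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[pair] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every ~{interval}s")
```

On the constructed log this reports the one pair calling out every ~60 seconds and ignores the mail and news traffic. In production, the same statistic over proxy or firewall logs is a cheap first-pass filter; beacons that add random sleep need a looser jitter threshold or a frequency-domain approach.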
22. APT Example - Step 3 (Source: SANS). Step 3: Dump Hashes and Use Pass-the-Hash Attack to Pivot. The attacker uses shell access on the initial victim system to load a local privilege escalation exploit program onto the victim machine. This program allows the attacker to jump from the limited-privilege user account to full system privileges on this machine. The attacker now dumps the password hashes for all accounts on this local machine, including a local administrator account on the system.
23. APT Example - Step 4 (Source: SANS). Step 4: Move Laterally and Escalate Permissions. Instead of cracking the local administrator password, the attacker uses a Windows pass-the-hash program to authenticate to another Windows machine on the enterprise internal network, a fully patched client system on which this same victim user has full administrative privileges. Using NTLMv1 or NTLMv2, Windows machines authenticate network access for the Server Message Block (SMB) protocol based on user hashes and not the passwords themselves, allowing the attacker to access the file system or run programs on the fully patched system with local administrator privileges. The attacker now dumps the password hashes for all local accounts on this fully patched Windows machine.
24. APT Example - Step 5 (Source: SANS). Step 5: Pass the Hash to Compromise Domain Controller. In Step 5, the attacker uses a password hash from a local account on the fully patched Windows client to access the domain controller system, again using a pass-the-hash attack to gain shell access on the domain controller. Because the password for the local administrator account is identical to the password for a domain administrator account, the password hashes for the two accounts are identical. Therefore, the attacker can access the domain controller with full domain administrator privileges, giving the attacker complete control over all other accounts and machines in that domain.
25. APT Example - Steps 6 & 7 (Source: SANS). Steps 6 and 7: Exfiltration. In Step 6, with full domain administrator privileges, the attacker now compromises a server machine that stores secrets for the organization. In Step 7, the attacker exfiltrates this sensitive information, consisting of over 200 Megabytes of data. The attacker pushes this data out to the Internet from the server, again using HTTPS to encrypt the information, minimizing the chance of it being detected.
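Steps 4 and 5 above work for two reasons that a defender can audit directly: the NT hash is an unsalted MD4 of the UTF-16LE password, so any two accounts with the same password have byte-identical hashes, and that shared local administrator password was reused across machines and a domain account. The following is an added example, not code from the SRA deck or from SANS: it implements the NT hash (pure-Python MD4 per RFC 1320, so it runs where OpenSSL has MD4 disabled) and uses it to find hosts whose local administrator accounts share a password. The hostnames, passwords and inventory are constructed for the example; a real audit would feed in hashes collected by an authorised password-audit tool rather than plaintext.

```python
"""NT hash computation and a shared-local-admin-password audit."""
import struct
from collections import defaultdict


def _md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Pure Python so it needs no OpenSSL legacy provider."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    # Padding: 0x80, zeros to 56 mod 64, then 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = [a, b, c, d]
        for f, const, order, shifts in rounds:
            for i in range(16):
                # Roles rotate each step: (a,b,c,d), (d,a,b,c), (c,d,a,b), (b,c,d,a)
                ia, ib, ic, id_ = (-i) % 4, (1 - i) % 4, (2 - i) % 4, (3 - i) % 4
                t = (v[ia] + f(v[ib], v[ic], v[id_]) + X[order[i]] + const) & 0xFFFFFFFF
                v[ia] = rotl(t, shifts[i % 4])
        a, b, c, d = ((s + t) & 0xFFFFFFFF for s, t in zip((a, b, c, d), v))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), hex. No salt: same password, same hash."""
    return _md4(password.encode("utf-16-le")).hex()


def shared_local_admin_hashes(inventory):
    """inventory: {hostname: NT hash hex of the local Administrator account}.

    Returns {hash: [hosts...]} for every hash present on more than one host;
    each such group is one password whose compromise on any member opens all.
    """
    by_hash = defaultdict(list)
    for host, h in inventory.items():
        by_hash[h.lower()].append(host)
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


# Constructed inventory (hostnames and passwords invented for this example).
# Three workstations were imaged with the same local admin password.
SAMPLE_INVENTORY = {
    "WKS-015": nt_hash("Winter2010!"),
    "WKS-016": nt_hash("Winter2010!"),
    "WKS-017": nt_hash("Winter2010!"),
    "SRV-FILE1": nt_hash("x9#Qr-unique-per-host-secret"),
}

if __name__ == "__main__":
    for h, hosts in shared_local_admin_hashes(SAMPLE_INVENTORY).items():
        print(f"hash {h} shared by: {', '.join(hosts)}")
```

The remediation the audit points to is a unique local administrator password per machine (e.g. a managed solution such as LAPS) and no password shared between any local account and a domain administrator account, which is exactly the precondition Step 5 relies on.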
53. CIP Full Spectrum Capabilities. SRA provides a tailored, scalable (from global to asset-specific) framework for all-hazards infrastructure risk management. Phases: Prevention; Preparedness; Response; Recovery. SRA Infrastructure Protection and Resilience Offerings: Continuity of Operations/Government Planning; Interdependencies Analysis; Regional Resiliency Analysis; Coordination with State, Local, Tribal and Territorial Governments; Protective Measures Planning; Security Awareness; Vulnerability/Consequence Assessments; Threat Analysis; Pandemic Preparedness; Table Top and Functional Exercises; Surge and Incident Management Support; Fusion and Emergency Operations Centers Integration; Credentialing/Access Policy Analysis; Public/Private Partnership Creation and Coordination; Risk Assessment and Analysis; Policy Analysis; Communication, Training and Outreach; Metrics Development and Analysis; Information Sharing Environment Integration.
56. What is One View Analyst? SOLUTIONS. One View Analyst is a comprehensive knowledge management system that gathers complex data to uncover vital knowledge. "A software solution for intelligence and law enforcement agencies." Developed for large-scale data collection and data mining, One View Analyst fully supports the five steps of the intelligence life cycle: Searching; Collecting; Organizing; Analyzing; Reporting. "SMARTER TOOLS"
Editor's Notes
Need the organizational analysis as well as the technical… group modeling, SRA strength
SRA Today (this was deleted from the top right and was covering the SRA logo).
Only a fraction of the types of attacks; the point is that the vulnerabilities are at every level, and the complexity of the computer architectures means there will always be new vulnerabilities to be discovered... if we continue to play defense only, we will be in a perpetual whack-a-mole environment.