SHARKSEER Zero Day Net Defense

SHARKSEER Program Definition: Detects and mitigates web-based malware, Zero-Day and Advanced Persistent Threats using COTS technology, by leveraging, dynamically producing and enhancing global threat knowledge to rapidly protect the networks.

SHARKSEER's GOALS

IAP Protection: Provide highly available and reliable automated sensing and mitigation capabilities to all 10 DOD IAPs. Commercial behavioral and heuristic analytics and threat data, enriched with NSA-unique knowledge through automated data analysis processes, form the basis for discovery and mitigation.

Cyber Situational Awareness and Data Sharing: Consume public malware threat data, enrich it with NSA-unique knowledge and processes, and share it with partners through automation systems, for example the SHARKSEER Global Threat Intelligence (GTI) and SPLUNK systems. The data will be shared in real time with stakeholders and network defenders on UNCLASSIFIED, U//FOUO, SECRET and TOP SECRET networks.

What Are We Looking For? CORRELATION of: Shell Code, File Obfuscation, IP Address, Port, Protocol, URL, File Mismatch, Code Injection, C2, Sleep Call, Session, SQL Injection

SHARKSEER Zero Day Net Defense

PROBLEM
o Current defenses rely heavily on signature-based tools
o Signatures are generated after the threat is identified
o DAT files are updated manually, taking weeks or months

Diagram labels: Adversaries attempt to send malicious content across the Internet; Inbound malicious traffic at the gateways; If/when an adversary penetrates a gateway(s), prevent outbound callbacks and/or exfiltration; Shared global threat data cross domains; Components: Host; SHARKSEER Operational Space

SOLUTION
o Automate signature updates
o Leverage behavior-based and cloud technologies

SHARKSEER Environment

Diagram labels: Unclassified; SECRET (Analysis Cell); Top Secret (Targeting, All Domains); Classified IAP; WP IA Router; DPI; Mitigation; WCF; UPE; Vendor 1 Sandbox; Vendor 2 Sandbox; Data Plane (Unclass); Load Balanced Traffic; Uncontrolled Commercial Infrastructure. Time scales shown: netspeed; milliseconds; seconds - minutes.
Diagram labels (continued): Enterprise GTI; Sensor Storage; SIEM; TCSO; C2; Controlled Unclassified Infrastructure; Analysis Management; Deep Packet Inspection; Rule Enforcement; Automated Analysis; Automated Triage; 24/7 Ops Center; Tear-Line Reporting

Tear-Line Reporting

Unique IP, PII, Attribution? Yes: Deep Dive / Full Content Response. Tech Indicators: Knowledge Repositories; Redacted Content; STIX; Mitigation. Abstracted yet actionable data for sharing.

Diagram labels: Network, Mail, Host Event; Event Response Team; SME Technical Data Response; Collaborate; Activity; Adversary TTPs; Indicator Response; Human-Machine Ontology Translation Tool (Proposed)

Real Time Defense Indicators by tier (the slide's sample values; the arrow labels Anonymize, Redact and Sanitize appear between the columns):

USG Unclass Real Time Defense Indicators: Src IP 1.1.1.1 (Anonymize); URL evil.com; TTP Phishing ID 314; email subject; OS Windows 7/8; HASH d131dd02c5e6eec4; RegKey HKEY_CLASSES_ROOT; SNORT alert tcp any; INDICATOR %appdata%\My Docs

SECRET Real Time Defense Indicators: Src IP 1.1.1.1; dest IP 1.2.3.4; URL evil.com; TTP Phishing ID 314; INCIDENT 195730; CCMD CNO Response Actions (Redact); email subject; OS Windows 7/8; HASH d131dd02c5e6eec4; RegKey HKEY_CLASSES_ROOT; SNORT alert tcp any; INDICATOR %appdata%\My Docs; ACTOR GOLDSTAR (Sanitize)

Next tier: Src IP 1.1.1.1; dest IP 1.2.3.4; URL evil.com; TTP Phishing ID 314; INCIDENT 195730; CAMPAIGN SHARKATTACK; email subject; OS Windows 7/8; HASH d131dd02c5e6eec4; RegKey HKEY_CLASSES_ROOT; SNORT alert tcp any; INDICATOR %appdata%\My Docs

TS Strategic Nation State Intelligence: ACTOR 4125; SOURCE INTEL; Src IP 1.1.1.1; dest IP 1.2.3.4; URL evil.com; TTP Phishing ID 314; INCIDENT 195730; CAMPAIGN SHARKATTACK; email subject; OS Windows 7/8; HASH d131dd02c5e6eec4; RegKey HKEY_CLASSES_ROOT; SNORT alert tcp any; INDICATOR %appdata%\My Docs

Automated Community Cyber Analysis Environment

Inputs: Commercial; NSA Cyber Knowledge; Intel; PARTNER. Flow: Alerts; Machine Readable Data; Reports; Event Team; Cyber SA; Mitigation; Remediation; Discovery; Authoring; Sharing; Dissemination

SHARKSEER Sandbox Environment

Top Secret: Level 2/3 User Access Code Submission; Trusted Guard Solution; Top Secret Cyber Analyst; Boundary; Cyber Defense Command and Control; GIG-Earth
Top Secret (continued): Top Secret Analysis Environment; Sandboxing Environment

Secret: Level 2/3 User Access Code Submission; Secret Cyber Analyst; METAWORKS; GIG-Earth

Unclassified: Level 2/3 User Access Code Submission; Unclassified Cyber Analyst; GIG-Earth; Unclassified Boundary; Cyber Analyst; Automated Grey/Black Traffic Submission; Reports; Trusted Guard Solution; Manual and/or Automated Manipulation, Detonation and Analysis; MALWORKS; Machine Readable Data

Stakeholders and Partnerships: Enhanced Shared Situational Awareness (ESSA); Federal CIO; COCOMs; Intel Community; Comprehensive National Cybersecurity Initiative (CNCI)

Power Of Partnership

McAfee and Symantec -- the nation's two biggest cybersecurity firms -- agreed to join a Cyber Threat Alliance founded in May by Fortinet and Palo Alto Networks. The goal of the new consortium, quoting a white paper it issued, is to "disperse threat intelligence on advanced adversaries across all member organizations to raise the overall situational awareness in order to better protect their organizations and their customers."

Shared Threat Data
o STIX - Structured Threat Information eXpression
o MAEC - Malware Attribute Enumeration and Characterization
o TAXII - Trusted Automated eXchange of Indicator Information

SHARKSEER Cyber Environment

Unclassified: Tipping; GTI; PDTI; Norse; CADS; Sandboxing; Trusted Guard Solution (U); ATO; GIG-Earth; DISA
Secret: METAWORKS; Tipping; Trusted Guard Solution (S); ATO; GIG-Earth; DISA
Top Secret: MALWORKS; GOV; Trusted Guard Solution (TS); ATO; GIG-Earth; NTOC
Enhanced Shared Situational Awareness (ESSA)

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C. 20037. Phone: 202/994-7000. Fax: 202/994-7005. nsarchiv@gwu.edu
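The tier columns in the Tear-Line Reporting slide (TS Strategic, SECRET, USG Unclass, with Anonymize, Redact and Sanitize between them) amount to projecting one indicator record into views that each audience may receive. The Python below is an added example of that projection; it is not SHARKSEER code and the briefing does not spell out the policy. The per-tier allowlists, the cover name GOLDSTAR standing in for actor 4125, a keyed HMAC pseudonym as the meaning of "Anonymize", and the free-text scrub are all assumptions; the sample record reuses the slide's sample values and marks the filler it adds as constructed. The point it adds beyond the slide is the last step: a withheld value can survive inside a field that is allowed (here a constructed Snort rule naming the destination IP), so a field-level allowlist alone is not a safe tear-line.

```python
"""Tear-line projection of one indicator record across classification tiers.
Added example; tier policy, cover names and key are assumptions, not the
program's actual rules."""
import hashlib
import hmac
import ipaddress

# Constructed record modelled on the slide's TS-level column. Subject line,
# response-action text and the Snort rule body are constructed filler.
TS_RECORD = {
    "src_ip": "1.1.1.1",
    "dest_ip": "1.2.3.4",
    "url": "evil.com",
    "ttp": "Phishing ID 314",
    "incident": "195730",
    "campaign": "SHARKATTACK",
    "actor": "4125",                   # true actor identifier, TS only
    "source": "INTEL",                 # sourcing statement, TS only
    "response_actions": "CCMD CNO response actions (constructed)",
    "email_subject": "Invoice attached (constructed)",
    "os": "Windows 7/8",
    "hash": "d131dd02c5e6eec4",
    "regkey": "HKEY_CLASSES_ROOT",
    # constructed rule that embeds the destination IP in free text
    "snort": 'alert tcp any any -> 1.2.3.4 any (msg:"constructed"; sid:1;)',
    "indicator": r"%appdata%\My Docs",
}

# Assumed cover-name table: the slide shows ACTOR 4125 at TS, GOLDSTAR at SECRET.
COVER_NAMES = {"4125": "GOLDSTAR"}

# Per-tier allowlists (assumed from the slide's columns). Fail closed: a field
# not listed for a tier is never emitted at that tier.
ALLOW = {
    "TS": frozenset(TS_RECORD),
    "S": frozenset(TS_RECORD) - {"source"},
    "U": frozenset({"src_ip", "url", "ttp", "email_subject", "os",
                    "hash", "regkey", "snort", "indicator"}),
}


def anonymize_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym: equal addresses give equal tokens, so recipients can
    correlate repeat hits, but the address is not recoverable without the key.
    ip_address() also rejects malformed input instead of hashing garbage."""
    packed = ipaddress.ip_address(ip).packed
    return "anon-" + hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]


def withheld_values(record: dict, tier: str) -> set:
    """Raw values that must not appear anywhere in this tier's view."""
    values = {str(record[f]) for f in record if f not in ALLOW[tier]}
    if tier == "U":
        values.add(record["src_ip"])   # only the pseudonym may appear
    if tier in ("U", "S"):
        values.add(record["actor"])    # cover name or nothing below TS
    return values


def project(record: dict, tier: str) -> dict:
    """Naive allowlist projection: keeps whole fields, ignores their content."""
    return {f: record[f] for f in record if f in ALLOW[tier]}


def spills(view: dict, record: dict, tier: str) -> list:
    """Sorted (field, value) pairs where a withheld raw value survives in a view."""
    secrets = withheld_values(record, tier)
    return sorted((field, s) for field, value in view.items()
                  for s in secrets if s and s in str(value))


def tear_line(record: dict, tier: str, key: bytes) -> dict:
    """Full tear-line: allowlist, then field transforms, then free-text scrub."""
    if tier not in ALLOW:
        raise ValueError(f"unknown tier {tier!r}")
    view = project(record, tier)
    if tier == "U":
        view["src_ip"] = anonymize_ip(record["src_ip"], key)
    if tier == "S":
        view["actor"] = COVER_NAMES.get(record["actor"], "[SANITIZED]")
        view["response_actions"] = "[REDACTED]"
    # Withheld values can hide inside allowed free text, so scrub every string.
    secrets = withheld_values(record, tier)
    for field, value in list(view.items()):
        if isinstance(value, str):
            for s in secrets:
                if s:
                    value = value.replace(s, "[REDACTED]")
            view[field] = value
    return view


if __name__ == "__main__":
    key = b"constructed-example-key"
    for tier in ("TS", "S", "U"):
        view = tear_line(TS_RECORD, tier, key)
        print(tier, view, "spills:", spills(view, TS_RECORD, tier))
```

Running `spills()` over the naive `project()` output for the Unclass tier reports the raw source IP and the destination IP embedded in the Snort rule; the same check over `tear_line()` output is empty for every tier, which is the property a release guard should enforce before anything crosses a domain boundary.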