
SHARKSEER
Zero Day Net Defense
Ronald Nielson, Technical Director, SHARKSEER

Program Definition: Detects and mitigates web-based malware Zero-Day and Advanced Persistent Threats using COTS technology by leveraging, dynamically producing, and enhancing global threat knowledge to rapidly protect the networks.
SHARKSEER's GOALS

IAP Protection: Provide highly available and reliable automated sensing and mitigation capabilities to all 10 DOD IAPs. Commercial behavioral and heuristic analytics and threat data enriched with NSA unique knowledge, through automated data analysis processes, form the basis for discovery and mitigation.

Cyber Situational Awareness and Data Sharing: Consume public malware threat data, enrich with NSA unique knowledge and processes. Share with partners through automation systems, for example the SHARKSEER Global Threat Intelligence (GTI) and SPLUNK systems. The data will be shared in real time with stakeholders and network defenders on UNCLASSIFIED, U//FOUO, SECRET, and TOP SECRET networks.
What Are We Looking For?

[Diagram: CORRELATION at the center, surrounded by the indicator types it ties together: Shell Code, File Obfuscation, IP Address, Port/Protocol, URL, File Mismatch, C2, Code Injection, Session, Sleep Call, SQL Injection]
SHARKSEER Zero Day Net Defense

PROBLEM
Current defenses rely heavily on signature-based tools
Signatures are generated after threat is identified
DAT files are updated manually taking weeks or months

[Diagram: SHARKSEER Operational Space. Adversaries attempt to send malicious content across the Internet, targeting all shared domains; inbound malicious traffic at the gateways, components, host. If/when an adversary penetrates a gateway(s), prevent outbound callbacks and/or exfiltration. Global threat data cross domains.]

SOLUTION
Automate signature updates
Leverage behavior-based and cloud technologies

[Diagram: SHARKSEER Environment spanning Unclassified, SECRET and Top Secret, with an Analysis Cell]

[Diagram: SHARKSEER Environment. Timescale from left to right: netspeed, milliseconds, seconds, minutes. Uncontrolled Commercial Infrastructure: Vendor 1 Sandbox, Vendor 2 Sandbox, WP, GTI. Load Balanced Traffic from the IAP into the Data Plane: IA Sensor, DPI/Mitigation, Router, WCF, Storage, UPE, SIEM. Controlled Unclassified Infrastructure: TCSO, C2, Analysis, Management. Enterprise: Unclass and Classified. Functions: Deep Packet Inspection Rule Enforcement, Automated Analysis, Automated Triage, 24/7 Ops Center.]

Tear-Line Reporting (Machine to Human):
- Unique IP, PII Attribution = Yes; Deep Dive, Full Content Response; Event; Event Response
- Tech Indicators, Knowledge; Mitigation; SME Technical Data
- STIX Repositories, Redacted Content; Team Response
- Abstracted, yet actionable data for sharing (Network, Mail, Host); Activity/Adversary TTPs; Collaborate & Indicator Response
Ontology (Translation Tool), Proposed

[Table: the same indicator record as released at each tier. The labels Anonymize, Redact and Sanitize appear next to the fields they apply to.]

USG Unclass, Real Time Defense Indicators:
<Src IP> 1.1.1.1 (Anonymize)
<dest IP> 1.2.3.4 (Sanitize)
<URL> evil.com
<TTP> PhishingID314
<INCIDENT> 195730
<email> subject
<OS> Windows 7, 8
<HASH> d131dd02c5e6eec4
<RegKey> HKEY_CLASSES_ROOT
<SNORT> alert tcp any >
<INDICATOR> %appdata% My Docs

SECRET, Real Time Defense Indicators:
<Src IP> 1.1.1.1 (Redact)
<URL> evil.com
<TTP> PhishingID314
<email> subject
<OS> Windows 7, 8
<HASH> d131dd02c5e6eec4
<RegKey> HKEY_CLASSES_ROOT
<SNORT> alert tcp any >
<INDICATOR> %appdata% My Docs

TS, CCMD CNO Response Actions:
<ACTOR> GOLDSTAR
<Src IP> 1.1.1.1
<dest IP> 1.2.3.4
<URL> evil.com
<TTP> PhishingID314
<INCIDENT> 195730
<CAMPAIGN> SHARKATTACK
<email> subject
<OS> Windows 7, 8
<HASH> d131dd02c5e6eec4
<RegKey> HKEY_CLASSES_ROOT
<SNORT> alert tcp any >
<INDICATOR> %appdata% My Docs

Strategic Nation State Intelligence:
<ACTOR> 4125
<SOURCE> INTEL
<Src IP> 1.1.1.1
<dest IP> 1.2.3.4
<URL> evil.com
<TTP> PhishingID314
<INCIDENT> 195730
<CAMPAIGN> SHARKATTACK
<email> subject
<OS> Windows 7, 8
<HASH> d131dd02c5e6eec4
<RegKey> HKEY_CLASSES_ROOT
<SNORT> alert tcp any >
<INDICATOR> %appdata% My Docs
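The ontology slide above sketches a translation step that produces a differently scrubbed copy of the same indicator record for each releasability tier. The Python below is added here as an illustration and is not code from the SHARKSEER program. It implements one reading of the scheme: every field is tagged with the lowest tier that may see it, fields above a recipient's tier are dropped (the slide's Redact), and at the Unclassified tier the source IP is replaced by a keyed pseudonym (Anonymize) while the destination IP is generalized to its /24 (Sanitize). The tier assignments, the transforms and the sample record are assumptions built from the slide's example values.

```python
# Added illustration (not SHARKSEER code): build per-tier "tear-line" copies of
# one indicator record as sketched in the Ontology (Translation Tool) slide.
# Tag names follow the slide; the tier assignments, the transforms and the
# sample record are assumptions made for this example.
import hashlib
import hmac
import ipaddress

# Tiers ordered from least to most sensitive.
TIERS = ["UNCLASS", "SECRET", "TS"]

# Lowest tier at which a field may be released at all (assumed from the slide:
# ACTOR, SOURCE and CAMPAIGN only appear in the TS columns).
FIELD_MIN_TIER = {
    "Src IP": "UNCLASS", "dest IP": "UNCLASS", "URL": "UNCLASS",
    "TTP": "UNCLASS", "INCIDENT": "UNCLASS", "email": "UNCLASS",
    "OS": "UNCLASS", "HASH": "UNCLASS", "RegKey": "UNCLASS",
    "SNORT": "UNCLASS", "INDICATOR": "UNCLASS",
    "ACTOR": "TS", "SOURCE": "TS", "CAMPAIGN": "TS",
}


def anonymize_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym for an address: the same IP maps to the same token in
    every report (so recipients can still correlate), but the real address
    cannot be recovered without the key."""
    token = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]
    return f"anon-{token}"


def sanitize_ip(ip: str) -> str:
    """Generalize an address to its /24 so the network context survives but
    the individual host does not."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


# Transforms applied to fields that are released at a given tier (assumed
# reading of the slide's Anonymize / Sanitize labels on the Unclass column).
TRANSFORMS = {
    "UNCLASS": {
        "Src IP": lambda value, key: anonymize_ip(value, key),
        "dest IP": lambda value, key: sanitize_ip(value),
    },
    "SECRET": {},
    "TS": {},
}


def tearline(record: dict, tier: str, key: bytes = b"") -> dict:
    """Return the copy of `record` releasable at `tier`: fields above the
    tier are dropped (redacted), the rest pass through the tier's transforms."""
    rank = TIERS.index(tier)
    shared = {}
    for field, value in record.items():
        if TIERS.index(FIELD_MIN_TIER[field]) > rank:
            continue  # not releasable at this tier
        transform = TRANSFORMS[tier].get(field)
        shared[field] = transform(value, key) if transform else value
    return shared


def views_are_monotone(record: dict, key: bytes = b"") -> bool:
    """Sanity check for a release policy: a lower tier must never carry a
    field that a higher tier withholds."""
    fields = [set(tearline(record, t, key)) for t in TIERS]
    return all(fields[i] <= fields[i + 1] for i in range(len(fields) - 1))


# Constructed sample record using the slide's example values.
SAMPLE_RECORD = {
    "ACTOR": "GOLDSTAR", "SOURCE": "INTEL", "CAMPAIGN": "SHARKATTACK",
    "Src IP": "1.1.1.1", "dest IP": "1.2.3.4", "URL": "evil.com",
    "TTP": "PhishingID314", "INCIDENT": "195730", "email": "subject",
    "OS": "Windows 7, 8", "HASH": "d131dd02c5e6eec4",
    "RegKey": "HKEY_CLASSES_ROOT", "SNORT": "alert tcp any >",
    "INDICATOR": "%appdata% My Docs",
}

if __name__ == "__main__":
    for tier in TIERS:
        print(tier, tearline(SAMPLE_RECORD, tier, key=b"example-key"))
```

The keyed pseudonym is the point worth noticing: a plain hash of the address would let any recipient brute-force the IPv4 space and recover it, whereas an HMAC under a key held by the releasing side keeps the token stable for correlation without making it reversible. The monotonicity check catches the policy mistake of tagging a field as releasable at a low tier while withholding it higher up.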
Establishing Cyber SA
SHARKSEER Sandbox Environment

[Diagram: three boundaries (Top Secret, Secret, Unclassified), each with a Cyber Analyst on GIG-Earth and Level 2/3 User Access/Code Submission, connected through Trusted Guard Solutions. Top Secret: Boundary Cyber Defense, Command and Control, Analysis Environment, Sandboxing Environment. Secret: METAWORKS, MALWORKS, Machine Readable Reports, Secret Data. Unclassified: Manual and/or Automated Manipulation, Detonation, and Analysis; Automated Grey/Black Traffic Submission.]
Stakeholders & Partnerships

[Diagram: Enhanced Shared Situational Awareness (ESSA), Comprehensive National Cybersecurity Initiative (CNCI), Federal CIO, COCOMs, Intel Community]
Power Of Partnership

McAfee and Symantec, the nation's two biggest cybersecurity firms, agreed to join a Cyber Threat Alliance founded in May by Fortinet and Palo Alto Networks. The goal of the new consortium, quoting a white paper it issued, is "to disperse threat intelligence on advanced adversaries across all member organizations to raise the overall situational awareness in order to better protect their organizations and their customers."

Shared Threat Data

STIX - Structured Threat Information eXpression
MAEC - Malware Attribute Enumeration and Characterization
TAXII - Trusted Automated eXchange of Indicator Information
SHARKSEER Cyber Environment

[Diagram: Unclassified, Secret and Top Secret environments (DISA, DISA, NTOC), each with GigEarth and an ATO, joined by Trusted Guard Solutions (U to S, S to TS) for Unclassified Tipping and Secret Tipping to Top Secret. Feeds and tools shown: METAWORKS, MALWORKS, PDTI, GTI, GOV, Norse, CADS, Sandboxing.]

Enhanced Shared Situational Awareness (ESSA)
