TECHNICAL WHITE PAPER FEATURING INTEGRATED "SHORTSTOP" REFERENCE ARCHITECTURE

Integrated Active Cyber Defense

MAY 2015


Copyright © 2015 Hexis Cyber Solutions, Inc. All rights reserved. Hexis Cyber Solutions, HawkEye and NetBeat are protected by U.S. and international copyright and intellectual property laws and are registered trademarks or trademarks of Hexis Cyber Solutions Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Hexis Cyber Solutions is a wholly-owned subsidiary of The KEYW Corporation.

Table of Contents

Executive Summary

Multi-staged Cyber Attacks Require Multi-staged Cyber Defense

    SHORTSTOP Reference Architecture

    SHORTSTOP Architecture Deployed

Benefits of ACD Integration

SHORTSTOP Deployed System

SHORTSTOP Components

    HawkEye G

    Palo Alto Networks

    FireEye

    General Dynamics Mission Systems

    Splunk

    KEYW

Conclusion

KEYW Corporation | 7740 Milestone Parkway, Suite 150 | Hanover, MD 21076 | [email protected] | 443.733.1600
Hexis Cyber Solutions | 7740 Milestone Parkway, Suite 400 | Hanover, MD 21076 | [email protected] | 443.733.1900

EXECUTIVE SUMMARY

This white paper has been prepared by Hexis Cyber Solutions and KEYW Corporation to outline the critical cyber security issues impacting our nation. Hexis Cyber Solutions and KEYW have been selected by key members of the United States Intelligence Community as part of an integrated Active Cyber Defense (ACD) solution protecting federal agencies' networks against nation-state adversaries. As a core component, HawkEye G provides the only automated advanced threat removal capability available today. The ACD solution, referred to by the name SHORTSTOP, is provided as a turn-key system or as a reference design to federal agencies seeking best-in-class cyber defense. SHORTSTOP facilitates a convergence of commercial security technologies including HawkEye G and products from Palo Alto Networks, FireEye, General Dynamics Mission Systems, and Splunk.

First, we'll start with an assessment of the current cyber threat landscape as reported in the Verizon Data Breach Investigations Report (DBIR):

"Take a deep, calming breath before diving into this last one; it may result in mental or even bodily harm. In Figure 1, we're contrasting how long it takes the attacker to compromise an asset with how long it takes the defender to discover this. We chose to peg this on 'days' to keep things simple and stark (one might also add 'sad' to that alliteration).

• Ignore the behavior of the lines for a minute and focus on the wide gap between percentages for the two phases. It smacks us with the fact that the bad guys seldom need days to get their job done, while the good guys rarely manage to get theirs done in a month of Sundays.

• The trend lines follow that initial smack with a roundhouse kick to the head. They plainly show that attackers are getting better/faster at what they do at a higher rate than defenders are improving their trade. This doesn't scale well, people.

• We thought about superimposing 'total spending on network monitoring,' 'number of security products on the market,' and 'number of Certified Information Systems Security Professionals (CISSPs) in the workplace,' but we were concerned it would result in much self-inflicted harm within the security community. And we'd much rather you guys and gals stick around and help us fix this."

Figure 1. Verizon 2014 DBIR attack vs. recovery time disparity: percentage of breaches where time to compromise (orange) / time to discovery (green) was days or less, by year, 2004 to 2013. (2014 Verizon DBIR)

This is what the 2014 Verizon DBIR continues to report regarding the lopsided battle-space between malicious actors/activities and effective response to those attacks. We still have a huge deficit between threat exploitation speed and detection, confirmation, and removal speed.

It is not that we haven't been trying to improve this for some time. Research and development of technology for detection and prevention has been around for more than four decades.

The History and Evolution of Intrusion Detection

Figure 2. History of IDS, SANS Institute Infosec Reading Room

1972: James P. Anderson outlined the fact that the USAF had "become increasingly aware of computer problems."

1980: Anderson study/outline on intrusion detection called "How to use accounting audit files to detect unauthorized access."

1984-86: Dorothy Denning and Peter Neumann researched and developed the first model of a real-time IDS.

1980s-90s: US Gov't funded the majority of IDS research, developing projects like Discovery, Haystack, Multics Intrusion Detection and Alerting System (MIDAS) and Network Audit Director and Intrusion Reporter (NADIR).

So what's happened? Have all of our efforts been in vain? Are the adversaries that much more advanced? The question is not one of "effort and expertise"; it's the sheer challenge of what is being defended versus what's being attacked. The adversary need only find one vulnerable piece of code, one vulnerable user, one unpatched system, and they can start their campaign. Compare that to the number of systems that network defenders need to defend.

Figure 3 - Number of Devices in The Internet of Everything, in billions of devices, 2013 to 2019 (2015-2019 projected), broken down by Internet of Things, connected cars, wearables, connected smart TVs, tablets, smartphones, and personal computers; five-year CAGR 35% (2014-2019). Source: Business Insider's John Greenough, THE INTERNET OF EVERYTHING: 2015, BI Intelligence estimates.

Bottom line, as the wave of connected devices and users increases, the vulnerabilities will continue to grow, and the adversary only needs to locate one chink in our enterprise armor. To address this rapid expansion of the cyber battle-space, enterprises are turning to big data analytics to detect attacks against these systems, but the volume of reporting and the false positive rates on indicators of compromise (IOCs) are daunting to analyze. Luckily, major corporations and government entities have highly skilled professionals to review, validate, and respond to these threats, right? While there are certainly highly skilled computer network defenders (CNDs) operating in high profile corporations and government enterprises, the vast cyber terrain is still unmanageable by CNDs alone. This is like deploying a few highly trained ninjas to defend a city whose walls are riddled with unknown vulnerabilities against several thousand trained and armed militants trying every entry to get in. The odds just aren't in their favor.

However, if we can leverage big data combined with automated correlation, validation, and action to detect and react to IOCs against our city (enterprises), then we can focus those CND ninjas on the highly skilled attackers and our cyber key terrain, and provide them verified and validated threat information to take those attackers on.

MULTI-STAGED CYBER ATTACKS REQUIRE MULTI-STAGED CYBER DEFENSE

Today’s Advanced Persistent Threats (APTs) execute sophisticated, multi-phased attacks across multiple entry and exit points within the enterprise. Any formidable defense solution must address the APT at all of its potential entry, execution, and exfiltration points. The most advanced point solutions only cover a single portion of the threat landscape. An advanced, sophisticated, multi-phased defense solution is required.

The U.S. Intelligence Community is developing an integrated Active Cyber Defense (ACD) framework for protecting federal agencies' networks against nation-state adversaries. One instantiation of this ACD framework, referred to by the name SHORTSTOP, facilitates a convergence of commercial security technologies that detect threats at the perimeter, on internal/external networks, and at the endpoint, and coordinates those detections through a central management and threat aggregation layer.

Figure 4 - SHORTSTOP Reference Architecture. Components shown: Internet; next-gen firewall at the perimeter; network sensors; sandbox; classified rules/network sensor; endpoint sensing/remediation across GEOs, branches, domains and the enterprise; central management and aggregation (tools, dashboards, automated decision making and remediation); CND Ops (low domain) operators and analysts; Hunt & Analysis (high domain).

SHORTSTOP architecture layers:

• Perimeter: An advanced next generation firewall (NGFW) with application awareness and deep packet inspection gives enterprises more control over applications while also detecting and blocking malicious threats. Also at the perimeter is a solution that ingests custom threat feeds, protects them at the highest security levels, and reports threat alerts back to a security operations center (SOC).


• Network: An advanced network defense solution that provides traffic analysis and manipulation, sand-box detection technologies, and exfiltration blocking.

• Endpoint: An Endpoint Remediation Device enables detection of IOCs through heuristics, provides automated or machine-guided removal of threats, and controls the countermeasures employed against the threat, as well as the level of automation, through organizational policy and Cybercon level configuration.

• Command/Control/Orchestration/Integration: An intelligent threat coordination and product integration layer enables modularity of components as ACD technology advances, eliminating the "solution creep" of continually adding stove-piped point solutions.

KEYW Corporation and Hexis Cyber Solutions, in collaboration with the US Intelligence Community and industry leading cyber defense providers Palo Alto Networks, FireEye, Splunk, and General Dynamics Mission Systems, are implementing a low cost deployment of the SHORTSTOP architecture that provides automated sensing, sense-making, decision-making and actions against threats at the perimeter, network, and endpoint layers.

Figure 5 - SHORTSTOP Deployed Solution. Components shown: HawkEye G network sensors behind the Internet-facing perimeter; TACLANE units running Trusted Sensor Software and carrying the countermeasures threat feed; HawkEye G host sensor (endpoint sensing/remediation) across GEOs, branches, domains and the enterprise; HawkEye G Manager with Policy Manager and ThreatSync (PAN & FireEye); Splunk as central management and aggregation (tools, dashboards, automated decision making and remediation); CND Ops (low domain) operators and analysts; Hunt & Analysis (high domain).

Benefits of ACD Integration

Verify Host Infections: Alerts from Palo Alto Networks, TACLANE Trusted Sensor Software, and FireEye indicate that a potential threat has breached an organization's perimeter. However, due to a lack of visibility on hosts, these solutions cannot verify whether actual host infections have occurred or to what degree. Through real-time monitoring of activity on the endpoint and ThreatSync, a threat fusion and analytics framework, HawkEye G can verify whether alerts from the network detection components represent actual host infections and help determine the scope of infection. This enables organizations to better prioritize alerts and plan the appropriate response.

Automated Threat Removal: While detecting and verifying host infections are significant benefits, even more important is the ability to respond to verified threats by leveraging HawkEye G's automated threat removal capabilities to stop executing malware, prevent its persistence, and block it from any future execution attempts. HawkEye G offers a full arsenal of automated countermeasures, such as kill process, quarantine file, remove persistent malware from the execution path, and expire credentials. These countermeasures can be deployed in machine-guided and/or fully automated mode, based on policy defined by the user. Policy-driven actions enable CNDs to apply "right size" countermeasures to varying cyber key terrain, with the ability to quickly ratchet up the defensive posture in any threat environment.

Improved Visibility with Endpoint Detection and Response: HawkEye G adds market-leading real-time endpoint detection and response capabilities to the SHORTSTOP network sensing solutions from Palo Alto Networks and FireEye. HawkEye G's host detection uses real-time eventing to capture all relevant system changes as they occur, and detects zero-day attacks and unknown malware without signatures, through behavioral and anomaly analytics applied to static files at rest as well as running processes, loaded modules, and threads.

Increased Detection Effectiveness and False Positive Reduction: Consuming Palo Alto Networks' network indicators and FireEye's sandbox malware object alerts directly into the SHORTSTOP integration framework (HawkEye G's ThreatSync plus Splunk's data and action integration) allows threat indicators from multiple sources to be corroborated directly against host indicators of what is actually present and executing on the endpoint. The result is increased detection effectiveness and fewer false positive alerts from network devices.


SHORTSTOP Deployed System

At the perimeter layer, a Palo Alto Networks Next Generation Firewall and the General Dynamics Mission Systems TACLANE Trusted Sensor Software enable Secure Sockets Layer (SSL) interception (Palo Alto Networks) and examination and manipulation of that traffic against classified rule sets (General Dynamics Mission Systems). SSL interception means the firewall terminates and re-originates the encrypted sessions it inspects, so enterprise endpoints must trust the firewall's forward-trust CA certificate for this to work without breaking legitimate traffic. At the network layer, FireEye appliances coupled with the HawkEye G network sensor pinpoint attack vectors and targets, allowing real-time automated action on packets in transit. At the host layer, the HawkEye G real-time endpoint agent detects and remediates previously undetectable attacks through heuristic analysis of changes to the host, including anomalous kernel-level events. Integration of these activities (data discovery/integration) is achieved through a Splunk layer and HawkEye G, which together provide a customizable command and control interface.

The integration of these solutions enables a true “Defense-in-Breadth” that provides cyber situational awareness across the enterprise with the ability to automate defensive actions on the endpoint, network, and perimeter. The perimeter, network, and endpoint sensors all see threats wherever they enter, exit, and exist across the enterprise and coordinate the IOCs to take automated action against threats. The integration system also provides a complete view of endpoint and network activity up to the integration layer that enables advanced hunting and detection of subtle indications of a more advanced actor as it attempts to evade detection during exploitation.

The SHORTSTOP architecture allows enterprise security operations to leverage their existing cyber defense investments and improve the actions that can be taken on those sensors' alerts. Through integration with Splunk and HawkEye G 3.0 threat fusion and threat analytics, the IOCs from the existing cyber defense solutions are verified and validated within the enterprise, reducing false positives and making resources more efficient by enabling organizations to:

• Confirm true host infections using HawkEye G’s real-time endpoint host sensor security posture plus Palo Alto Networks, General Dynamics Mission Systems and FireEye perimeter/network threat alerts and malware detection.

• Increase detection effectiveness and reduce false positives through the corroboration of HawkEye G threat indicators with threat indicators from Palo Alto Networks and FireEye.

• Leverage HawkEye G’s automated response capabilities to more rapidly and efficiently contain and remove threats at machine speeds.

• Leverage Splunk’s coordination capabilities to automatically employ defensive actions at the perimeter, network, and endpoint devices in the architecture.

• Gain improved visibility through a unified solution architecture by combining HawkEye G’s next generation endpoint detection and response capabilities, including the ability to correlate across endpoints, with Palo Alto and FireEye’s network alerts.

• Provide additional analytic and hunting capabilities by leveraging Splunk to collect, synthesize, and enrich all threat indicators from HawkEye G, Palo Alto Networks, and FireEye.


SHORTSTOP Components

HawkEye G®

HawkEye G is an active-defense technology that detects, engages, and removes cyber threats from a network before they can compromise intellectual property or disrupt processes. HawkEye G brings speed, automation, and accuracy to threat response through a unique understanding of malicious tradecraft.

ThreatSync represents a threat fusion and threat analytics capability, plus a flexible and extensible framework that supports third-party integration. As a capability, ThreatSync improves detection effectiveness, validates alerts, reduces false positives, and enables alert prioritization. ThreatSync provides organizations with the confidence necessary to leverage automated threat removal capabilities or simplify and accelerate manual investigation and response workflows.

HawkEye G's ThreatSync module consumes and fuses real-time endpoint and network detection indicators, plus available third-party indicators from solutions like Palo Alto Networks, FireEye and others, into a unified scoring model. ThreatSync measures the effectiveness of an external threat actor in achieving their "objectives on target", raising the threat score as objectives are achieved: has the threat actor successfully exploited a targeted machine; were they able to land malware, set up persistence points, download second-stage toolkits, communicate with command and control servers, set up evasion techniques, and start to move laterally to high-value assets for the purpose of data theft, sabotage, business disruption, and more?

This approach differs from scoring based on the severity of the malware itself, which often leads to false alarms or red herrings. In many cases, external threat actors use minor or low-priority malware capabilities to perform their campaigns, flying "under the radar" of traditional security systems that use severity scoring. The intent and objectives of the threat matter more than the type of malware used to conduct the operation.
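The objectives-on-target scoring just described, and the host-infection verification described under Benefits of ACD Integration, can be made concrete in code. What follows is an added illustrative example written for this page; it is not Hexis, KEYW or HawkEye G code. It groups constructed network alerts and constructed endpoint events by host, maps the endpoint events onto the attacker objectives the paper lists, credits a network alert only when host evidence corroborates it, scores each host by objectives achieved rather than by alert severity, and selects countermeasures under a policy level. The event field names, objective weights, policy names and thresholds, and the objective-to-countermeasure mapping are all assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set

# Weights per attacker objective. The paper names the objectives; the numbers are
# assumptions chosen so later campaign stages outweigh earlier ones.
OBJECTIVE_WEIGHTS: Dict[str, int] = {
    "exploited": 10, "malware_landed": 20, "persistence": 20, "c2": 25, "lateral_movement": 30,
}
# Countermeasure per objective (mapping is an assumption; action names follow the paper).
COUNTERMEASURES: Dict[str, str] = {
    "exploited": "kill_process", "malware_landed": "quarantine_file",
    "persistence": "remove_persistence", "lateral_movement": "expire_credentials",
}
# Policy levels standing in for the paper's "Cybercon level" configuration;
# names, thresholds and the auto-execute flag are assumptions.
POLICIES: Dict[str, dict] = {
    "machine_guided": {"auto_execute": False, "min_score": 30},
    "automated": {"auto_execute": True, "min_score": 50},
    "elevated": {"auto_execute": True, "min_score": 20},
}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

def endpoint_objectives(events: List[dict]) -> Set[str]:
    """Translate raw endpoint events for one host into attacker objectives achieved."""
    achieved: Set[str] = set()
    for ev in events:
        kind = ev["event"]
        if kind == "process_start" and ev["parent"] in OFFICE_APPS and ev["image"] in SHELLS:
            achieved.add("exploited")           # document viewer spawned a shell
        elif kind == "file_write":
            path = ev["path"].lower()
            if path.endswith(".exe") and "\\appdata\\" in path:
                achieved.add("malware_landed")  # binary dropped in a user-writable directory
        elif kind == "registry_set" and "\\run\\" in ev["key"].lower():
            achieved.add("persistence")         # autorun key set
        elif kind == "net_connect" and ev["dst"].startswith("10.") and ev["dst"].endswith(":445"):
            achieved.add("lateral_movement")    # SMB session to another internal host
    return achieved

def corroborate(net_alerts: List[dict], events: List[dict], objectives: Set[str]) -> List[dict]:
    """Return the network alerts confirmed by host evidence; a C2 beacon alert is credited
    as the 'c2' objective only when the endpoint actually connected to the flagged address."""
    confirmed = []
    for alert in net_alerts:
        if alert["indicator"] == "sandbox_malicious" and "malware_landed" in objectives:
            confirmed.append(alert)
        elif alert["indicator"] == "c2_beacon" and any(
            ev["event"] == "net_connect" and ev["dst"] == alert["dst"] for ev in events
        ):
            objectives.add("c2")
            confirmed.append(alert)
    return confirmed

def assess_host(net_alerts: List[dict], events: List[dict], policy: str) -> dict:
    """Score one host by objectives achieved (not by alert severity) and pick countermeasures."""
    objectives = endpoint_objectives(events)
    confirmed = corroborate(net_alerts, events, objectives)
    score = sum(OBJECTIVE_WEIGHTS[o] for o in objectives)
    rules = POLICIES[policy]
    actionable = score >= rules["min_score"]
    actions = sorted({COUNTERMEASURES[o] for o in objectives if o in COUNTERMEASURES})
    return {
        "score": score,
        "objectives": sorted(objectives),
        "verified": bool(confirmed),                       # some network alert confirmed on-host
        "unverified_alerts": len(net_alerts) - len(confirmed),
        "actions": actions if actionable else [],
        "executed": actionable and rules["auto_execute"],  # False => machine-guided recommendation
    }

def assess_all(net_alerts: List[dict], events: List[dict], policy: str = "automated") -> Dict[str, dict]:
    """Group alerts and events by host, then assess every host seen by either layer."""
    by_net, by_ep = defaultdict(list), defaultdict(list)
    for a in net_alerts:
        by_net[a["host"]].append(a)
    for e in events:
        by_ep[e["host"]].append(e)
    return {h: assess_host(by_net[h], by_ep[h], policy) for h in sorted(set(by_net) | set(by_ep))}

# Constructed sample telemetry, not real captures. Host .23 shows a full chain; host .24 has
# only a high-severity network alert with no host evidence; host .25 has host evidence only.
SAMPLE_NET_ALERTS = [
    {"host": "10.1.5.23", "indicator": "sandbox_malicious", "severity": "high"},
    {"host": "10.1.5.23", "indicator": "c2_beacon", "severity": "low", "dst": "203.0.113.7:443"},
    {"host": "10.1.5.24", "indicator": "sandbox_malicious", "severity": "high"},
]
SAMPLE_ENDPOINT_EVENTS = [
    {"host": "10.1.5.23", "event": "process_start", "parent": "winword.exe", "image": "cmd.exe"},
    {"host": "10.1.5.23", "event": "file_write", "path": "C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe"},
    {"host": "10.1.5.23", "event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc"},
    {"host": "10.1.5.23", "event": "net_connect", "dst": "203.0.113.7:443"},
    {"host": "10.1.5.25", "event": "file_write", "path": "C:\\Users\\asmith\\AppData\\Local\\Temp\\upd.exe"},
    {"host": "10.1.5.25", "event": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
]

if __name__ == "__main__":
    for host, verdict in assess_all(SAMPLE_NET_ALERTS, SAMPLE_ENDPOINT_EVENTS).items():
        print(host, verdict)
```

Run as-is, the "low" severity C2 beacon on host 10.1.5.23 ends up contributing more to the score than the "high" sandbox verdict on host 10.1.5.24, because the beacon is confirmed by an endpoint connection to the same address while the .24 verdict has no host evidence at all and stays an unverified alert with a score of zero. Host 10.1.5.25 illustrates the policy ratchet: its endpoint-only evidence scores below the "automated" threshold and is merely watched, under "machine_guided" the same countermeasures are recommended for an operator, and under "elevated" they execute.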

Palo Alto Networks®

Palo Alto Networks' next generation firewall enables inspection of all allowed traffic, even SSL-encrypted traffic, for threats, and prevents or limits risky or unnecessary applications or features. This includes applications and technologies regularly used by attackers to hide their activity, such as proxies, encryption, and tunnels. The unified threat engine performs IPS, provides stream-based anti-virus prevention, and blocks unapproved file types and data. Additionally, the cloud-based WildFire™ engine identifies malware and exploits that may have no known signature. This gives organizations the ability to reduce their exposure, ensure visibility of all traffic, and protect against all types of threats in a single pass of traffic.


FireEye™

FireEye identifies and blocks advanced cyber-attacks through a virtual machine-based security platform built from the ground up to combat next-generation threats. The core of the FireEye platform is a virtual execution engine, complemented by dynamic threat intelligence (DTI), that covers the primary threat vectors: web, email, files, and mobile devices.

• Deploys in-line (block/monitor mode) or out-of-band (TCP reset mode/monitor mode) and enables security analysis for IPv4 and IPv6 traffic

• Analyzes all suspicious web objects including PDFs, Flash, multimedia formats, and ZIP/RAR/TNEF archives and blocks outbound malware to thwart data exfiltration

• Integrates with the FireEye Email Threat Prevention Platform to stop blended spear-phishing attacks

• Distributes threat intelligence locally to the entire FireEye deployment and globally to the FireEye customer base through the FireEye Dynamic Threat Intelligence (DTI) cloud

• Provides role-based access control (RBAC) and audit logging

• Includes support for Windows, Mac OS X, iOS and Android environments

• Consolidates signature-based and signature-less technologies with integrated IPS functionality

General Dynamics Mission Systems™

The General Dynamics Mission Systems TACLANE™ Trusted Sensor Software applies deep packet sensing against rule sets: open source, custom, and government classified. TACLANE Trusted Sensor Software is NSA approved and available for purchase today for the TACLANE-1G. The solution provides Type-1 protection of classified rule sets, so that in "sensor-only mode" it can inspect traffic on unclassified networks using classified rule sets. Sensing results against those classified rule sets are communicated back to a classified enclave through the Type-1 encrypted tunnel for further forensic analysis, assessment, and notification when a threat is found.

The new in-line sensor capability supports both classified and unclassified networks by providing strong Type-1 encryption at the network boundaries, enhanced with Deep Packet Inspection (DPI) and collection of standard NetFlow statistics. Beyond a firewall's limited header filtering, DPI enables network elements to filter for malicious data within the traffic payload. This in-depth inspection helps network defenders assess the overall system's health.


Splunk®

Splunk is leveraged in the solution for its interoperability, integration, enterprise data collection, management, and analytic features across system logs, NetFlow, and other sources. Splunk's ease of customization of analytics, data ingestion, and component integration (through Splunk Apps and custom development) makes it well suited for operator integration, situational awareness, and future flexibility.

Splunk collects and indexes data from network devices, endpoints (Windows, Linux, physical, and virtual), and mobile devices. Using Splunk as the data collection repository consolidates all data and lets Splunk assemble the complete cyber threat picture so the network and endpoint components of the SHORTSTOP solution can take action. Splunk readily collects and indexes syslog, patch logs, and Mobile Device Management (MDM) logs, and its low-latency forwarder supports collection and subsequent analytics on enterprise data. Its analytics can also identify threats and coordinate additional investigation by the other SHORTSTOP components (FireEye, Palo Alto Networks, TACLANE Trusted Sensor Software, and HawkEye G) to expose and remediate threats. Custom analytics are also easily implemented.

Splunk functions as the integration and coordination layer in the solution, collecting the IOCs and alerts from the other sensing solutions and enabling the decision-making process that coordinates action against the threat at the perimeter, network, and endpoint with the defensive solutions at those attack points.


KEYW™

KEYW is currently deploying this solution with a US Intelligence Community customer and can work with federal and commercial entities to develop a strategy that either deploys the same capability or leverages their existing cyber defense tools to build a solution that coordinates threat detection, automatically validates the indicators, and deploys countermeasures to remove the threat in real time. We understand that migration/integration with existing tools will require planning, transition processes, cost-benefit analysis, and buy-in from stakeholders from the leadership down to the system operators. KEYW's end-to-end methodology gives stakeholders a thorough understanding of the risks, costs, operations, and maintenance requirements in order to make informed decisions about the evolution of the ACD landscape.

Figure 6 - KEYW engages stakeholders throughout the integration process to ensure the ACD solution meets requirements and maintains its edge against evolving threats and technologies. KEYW's Advanced Cyber Defense Methodology, as shown: stakeholder requirements and available solutions; stakeholder engagement & acceptance; ACD requirement collection (perimeter, network, endpoint); component research, test & evaluation; ACD integration & test; ACD solution transition; continuous solution monitoring.

Conclusion

SHORTSTOP may not stop all threats and malicious actors from attacking our networks; but by applying the "80/20" rule, the SHORTSTOP solution addresses the majority (the "80%") of "common threats" that flood systems and overwhelm CND responders, reducing the risk of compromise.

With the SHORTSTOP ACD solution, organizations significantly improve efficiency by automating action against threats through:

• Enhanced correlation of IOCs across the enterprise;

• Defensive collaboration and threat verification across perimeter, network, and endpoint solutions;

• Removal and blocking actions at machine speed (especially for recurring threats).

The SHORTSTOP ACD solution frees the skilled CND operator to focus on the "20%" of APTs that still require human analysis, while equipping them with verified IOCs to find, fix, and eliminate threats from the enterprise.

About Hexis Cyber Solutions

Hexis Cyber Solutions Inc. is a team of cybersecurity experts delivering solutions that enable organizations to defend against and remove cyber threats at machine speeds before they do damage. Hexis' advanced security solutions use real-time endpoint sensors, network detection, and threat analytics to provide organizations with an intelligent and automated threat detection and response solution. Hexis solutions deliver improved visibility into the network and endpoints, threat verification, and automated threat removal capabilities for organizations of all sizes. Hexis Cyber Solutions, Inc. is a wholly-owned subsidiary of The KEYW Holding Corporation (KEYW), based in Hanover, Maryland, with engineering offices in Columbia, Maryland and San Mateo, California. Hexis' solutions were developed leveraging KEYW's expertise in supporting our nation's cybersecurity missions.

About KEYW

KEYW provides agile cyber superiority, cybersecurity, and geospatial intelligence solutions for U.S. Government intelligence and defense customers and commercial enterprises. We create our solutions by combining our services and expertise with hardware, software, and proprietary technology to meet our customers' requirements.