- Active HBGary Research (v.x.0.1)
- Yobie Benjamin, now CTO at Citigroup, helped create HBGary's business proposal (April 2, 2010)
- http://hbgary.anonleaks.ch/greg_hbgary_com/8987.html (powerpoint included)
- Strategic Partners: McAfee, Guidance Software (Encase), Agilex
- HBGary R&D Funding:
- Airforce Research Labs:
- Next Generation Software Reverse Engineering Tools (Phase I and II)
- Kernel Virtual Machine Host Analyzer (Phases I and II)
- Virtual Machine Debugger (Phase I)
- Department of Homeland Security (HSARPA):
- Botnet Detection and Mitigation (Phases I and II)
- H/W Assisted System Security Monitor (Phases I and II)
- Subcontractor to AFCO Systems Development
- HBGary's full products (as of April 2, 2010)
- DoD: 13,500 nodes
- Civilian Agencies: 31,000 nodes
- Government Contractors & Consulting - 23 customers
- Fortune 500 - 23 customers
- Foreign Governments - 15
- Universities & Law Enforcement - 16 Customers
- (See Below for known clients)
- DigitalDNA (DDNA): Stand Alone Edition (Standard) and Enterprise Edition (comprehensive w/ active defense)
- DDNA detects zero-day threats; automated reverse engineering technology that "detects software behaviors"
- Yobie Benjamin writes in SFGate.com, giving HBGary press, specifically about DigitalDNA (DDNA): http://hbgary.anonleaks.ch/greg_hbgary_com/26061.html http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail?entry_id=61673
- {{Yobie Benjamin Bio (mostly from SFGate.com):
- Yobie Benjamin is an experienced senior executive with expertise in innovation, technology and new business models. His last startup was a progressive ecommerce company called GoodStorm.com which was acquired by a Kleiner Perkins-funded Zazzle.com . Before becoming an entrepreneurial founder and CEO, Yobie was a management consultant and focused on technology, innovation, risk and information technology. His consulting career started as Chief Knowledge Officer at Cambridge Technology Partners. Yobie moved on to become a Partner at Ernst and Young where he held three roles - Chief of Strategy, Distinguished Fellow, CTO - Security and Technology Services. After E&Y, he joined Computer Sciences Corporation as Partner and Managing Director of the Business and Technology Risk Management group. He began his career in technology as an engineer at Lotus Development Corporation. <<Now CTO at Citigroup, tasked with "Reinventing Money">>
- Other highlights: writer, social activist, innovator in the consumer products space, software architect and engineer, and perpetual geek. Interests include: all things technology and music related and good food.
- Currently Principal of TrueCarbon.org, Advisor at Emicus.com, Trustee - University of California at Merced. Acting as a Chief Technology Officer to three startups. Governance, structuring and financing mentor to startups. He is also a proud active volunteer for Amnesty International and Art For Amnesty.
- Read more: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/bios#ixzz1W5s12IHw}}
- Yobie Benjamin, now given the position of CTO at Citigroup: "it is a better place to endorse hbg. you can say the global cto of citi is behind the product" - http://hbgary.anonleaks.ch/greg_hbgary_com/24624.html
- Not currently known if Yobie is still backing HBGary after the leak, though the business plan would seem to indicate he has some knowledge of the inner workings of the product: http://hbgary.anonleaks.ch/greg_hbgary_com/9529.html
- -----
- Known Clients/Contacts
- Aviation Management Associates: http://hbgary.anonleaks.ch/aaron_hbgary_com/16351.html
- Bank of the West: http://hbgary.anonleaks.ch/aaron_hbgary_com/16748.html
- CIBC: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
- Citigroup: http://hbgary.anonleaks.ch/greg_hbgary_com/22341.html http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
- Comcast: http://hbgary.anonleaks.ch/aaron_hbgary_com/13565.html
- DigitalGlobe: http://hbgary.anonleaks.ch/phil_hbgary_com/12874.html http://hbgary.anonleaks.ch/greg_hbgary_com/23900.html http://hbgary.anonleaks.ch/phil_hbgary_com/10184.html http://hbgary.anonleaks.ch/aaron_hbgary_com/1990.html http://hbgary.anonleaks.ch/ted_hbgary_com/10545.html http://hbgary.anonleaks.ch/ted_hbgary_com/7702.html http://hbgary.anonleaks.ch/phil_hbgary_com/968.html
- DigitalGlobe Social Media/Persona training: http://hbgary.anonleaks.ch/ted_hbgary_com/8141.html
- DigitalGlobe email asking about EndGames: http://hbgary.anonleaks.ch/ted_hbgary_com/6642.html
- DHS: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
- DOE: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
- DOT: http://hbgary.anonleaks.ch/aaron_hbgary_com/3347.html
- Farallon Research: http://hbgary.anonleaks.ch/aaron_hbgary_com/13565.html
- Social Media cost-benefit analysis for Farallon Research: http://hbgary.anonleaks.ch/aaron_hbgary_com/6052.html
- Fidelis: http://hbgary.anonleaks.ch/phil_hbgary_com/10184.html
- FBI: http://hbgary.anonleaks.ch/greg_hbgary_com/332.html http://hbgary.anonleaks.ch/greg_hbgary_com/24177.html http://hbgary.anonleaks.ch/greg_hbgary_com/25692.html
- General Dynamics: http://hbgary.anonleaks.ch/aaron_hbgary_com/15253.html
- Goldman Sachs: http://hbgary.anonleaks.ch/ted_hbgary_com/7726.html
- Government Technology Research Alliance: http://hbgary.anonleaks.ch/aaron_hbgary_com/12993.html
- House of Representatives/CBO: http://hbgary.anonleaks.ch/phil_hbgary_com/1911.html http://hbgary.anonleaks.ch/phil_hbgary_com/461.html http://hbgary.anonleaks.ch/phil_hbgary_com/11367.html http://hbgary.anonleaks.ch/phil_hbgary_com/2140.html http://hbgary.anonleaks.ch/phil_hbgary_com/5517.html
- (notable people at the House: Paul Vann, Brent Conran)
- IAEA: http://hbgary.anonleaks.ch/ted_hbgary_com/11010.html http://hbgary.anonleaks.ch/greg_hbgary_com/21610.html
- IBM: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
- ICE: http://hbgary.anonleaks.ch/aaron_hbgary_com/3093.html http://hbgary.anonleaks.ch/greg_hbgary_com/3383.html http://hbgary.anonleaks.ch/phil_hbgary_com/10106.html
- Microsoft: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
- National Defense University: http://hbgary.anonleaks.ch/aaron_hbgary_com/13565.html http://hbgary.anonleaks.ch/aaron_hbgary_com/6529.html
- NYPD: http://hbgary.anonleaks.ch/greg_hbgary_com/16296.html
- Palantir (soysauce): http://hbgary.anonleaks.ch/greg_hbgary_com/8313.html
- Paradigm Solutions (State Department Contractor): http://hbgary.anonleaks.ch/greg_hbgary_com/15578.html
- OSD (Office of the Secretary of Defense): http://hbgary.anonleaks.ch/aaron_hbgary_com/16057.html
- SAIC: http://hbgary.anonleaks.ch/aaron_hbgary_com/15886.html
- State Department: http://hbgary.anonleaks.ch/phil_hbgary_com/7023.html http://hbgary.anonleaks.ch/greg_hbgary_com/13825.html
- http://hbgary.anonleaks.ch/phil_hbgary_com/6070.html
- TSA: http://hbgary.anonleaks.ch/greg_hbgary_com/1538.html http://hbgary.anonleaks.ch/aaron_hbgary_com/5837.html http://hbgary.anonleaks.ch/greg_hbgary_com/7986.html http://hbgary.anonleaks.ch/greg_hbgary_com/20763.html
- Aaron Barr speaking engagement with the TSA: http://hbgary.anonleaks.ch/aaron_hbgary_com/16278.html
- Presentation includes info on: Triad, ZeuS botnets, Poison Ivy implant, Stuxnet analysis damaging infrastructure
- http://hbgary.anonleaks.ch/aaron_hbgary_com/12635.html presentation: http://hbgary.anonleaks.ch/aaron_hbgary_com/3347.html
- US-CERT: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html http://hbgary.anonleaks.ch/aaron_hbgary_com/8495.html http://hbgary.anonleaks.ch/ted_hbgary_com/10545.html
- ZionBanc: http://hbgary.anonleaks.ch/ted_hbgary_com/6723.html
- ----
- DDNA on a stick (.exe file)
- http://hbgary.anonleaks.ch/phil_hbgary_com/5375.html
- DigitalDNA: http://hbgary.anonleaks.ch/greg_hbgary_com/11935.html
- Team,
- What follows is my revised pitch on the Digital DNA messaging. The new sauce is my focus on the human factor as opposed to the malware. This should really get us some attention.
- snip --->
- HBGary has developed this system called Digital DNA. Customers can use Digital DNA to identify cyber-threats within the Enterprise and get actionable intelligence to mitigate the threat. We examine thousands of malware per day and decompile all the control and data flow automatically - literally millions of data points, and reduce it to a codified number sequence that can be used to trace back to the attackers - the organization that is operating the attack and the individual developers that built the malware. Because of this, Digital DNA can detect new emerging malware with no prior signatures. Think of Digital DNA as the next generation of hashing.
- How does it work? Digital DNA is a codified sequence of numbers calculated against the root behaviors and code idioms that are visible once the malware is actually executing in RAM. It can be used to trace back to developers, toolkit authors, and the source attacker. This is like a digital fingerprint that can be used to identify the attacker. While Digital DNA can be managed like a hash, remember that it's fuzzy and it's based on behaviors - this means you can identify new emerging threats without having any existing signatures. This fuzzy behavior is what sets it apart from anti-virus. Instead of tracking specific malware variants, HBGary is tracking the root sources of the attack, and calculating Digital DNA that identifies the human behind the malware. When that human or organization develops new variants, Digital DNA still detects it. There are upwards of 50,000 new malware released on the Internet daily. Obviously the developers aren't rewriting 50,000 new malware programs every day. The new malware is rebuilt from toolkits and components using automated systems. Those root components don't change, even though the malware's specific signature is different now.
- There are several factors that can be used to track back who is operating a malware attack.
- - Communications
- Certain organized groups use predictable or known dropsites for data and command/control. Use of these dropsites is an indicator of who is operating an attack. Another contributor to this is the protocol used - certain protocol features might be specific to an attacker's back end systems.
- - Command and Control
- The logic of the command/control loop in the malware can be very specific. Even when a developer makes modifications to an existing malware strain, they usually won't change this central control portion. It's very much like a fingerprint.
- - Development Environment
- Malware and toolkit authors all use certain compilers, libraries, cut-and-paste code, and more - all can be identified. When combined together this reveals a great deal about the development environment - something very specific to the computer and the programmer who built the weapons package.
- - Computer Network Attack (CNA)
- CNA components (i.e., the stuff that attacks Windows networks, USB thumb-drives, etc.) are re-used a lot in malware development - think of it as cut-and-paste code. Much of this is custom code sequences that are specific to the developer - or perhaps shared amongst a small group of developers. We can draw inferences about relationships and code-sources from this information.
- - Information Security Threats
- The Digital DNA can provide a lot of information about keylogging systems, file exfiltration, keyword searching, and other methods used by the attacker. This represents a set of capabilities and reveals some of the attacker's intent - especially when combined with any volatile runtime behaviors. It can give some damage assessment as well, since it reveals what information has been stolen from the Enterprise.
- - Stealth and Antiforensics
- Most malware has some method to remain undetected. A lot of this capability can be traced back to malware toolkits, such as rootkits, that are privately traded or sold for money. Regardless, most malware doesn't hide very well when Digital DNA is calculated. The tricks used by malware to hide on a system are actually anomalies - things that stand out very clearly when Digital DNA is calculated. The harder rootkits try to hide, the more clearly they become visible.
- - Installation and Deployment
- There are several hundred methods for a malware to survive reboot. There are established ways to inject code into other processes, or decrypt hidden payloads to the system. These methods are all obvious to Digital DNA and when combined with other factors create a complete fingerprint of malicious activity that can be traced back to individuals or organizations.
- Bringing the malware problem back to a human problem is a huge step forward in threat detection. There are perhaps 100+ top tier developers who are selling malware into the underground. Think of this as a digital arms bazaar. From these, there are thousands of middle-men that purchase the weaponry and use it for nefarious purposes. There are three main groups - Organized Crime, Foreign Intelligence, and Corporate Actors. They all operate differently, and have different goals, but all three groups use largely similar cyber-attack technology. Focusing on the malware itself is short-sighted - the real threat comes from the human factors behind the malware. The malware is just the tip of the spear, an automaton - the attacker's intent, and thus the real threat, is represented by the human or organization that is attacking you. You obviously need to detect their malware, and Digital DNA can do that, but you also need to understand the threat - what capabilities they have, how often are they upgrading their attack technology, are they using bargain basement toolkits or high-grade rootkits? What are they stealing? Are they well funded? This is real intelligence, stuff you can use to gauge the threat against your Enterprise. Traditional IDS and AV can't give you any of this information.
- HBGary fills a massive gap in the defense-in-depth strategy. When something gets into your Enterprise, it means that the attacker's technology is superior to yours. It means the attacker has bypassed your security systems and is now on the inside. That is the ground truth intelligence that HBGary can provide you - a hard fact about who is in your network right now, stealing from you right now.
- ----
- Other:
- Kneber Botnet: http://hbgary.anonleaks.ch/greg_hbgary_com/19210.html
- ...
- whose tasks include searching through the computer hard drive for Word, Excel and PDF documents and sending them to a server located in Belarus
- ...
- This underscores my stance that "it doesn't matter who is at the other end of the keyboard" - when there is direct interaction with the host the compromise should be classified as APT. Most of the stuff attacking your network is not in this category - about 80% is external non-targeted, which most people associate with botnets. These attacks, once analyzed, will not show any interaction with the host - they are hard coded to steal credentials and such, and for the most part haven't done any damage. However, around 2-3% of these infections reveal interaction with the host - this means a command shell was launched and commands were typed, extra utilities were downloaded to the host and used, etc. Now everything is different; I suggest that in this case you have no choice but to treat this as APT. It doesn't matter if the hacker at the other end of the keyboard is Russian or Chinese. If you must adhere to the strictest definition of APT=CSST (Chinese State Sponsored Threat) you still have to consider the underground market of information trade and access trade. The hacker may be Eastern European, but the data can still reach the PRC.
- The key differentiator between non-targeted and targeted is interaction with the host. You can detect interaction primarily through timeline analysis on the target machine. I should mention that I have analyzed many different botnet infections and found that the botnet malware contains capability to interact with the host, even remote control and shells, but that no evidence of such interaction was found forensically on the machine - so in this case I wouldn't consider the attack targeted unless I already knew one of the threat groups was using it (or found the same malware elsewhere on the network in conjunction with said interaction). Finally, if I find a RAT (Remote Access Tool) then the attack is targeted - RATs are designed for one purpose only, direct targeted interaction with the host. Making the call is important, because external non-targeted attacks should take your response team no more than 15 minutes/machine to deal with, while a targeted compromise will consume 4 hours or more/machine - sometimes days/machine if a great deal of evidence is uncovered. Managing this time is one of the most important challenges for an IR team, as cost is everything at the end of the day.
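An added triage example (not code from the email or from HBGary) that applies the rule quoted above to a constructed host timeline: a RAT or forensic evidence of hands-on interaction (interactive shell, commands typed from it, extra utilities dropped afterwards) makes the compromise targeted; capability alone does not. The shell names, the cadence heuristic and the timeline events are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Event:
    ts: datetime
    kind: str     # "process", "file_create" or "network"
    detail: str   # image path, created file or destination

INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}  # illustrative
EFFORT_MINUTES = {"non-targeted": 15, "targeted": 240}  # per-machine figures from the email

def interaction_indicators(events):
    """Return the set of host-interaction indicators a forensic timeline shows."""
    found, shell_ts, cmd_ts = set(), None, []
    for e in sorted(events, key=lambda ev: ev.ts):
        head = e.detail.replace("\\", "/").rsplit("/", 1)[-1]
        name = (head.split() or [""])[0].lower()
        if e.kind == "process" and name in INTERACTIVE_SHELLS:
            found.add("interactive shell launched")
            shell_ts = e.ts
        elif shell_ts is None:
            continue  # the automated infection itself is not interaction
        elif e.kind == "process":
            cmd_ts.append(e.ts)  # commands run after the shell appeared
        elif e.kind == "file_create" and name.endswith(".exe"):
            found.add("extra utility dropped after shell")
    if cmd_ts:
        found.add("commands run from shell")
        # heuristic: a person types with multi-second gaps, a bot fires in bursts
        gaps = [(b - a).total_seconds() for a, b in zip(cmd_ts, cmd_ts[1:])]
        if gaps and median(gaps) >= 2:
            found.add("operator-paced command cadence")
    return found

def classify(events, rat_present=False):
    """RAT or host interaction -> targeted (treat as APT); otherwise non-targeted."""
    reasons = sorted(interaction_indicators(events))
    if rat_present:
        reasons.insert(0, "RAT identified")
    verdict = "targeted" if reasons else "non-targeted"
    return {"verdict": verdict, "reasons": reasons, "effort_minutes": EFFORT_MINUTES[verdict]}

T = datetime(2010, 2, 18, 9, 0, 0)  # constructed timestamps
BOTNET_HOST = [  # constructed: credential stealer beaconing out, nobody at the keyboard
    Event(T, "process", "C:/Users/u/AppData/Roaming/svch0st.exe"),
    Event(T + timedelta(seconds=1), "network", "beacon to dropsite"),
    Event(T + timedelta(seconds=2), "file_create", "C:/Users/u/AppData/Roaming/creds.dat"),
]
TARGETED_HOST = BOTNET_HOST + [  # constructed: shell spawned, recon typed, archiver pulled down
    Event(T + timedelta(minutes=5), "process", "C:/Windows/System32/cmd.exe"),
    Event(T + timedelta(minutes=5, seconds=4), "process", "whoami"),
    Event(T + timedelta(minutes=5, seconds=19), "process", "net user"),
    Event(T + timedelta(minutes=6), "file_create", "C:/Windows/Temp/rar.exe"),
    Event(T + timedelta(minutes=6, seconds=30), "process", "rar.exe a out.rar docs"),
]

if __name__ == "__main__":
    for label, tl in (("botnet", BOTNET_HOST), ("targeted", TARGETED_HOST)):
        print(label, classify(tl))
```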
- ---
- Massive RSA PDF: http://hbgary.anonleaks.ch/greg_hbgary_com/6590.html
- -----
- Everything Soysauce: http://hbgary.anonleaks.ch/aaron_hbgary_com/15661.html http://hbgary.anonleaks.ch/greg_hbgary_com/26996.html
- ---
- Government CIO Summit: http://hbgary.anonleaks.ch/aaron_hbgary_com/14119.html
- Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) - Rick Holgate, CIO
- Bureau of Economic Analysis - Alan Lorish, CIO
- Bureau of Land Management - Ronnie Levine, CIO
- CA National Guard - LT Col Keith Tresh, CIO
- Cook County Government Chicago, Illinois - Antonio Allan Hylton, CIO
- Cook County, Illinois - Antonio Hylton , CIO
- Department of Agriculture - Chris Smith, CIO
- Department of Commerce - Suzanne Hilding, CIO
- Department of Education - Danny Harris, CIO
- Department of Homeland Security - Joe Jarzombek, Director of Software Assurance
- Department of Homeland Security/TSA - Margie Graves, Deputy CIO
- Department of Housing & Urban Development - Jerry Williams, CIO
- Department of Justice - Vance Hitch, CIO
- Department of State - Gary Galloway, Deputy Director of the Office of Information Assurance
- Department of State - Charles Wisecarver, Deputy CIO for Operations and CTO
- Department of the Army - Michael Krieger, Deputy CIO
- Department of Transportation (DOT) - Jackie Patillo, Deputy CIO
- Department of Transportation (DOT) - Nitin Pradhan, CIO
- Deputy CTO for Open Government - Beth Noveck,
- Environmental Protection Agency - Myra Galbreath, Acting CTO
- Federal Aviation Administration - Dave Bowen, CIO
- Federal Housing Finance Agency - Kevin Winkler, CIO
- Federal Reserve Board - Maureen Hannan, CIO
- Federal Trade Commission - Stan Lowe, CIO
- FERC (Federal Energy Regulatory Commission) - Sanjay Sardar, Deputy CIO
- Florida Board of Governors - Ramon Padilla Jr., CIO | AST Vice Chancellor
- General Services Administration (GSA) - Casey Coleman, CIO
- Hidalgo County, TX - Renan Ramirez, CIO
- Institute of Museum and Library Sciences - Derek Scarborough, CIO
- Library of Congress - James Gallagher, Director, Information Technology Services
- NASA - Jerry L. Davis, Deputy CIO
- NASA - Linda Cureton, CIO
- NASA AMES Research Center - Chris Kemp, CIO
- NASA Glenn Research Center - Sasi Kumar Pillay, CIO
- National Archives and Records Administration - Martha Morphy, CIO
- National Institutes of Health (NIH) - Kathryn Wimsatt, Executive Officer for Center for information Technology
- National Transportation Safety Board - Bob Scherer, CIO
- Office of Government Ethics (OGE) - Ty Cooper, CIO
- Small Business Administration - Robert Naylor, CIO
- Smithsonian Institution - Ann Speyer, CIO
- Social Security Administration - Franklin Baitman, CIO
- State of Missouri - Dan Lohrman, State CTO
- State of Missouri - Ken Thesis, State CIO
- State of New York - Melodie Mayberry-Stewart, CIO
- State of Ohio - Sam Orth, CIO
- State of Ohio Office of Budget & Management - Kumar Rachuri, CIO
- State of Utah - Stephen Fletcher, CIO
- U.S. Postal Service - John Edgar, VP IT Solutions
- United States Cyber Security Coordinator - Howard Schmidt,
- US Department of Energy - Pete Tseronis, Deputy Associate CIO
- US Patent and Trademark Office - John B. Owens, CIO
- Veterans Affairs - Roger Baker, CIO