
Untitled

a guest
Aug 25th, 2011
Active HBGary Research (v.x.0.1)

Yobie Benjamin, now CTO at Citigroup, helped create HBGary's business proposal (April 2, 2010)
http://hbgary.anonleaks.ch/greg_hbgary_com/8987.html (PowerPoint included)

Strategic Partners: McAfee, Guidance Software (EnCase), Agilex
HBGary R&D Funding:
Air Force Research Labs:
Next Generation Software Reverse Engineering Tools (Phase I and II)
Kernel Virtual Machine Host Analyzer (Phases I and II)
Virtual Machine Debugger (Phase I)

Department of Homeland Security (HSARPA):
Botnet Detection and Mitigation (Phases I and II)
H/W Assisted System Security Monitor (Phases I and II)
Subcontractor to AFCO Systems Development

HBGary's full products (as of April 2, 2010)
DoD: 13,500 nodes
Civilian Agencies: 31,000 nodes
Government Contractors & Consulting - 23 customers
Fortune 500 - 23 customers
Foreign Governments - 15
Universities & Law Enforcement - 16 customers
(See below for known clients)

DigitalDNA (DDNA): Stand Alone Edition (Standard) and Enterprise Edition (comprehensive w/ active defense)
DDNA detects zero-day threats; reverse engineering technology, automated, "detects software behaviors"

Yobie Benjamin writes in SFGate.com, giving HBGary press, specifically about DigitalDNA (DDNA): http://hbgary.anonleaks.ch/greg_hbgary_com/26061.html http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail?entry_id=61673

{{Yobie Benjamin Bio (mostly from SFGate.com):

Yobie Benjamin is an experienced senior executive with expertise in innovation, technology and new business models. His last startup was a progressive ecommerce company called GoodStorm.com, which was acquired by the Kleiner Perkins-funded Zazzle.com. Before becoming an entrepreneurial founder and CEO, Yobie was a management consultant focused on technology, innovation, risk and information technology. His consulting career started as Chief Knowledge Officer at Cambridge Technology Partners. Yobie moved on to become a Partner at Ernst and Young, where he held three roles - Chief of Strategy, Distinguished Fellow, and CTO - Security and Technology Services. After E&Y, he joined Computer Sciences Corporation as Partner and Managing Director of the Business and Technology Risk Management group. He began his career in technology as an engineer at Lotus Development Corporation. <<Now CTO at Citigroup, tasked with "Reinventing Money">>

Other highlights: writer, social activist, innovator in the consumer products space, software architect and engineer, and perpetual geek. Interests include: all things technology and music related, and good food.

Currently Principal of TrueCarbon.org, Advisor at Emicus.com, Trustee - University of California at Merced. Acting as Chief Technology Officer to three startups. Governance, structuring and financing mentor to startups. He is also a proud active volunteer for Amnesty International and Art For Amnesty.

Read more: http://www.sfgate.com/cgi-bin/blogs/ybenjamin/bios#ixzz1W5s12IHw}}

Yobie Benjamin, now given the position of CTO at Citigroup: "it is a better place to endorse hbg. you can say the global cto of citi is behind the product" - http://hbgary.anonleaks.ch/greg_hbgary_com/24624.html

Not currently known whether Yobie is still backing HBGary after the leak, though the business plan would seem to indicate he has some knowledge of the inner workings of the product. http://hbgary.anonleaks.ch/greg_hbgary_com/9529.html

-----

Known Clients/Contacts

Aviation Management Associates: http://hbgary.anonleaks.ch/aaron_hbgary_com/16351.html
Bank of the West: http://hbgary.anonleaks.ch/aaron_hbgary_com/16748.html
CIBC: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
Citigroup: http://hbgary.anonleaks.ch/greg_hbgary_com/22341.html http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
Comcast: http://hbgary.anonleaks.ch/aaron_hbgary_com/13565.html
DigitalGlobe: http://hbgary.anonleaks.ch/phil_hbgary_com/12874.html http://hbgary.anonleaks.ch/greg_hbgary_com/23900.html http://hbgary.anonleaks.ch/phil_hbgary_com/10184.html http://hbgary.anonleaks.ch/aaron_hbgary_com/1990.html http://hbgary.anonleaks.ch/ted_hbgary_com/10545.html http://hbgary.anonleaks.ch/ted_hbgary_com/7702.html http://hbgary.anonleaks.ch/phil_hbgary_com/968.html
DigitalGlobe Social Media/Persona training: http://hbgary.anonleaks.ch/ted_hbgary_com/8141.html
DigitalGlobe email asking about Endgames: http://hbgary.anonleaks.ch/ted_hbgary_com/6642.html
DHS: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
DOE: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
DOT: http://hbgary.anonleaks.ch/aaron_hbgary_com/3347.html
Farallon Research: http://hbgary.anonleaks.ch/aaron_hbgary_com/13565.html
Social Media cost-benefit analysis for Farallon Research: http://hbgary.anonleaks.ch/aaron_hbgary_com/6052.html
Fidelis: http://hbgary.anonleaks.ch/phil_hbgary_com/10184.html
FBI: http://hbgary.anonleaks.ch/greg_hbgary_com/332.html http://hbgary.anonleaks.ch/greg_hbgary_com/24177.html http://hbgary.anonleaks.ch/greg_hbgary_com/25692.html
General Dynamics: http://hbgary.anonleaks.ch/aaron_hbgary_com/15253.html
Goldman Sachs: http://hbgary.anonleaks.ch/ted_hbgary_com/7726.html
Government Technology Research Alliance: http://hbgary.anonleaks.ch/aaron_hbgary_com/12993.html
House of Representatives/CBO: http://hbgary.anonleaks.ch/phil_hbgary_com/1911.html http://hbgary.anonleaks.ch/phil_hbgary_com/461.html http://hbgary.anonleaks.ch/phil_hbgary_com/11367.html http://hbgary.anonleaks.ch/phil_hbgary_com/2140.html http://hbgary.anonleaks.ch/phil_hbgary_com/5517.html
(notable people at the House: Paul Vann, Brent Conran)
IAEA: http://hbgary.anonleaks.ch/ted_hbgary_com/11010.html http://hbgary.anonleaks.ch/greg_hbgary_com/21610.html
IBM: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
ICE: http://hbgary.anonleaks.ch/aaron_hbgary_com/3093.html http://hbgary.anonleaks.ch/greg_hbgary_com/3383.html http://hbgary.anonleaks.ch/phil_hbgary_com/10106.html
Microsoft: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html
National Defense University: http://hbgary.anonleaks.ch/aaron_hbgary_com/13565.html http://hbgary.anonleaks.ch/aaron_hbgary_com/6529.html
NYPD: http://hbgary.anonleaks.ch/greg_hbgary_com/16296.html
Palantir (soysauce): http://hbgary.anonleaks.ch/greg_hbgary_com/8313.html
Paradigm Solutions (State Department contractor): http://hbgary.anonleaks.ch/greg_hbgary_com/15578.html
OSD (Office of the Secretary of Defense): http://hbgary.anonleaks.ch/aaron_hbgary_com/16057.html
SAIC: http://hbgary.anonleaks.ch/aaron_hbgary_com/15886.html
State Department: http://hbgary.anonleaks.ch/phil_hbgary_com/7023.html http://hbgary.anonleaks.ch/greg_hbgary_com/13825.html
http://hbgary.anonleaks.ch/phil_hbgary_com/6070.html
TSA: http://hbgary.anonleaks.ch/greg_hbgary_com/1538.html http://hbgary.anonleaks.ch/aaron_hbgary_com/5837.html http://hbgary.anonleaks.ch/greg_hbgary_com/7986.html http://hbgary.anonleaks.ch/greg_hbgary_com/20763.html
Aaron Barr speaking engagement with the TSA: http://hbgary.anonleaks.ch/aaron_hbgary_com/16278.html
Presentation includes info on: Triad, ZeuS botnets, Poison Ivy implant, Stuxnet analysis damaging infrastructure

http://hbgary.anonleaks.ch/aaron_hbgary_com/12635.html presentation: http://hbgary.anonleaks.ch/aaron_hbgary_com/3347.html
US-CERT: http://hbgary.anonleaks.ch/phil_hbgary_com/14634.html http://hbgary.anonleaks.ch/aaron_hbgary_com/8495.html http://hbgary.anonleaks.ch/ted_hbgary_com/10545.html
ZionBanc: http://hbgary.anonleaks.ch/ted_hbgary_com/6723.html

----

DDNA on a stick (.exe file)

http://hbgary.anonleaks.ch/phil_hbgary_com/5375.html

DigitalDNA: http://hbgary.anonleaks.ch/greg_hbgary_com/11935.html

Team,
What follows is my revised pitch on the Digital DNA messaging. The new
sauce is my focus on the human factor as opposed to the malware. This
should really get us some attention.

snip --->

HBGary has developed this system called Digital DNA. Customers can use
Digital DNA to identify cyber-threats within the Enterprise and get
actionable intelligence to mitigate the threat. We examine thousands of
malware per day and decompile all the control and data flow automatically -
literally millions of data points - and reduce it to a codified number
sequence that can be used to trace back to the attackers: the organization
that is operating the attack and the individual developers that built the
malware. Because of this, Digital DNA can detect new emerging malware with
no prior signatures. Think of Digital DNA as the next generation of
hashing.

How does it work? Digital DNA is a codified sequence of numbers calculated
against the root behaviors and code idioms that are visible once the malware
is actually executing in RAM. It can be used to trace back to developers,
toolkit authors, and the source attacker. This is like a digital fingerprint
that can be used to identify the attacker. While Digital DNA can be managed
like a hash, remember that it's fuzzy and it's based on behaviors - this
means you can identify new emerging threats without having any existing
signatures. This fuzzy behavior is what sets it apart from anti-virus.
Instead of tracking specific malware variants, HBGary is tracking the root
sources of the attack, and calculating Digital DNA that identifies the human
behind the malware. When that human or organization develops new variants,
Digital DNA still detects it. There are upwards of 50,000 new malware
released on the Internet daily. Obviously the developers aren't rewriting
50,000 new malware programs every day. The new malware is rebuilt from
toolkits and components using automated systems. Those root components
don't change, even though the malware's specific signature is different
now.

There are several factors that can be used to track back who is operating a
malware attack.

- Communications
Certain organized groups use predictable or known dropsites for data and
command/control. Use of these dropsites is an indicator of who is operating
an attack. Another contributor to this is the protocol used - certain
protocol features might be specific to an attacker's back end systems.

- Command and Control
The logic of the command/control loop in the malware can be very specific.
Even when a developer makes modifications to an existing malware strain,
they usually won't change this central control portion. It's very much like
a fingerprint.

- Development Environment
Malware and toolkit authors all use certain compilers, libraries, cut and
paste code, and more - all can be identified. When combined together this
reveals a great deal about the development environment - something very
specific to the computer and the programmer who built the weapons package.

- Computer Network Attack (CNA)
CNA components (i.e., the stuff that attacks Windows networks, USB
thumb-drives, etc.) are re-used a lot in malware development - think of it as
cut-and-paste code. Much of this is custom code sequences that are specific
to the developer - or perhaps shared amongst a small group of developers.
We can draw inferences about relationships and code-sources from this
information.

- Information Security Threats
The Digital DNA can provide a lot of information about keylogging systems,
file exfiltration, keyword searching, and other methods used by the
attacker. This represents a set of capabilities and reveals some of the
attacker's intent - especially when combined with any volatile runtime
behaviors. It can give some damage assessment as well, since it reveals
what information has been stolen from the Enterprise.

- Stealth and Antiforensics
Most malware has some method to remain undetected. A lot of this capability
can be traced back to malware toolkits, such as rootkits, that are privately
traded or sold for money. Regardless, most malware doesn't hide very well
when Digital DNA is calculated. The tricks used by malware to hide on a
system are actually anomalies - things that stand out very clearly when
Digital DNA is calculated. The harder rootkits try to hide, the more
clearly they become visible.

- Installation and Deployment
There are several hundred methods for a malware to survive reboot. There
are established ways to inject code into other processes, or decrypt hidden
payloads to the system. These methods are all obvious to Digital DNA and
when combined with other factors create a complete fingerprint of malicious
activity that can be traced back to individuals or organizations.

Bringing the malware problem back to a human problem is a huge step forward
in threat detection. There are perhaps 100+ top tier developers who are
selling malware into the underground. Think of this as a digital arms
bazaar. From these, there are thousands of middle-men that purchase the
weaponry and use it for nefarious purposes. There are three main groups -
Organized Crime, Foreign Intelligence, and Corporate Actors. They all
operate differently, and have different goals, but all three groups use
largely similar cyber-attack technology. Focusing on the malware itself is
short sighted - the real threat comes from the human factors behind the
malware. The malware is just the tip of the spear, an automaton - the
attacker's intent, and thus the real threat, is represented by the human or
organization that is attacking you. You obviously need to detect their
malware, and Digital DNA can do that, but you also need to understand the
threat - what capabilities they have, how often are they upgrading their
attack technology, are they using bargain basement toolkits or high-grade
rootkits? What are they stealing? Are they well funded? This is real
intelligence, stuff you can use to gauge the threat against your
Enterprise. Traditional IDS and AV can't give you any of this information.
HBGary fills a massive gap in the defense-in-depth strategy. When something
gets into your Enterprise, it means that the attacker's technology is
superior to yours. It means the attacker has bypassed your security systems
and is now on the inside. That is the ground truth intelligence that HBGary
can provide you - a hard fact about who is in your network right now,
stealing from you right now.

----

Other:

Kneber Botnet: http://hbgary.anonleaks.ch/greg_hbgary_com/19210.html

...
whose tasks include searching through the computer hard drive for
Word, Excel and PDF documents and sending them to a server located in
Belarus
...
This underscores my stance that "it doesn't matter who is at the other
end of the keyboard" - when there is direct interaction with the host
the compromise should be classified as APT. Most of the stuff attacking
your network is not in this category - about 80% is external
non-targeted, which most people associate with botnets. These
attacks, once analyzed, will not show any interaction with the host -
they are hard coded to steal credentials and such, and for the most
part haven't done any damage. However, around 2-3% of these
infections reveal interaction with the host - this means a command
shell was launched and commands were typed, extra utilities were
downloaded to the host and used, etc. Now everything is different; I
suggest that in this case you have no choice but to treat this as APT.
It doesn't matter if the hacker at the other end of the keyboard is
Russian or Chinese. If you must adhere to the strictest definition of
APT=CSST (Chinese State Sponsored Threat) you still have to consider
the underground market of information trade and access trade. The
hacker may be Eastern European, but the data can still reach the PRC.
The key differentiator between non-targeted and targeted is
interaction with the host. You can detect interaction primarily
through timeline analysis on the target machine. I should mention
that I have analyzed many different botnet infections and found that
the botnet malware contains capability to interact with the host, even
remote control and shells, but that no evidence of such interaction
was found forensically on the machine - so in this case I wouldn't
consider the attack targeted unless I already knew one of the threat
groups were using it (or found the same malware elsewhere on the
network in conjunction with said interaction). Finally, if I find a
RAT (Remote Access Tool) then the attack is targeted - RATs are
designed for one purpose only, direct targeted interaction with the
host. Making the call is important, because external non-targeted
attacks should take your response team no more than 15 minutes/machine
to deal with, while a targeted compromise will consume 4 hours or
more/machine - sometimes days/machine if a great deal of evidence is
uncovered. Managing this time is one of the most important challenges
for an IR team, as cost is everything at the end of the day.

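The triage rule in the email above (targeted if a host timeline shows a human interacting with the box: a shell launched, extra utilities downloaded, a RAT present; non-targeted if it shows only automated credential theft), as an added worked example that is not part of the pastebin or of any HBGary tool. The timeline line format, the event categories and the two sample timelines are constructed for this example; the effort figures are the email's 15 minutes and 4 hours per machine.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Event:
    ts: datetime
    kind: str      # "process", "file" or "network" (assumed categories)
    detail: str    # free text as a timeline tool might emit it

@dataclass
class Verdict:
    targeted: bool = False
    indicators: list = field(default_factory=list)
    est_hours_per_machine: float = 0.25   # email: ~15 min for non-targeted

SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}

def parse_timeline(text):
    """Parse constructed 'ISO-8601|kind|detail' lines into Events, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split("|", 2)
        events.append(Event(datetime.fromisoformat(ts), kind.strip(), detail.strip()))
    return sorted(events, key=lambda e: e.ts)

def triage(events, infection_time):
    """Apply the interaction-with-host test to events at or after infection_time."""
    v = Verdict()
    for e in events:
        if e.ts < infection_time:
            continue                 # pre-infection activity is not attacker interaction
        d = e.detail.lower()
        words = set(re.findall(r"[a-z]+", d))
        tokens = d.split()
        exe = re.split(r"[\\/]", tokens[0])[-1] if tokens else ""   # basename of first token
        if e.kind == "process" and exe in SHELLS:
            v.indicators.append(f"{e.ts:%H:%M} shell launched: {e.detail}")
        elif e.kind == "file" and "downloaded" in words and exe.endswith(".exe"):
            v.indicators.append(f"{e.ts:%H:%M} extra utility downloaded: {e.detail}")
        elif "rat" in words or "poison ivy" in d:
            v.indicators.append(f"{e.ts:%H:%M} RAT present: {e.detail}")
    if v.indicators:
        v.targeted = True
        v.est_hours_per_machine = 4.0    # email's floor for a targeted compromise
    return v

def response_budget(verdicts):
    """Total analyst hours the email's per-machine figures imply for a set of hosts."""
    return sum(v.est_hours_per_machine for v in verdicts)

# Constructed timelines (not real cases). Both hosts were infected at 09:00.
INFECTED_AT = datetime(2011, 8, 25, 9, 0)
BOT_ONLY = """
2011-08-25T08:55:00|process|outlook.exe opened invoice.pdf.exe
2011-08-25T09:00:00|process|svchost.exe injected by invoice.pdf.exe
2011-08-25T09:00:30|network|svchost.exe beacon to dropsite 203.0.113.5:8080
2011-08-25T09:01:00|file|ff_creds.dat written by svchost.exe
"""
HANDS_ON = BOT_ONLY + """
2011-08-25T09:12:00|process|cmd.exe spawned by svchost.exe
2011-08-25T09:13:10|process|net.exe view /domain
2011-08-25T09:15:00|file|nc.exe downloaded to c:\\windows\\temp by cmd.exe
"""

if __name__ == "__main__":
    for name, tl in (("bot-only host", BOT_ONLY), ("hands-on host", HANDS_ON)):
        v = triage(parse_timeline(tl), INFECTED_AT)
        print(name, "targeted" if v.targeted else "non-targeted", v.indicators)
```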
---

Massive RSA PDF: http://hbgary.anonleaks.ch/greg_hbgary_com/6590.html

-----

Everything Soysauce: http://hbgary.anonleaks.ch/aaron_hbgary_com/15661.html http://hbgary.anonleaks.ch/greg_hbgary_com/26996.html

---

Government CIO Summit: http://hbgary.anonleaks.ch/aaron_hbgary_com/14119.html

Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) - Rick Holgate, CIO
Bureau of Economic Analysis - Alan Lorish, CIO
Bureau of Land Management - Ronnie Levine, CIO
CA National Guard - Lt Col Keith Tresh, CIO
Cook County Government Chicago, Illinois - Antonio Allan Hylton, CIO
Cook County, Illinois - Antonio Hylton, CIO
Department of Agriculture - Chris Smith, CIO
Department of Commerce - Suzanne Hilding, CIO
Department of Education - Danny Harris, CIO
Department of Homeland Security - Joe Jarzombek, Director of Software Assurance
Department of Homeland Security/TSA - Margie Graves, Deputy CIO
Department of Housing & Urban Development - Jerry Williams, CIO
Department of Justice - Vance Hitch, CIO
Department of State - Gary Galloway, Deputy Director of the Office of Information Assurance
Department of State - Charles Wisecarver, Deputy CIO for Operations and CTO
Department of the Army - Michael Krieger, Deputy CIO
Department of Transportation (DOT) - Jackie Patillo, Deputy CIO
Department of Transportation (DOT) - Nitin Pradhan, CIO
Deputy CTO for Open Government - Beth Noveck
Environmental Protection Agency - Myra Galbreath, Acting CTO
Federal Aviation Administration - Dave Bowen, CIO
Federal Housing Finance Agency - Kevin Winkler, CIO
Federal Reserve Board - Maureen Hannan, CIO
Federal Trade Commission - Stan Lowe, CIO
FERC (Federal Energy Regulatory Commission) - Sanjay Sardar, Deputy CIO
Florida Board of Governors - Ramon Padilla Jr., CIO | AST Vice Chancellor
General Services Administration (GSA) - Casey Coleman, CIO
Hidalgo County, TX - Renan Ramirez, CIO
Institute of Museum and Library Sciences - Derek Scarborough, CIO
Library of Congress - James Gallagher, Director, Information Technology Services
NASA - Jerry L. Davis, Deputy CIO
NASA - Linda Cureton, CIO
NASA Ames Research Center - Chris Kemp, CIO
NASA Glenn Research Center - Sasi Kumar Pillay, CIO
National Archives and Records Administration - Martha Morphy, CIO
National Institutes of Health (NIH) - Kathryn Wimsatt, Executive Officer for Center for Information Technology
National Transportation Safety Board - Bob Scherer, CIO
Office of Government Ethics (OGE) - Ty Cooper, CIO
Small Business Administration - Robert Naylor, CIO
Smithsonian Institution - Ann Speyer, CIO
Social Security Administration - Franklin Baitman, CIO
State of Missouri - Dan Lohrman, State CTO
State of Missouri - Ken Thesis, State CIO
State of New York - Melodie Mayberry-Stewart, CIO
State of Ohio - Sam Orth, CIO
State of Ohio Office of Budget & Management - Kumar Rachuri, CIO
State of Utah - Stephen Fletcher, CIO
U.S. Postal Service - John Edgar, VP IT Solutions
United States Cyber Security Coordinator - Howard Schmidt
US Department of Energy - Pete Tseronis, Deputy Associate CIO
US Patent and Trademark Office - John B. Owens, CIO
Veterans Affairs - Roger Baker, CIO