Manned Information Security
Adversary Pursuit and Active Network Defense
root9b Technologies (RTNB)
Presented By: John Harbaugh, COO
CONFIDENTIALITY NOTICE
This briefing, including any attachments, is for the sole use of the intended recipients and contains proprietary information. Any unauthorized review, use, disclosure or distribution is prohibited.
Who We Are
root9b is a global cybersecurity leader founded on the principles of technical innovation, tailored operations and professional excellence.
Advanced cyber operations, tactics, development and training for Commercial, Department of Defense and Law Enforcement organizations worldwide.
o TS//SCI cleared personnel
o Innovative TTP Development
o National-level research
o Strategic Partnerships
o Community Contributor
Staffed with certified Department of Defense Computer Network Operations (CNO) operators, granting unparalleled vision, expertise, and experience.
Established agile principles allow quick response to a dynamic cybersecurity market.
Corporate Locations
o Colorado Springs, Colorado
o San Antonio, Texas
o New York, New York
o San Diego, California
o Charlotte, North Carolina
o Herndon, Virginia
o Honolulu, Hawaii
State-of-the-art training
Cyber Range Support
Forensic Laboratory
Strategic positioning across advanced technical operations.
Mobile Training Team (MTT) training suite prepared to serve training needs worldwide.
Advisory Board
Joseph J. Grano, Jr, Chairman & CEO, Premier Alliance
o Chairman and CEO of Centurion Holdings LLC
o Former Chairman and CEO of UBS Financial Services (formerly UBS PaineWebber)
o Former Chairman of the Board of Governors of NASD; Member, Executive Committee
o Former Chairman of the Homeland Security Advisory Council (2002-2005)
Richard A. Grasso
o Former NYSE chairman and chief executive officer (1995-2003)
Judge William Webster
o Chairman of the Homeland Security Advisory Council
o Former Director of the Federal Bureau of Investigation (1978-1987)
o Former Director of Central Intelligence (1987-1991)
Michele Malvesti (Chairperson)
o Former Senior Director, Combating Terrorism, National Security Council
o Vice President in the National Security Sector at Science Applications International Corporation (SAIC)
o Board member, Special Operations Warrior Foundation
Lewis Merletti
o Former Director of the United States Secret Service
o Special Agent in Charge, Presidential Protective Division
o Sergeant, Special Forces (Green Beret), United States Army
What We Do
Emerging Technologies: Focused on the development, prototyping and delivery of advanced technical capabilities and tools for Intelligence, Law Enforcement and Commercial organizations worldwide.
Cyber Operations: Focused on enabling full-spectrum cyber and active defense operations across Defense, Civil, Intelligence and Commercial organizations worldwide.
Training & Tactics: Focused on the development and delivery of operationally focused, advanced cyber, intelligence analysis, tool and tactics training to support offensive and defensive cyber personnel worldwide.
Threat Intelligence: Focused on the development and delivery of tactical, actionable cyber threat intelligence to drive near real-time adversary eradication from a client's enterprise.
Full Life Cycle Cyber & Intelligence Support Services
Our Philosophy
Cybersecurity is our mission, not just a capability.
We have a unique perspective, expertise, and experience with the most challenging missions.
We are innovative, agile, and committed to securing our nation.
Adaptive Threat Tailored Solutions
Cybersecurity Landscape
Global estimated losses from cyber attacks are more than $300 Billion USD annually.
U.S. losses are estimated between $24 and $120 Billion USD annually.
Estimated annual increase:
- Center for Strategic and International Studies (McAfee, 2013)
Cybersecurity Landscape
Malware is prevalent. And outpacing network defenses.
Cybersecurity Landscape
Malware Trends
[Chart: malware samples per day, Q1 2011 through Q2 2013; y-axis 0 to 250,000]
- McAfee, Symantec, Kaspersky Reports (2011-2013)
Cybersecurity Landscape
Known CVE Vulnerabilities
[Chart: disclosed vulnerabilities per year, 2003 through 2013; y-axis 0 to 60,000]
- Risk I/O (2013)
Cybersecurity Landscape
percent of cyber attacks take several months or years to remediate.
Cybersecurity Landscape
The average unknown vulnerability remains unidentified for 200-300 days.
How many exist that have yet to be discovered?
Cybersecurity Landscape
Current Defenses - Capabilities
Malware Analysis: 51%
Traffic Analysis: 41%
Rogue Device Scanning: 34%
IP Geolocation: 31%
Threat Intelligence Feeds: 30%
External Footprint Examination: 27%
Deep Packet Inspection: 27%
Don't Know / Not Sure: 25%
Threat Modeling: 21%
Advanced Techniques: 9%
- Annual PWC Report (2013)
Cybersecurity Landscape
We invest in hardware and rely on automated solutions to certify systems.
Cybersecurity Landscape
[Figure]
- EY, root9b (2012, 2014)
Cybersecurity Landscape
Traditional network security methodology (a cycle):
o Secure (Prepare for attack)
o Monitor (Identify, Detect and Analyze)
o Reaction (Contain, Eradicate, Recover, Reimage)
o Post-Incident (Postmortem, increase automation)
o Automate
Cybersecurity Landscape
Traditional passive defense is not sufficient. Things must be different.
Rethinking The Industry
The adversary is HUMAN.
o Understand the adversary
o Think like the adversary
o Maneuver like the adversary
Tailored and adaptive defenses
Adversary Pursuit Methodology
o Active defense
o Continuous network monitoring
o Actionable threat intelligence
o Looking for low and slow (stealthy) activity, vice already known indicators
Humans HUNTING Humans
Adversary Pursuit Center
o Centralized execution
o Centralized oversight
o Centralized control
o Supports decentralized and partnership-enabled operations
Integrated Operations Center
o Located in downtown Colorado Springs and San Antonio
o Hunt opportunities are not restricted to the business day: networks are always on, and the adversary is active 24/7
o No one is conducting remote 24/7 HUNT operations for industry
o Provides unique, client-specific threat intelligence opportunity
o Scales to support current and future requirements
o Develops, maximizes, and grows a community-restricted skillset
ORION Operations
o Aggressive platform for remote, real-time active defense operations
o Remote live memory analysis and enterprise-wide surveillance
o Supports onsite deployment and client-executed operations
o Tailored operational training