UNCLASSIFIED//FOUO

Defense Security Service
Cybersecurity Operations Division, Counterintelligence

DSS Mission
DSS supports national security and the warfighter, secures the nation's technological base, and oversees the protection of U.S. and foreign classified information in the hands of industry.

CI Mission
DSS CI identifies unlawful penetrators of cleared U.S. defense industry and articulates the threat for industry and government leaders.

Scope
- 10K firms, 13K facilities, 1.2M personnel
- 1 CI professional per 261 facilities
- 10.5% of facilities report

Capability
o (U) 11 personnel conducting analysis, liaison, field support, strategic development and program management
o (U) Wide range of skill sets: CI, CT, LE, Cyber Security, Intel, IA, CNO and more
o (U) Direct access to cleared industry across 25 DSS field offices nationwide
o (U) Large roles at U.S. Cyber Command, National Security Agency, National Cyber Investigative Joint Task Force and the Department of Homeland Security

Challenges
o (U) Secure sharing of threat information with industry partners
o (U) Identifying and reporting suspicious network activity
o (U) Limited resources to execute a rapidly expanding mission area

Significant Achievements and Notable Events
o (U) Since September 2009: assessed over 3,000 cyber-related suspicious contact reports from industry and the Intelligence Community, facilitating action on over 170 federal investigations and operations
o (U) Developed four benchmark product lines for industry and the Intelligence Community, including the 3rd edition of the DSS Cyber Trends
o (U) Briefed at 24 venues to over 1,000 personnel in FY12 on the cyber threat
o (U) In FY12, delivered over 350 threat notifications to industry detailing adversary activity occurring on their networks

SCR Assessment Life Cycle
[Diagram: Suspicious Contact Report (SCR) assessment life cycle with the stages Educate, Collect, Report, Analyze, Refer, Exploit]
Threat
o (U) Fundamental building block of industry intelligence analysis
o (U) Highlights various methods of contact and approach
Exploit
o (U) Provides vital insight to military programs and key facility programs

Evaluating Suspicious Contacts
Method of Operation
o Attempted Acquisition of Technology
o Conferences, Conventions, Trade Shows
o Criminal
o Exploitation of Relationships
o Seeking Employment
o Solicitation or Marketing Services
o Student Requests / Academic Solicitation
o Suspicious Network Activity
Collector Affiliation
o Commercial, Government, Government Associated, Individual
Technologies and Programs Targeted
o Military Critical Technology List

Way Ahead
o (U) Continue to grow and expand DSS's cyber capability
o (U) Increase opportunities for sharing of timely threat information and actionable data
o (U) Continue to build partnerships throughout cleared industry, intelligence and federal government communities

BREAK

Defense Security Service
(U) Cyber Threats to the Defense Industrial Base

(U) Agenda
o (U) Fiscal Year 2012 Industry Cyber Reporting
o (U) Threat Overview
o (U) Where We Are Vulnerable
o (U) Methods of Operation
o (U) A New Approach to Threat Modeling
o (U) Reporting
o (U) Getting Ahead

(U) FY12 Industry Cyber Reporting
o (U//FOUO) 1,678 suspicious contact reports (SCRs) categorized as cyber incidents (up 102% from FY11)
o (U//FOUO) 1,322 of these were assessed as having a counterintelligence (CI) nexus or were of some positive intelligence (PI) value (186% increase from FY11)
o (U//FOUO) 263 were categorized as successful intrusions (78% increase from FY11)
o (U//FOUO) 82 SCRs resulted in an official investigation or operation by an action agency (37% increase from FY11)

(U) FY12 Technologies Targeted by Cyber
[Pie chart: categories Information Systems, Aeronautics, Marine Systems, Information Security, Space Systems, Lasers/Optics/Sensors, Other, Unknown; the percentage labels (64%, 8%, 8%, 6%, 5%, 4%, 3%, 2%) cannot be matched to categories in the OCR]

(U) FY12 Cyber Incident by Category
[Pie chart: categories Unsuccessful Attempt, Root Level Intrusion, Suspicious Network Activity, Exploitation, User Level Intrusion, Reconnaissance, Malicious Logic; the percentage labels (66%, 13%, 13%, 6%, 1%, 1%) cannot be matched to categories in the OCR]

(U) Cyber Threats
o (U) Nation states / foreign governments
o (U) Terrorist groups, extremists, sympathizers
o (U) Insiders
  o (U) Recruited
  o (U) Disgruntled employee
o (U) Hackers / criminals
  o (U) Organized / individuals

(U) Where We Are Vulnerable
(U) Bottom Line Up Front: Everywhere
o (U) Application vulnerabilities (e.g., Internet Explorer, Adobe)
o (U) Operating systems
o (U) Web-based applications (e.g., JavaScript, Flash)
o (U) Removable media
o (U) Network-enabled devices
o (U) The end user

(U) Methods of Operation
o (U) Open source research
o (U) Passive collection
(U) Vulnerabilities and exploits
o (U) Socially engineered email attacks
o (U) 0-Day (Zero Day) application vulnerabilities
o (U) Credentials
o (U) Exploitation of trusted relationships (IT)
o (U) Poor security practices / configurations
o (U) Lack of end user education

(U) Threat Modeling
(U) The model for handling threats MUST change. "Conventional incident response methods fail to mitigate the risk posed by APTs because they make two flawed assumptions: response should happen after the point of compromise, and the compromise was the result of a fixable flaw."
o (U) Intelligence-driven computer network defense is a necessity
o (U) Address the threat component of risk, incorporating adversary analysis: their capabilities, objectives, doctrine and limitations

(U) Threat Modeling (continued)
(U) Intrusions must be studied from the adversary's perspective, analyzing the kill chain to inform actionable security intelligence.
(U) An adversary must progress successfully through each stage of the chain before it can achieve its desired objective.
[Diagram: kill chain stages Recon, Weapon, Delivery, Exploit, Install, Command and Control, Actions on Objectives]
(U) Just one mitigation disrupts the chain and the adversary.

(U) Threat Modeling (continued)
(U) Moving detection and mitigation to earlier phases of the kill chain is essential in defending today's networks.
[Diagram: kill chain stages Recon, Weapon, Delivery, Exploit, Install, Command and Control, Actions on Objectives]

(U//FOUO) Why Your Reporting Matters
o (U//FOUO) Reporting establishes and/or confirms Foreign Intelligence Entities' activities throughout industry
o (U//FOUO) Provides leads for investigations and operations
o (U//FOUO) Provides high quality information to the Intelligence Community
o (U//FOUO) Provides valuable information that aids the Intelligence Community in articulating the threat to the highest levels of the U.S. Government
o (U//FOUO) Stolen unclassified DoD / U.S. Government data aids the adversary strategically, operationally, tactically, diplomatically, economically, in research and development, etc.

(U) Getting Ahead
o (U) Your DSS Community: ISR, ISSP, FCIS
o (U) Community Partnerships
o (U) Analytical Products
  o (U) SCR Responses, Cyber Activity Bulletin, Cyber Threat Advisories, Cyber Special Assessments, Crimson Shield, Scarlet Sentinel, Annual Cyber Trends
o (U) Homeland Security Information Network (HSIN)
o (U) DSS Cyber Security web-based training
  o http://www.dss.mil/cdse/catalog/counterintelligence.html
  o http://cdsetrain.dtic.mil/cybersecurity

BREAK

Defense Security Service
(U) Spear Phishing and Malware Submissions

Sample 1 (annotated screenshot)
To: [USPER]
From: [USPER]@gmail.com (display name spoofed as a cleared contractor employee)
Recipient: Cleared Contractor A
Sent: Wednesday, September 12, 2012, 7:36 AM
Subject: Pay Raise

Dear ,
Given your recent excellent performance, We decided to increase your salary. Please access the Salary at the link below.
[condensed URL containing the cleared contractor facility name]
Thank You,
[Cleared USPER], CFO
Email: [USPER]@gmail.com
Phone: [cleared contractor's exact number]

Annotations:
o Malicious hyperlink: attempts to entice the recipient to click by adding the cleared contractor facility name. Note: the adversary used a condensed (shortened) URL to obfuscate the true malicious hyperlink.
o Signature: spoofed cleared contractor name; the adversary attempted to use the exact signature block, but the Gmail address stood out.
o (U) When the condensed URL is clicked, the user is redirected to a link that hosts a suspected malicious file, Pay_Raise.zip (the URL is only partially legible in the OCR: "M9 8 8 7AikxyLIj Pay_Raise zip download psid l 2").
o Threat Advisory TA 12-020 was created on this incident (found on the HSIN portal).

Sample 2 (annotated screenshot)
To: [USPER]
Recipient: Cleared Contractor
From: Danny Cho@email com (originating email address, as rendered in the OCR)
Sent: Tuesday, October 15, 2012
Subject: The New Strategic Pricing Capability

All
attached is an advance copy of the PowerPoint slides for The New Strategic Pricing Capability
Thanks
Danny

Annotations:
o Note the punctuation errors.
o Included a malicious attachment ("The New Strategic Pricing" PowerPoint).
o When the PPT is opened, the system is compromised and beacons to a malicious URL (not legible in the OCR).
o The email header provided the originating email address, which had been linked to nation state actors.
o Details of the incident were provided in the Cyber Activity Bulletin of 9 Nov 2012.

Sample 3 (annotated screenshot)
To: [USPER]
Recipient: Cleared Contractor
From: Aimm isiraiyal28@gmail com (originating email address, as rendered in the OCR)
Sent: Sunday, October 30, 2012
Subject: REQUEST FOR VISIT

Body of email:
Password lqaz@WSX
please refer to the attached document for details
Regards
Aimee

Annotations:
o Included a malicious (zipped) attachment.
o Note the punctuation errors.
o The email is not addressed to the individual.
o When the zipped file is opened, the system is compromised and beacons to two command and control (C2) domains. The C2 domains have been linked to nation state actors.
o Details of the incident were provided in the Cyber Activity Bulletin of 26 Oct 2012.

Malware submission via AMRDEC SAFE (Safe Access File Exchange): screenshot walkthrough (browser chrome omitted)

Upload form (UNCLASSIFIED USE ONLY, TO INCLUDE PRIVACY DATA)
Personal Information:
o Your Name
o Your Email Address
o Confirm Your Email Address
File Information:
o Files (25 maximum; total size cannot exceed ...)
o File(s) Deletion Date (11/07/2012 shown; max is 14 days from today)
Recipient Information:
o Provide an email address to give access to / Grant access to these people (Manually Enter Email Address): jon.stevenson@dss.mil
Email Settings:
o Caveats: NONE / FOUO / Other
o Encrypt email message when possible
o Notify me when files are downloaded
o Require CAC for pick-up (all recipients will need to log in with a CAC to download files)
File Submission

SAFE Usage Policy (displayed on the form):
"I understand that the SAFE application is intended for [illegible] AMRDEC [illegible] and that it is NOT to be used for transferring personal files or any classified material. I further understand that this is a Department of Defense interest computer system. All interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. If monitoring of this or any other interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. Use of this computer system constitutes a consent to monitoring at all times. If monitoring reveals possible criminal activities or violations of security regulations, appropriate disciplinary action will be taken."

Upload confirmation page:
"IMPORTANT: Your files cannot be downloaded by recipients until you verify your email address. Please check your email for further instructions. The files were successfully uploaded. You will receive a confirmation email shortly."
Information on the uploaded file: File Name [illegible]; File Size 27 KB (.doc); Total 27 KB.

Verification email:
From: WEBTeam@amrdec.army.mil
Sent: Wednesday, October 24, 2012, 2:27 PM
To: Recipient
Subject: VERIFICATION IS REQUIRED - AMRDEC Safe Access File Exchange Submittal Notice - VERIFICATION IS REQUIRED
Importance: High

Please note: IAW Para [illegible] and 4-12 c, AR 25-2, it is a violation of SAFE security policy to share/forward Package passwords. You must contact the Package originator to have the Package re-sent via SAFE to other users.

Your Package has not yet been sent. You MUST verify your email address in order for your recipients to download the file(s). Please use the link below to login and verify that you are the sender of this package.
[AMRDEC SAFE: Click Link to Verify Email Address]
If you did not send these files, please notify WebTeam@amrdec.army.mil ASAP.

You have uploaded the following file(s): "This is a test file for Christina" by Christina
Package ID: 835595
The file will be available until 11/7/2012.
You can check the status of the files uploaded at AMRDEC SAFE.
The Password is: BGyB 7t# de5v 9 (Password Needed)

NOTICE: This e-mail message is intended solely for the use of the addressee. If the reader of this message is not the intended recipient, you are hereby notified that any reading, dissemination, distribution, copying or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately. Thank you. Message may be forwarded to webteam@amrdec.army.mil for technical support.

AMRDEC SAFE - Check Status page:
Note: This page is only for checking the package status. You cannot download files from this page. To check the status of your package, enter your password.

AMRDEC SAFE - Status page:
This package has not yet been sent. You must verify your email address by clicking the button below.

AMRDEC SAFE - Status page (after verification):
Package ID: 679357
Sender's Name / Sender's Email: [blank in the OCR]
Date Uploaded: 8/1/2012 10:53:02 AM
Description: test
Delete Date: 8/15/2012
File(s): .doc, 27 KB; Privacy Act Data: No
Options: Upload more files to Package; New Recipient; Resend Delivery Notice To: --Select Option--

Questions: Jon Stevenson, jon.stevenson@dss.mil
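The three spear-phishing samples above share the indicators the deck annotates: an insider persona sent from a webmail address, a condensed URL, a greeting that does not name the recipient, an attachment password placed in the body, and an archive or Office attachment from outside the organisation. The Python below is an added example (not part of the DSS deck) that turns those indicators into a triage check and runs it over constructed messages modelled on the samples; the contractor domain contractor-a.example, the addresses and the shortened URL are assumptions.

```python
import re

# Added example, not from the DSS deck. Assumption: the contractor's real mail domain is
# contractor-a.example; every address, name and URL below is constructed.
INTERNAL_DOMAIN = "contractor-a.example"
WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "email.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
RISKY_EXT = (".zip", ".rar", ".exe", ".scr", ".ppt", ".pps", ".doc", ".xls")
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
ROLE_RE = re.compile(r"\b(cfo|ceo|hr|payroll)\b")

def triage(display_name, sender, recipient_name, body, attachments=()):
    """Return the lure indicators highlighted in the deck that one message exhibits.
    display_name/sender come from the From header; recipient_name is the mailbox owner's first name."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    text = body.lower()
    # 1. Insider persona (company in display name or executive role in body) but a webmail sender.
    if domain in WEBMAIL and (INTERNAL_DOMAIN.split(".")[0] in display_name.lower()
                              or ROLE_RE.search(text)):
        flags.append("insider persona from webmail address")
    # 2. Condensed URL obscuring the real destination.
    if any(h.lower() in SHORTENERS for h in URL_RE.findall(body)):
        flags.append("shortened URL in body")
    # 3. Greeting line does not name the recipient ("Dear ,", "All,", or no greeting at all).
    if recipient_name.lower() not in (text.strip().splitlines() or [""])[0]:
        flags.append("not addressed to the individual")
    # 4. Attachment password supplied in the body (lets an archive pass gateway scanning).
    if re.search(r"password\s*[:=]?\s*\S+", text):
        flags.append("attachment password in body")
    # 5. Archive or Office attachment from outside the organisation.
    if domain != INTERNAL_DOMAIN and any(a.lower().endswith(RISKY_EXT) for a in attachments):
        flags.append("risky attachment from external sender")
    return flags

SAMPLES = {  # constructed; modelled on the three lures above, plus one benign control
    "pay_raise": ("Contractor-A CFO", "jdoe.cfo@gmail.com", "Christina", "Dear ,\nGiven your recent "
        "excellent performance, we decided to increase your salary. Please access the Salary at the "
        "link below.\nhttp://bit.ly/xyz\nThank You,\nJ. Doe, CFO\nEmail: jdoe.cfo@gmail.com"),
    "pricing": ("Danny Cho", "danny.cho@email.com", "Christina", "All,\nattached is an advance copy "
        "of the PowerPoint slides for The New Strategic Pricing Capability\nThanks Danny",
        ["The New Strategic Pricing.ppt"]),
    "visit": ("Aimee", "aimee28@gmail.com", "Christina", "Password: lqaz@WSX please refer to the "
        "attached document for details\nRegards, Aimee", ["REQUEST FOR VISIT.zip"]),
    "benign": ("Pat Lee", "pat.lee@contractor-a.example", "Christina",
        "Hi Christina,\nThe review slides are on the internal share.\nPat"),
}

def triage_all():
    return {name: triage(*args) for name, args in SAMPLES.items()}
```

Each sample trips two or three of the five checks while the internal control trips none; in practice the flags would feed the SCR write-up rather than block mail on their own.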
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone: 202-994-7000. Fax: 202-994-7005. nsarchiv@gwu.edu