Cyber Genome Project

From Project PM

The Cyber Genome Project is an initiative of DARPA (Defense Advanced Research Projects Agency)[1] which, in conjunction with private contractors, aimed to analyse a broad range of data in order to create what was interpreted as a 'digital DNA' of the creator.[2] More recent information released from the Project clarifies the focus as analysing malware source code to gain information on its origins.[3] This 'malware' aspect was discussed by contractors HBGary and possible contracting partners in private emails during the bidding process.


Initial Announcement

On January 28, 2010, DARPA released the synopsis for a 'Cyber Genome Program' describing it as:

'...revolutionary cyber defense and investigatory technologies for the collection, identification, characterization, and presentation of properties and relationships from collected digital artifacts of software, data, and/or users to support DoD law enforcement, counter intelligence, and cyber defense teams.'[4]

The accompanying 49-page 'DARPA-BAA-10-36_Cyber_Genome _01.28.2010.docx' set out the requirements for potential private contractors in detail. There were three main 'Technical Areas of Interest' to the Project (the fourth, 'Other', was to support the broader aims of the Project):

Cyber Genetics (or TA1) - 'This technical area will identify the lineage and provenance of digital artifacts from the properties and behavior of the digital artifacts. Performers will develop automated technologies to gain a revolutionary understanding of the relationships between the elements of a set of artifacts, or to place artifacts into performer-defined categories.
Examples of revolutionary technologies include but are not limited to:
  • Creation of lineage trees for a class of digital artifacts to gain a better understanding of software evolution.
  • Identification and categorization of new variants of previously seen digital artifacts to reduce the threat of new “zero-day” attacks that are variants of previously seen attacks.
  • Determination or characterization of digital artifact developers or development environments to aid in software and/or malware attribution.'
Cyber Anthropology and Sociology (or TA2):
'This technical area will investigate the social relationships between artifacts, binaries, and/or users. Performers will develop automated technologies to gain a revolutionary understanding of the interactions between user, software, and/or other elements on a system or systems.
Examples of revolutionary technologies include but are not limited to:
  • Identification and/or validation of DoD users from their host and/or network behavior. “Something you do” may augment existing identification and/or authentication technologies to discover “insiders” within DoD networks with malicious goals or objectives.'
Cyber Physiology (or TA3):
'This technical area will investigate automated analysis and visualization of computer binary (machine language) functionality and behaviors (reverse engineering). Performers will develop technologies to conduct automated analysis of binary software of interest to assist analysts in understanding the software’s function and intent.
Examples of revolutionary technologies include but are not limited to:
  • Automatically generated execution trees from submitted malware that include automated analysis of software dependencies.'
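As an added illustration of the TA1 ideas quoted above (lineage trees for a class of artifacts, and recognising a new sample as a variant of something already seen by the code it reuses), and not code from DARPA, HBGary or any other contractor: the script below fingerprints each artifact by its set of 4-byte windows, scores pairs by Jaccard similarity, derives a parent for each sample from its most similar earlier sample, and lists the byte regions two samples share. All samples, timestamps and the 0.3 threshold are constructed for the example; the ASCII "code sections" stand in for the disassembled code or function-level features a real system would use.

```python
"""Code-reuse similarity between binaries: variant detection and lineage trees.
Added illustration for this page; not DARPA, HBGary or contractor code.
All samples below are constructed ASCII stand-ins for code sections."""


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Set of overlapping n-byte windows. Windows shared by two artifacts
    approximate reused code; real systems use disassembled opcode or
    function-level features, which this toy fingerprint stands in for."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Similarity of two fingerprints in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(x: bytes, y: bytes, n: int = 4) -> float:
    return jaccard(byte_ngrams(x, n), byte_ngrams(y, n))


def shared_regions(a: bytes, b: bytes, n: int = 4) -> list:
    """Maximal runs of `a` whose every n-byte window also occurs in `b`:
    the 'bits of old code' an analyst would inspect for reuse."""
    common = byte_ngrams(a, n) & byte_ngrams(b, n)
    regions, start = [], None
    for i in range(len(a) - n + 1):
        if a[i:i + n] in common:
            if start is None:
                start = i
        elif start is not None:
            regions.append(a[start:i + n - 1])
            start = None
    if start is not None:
        regions.append(a[start:])
    return regions


def classify(data: bytes, known: dict, threshold: float = 0.3, n: int = 4):
    """TA1 'variant of a previously seen artifact' check: return the closest
    known sample and its score when at or above threshold, else None."""
    if not known:
        return None
    fp = byte_ngrams(data, n)
    score, name = max((jaccard(fp, byte_ngrams(k, n)), nm) for nm, k in known.items())
    return (name, score) if score >= threshold else None


def lineage_tree(samples: dict, threshold: float = 0.3, n: int = 4) -> dict:
    """TA1 lineage tree: each sample's parent is its most similar strictly
    earlier sample scoring above threshold; samples without one are roots.
    samples: {name: (first_seen, bytes)} -> {name: parent name or None}."""
    prints = {nm: byte_ngrams(d, n) for nm, (_, d) in samples.items()}
    tree = {}
    for nm, (seen, _) in samples.items():
        parent, best = None, threshold
        for other, (oseen, _) in samples.items():
            if oseen >= seen:
                continue
            score = jaccard(prints[nm], prints[other])
            if score > best:
                parent, best = other, score
        tree[nm] = parent
    return tree


# Constructed "code sections"; the strings only describe what a routine does.
INIT = b"[init: unpack .text section with rolling xor]"
NET_V1 = b"[net: resolve host, open socket, beacon every 60s]"
NET_V2 = b"[net: resolve host, open socket, beacon every 300s, retry]"
PERSIST = b"[persist: copy self, register autorun entry]"
HASHAPI = b"[util: resolve api names by ror13 hash]"
OTHER1 = b"[main: enumerate files, compress, encrypt archive]"
OTHER2 = b"[io: mapped file writer with crc32 footer][cfg: parse ini, print summary]"

# name -> (first-seen order, bytes). Family A evolves over three releases;
# family B is separate but borrowed A's API-hashing routine; the last is unrelated.
SAMPLES = {
    "fam_a_v1": (1, INIT + NET_V1 + HASHAPI),
    "fam_a_v2": (2, INIT + NET_V1 + PERSIST + HASHAPI),
    "fam_a_v3": (3, INIT + NET_V2 + PERSIST + HASHAPI),
    "fam_b_v1": (2, OTHER1 + HASHAPI),
    "unrelated": (1, OTHER2),
}

if __name__ == "__main__":
    for child, parent in lineage_tree(SAMPLES).items():
        print(f"{child:10s} <- {parent or 'root'}")
    for region in shared_regions(SAMPLES["fam_b_v1"][1], SAMPLES["fam_a_v1"][1]):
        print("reused in fam_b_v1:", region.decode())
```

Run as a script it prints the tree (v2 descends from v1, v3 from v2, family B and the unrelated tool are roots) and the one region family B shares with family A, which is the borrowed API-hashing routine. The single shared routine scores well under the threshold, so B is correctly kept as a separate family while still exposing the reuse an analyst would want to see; in practice that threshold and the feature choice are what determine how many false "variants" a lineage system produces.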


Proposers' Day Workshop & Participants

The original 'Proposers' Day Workshop' on Feb 9, 2010 was 'cancelled due to inclement weather' and rescheduled for Feb 22. The event took place at 'Ballston Hilton, 950 North Stafford Street, Arlington, VA 22203 from 8:00 am to 6:00 pm EST' and DARPA described its purpose as:

' to provide information on the CYBER GENOME PROGRAM; promote additional discussion on this topic; address questions from potential proposers; and provide a forum for potential proposers to present their capabilities for teaming opportunities. This is the final Proposer's Day for the Cyber Genome Program.'[5]

DARPA employee Renee Moore ([email protected]) sent out an email to participants advising of the cancellation of the first 'Proposers' Day Workshop' on February 8.[6] She did not, however, 'Blind Carbon Copy' the participants. As noted by Greg Hoglund, founder and current CEO of HBGary, in an email to colleagues[7] - "Looks like she screwed up. Lol..."

The participants were:

  • '[email protected]'<[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • [email protected] <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]' <[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]'<[email protected]>
  • '[email protected]'<email@stefanoforesti.com>
  • 'matthew_elder@symantec.com'<matthew_elder@symantec.com>
  • 'raj.rajagopalan@hp.com'<raj.rajagopalan@hp.com>
  • 'troy.swinehart@sypris.com'<troy.swinehart@sypris.com>
  • 'hal.aldridge@sypris.com'<hal.aldridge@sypris.com>
  • 'gshannon@setcorp.com' <gshannon@setcorp.com>
  • 'vijay@ciphersolutions.com' <vijay@ciphersolutions.com>
  • 'george@roguegenius.com' <george@roguegenius.com>
  • 'patrick.w.phillips@saic.com' <patrick.w.phillips@saic.com>
  • 'richard.arnold@macb.com' <richard.arnold@macb.com>
  • 'preston.werntz@dhs.gov' <preston.werntz@dhs.gov>
  • 'dihrie@semandex.net'<dihrie@semandex.net>
  • 'jason.upchurch@gd-ais.com'<jason.upchurch@gd-ais.com>
  • 'danstevenson@rti.org' <danstevenson@rti.org>
  • 'michael.harbison@gd-ais.com' <michael.harbison@gd-ais.com>
  • 'harold.Rodriguez@gd-asi.com' <harold.Rodriguez@gd-asi.com>
  • 'mccusker@sonalysts.com' <mccusker@sonalysts.com>
  • 'scottso@sonalysts.com' <scottso@sonalysts.com>
  • 'marc.zbinden@nisc-llc.com' <marc.zbinden@nisc-llc.com>
  • 'patrick@tripledex.com' <patrick@tripledex.com>
  • 'ebasu@sentekglobal.com'<ebasu@sentekglobal.com>
  • 'kevin.morrison@parsons.com'<kevin.morrison@parsons.com>
  • 'ltinnel@globalinfotek.com'<ltinnel@globalinfotek.com>
  • 'rick.mcgeer@hp.com' <rick.mcgeer@hp.com>
  • 'stephen.barish@macb.com' <stephen.barish@macb.com>
  • 'patrick.crago@nisc-llc.com' <patrick.crago@nisc-llc.com>
  • 'dxu@cs.purdue.edu' <dxu@cs.purdue.edu>
  • 'dave_m_gursky@raytheon.com'<dave_m_gursky@raytheon.com>
  • 'guttman@us.ibm.com' <guttman@us.ibm.com>
  • 'toweissy@vt.edu' <toweissy@vt.edu>
  • 'ccramer@siginnovations.com'<ccramer@siginnovations.com>
  • 'lkennedy@siginnovations.com'<lkennedy@siginnovations.com>
  • 'lbengfort@cengen.com'<lbengfort@cengen.com>
  • 'lkain@cra.com' <lkain@cra.com>
  • 'aghosh1@gmu.edu' <aghosh1@gmu.edu>
  • 'joshua.davis@gtri.gatech.edu'<joshua.davis@gtri.gatech.edu>
  • 'zmitchell@logostech.net'<zmitchell@logostech.net>
  • 'j@appranger.com' <j@appranger.com>
  • 'kane@referentia.com' <kane@referentia.com>
  • 'jsmith@referentia.com'<jsmith@referentia.com>
  • 'twilliams@referentia.com'<twilliams@referentia.com>
  • 'dchang@referentia.com'<dchang@referentia.com>
  • 'kphillips@overwatch.textron.com'<kphillips@overwatch.textron.com>
  • 'sdynes@dartmouth.edu'<sdynes@dartmouth.edu>
  • 'michael.collins@redjack.com'<michael.collins@redjack.com>
  • 'greg.virgin@redjack.com'<greg.virgin@redjack.com>
  • 'john.mchugh@redjack.com'<john.mchugh@redjack.com>
  • 'jeff.janies@redjack.com'<jeff.janies@redjack.com>
  • 'sang.chin@jhuapl.edu' <sang.chin@jhuapl.edu>
  • 'paul.b.jaynes@raytheon.com' <paul.b.jaynes@raytheon.com>
  • 'rlinge@sei.cmu.edu' <rlinge@sei.cmu.edu>
  • 'soswald@sigovs.com'<soswald@sigovs.com>
  • 'kppande@msn.com' <kppande@msn.com>
  • 'steve@atc-nycorp.com' <steve@atc-nycorp.com>
  • 'hinoue@atc-nycorp.com'<hinoue@atc-nycorp.com>
  • 'jadavis4@rockwellcollins.com'<jadavis4@rockwellcollins.com>
  • 'tburgess@securedsciences.com'<tburgess@securedsciences.com>
  • 'jeehye@securedsciences.com'<jeehye@securedsciences.com>
  • 'walczak@avi.com' <walczak@avi.com>
  • 'caguerreri@gmail.com' <caguerreri@gmail.com>
  • 'raj.kant@baesystems.com'<raj.kant@baesystems.com>
  • 'rlevy@i-a-i.com' <rlevy@i-a-i.com>
  • 'ONeillDon@aol.com' <ONeillDon@aol.com>
  • 'Rod.Tjoelker@Boeing.com'<Rod.Tjoelker@Boeing.com>
  • 'dmatsunaga@referentia.com'<dmatsunaga@referentia.com>
  • 'gratson@research.ge.com'<gratson@research.ge.com>
  • 'matarazzo1@llnl.gov' <matarazzo1@llnl.gov>
  • 'christian.espinosa@eads-na-security.com'<christian.espinosa@eads-na-security.com>
  • 'geaton@milcord.com'<geaton@milcord.com>
  • 'tom@mccabetech.com' <tom@mccabetech.com>
  • 'pc@mitre.org' <pc@mitre.org>
  • 'michael.zeberlein@harris.com'<michael.zeberlein@harris.com>
  • 'sbarnum@cigital.com'<sbarnum@cigital.com>
  • 'evans@ge.com' <evans@ge.com>
  • 'judith.c.spering@boeing.com' <judith.c.spering@Boeing.com>
  • 'philippe.byrnes@ddefend.com' <philippe.byrnes@ddefend.com>
  • 'adinaburg@sigovs.cm' <adinaburg@sigovs.cm>
  • 'christopher.jones@harris.com' <christopher.jones@harris.com>
  • 'kvanbure@harris.com' <kvanbure@harris.com>
  • 'fpound@sigovs.com'<fpound@sigovs.com>
  • 'roelker@gmail.com' <roelker@gmail.com>
  • 'pwilson@securedsciences.com' <pwilson@securedsciences.com>
  • 'adahnert@overwatch.textron.com' <adahnert@overwatch.textron.com>
  • 'Brian.Masterson@ngc.com' <Brian.Masterson@ngc.com>
  • 'irby@pikewerks.com'<irby@pikewerks.com>
  • 'melski@grammatech.com' <melski@grammatech.com>

Project 'Q & A'

In an announcement on March 10, 2010, DARPA extended the deadline for 'proposals' from private contractors. It also released a 'Q & A' document which, presumably, addressed questions that had been raised by contractors during the 'Proposers' Day Workshop' and other contact.[8] Of note:

20. What interests does DARPA have related to establishing the lineage of documents, as opposed to malware?
'DARPA is interested in the challenges associated with malware. Performers may suggest other classes of documents or files and must demonstrate why this is a Department of Defense (DoD) problem in the proposal.'


26. Would a record of a reputation metric associated with a network entity (e.g., domain name, etc.) meet the definition of an artifact? For example, would a history of activity associated with an IP address, where that history may be in form of a Web-accessible database record or 'threat intelligence alert' be considered an artifact?
'Yes.'


27. Would a blog post describing entities and associations be considered an artifact?
'Yes.'


45. What is a reasonable start time for this effort?
'DARPA intends to have performers on contract on or about July 1, 2010.'


HBGary Emails

The following exchange between Aaron Barr, CEO of HBGary, and colleague Bob Slapnik, Vice-President of Sales, indicates that the company's main focus was TA1 'Cyber Genetics', as they believed that they had already developed the software required for TA3 'Cyber Physiology'.

Aaron,

I would be impressed if DARPA chooses to fund no one on TA3 due to our largely solving the problem.
After all, they say they want to fund things that industry wouldn't otherwise take on.
But if they fund somebody else for TA3 who is starting from scratch then they would be proving they
have their heads up their butts.

Fingers crossed for TA1.......

Bob

Three was about automated malware analysis which our approach was through a genome,
fuller execution tracing, and reasoning models.

-Aaron

The emails indicate that HBGary submitted proposals to DARPA for both TA1 & TA3, with discussions taking place with a variety of potential partners.

In a 'Statement of Work' (SoW) 'developed for the DARPA Cyber Genome (DCG) Program' HBGary lists the following contracting partners[.DOC][9]:

HBGary also teleconferenced with General Dynamics Advanced Information Systems on Feb 05, 2010.[10] And there is evidence of email discussions with Cobham Analytic Solutions and Harris Corporation.

They also worked on their TA3 proposal with 'MB Toth' of R.B. Toth Associates of Oakton, Virginia.[11]

HBGary's proposal to DARPA for Technical Area III: Cyber Physiology.[PDF][12]


Successful Contractors

An HBGary email exchange regarding another DARPA project (CINDER) indicates that QinetiQ put forward the successful proposal for TA3:

Aaron, Ted:

The CINDER proposal was successfully submitted to DARPA this morning.  Thanks for your quick    
response to the data calls and technical support on the proposal effort – we’re all looking 
forward to the win party….

Vernon.

Vernon R Joyner
Director, Business Development
Mission Solutions Group, Qinetiq North America
Office:   703.852.3583
Mobile:  703.310.9752
Vernon.Joyner@QinetiQ-NA.com

Hi Vernon,

Do you have any estimates on award date for CINDER?  Also if you don't mind me asking which   
technical area of cyber genome did you guys win?  We submitted a proposal for TA3 and were not 
selected which we were kind of shocked by given our technology.  When debriefed though it was our 
technology and IP restrictions that hurt us.  Anyway, just curious.  And wondering if there is an 
overlap with our area of expertise if its worth a conversation. 

--Aaron

The website GovWinIQ makes no mention of QinetiQ but does list a 'Partial Award' of 'Value($K): 43000' for the 'CYBER GENOME PROGRAM', adding: 'Latest News: The Contracting Office made an award on June 29, 2010 to Lockheed-Martin Corporation, under contract # FA8750-10-C0170, for a value of $4,658,267.' This 'Partial Award' may be for TA1.

The Cyber Genome Project appears to now be operational and, on Nov 8, 2011, was described as:

'Another new program is named Cyber Genome. Its goal is to apply analysis to strains of malware to track their origins, said Program Manager Timothy Fraser. Malware writers often reuse pieces of code in their programs. By studying different bits of old code in malware, Cyber Genome may help analysts determine the origins and pedigrees of different strains of malware, he said.'[13]


Lockheed-Martin

Successful contractor Lockheed-Martin held a 'Cyber Genome Kickoff Meeting' at the Marriott Williamsburg, Williamsburg, VA, on 17 August 2010. The following participants were named in the agenda and some may represent companies associated with Lockheed-Martin's bid [PDF][14]:

  • Dr. Gregory Frazier - BAE
  • Dr. Ari Pfeffer - Charles River Analytics 
  • Samuel Hamilton - Distributed Infinity
  • Dr. Scott Evans - GE
  • Alex Butler - Lockheed Martin ATL 
  • Dr. John Everett - Raytheon BBN
  • Dr. Anup Gnos - Secure Command

The company covered the Cyber Genome Project in its 2nd quarter, 2011 'Connect' magazine:

'In addition to human neurological research, Security is also undertaking a project awarded by DARPA, known as Cyber Genome. A joint effort between Lockheed Martin, GE Global Research and the University of California Riverside, Cyber Genome is a project to develop revolutionary cyber defense and investigatory technologies that will collect, identify and track cyber attack lineage in order to support DoD law enforcement, counter intelligence and cyber defense teams.
“In essence, we are working to map the ‘DNA’ of a cyber attack,” said John Morrison, program lead for Cyber Genome. “The goal is that Cyber Genome will allow us to track incidents on a network, differentiate them from prior incidents, determine if they are harmful and assess their origin.”
This program comes as cyber attacks aimed at critical infrastructure, such as nuclear power plants, the electrical grid and high-value military and infrastructure assets, continue to grow and become more sophisticated to combat. [PDF][15]


Links