Every day, thousands of cyber attacks rely on zero-day exploits, and more sophisticated APT groups also trigger unknown vulnerabilities to compromise systems across the world.
Intelligence agencies and research groups are investing significant effort in developing methods to identify and mitigate malicious code that is able to exploit zero-day vulnerabilities.
The US Government has published the slides related to the NSA SHARKSEER Program, a project that aims to detect and mitigate web-based malware, zero-day threats and Advanced Persistent Threats using COTS technology.
The approach leverages global threat knowledge to rapidly protect the targeted networks.
“Program Definition: Detects and mitigates web-based malware Zero-Day and Advanced Persistent Threats using COTS technology by leveraging, dynamically producing, and enhancing global threat knowledge to rapidly protect the networks.” states the description provided for the NSA SHARKSEER Program.
The goals of the SHARKSEER program are IAP protection and Cyber Situational Awareness and Data Sharing, as described in the slides.
The principal problem in malware detection is that current defenses rely heavily on a signature-based approach, which means that a threat can be analyzed only after it has been detected. Another problem highlighted by the experts participating in SHARKSEER is that DAT files are usually updated manually, which takes weeks or months.
The NSA SHARKSEER program provides an Automated Community Cyber Analysis Environment that will allow the production of Alerts, Reports and Machine Readable Data that could be managed by Top Secret Cyber Analysts as well as Unclassified Cyber Analysts.
The NSA SHARKSEER program was mentioned for the first time last year, when highlights from the Senate Armed Services Committee’s new defense policy bill reported that lawmakers would like to assign $30 million to a National Security Agency cyber security program called Sharkseer.
“Provides $30 million to the National Security Agency for deployment of advanced commercial cybersecurity products to defend Department of Defense networks from previously unknown threats under the Sharkseer program.” reported a document issued by the SENATE COMMITTEE ON ARMED SERVICES.
(Security Affairs – SHARKSEER NSA Program, cyber security)