Gray Tier at Joint Service Provider (JSP)

Defensive Cyber Operations (DCO) Internal Defense Measures (IDM)

Project Summary:

Gray Tier’s work on the DCO IDM enables JSP to perform a wide variety of cybersecurity services and functions required to assure the operational, physical, and information security posture for Department of Defense (DOD) Services within CONUS and OCONUS. DCO IDM tasks are functionally grouped by End Point Security, Network Security, and Incident Handling; and include centrally managed technical subject matter expertise in the following security-related areas of responsibility: project management, malware protection, continuous monitoring, cyber incident handling, insider threat detection, and monitoring, and warning intelligence and attack, sensing, and warning (AS&W).

Incident Response and Intrusion Detection:

Gray Tier supports JSP with Tier 1, Tier 2, and Tier 3 SOC incident response and forensic personnel trained on the knowledge, skills, and abilities of the National Cyber Security Workforce Framework on a 24x7x365 basis at the Pentagon. We prepare and publish Situational Awareness Reports (SAR) for new and emerging threats, develop monthly targeted (i.e., spear phishing) activity reports on specific customers targeted by the adversary, prepare quarterly threat reports and Daily Cyber Intelligence and threat reports for senior leadership awareness, and developed a standard process for and support the correlation of incident activity to assess and direct operation and defense of Pentagon information systems and computer networks across strategic, operational, and tactical boundaries. Gray Tier responds to incidents for the unclassified and classified networks. Gray Tier manages triage, reporting, and escalation for Incident Case Management. volume averaging 35 cases per day at the Pentagon. We enter incidents as cases in the Computer Network Defense Division incident management system as soon as they are identified and develop Incident Handling Case Reports on significant incidents. Gray Tier also performs reverse engineering for malware analysis, forensics analysis, and reporting, and established and maintains an insider threat program. Gray Tier also delivers intrusion detection support services, including monitoring all Intrusion Detection Systems (IDS). We monitor the Pentagon backbone networks for network and computer intrusions or attacks and apply configurations to the detection systems to allow detection of signature-based and anomalous activity. Gray Tier provides 24x7x365 support to the JSP Active Detection and Prevention (ADP) team to manage and perform active defense and prevention network security monitoring functions for the Attack Sensing &Warning (AS&W) of JSP tenants and customers throughout the National Capital Region. The JSP sensor grid includes the IDS, Wireless IDS (WIDS), Intrusion Prevention Systems (IPS), Wireless Intrusion Prevention System (WIPS), web content filtering, enterprise proxy, Secure Sockets Layer (SSL) decryption, firewall, Packet Capture (PCAP), net flow, session, and system log data which is fed and correlated in the enterprise Security Information and Event Management (SIEM) System.

Penetration Testing:

Gray Tier Technologies LLC was contracted to provide subject matter expertise and direct support to the Pentagon Joint Service Provider (JSP) Red Team and the Vulnerability Research and Exploit Development (VRED) Team from March 2014 to June 2017. Support included conducting penetration tests of Pentagon backbone information systems and application security assessments of software deployed on Pentagon systems. During the period of performance Gray Tier personnel lead the Red Team to conduct over 23 onsite penetration tests on the Joint Base Pentagon backbone; an address space of over 35K IPs. Joint Base Pentagon backbone includes Windows Active Directory Domains, Server & Workstation Devices (Windows,Unix, & Linux), Network Devices (Routers, Switches, Video Teleconference), Storage Devices (Fibre Channel Switches, Network Attached Storage, Storage Controllers), Applications (Web, Database, Email, other COTS & GOTS), Security Devices (Firewalls, Intrusion Detection Systems, Web Content Filters), and wireless devices. Pentagon users were assessed via phishing campaigns and other social engineering techniques in conjunction with the enterprise user awareness training. Red Team missions were conducted in accordance with NIST 800-115, DISA STIGs, OWASP Testing methodology, and US Army Computer Defense Assistance Program (CDAP) guidelines. Gray Tier personnel also led the Pentagon JSP VRED program to provide advanced application security assessments of software deployed on Pentagon systems. During the period of performance, the VRED team conducted over 20 application security assessments. Applications assessed included binary executables, web applications, and mobile apps. VRED techniques consisted of static and dynamic analysis including fuzzing and reverse engineering. During the period of performance, Gray Tier personnel led the team to discover 14 previously undisclosed vulnerabilities in commercial software. The VRED Team coordinated with vendors and US-CERT to remediate new vulnerabilities and provide detailed reports to the government customer.

Notable Vulnerability Research

Using both static and dynamic analysis methods security researchers from Gray Tier Technologies are credited with finding numerous previously undisclosed vulnerabilities (0-day) in both commercial and government applications. Below is a list of Common Vulnerabilities and Exposures (CVE) numbers assigned to vulnerabilities discovered by Gray Tier researchers.

• CVE ID Product Vulnerability
• CVE-2015-2894 Up.time Agent Format string vulnerability
• CVE-2015-2895 Up.time Agent Buffer overflow
• CVE-2015-2896 Up.time Agent Information exposure
• CVE-2015-2910 EventSentry Directory Traversal
• CVE-2015-2911 EventSentry Information exposure
• CVE-2015-8277 Flexera Multiple buffer overflows in (1) lmgrd and (2) Vendor Daemon in Flexera FlexNet Publisher
• CVE-2016-1553 ArcGIS Buffer overflow
• CVE-2016-1554 ArcGIS Code injection from scripting
• CVE-2016-5061 Aternity Cross-Site Scripting (XSS)
• CVE-2016-5062 Aternity Remote Code Execution
• CVE-2017-8952 HPE SiteScope Authentication issue, Remote Arbitrary Code Execution
• CVE-2017-8949 HPE SiteScope Cryptographic Issue, Local Disclosure of Sensitive Information
• CVE-2017-8950 HPE SiteScope Cryptographic Issue, Local Disclosure of Sensitive Information
• CVE-2017-8951 HPE SiteScope HPE SiteScope Local Bypass Security Restrictions