SOURCES SOUGHT
R -- Cyber Threat Emulation (CTE) Training Course
- Notice Date
- 11/28/2017
- Notice Type
- Sources Sought
- NAICS
- 611420 (Computer Training)
- Contracting Office
- Department of the Air Force, Air Force Space Command, 38 CONS, 4064 Hilltop Road, Tinker AFB, Oklahoma, 73145-2713, United States
- ZIP Code
- 73145-2713
- Solicitation Number
- FA8773-18-R-8004
- Archive Date
- 12/23/2017
- Point of Contact
- Rhonda Chavez, Phone: 210-977-3193; Katie Cockerill
- E-Mail Address
- rhonda.chavez@us.af.mil, Katie.cockerill@us.af.mil
- Small Business Set-Aside
- N/A
- Description
- The 836th Cyberspace Operations Squadron (COS) at JBSA Lackland, TX has a requirement to support the Defensive Cyberspace Operations (DCO) mission for the Air Force (AF) and combatant command warfighting operators.

BACKGROUND: The cyber threat emulation (CTE) squad generates the effects necessary to evaluate a mission's cyberspace security posture, with a focus on non-permissive network access through the realistic replication of representative threats to the mission owner's cyber key terrain. CTE capabilities primarily enable three direct actions: 1) educating cyber defenders and improving their understanding of cyber threat tactics, techniques, and procedures (TTPs); 2) replicating representative threats to support risk mitigation efforts; and 3) guiding cyber defense operations from a Red Cell perspective. The primary purpose of integrated CTE operations in the CPT is to cover the gap between what current defenders know of cyberspace defense and what defenders need to know about the art of attack and the TTPs of advanced cyberspace attack maneuver. The CTE squad develops representative threat packages and conducts initial targeting of a specified DOD mission and its cyber terrain from a threat perspective. CTE capabilities conduct threat emulation ranging from probing, exploitation, and data exfiltration through approved and coordinated disruption, degradation, or denial effects in order to evaluate and stress cyberspace operations and mission survivability. While not equivalent to DOD Red Teams, CTEs will be certified and accredited in accordance with DOD Red Team policies due to the effects and impact they can have on DOD cyberspace. Working directly with the other CPT squads on the team, with emphasis on Mission Protection and Discovery & Counter Infiltration (DCI), the CTE squad executes participative threat emulation to evaluate established risk mitigation capabilities. CTE squads recommend risk mitigation strategies to hinder the threat.

CTE squads also execute unannounced and non-cooperative threat emulation to allow for mission risk mitigation capability and TTP validation. Through the conduct of defensive operations, the CTE squad provides Red Cell assessment guidance to the conduct of defensive cyber operations. The CTE squad monitors and coordinates threat effects with all other DOD CTE squads and DOD defensive cyber operations. CTE intelligence operators support the awareness and communication of threat capabilities to allow the CTE to maintain and generate a realistic representative threat. CTE intelligence operators support the development and integration of intelligence requirements to sustain the mission owner's tasks and integrated cyber defenders. CTEs can be enabled to execute OPFOR objectives during exercise events of which their CPT is not a part.

SPECIFIC REQUIREMENTS: This contract will provide essential expertise and capabilities to support the 26 NOG and 26 OSS in DCO/DGO/DCA/OCO missions for the AF and combatant command warfighting operators. The support required is in the following functional area:

Cyber Threat Emulation Training
A classroom training environment shall be utilized, with access to private network infrastructure, to conduct lectures and simulation exercises on CTE concepts. The goal of the class is to give cyber operators, cyber architects, and cyber managers the ability to conduct tactics, techniques, and procedures (TTPs) that emulate a real-world threat. At the conclusion of the training, members should have a deeper understanding of how an organization would perform against an actual threat, and be able to identify where security strengths and weaknesses exist in order to give a security defense posture. The security defense posture includes people, processes, and technology.

Government Furnished Equipment: Students shall bring or have government-issued laptops in class for the purpose of conducting CTE training. The laptops shall have the following minimum specifications:
• x86-compatible or x64-compatible 2.0 GHz CPU minimum or higher
• 8 GB RAM minimum, with 16 GB or higher recommended
• Ethernet adapter (a wired connection is required in class; if your laptop supports only wireless, please make sure to bring a USB Ethernet adapter with you)
• 40 GB available hard-drive space
• An available USB port

VMware shall be installed on each machine to run a Linux guest operating system. Each laptop shall have VMware Player 6 or later or the commercial VMware Workstation 10 or later installed. The training instructor shall provide all additional software, including virtual machines, and hardware, including laptops, servers, routers, and switches, necessary to conduct CTE simulation in class. All training material shall be configured prior to arriving on site, and any troubleshooting shall be the contractor's responsibility. The training course should last no more than six continuous days. Work days shall range from 0800 to 1600. A normal work week will start on a Monday and can extend into Saturday if necessary.

OBJECTIVES
TASK 1 - Core CTE Knowledge
1. Describe the following IOS commands and emphasize their relevance to cyber operations:
   a. shut
   b. show
   c. show interface
   d. show configuration
   e. show IP route, show run
   f. reload
   g. enable, show history
   h. show IP interface brief
   i. show cdp neighbors
2. For each device listed below, discuss how it handles broadcast traffic, which OSI layer it operates on, and how it affects cyber operations:
   a. Hub
   b. Switch
   c. Router
   d. Load balancer/gateway
   e. Proxy
   f. Firewall
   g. NIDS
   h. WAF
3. Describe the difference between the following Cisco password encryptions:
   a. Type 5
   b. Type 7
4. Explain what an Autonomous System is, how Autonomous Systems are numbered, and how this information can be useful.
5. Describe VPNs and discuss how they are most often used in a customer network.
6. Define the following terms and indicate how each is relevant to cyber operations:
   a. Cryptography
   b. OOB (Out-Of-Band) Network
   c. SSO (Single Sign-On)
7. Describe the function of, and the information found when running, the following Windows Resource Kit tools:
   a. net group
   b. net localgroup administrators
   c. net session
   d. net share
   e. net start
   f. net stop
   g. net time
   h. net use
   i. net user
   j. net view
   k. net statistics
   l. tlist/pulist
   m. kill
   n. nltest
   o. netdom
   p. sc, srvinfo
   q. tasklist
   r. dsquery
8. State the purpose and significance of the following UNIX/Linux directories in relation to cyber operations:
   a. /etc
   b. /dev
   c. /bin
   d. /sbin
   e. /usr
   f. /tmp
   g. /home
   h. /var
   i. /var/www
   j. /root
9. Discuss the purpose and significance of the following files in relation to cyber operations:
   a. /etc/passwd
   b. /etc/shadow
   c. /etc/services
   d. /etc/resolv.conf
   e. /etc/inetd.conf
   f. /etc/hosts
   g. /dev/null
   h. .rhosts
10. Describe the permissions of the /etc/passwd file and the /etc/shadow file.
11. Describe the following as they pertain to UNIX:
   a. Gzip
   b. script
   c. pwd
12. Explain the following process commands:
   a. ps
   b. kill
   c. killall
   d. grep
   e. ps aux
   f. ps -ef
13. Explain the following network commands:
   a. nslookup
   b. ifconfig
   c. mount
   d. showmount, rpcinfo
   e. netstat
14. Explain the following in regards to vi: what it is, what it is used for, and what its two modes are.
15. Describe the following commands in vi:
   a. a
   b. o
   c. dd
   d. ESC
   e. :wq
16. Explain the following network commands:
   a. nslookup
   b. ifconfig
17. Describe OSR, the type of information to look for, and how it is used in CTE operations.
18. Describe some of the features available in the Google Search Engine that can be used to refine search parameters for OSR/collection.
19. Define "Google Hacking" and describe how Google search parameters can be used to find information for a CTE operation.
20. Describe the information that can be gathered from messages posted to newsgroups and how this could be useful to a CTE operation.
21. Describe how to access satellite images of buildings and why this might be useful to a CTE.
22. Discuss why fscan is considered a better tool than nmap to upload to a remote system.
23. Describe the following in regards to a UDP traceroute:
   a. Which OS can the UDP protocol be used on to perform a traceroute?
   b. Why is this useful to CTE operations?
24. Discuss how an insecurely configured DNS server that allows external, untrusted zone transfers could provide information to an attacker.
25. Discuss the concept of "Stealth" and how noise can affect CTE operations.
26. Explain what banner grabbing is and what useful information it would provide.
27. Describe the information you can enumerate from a Windows host through a null session and the IPC$ share.
28. Explain how HTTP requests work and how the telnet command can be used to grab banner information.
29. Describe the common techniques to enumerate RPC information.
30. Explain what vulnerability scanners are, and the benefits and limitations of their use during a CTE operation.
31. Discuss the Nmap Scripting Engine and some of the different NSE script categories.
32. Describe the difference between a phishing email and a spear phishing email and describe the circumstances in which to use each.
33. Explain the difference between an unauthenticated attack and an authenticated attack and the requirements to perform them.
34. Define how each of the following authentication attacks works and what is required for each:
   a. Default password use
   b. Brute force login
   c. Password reuse
35. Explain what a CVE is and the purpose of the National Vulnerability Database.
36. Explain the difference between a local and a remote attack.
37. Describe the advantages of having physical access to a workstation that are not otherwise present.
38. Knowledge of different types of logging and logged events, including the locations where logs are kept.
39. Discuss the importance of a CTE operator keeping accurate logs of any activity that touches or may affect a targeted network.
40. Describe the three types of events that are logged in a Windows and Unix environment.
41. Describe the types of CTE activity that may be logged by a targeted Windows and Unix workstation. List the procedures and tools available to record all attack sessions during an operation. Discuss the importance of recording all attack sessions during a mission. Explain how you would handle a remote logging server while exploiting a network. List the procedures and tools available to record all attack sessions during a mission.
42. Maintaining/Expanding Access: Understanding the use of back doors.
43. Explain the difference between a backdoor and a reverse shell.
44. Define what port redirection is and how it can be useful to a CTE operator.
45. Discuss the function and usage of a rootkit, including generic capabilities.
46. Describe the capabilities and limitations of using port redirection when dealing with firewalls and ACLs.
47. Describe the methods that CTE operators can use to obfuscate or hide their programs on compromised systems.
48. List the types of data that would be valuable to target during the post-exploitation phase of a CTE operation.
49. Describe the legal and privacy concerns to consider when targeting data during a CTE mission. Define the data that may not be targeted by CTE operators.
50. Describe the challenges associated with exfiltrating data from a network.
51. Discuss the following regarding the collection and retention of data:
   a. What two types of data may the CTE never retain?
   b. What is an easy way to initially identify personal or company proprietary files?
   c. What two types of data must always be maintained for deconfliction purposes?
52. Define and explain the significance of the following terms:
   a. Adapter Gateway Address
   b. Alternate Data Stream
   c. Device Object
   d. Driver Object
   e. Browser Helper Object (BHO)
   f. Global Descriptor Table
   g. Local Descriptor Table
   h. Import Address Table
   i. INI File
   j. Interrupt Object
   k. Handle
   l. PE Sections
   m. SYS
   n. Hooking
   o. Cryptographic Hashes
   p. Virtual Machine
   q. Portable Executable
   r. Dynamic-Link Library
   s. Statically-Linked Library
   t. PE Strings
   u. Packed
   v. Obfuscate
   w. Entropy
   x. Heuristic
   y. Persistence
   z. Rootkit
   aa. DLL Injection
   bb. C2 Node
   cc. Botnet
53. Troubleshooting: Describe the steps taken to troubleshoot a network when external network connectivity is lost or degraded.
54. Explain how to troubleshoot a DNS server and verify that hosts can utilize DNS services.
55. Explain how to troubleshoot a DHCP server and verify that hosts can utilize DHCP services.
56. Describe the steps taken to troubleshoot a Windows-based host that is unable to connect to a network.
57. Describe the use of firewalls, DMZs, and encryption.
58. Describe the difference between a local area network (LAN) and a wide area network (WAN).
59. Describe the concept of Defense-In-Depth.
60. Describe various secure configuration management techniques.
61. Describe software debugging principles.
62. List and describe various software design tools, methods, and techniques.
63. Describe the following software development models:
   a. Waterfall
   b. Spiral
64. Describe the following systems and application security threats and vulnerabilities:
   a. Buffer overflow
   b. Mobile code
   c. Cross-site Scripting
   d. PL/SQL and injections
   e. Race conditions
   f. Covert channels
   g. Replay
   h. Malicious code
65. Describe the protocols below and explain how they interact to provide network communications:
   a. DNS
   b. SMTP
   c. HTTP
66. Describe the following web services:
   a. SOA
   b. SOAP
   c. WSDL
67. Demonstrate the ability to create, modify, and use a Virtual Machine in a production environment.
68. Given a set of requirements, research open source penetration testing tools that can be utilized by the CTE team.
69. Demonstrate the ability to incorporate open source penetration testing tools into a production Virtual Machine.
70. Demonstrate the ability to install the Windows operating system and configure basic network services.
71. Demonstrate the ability to install Red Hat Enterprise Linux and configure basic network services.
72. Given a test environment, demonstrate the ability to test and refine a remote exploit against a vulnerable service.
73. Given MS08-067 as an example, identify the software/operating systems affected and identify an exploit that takes advantage of it.
74. Given a target, demonstrate the ability to conduct cross-site scripting.
75. Given a target, demonstrate the ability to conduct SQL injection.
76. Given a mission, assess the findings from an assessment and develop recommendations and mitigations.
77. Given a mission, demonstrate the ability to follow up on the recommendations and mitigations.

CONSTRAINTS
This section lists laws, rules, regulations, standards, technology limitations and other constraints that the service and/or service provider must adhere to or work under.

HSPD-12 Personnel Security Clearances
Acquired services shall comply with the following regulations and requirements: Homeland Security Presidential Directive-12 requires that all federal entities ensure that all contractors have current and approved security background investigations that are equivalent to investigations performed on federal employees. The Contractor shall comply with GSA Order 2100.1 - IT Security Policy, GSA Order ADM 9732.1C - Suitability and Personnel Security, and GSA Order CIO P 2181 - HSPD-12 Personal Identity Verification and Credentialing Handbook. GSA separates the risk levels for personnel working on federal computer systems into three categories: Low Risk, Moderate Risk, and High Risk. Criteria for determining which risk level a particular contract employee falls into are shown in Figure A-1 of GSA ADM 9732.1C.

The Contractor shall ensure that only appropriately cleared personnel are assigned to positions that meet these criteria. Those contract personnel determined to be in a Low Risk position will require a National Agency Check with Written Inquiries (NACI) or equivalent investigation. Those Applicants determined to be in a Moderate Risk position will require either a Limited Background Investigation (LBI) or a Minimum Background Investigation (MBI), based on the Contracting Officer's (CO) determination. Those Applicants determined to be in a High Risk position will require a Background Investigation (BI). The Contracting Officer, through the Contracting Officer's Technical Representative or Program Manager, will ensure that a completed Contractor Information Worksheet (CIW) for each Applicant is forwarded to the Federal Protective Service (FPS) in accordance with the GSA/FPS Contractor Suitability and Adjudication Program Implementation Plan dated 20 February 2007. FPS will then contact each Applicant with instructions for completing the required forms and releases for the particular type of personnel investigation requested. Applicants will not be reinvestigated if a prior favorable adjudication is on file with FPS or GSA, there has been no break in service, and the position is identified at the same or a lower risk level. After the required background investigations have been initiated, the Contractor may request authorization for employees whose investigations are pending to access systems supporting GSA e-mail and collaboration applications. The GSA Chief Information Officer may grant this authorization based on a determination of risk to the government and operational need for the support of these applications.

The 38th Contracting Squadron (38 CONS) is requesting information from industry as part of market research to determine what qualified contractors exist.
1. THIS IS A SOURCES SOUGHT ONLY. It is not a Request for Proposal, a Request for Quotation, an Invitation for Bid, a solicitation, or an indication that the US Air Force (AF) or 38 CONS will contract for the items contained in the sources sought. 38 CONS will not pay respondents for information provided in response to this sources sought.
2. This proposed contract is being considered for a set-aside under a small business set-aside program. The North American Industry Classification System (NAICS) Code proposed for this requirement is 611420. The size standard for NAICS 611420 is $15M. The Government is interested in all small businesses, including 8(a), Historically Underutilized Business Zone (HUBZone), or Service Disabled Veteran Owned Small Businesses (SDVOSB), that are interested in performing this requirement. The Government requests that interested parties submit a brief description of their company's business size (i.e., annual revenues and employee size), business status (i.e., 8(a), HUBZone, SDVOSB, Women Owned Small Business, or small business), and any anticipated teaming arrangements. Any responses involving teaming agreements should delineate between the work that will be accomplished by the prime and the work accomplished by the teaming partners. Include any specialized work and warranty issues. Specify whether your teaming partners typically are large or small businesses. List any contracting vehicles you are currently on, such as any GSA schedules and/or GWACS, NETCENTS, etc. The Government will use this information in determining its small business set-aside decision.
3. Submissions in response to this notice must include:
   a. Vendor name, Cage/DUNS, socioeconomic status
   b. Your company's size status for each NAICS and any other socio-economic status
   c. Your enrollment status in the System for Award Management (SAM); if you are enrolled, provide the expiration date
   d. Physical location of vendor
   e. A Point of Contact's name, phone number, fax number, e-mail address, and mailing address
   f. Vendor capabilities statement related to the scope of the Cyber Threat Emulation (CTE) Training Course Statement of Objectives (SOO)
   g. Any past performance related to the scope of Cyber Threat Emulation (CTE) Training
   h. What business, trade, legal, political and other developments affect you as a vendor in the market
   i. Whether you have experience working with other Government agencies on similar requirements; if so, list agency names
4. Interested contractors should address potential organizational conflicts of interest (reference FAR 9.505-1) and, if applicable, submit mitigation plans with their capability statements. The mitigation plan is not part of the capability statement.
5. Please provide responses electronically. All responses must be written, no more than five single-spaced pages, using 12-point Times New Roman font and minimum one-inch margins, in Microsoft Word format. Responses that only provide a company website will not be considered. Responses to this sources sought are requested by 12:00 PM CDT, 8 Dec 2017. All responses shall be unclassified and will be reviewed to ensure consideration. All responses, correspondence, and/or questions related to this matter should be e-mailed to Rhonda Chavez at rhonda.chavez@us.af.mil, 210-977-3193.
- Web Link
- FBO.gov Permalink: https://www.fbo.gov/notices/8345e88ed71126a901970dafe948f288
- Record
- SN04750447-W 20171130/171128231411-8345e88ed71126a901970dafe948f288 (fbodaily.com)
- Source
- FedBizOpps Link to This Notice (may not be valid after Archive Date)