“The Bureau of Diplomatic Security, Directorate of Cyber and Technology Security, Office of Cyber Monitoring and Operations, Cyber Operations (DS/CTS/CMO/CO) uses numerous tools and products to ensure the cybersecurity posture of the Department’s Sensitive but Unclassified (SBU) data network. The Department of State (DOS) has deployed these tools according to a comprehensive defense-in-depth strategy, and is continuously looking to augment that strategy with new or upgraded cyber capabilities. This document outlines the requirements to upgrade one of these capabilities: deep packet (also called full packet) capture and inspection.
Among the critical capabilities required by CTS is the ability to record every packet of traffic traversing the DOS’ network border for later analysis and reconstruction, while incurring the least impact on network bandwidth to SBU network services. DOS requires a deep packet capture and inspection solution that is easy to deploy in order to combat the next generation of Internet-based threats, including zero-day and targeted Advanced Persistent Threat (APT) attacks, while interoperating well with the existing DOS security tools infrastructure. This solution will be needed to optimize the efficiency of the DOS’ Cyber Network Defenders (CNDs), and must be able to generate detailed, actionable intelligence resulting from analyzed and reconstructed sessions.
The Cyber Protection (CP) program, within the DS/CTS/CMO/CO division, requires a solution refresh of the Deep Packet (also called Full Packet) Capture and Inspection system in order to ensure continued service.”
“DS/CTS/CMO/CO requires the following:
- Replacement of the existing Deep Packet (also called full packet) Capture and Inspection solution.
- Option to increase the quantities of listed requirements due to growth in order to ensure continuity of service throughout the prospective contract period of performance.
- Capture 100% of all network packets traversing the borders of the DOS Points of Presence (POPs). The packet capture and analysis activity must take place within the perimeter of DOS’ SBU network, at DOS facilities. Outsourced or “cloud-based” traffic monitoring services are outside the scope of this solution.
- Perform rapid classification and analysis of these packets, for access by DOS Security Analysts.
- Recall selected network packets for Analysts to reconstruct sessions of interest.
- Apply signatures/patterns/queries to metadata, raw packet contents, and decoded session contents, to allow for investigating whether malcode is being infiltrated into the network.
- Create many sorts of queries and automated alerting on the collected packets, either ad hoc or predefined, to discover anomalous network traffic.
- Generate both low-level and high-level reports on network traffic based on a wide range of criteria, such as time period, source and/or destination IP address, IPv4 and IPv6 protocols, ports, and services, Internet domains, and e-mail addresses…”
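The three capabilities the list asks for in sequence (recall packets by flow, reconstruct the session, apply signatures to the reassembled content, and report by source and time window) are illustrated below with an added Python example that is not part of the solicitation or any vendor's product. It assumes packets have already been captured into `Packet` records; the sample capture, the `pe-file-download` signature and all addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float       # capture timestamp (epoch seconds)
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def flow_key(p: Packet):
    """Direction-independent 4-tuple so both halves of a TCP conversation share one session."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def reconstruct_sessions(packets):
    """Recall packets by flow and reassemble each direction's payload in sequence order."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    sessions = {}
    for key, pkts in flows.items():
        streams = defaultdict(list)
        for p in sorted(pkts, key=lambda q: q.seq):  # out-of-order capture is normal at a border tap
            streams[(p.src, p.sport)].append(p.payload)
        sessions[key] = {d: b"".join(chunks) for d, chunks in streams.items()}
    return sessions


def apply_signatures(sessions, signatures):
    """Run each signature over every reassembled direction; returns sorted (signature, flow, sender) hits."""
    hits = []
    for key, streams in sessions.items():
        for sender, data in streams.items():
            for name, pattern in signatures.items():
                if pattern.search(data):   # matches the reassembled stream, not individual packets
                    hits.append((name, key, sender))
    return sorted(hits)


def report_by_source(packets, start, end):
    """Packet and payload-byte totals per source IP inside [start, end), one of the report criteria."""
    totals = defaultdict(lambda: [0, 0])
    for p in packets:
        if start <= p.ts < end:
            totals[p.src][0] += 1
            totals[p.src][1] += len(p.payload)
    return {src: tuple(v) for src, v in totals.items()}


# Constructed sample capture: a client fetches a file; the server's segments arrive out of order.
SAMPLE = [
    Packet(100.0, "10.1.1.5", 40001, "203.0.113.9", 80, 1, b"GET /a.bin HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(100.2, "203.0.113.9", 80, "10.1.1.5", 40001, 1001, b"MZ\x90\x00binary-body"),
    Packet(100.1, "203.0.113.9", 80, "10.1.1.5", 40001, 1, b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"),
]
SIGNATURES = {"pe-file-download": re.compile(rb"\r\n\r\nMZ")}  # constructed: PE magic at start of an HTTP body
```

The signature only fires on the reassembled server stream, since the `\r\n\r\n` header terminator and the `MZ` magic sit in different captured segments.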
The period of performance includes a base year with four option years.