TRANSCRIPT
TOP SECRET II COMINT
Communications Security Establishment Canada | Centre de la sécurité des télécommunications Canada
CSEC SIGINT Cyber Discovery: Summary of the current effort
Communications Security Establishment Canada Covert Network Threats
Cyber-Counterintelligence
Discovery Conference GCHQ - November 2010
Safeguarding Canada's security through information superiority | Préserver la sécurité du Canada par la supériorité de l'information
Outline
• CSEC SIGINT Cyber
  - KOG (CCNE)
  - GA4 (GND)
  - CNT1 (CCI)
• CSEC SIGINT Cyber Operational Discovery
  - Network Based Anomaly Detection
  - Host Based Anomaly Detection
• Contacts
CSEC Cyber Counterintelligence
[Diagram: cyber-counterintelligence cycle linking Attribute, Characterize, Track, Persona, Target development, Active collection, Collection and Signatures]
Counter CNE (KOG)
• Part of CSEC CNE operations (KO)
• Recently formed matrix team
• Analysts and operators from CNE Operations, Cyber-Counterintelligence and Global Network Detection
• Mandate:
  - Provide situational awareness to CNE operators
  - Discover unknown actors on existing CNE targets
  - Detect known actors on covert infrastructure
  - Pursue known actors through CNE
  - Review OPSEC of CNE operations
Global Network Detection (GND)
• Develop capabilities to improve the ability of the SIGINT collection system to detect Computer Network Exploitation and Computer Network Attack
• Help enable CSEC's CNE program through timely identification of vulnerable computer systems and foreign CNE methodologies/activities
• Act as technical liaison between IT Security and SIGINT for CNO issues
Cyber Counterintelligence (CNT1)
• Covert Network Threats (new Directorate within CSEC)
  - CNT1 (Cyber Counterintelligence)
  - CNT2 (Traditional Counterintelligence)
• CNT1 Mission
  - To produce intelligence on the capabilities, intentions and activities of Hostile Intelligence Services to support Counterintelligence activities at home and abroad.
• Fusion of Cyber Analytic Skills with Traditional Counterintelligence Analytic Skills
  - All Cyber-Counterintelligence investigations should lead to Traditional Counterintelligence investigations.
CSEC SIGINT CCI Discovery
[Diagram: CCI discovery cycle linking Attribute, Characterize, Active Pursuit, Passive Pursuit and Report]
CSEC CNE (K) - WARRIORPRIDE
• WARRIORPRIDE (WP):
  - Scalable, flexible, portable CNE platform
  - Unified framework within CSEC and across the 5 eyes
  - WARRIORPRIDE@CSE/etc. == DAREDEVIL@GCHQ
  - XML command output to operators
• Several WP plugins are used for machine recon / OPSEC assessment and are useful for CCNE:
  - Slipstream: machine reconnaissance
  - ImplantDetector: implant detection
  - RootkitDetector: rootkit detection
  - Chordflier/U ftp: file identification / retrieval
  - NameDropper: DNS
  - WormWood: network sniffing and characterization
KOG - ReplicantFarm
• Created to leverage the WP XML output in a meaningful way
• Module-based parser/alert system running on real-time CNE operational data
• Custom/module-based analysis:
  - Actors
  - Implant technology
  - Host based signatures
  - Network based signatures
REPLICANTFARM generic modules
• Packed
• PEB modification
• Privileges
• MS pretender
• System32 "variables"
• Strange DLL extensions
• Cloaked
• Recycler
• Rar password
• Tmp executable
• Kernel cloaking
• Schedule at
• Ntuninstall execution
• Hidden
• Other ideas
Generic modules: example

# Each pattern is a legitimate Windows binary name with 1-3 extra characters
# inserted before the extension (e.g. svchost32.exe). Inside single quotes
# '\\' is one backslash, so the regex passed on is e.g. svchost.{1,3}\.exe;
# the unmodified name (svchost.exe) does not match.
my @runningProcs = xml_isProcessRunning( $xml,
    'svchost.{1,3}\\.exe',  'winlogon.{1,3}\\.exe', 'services.{1,3}\\.exe',
    'lsass.{1,3}\\.exe',    'spoolsv.{1,3}\\.exe',  'autochk.{1,3}\\.exe',
    'logon.{1,3}\\.scr',    'rundll32.{1,3}\\.exe', 'chkdsk.{1,3}\\.exe',
    'chkntfs.{1,3}\\.exe',  'logonui.{1,3}\\.exe',  'ntoskrnl.{1,3}\\.exe',
    'ntvdm.{1,3}\\.exe',    'rdpclip.{1,3}\\.exe',  'taskmgr.{1,3}\\.exe',
    'userinit.{1,3}\\.exe', 'wscntfy.{1,3}\\.exe',  'tcpmon.{1,3}\\.dll' );

# One alert line per matching process, appended to the module's alert text.
foreach my $runningProc (@runningProcs) {
    $alertText .= "Suspicious process detected, legitimate exe name appended with string: "
               . $runningProc . "\n";
}
[Screenshot: "CCNE/Opsec WPID Alerts" web page in Firefox]
CCNE/Opsec WPID Alerts
Note that the search is done with the fields as Perl regular expressions.
REPLICANTFARM Examples:
• Dot (.) is a single-character wildcard
• Dot-Star (.*) means any number of characters
• [three further search-pattern examples (WPID patterns) are illegible in the scan]
Current Modules: [list of module scripts, largely illegible in the scan; names follow the pattern mod_<number>_<category>_<NAME>.pl with categories MM, AP, SD, UNK and SS. Legible entries include mod_102_MM_BEGBACKUP.pl, mod_103_MM_DOGHOUSE.pl, mod_1200_AP_ALOOFNESS.pl, mod_300_UNK_TCPSRV32.pl, mod_303_UNK_CYDLL.pl, mod_309_UNK_DIESELRATTLE.pl and mod_401_SS_SSLINST.pl]
[Search form: Type / WPID / Module / Regexp / Historic / Live; "Submit Query" button]
ALERTS (columns: WPID, Module, Date, Tag, File name)
• File name: /datastore/archive/2010/01/21/[remainder illegible]
• WPID: TXID[…]_Y2010M01D21_[…] (largely illegible)
• Module: mod_103_MM_DOGHOUSE.pl | Date: 2010-01-21T15:36:39.968 | Tag: MM
• Details:
  - Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$
  - Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\afd.sys
  - Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\netbt.sys
  - Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\tcpip.sys
  - Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\[illegible]
==PULLEDPORK==
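The slides describe ReplicantFarm as a module-based parser/alert system over WARRIORPRIDE XML output, show one Perl module (legitimate exe name with characters appended) and one alert (DOGHOUSE: driver files inside a $NtUninstall…$ directory). The following is an added example in Python, not ReplicantFarm or WARRIORPRIDE code: it implements three of the listed generic-module ideas (appended name, Ntuninstall driver, Tmp executable) as functions run over one constructed host report and aggregates their alerts. The XML layout, element names, module names and sample host data are assumptions made for this illustration; the hotfix directory name mirrors the alert on the slide.

```python
"""Module-based alert scan in the style of the ReplicantFarm slides.

Added example, not ReplicantFarm or WARRIORPRIDE code: the XML layout,
element names, module names and the sample host data are assumptions
constructed for this illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Callable, List, Tuple

Alert = Tuple[str, str]  # (module tag, message)

# Constructed WP-style host report in an assumed layout. The hotfix directory
# name mirrors the DOGHOUSE alert shown on the slide.
SAMPLE_XML = r"""
<host name="WS-42">
  <processes>
    <process pid="4" name="System"/>
    <process pid="612" name="lsass.exe"/>
    <process pid="1240" name="svchost32.exe"/>
    <process pid="2044" name="logonui2.exe"/>
    <process pid="2100" name="explorer.exe"/>
  </processes>
  <files>
    <file path="C:\WINNT\system32\drivers\afd.sys"/>
    <file path="C:\WINNT\$NtUninstallQ244598$\afd.sys"/>
    <file path="C:\WINNT\$NtUninstallQ244598$\spuninst\spuninst.txt"/>
    <file path="C:\Documents and Settings\u\Local Settings\Temp\update.exe"/>
  </files>
</host>
"""

# Module 1: a legitimate binary name with 1-3 extra characters before the
# extension (svchost32.exe, logonui2.exe); the unmodified name does not match.
LEGIT_NAMES = ["svchost", "winlogon", "services", "lsass", "spoolsv", "rundll32",
               "logonui", "ntoskrnl", "taskmgr", "userinit", "wscntfy"]
APPENDED_RE = re.compile(r"^(?:%s).{1,3}\.exe$" % "|".join(LEGIT_NAMES), re.IGNORECASE)

# Module 2: a kernel driver (.sys) sitting directly inside a $NtUninstall...$
# hotfix backup directory rather than under system32\drivers.
NTUNINSTALL_SYS_RE = re.compile(r"\\\$NtUninstall[^\\]+\$\\[^\\]+\.sys$", re.IGNORECASE)

# Module 3: an executable dropped in a Temp directory.
TMP_EXE_RE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


def module_appended_name(root: ET.Element) -> List[Alert]:
    alerts: List[Alert] = []
    for proc in root.iter("process"):
        name = proc.get("name", "")
        if APPENDED_RE.match(name):
            alerts.append(("appended_name",
                           "Suspicious process detected, legitimate exe name appended "
                           f"with string: {name} (pid {proc.get('pid')})"))
    return alerts


def module_ntuninstall_driver(root: ET.Element) -> List[Alert]:
    return [("ntuninstall_driver", f"Possible driver file in hotfix directory: {f.get('path')}")
            for f in root.iter("file") if NTUNINSTALL_SYS_RE.search(f.get("path", ""))]


def module_tmp_executable(root: ET.Element) -> List[Alert]:
    return [("tmp_executable", f"Executable in Temp directory: {f.get('path')}")
            for f in root.iter("file") if TMP_EXE_RE.search(f.get("path", ""))]


# The module registry: adding a heuristic means adding one function here.
MODULES: List[Callable[[ET.Element], List[Alert]]] = [
    module_appended_name, module_ntuninstall_driver, module_tmp_executable]


def run_modules(xml_text: str, modules=MODULES) -> List[Alert]:
    """Parse one host report and run every module over it, collecting alerts."""
    root = ET.fromstring(xml_text.strip())
    alerts: List[Alert] = []
    for module in modules:
        alerts.extend(module(root))
    return alerts


def alert_text(alerts: List[Alert]) -> str:
    """Render alerts one per line, as the Perl module appends them to $alertText."""
    return "".join(f"[{tag}] {msg}\n" for tag, msg in alerts)


if __name__ == "__main__":
    print(alert_text(run_modules(SAMPLE_XML)), end="")
```

Running it on the constructed report yields four alerts: svchost32.exe and logonui2.exe from the appended-name module, the afd.sys copy under the hotfix directory, and update.exe in Temp; lsass.exe, the genuine drivers\afd.sys and the spuninst.txt file are left alone. Each module is independent, so a false-positive-prone heuristic (Temp executables are common during software installs) can be tuned or dropped without touching the others.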
EONBLUE
• CSEC cyber threat detection platform
• Over 8 years of development effort
• Scales to backbone internet speeds
• Over 200 sensors deployed across the globe
• Defence at the core of the Internet
Anomaly Detection Tools
• There are currently over 50 modules in Slipstream:
  - RFC Validation
  - Heuristic Checks
  - Periodicity
  - Simple Encryption
  - Streaming Attack Detection
  - Analyst Utilities
• Not all of these tools are 'YES/NO'; some will require some work.
Heuristic Example
• QUANTUM - It's no lie, quantum is cool.
• But it's easy to find:
  - Analyze the first content-carrying packet
  - Check for sequence number duplication, but different data size
  - If content differs within the first 10% of the packet payload, alert.
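The three steps above describe a detector for injected TCP responses: the injected segment and the genuine one carry the same sequence number, usually differ in size, and disagree in content early on, whereas a benign retransmission repeats the same bytes. The following is an added example in Python, not Slipstream code: the Packet type, the flow keying and the sample HTTP exchange (documentation address ranges) are constructed, and the "first 10%" window is taken here as a fraction of the shorter of the two payloads, which is an assumption about how the slide measures it.

```python
"""Sequence-number duplication heuristic from the slide, as a stand-alone check.

Added example, not Slipstream code: Packet, flow keying and the sample traffic
below are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


FlowKey = Tuple[str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    """One direction of a TCP connection; responses are keyed server -> client."""
    return (p.src, p.sport, p.dst, p.dport)


def head_differs(a: bytes, b: bytes, fraction: float = 0.10) -> bool:
    """True when the first `fraction` of the shorter payload differs.
    The window is at least one byte so tiny payloads are still compared."""
    n = max(1, int(min(len(a), len(b)) * fraction))
    return a[:n] != b[:n]


def detect_seq_duplicates(packets: Iterable[Packet], fraction: float = 0.10) -> List[dict]:
    """Remember the first content-carrying packet per flow; alert on a later packet
    with the same seq, a different size and different leading content."""
    first_content: Dict[FlowKey, Packet] = {}
    alerts: List[dict] = []
    for p in packets:
        if not p.payload:
            continue  # pure ACKs carry no content; only content packets are analysed
        key = flow_key(p)
        first = first_content.setdefault(key, p)
        if first is p:
            continue
        if (p.seq == first.seq
                and len(p.payload) != len(first.payload)
                and head_differs(first.payload, p.payload, fraction)):
            alerts.append({"flow": key, "seq": p.seq,
                           "first_len": len(first.payload), "second_len": len(p.payload)})
    return alerts


# Constructed traffic: one flow with a short response that arrives first and a
# longer genuine response carrying the same seq, plus a benign retransmission.
SERVER, CLIENT = ("203.0.113.10", 80), ("192.0.2.5", 40000)
REAL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 526\r\n\r\n"
        + b"<html><body>" + b"x" * 500 + b"</body></html>")
INJECTED = (b"HTTP/1.0 302 Found\r\nLocation: http://redirect.invalid/landing\r\n"
            b"Content-Length: 0\r\n\r\n")


def sample_packets() -> List[Packet]:
    s_ip, s_port = SERVER
    c_ip, c_port = CLIENT
    return [
        Packet(c_ip, c_port, s_ip, s_port, 1, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        Packet(s_ip, s_port, c_ip, c_port, 1000, INJECTED),  # arrives first, wins the race
        Packet(c_ip, c_port, s_ip, s_port, 39, b""),          # client ACK, no content
        Packet(s_ip, s_port, c_ip, c_port, 1000, REAL),       # genuine response, same seq
        # benign: a retransmission coalesced into a bigger segment, same leading bytes
        Packet("198.51.100.7", 80, c_ip, 40001, 5000, b"HTTP/1.1 200 OK\r\n"),
        Packet("198.51.100.7", 80, c_ip, 40001, 5000, b"HTTP/1.1 200 OK\r\nServer: demo\r\n\r\n"),
    ]


if __name__ == "__main__":
    for alert in detect_seq_duplicates(sample_packets()):
        print("ALERT: duplicate seq with differing content", alert)
```

On the constructed traffic only the first flow is reported; the coalesced retransmission on the second flow shares its leading bytes and stays quiet. The window is proportional, so a short injected response that shares a long common prefix with the genuine one (both HTTP status lines begin "HTTP/1.") can sit inside the 10% and escape; a deployment would add a minimum byte count or compare up to the first header terminator, and would also check that the duplicate arrives within a plausible round-trip time.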
What's Next?
• Anomaly Discovery at scale
  - Multi-10G anomaly detection
• Cross-agency communication of anomalies
  - Sometimes signatures aren't enough
• DONUTS! - Everyone likes them:
  - 5-eyes accessible DONUTS
  - Discovery of New Unidentified Threats
  - CSEC/GCHQ right now
CLASSIFICATION: TOP SECRET // COMINT // REL TO FVEY
Global Access Roadmap supporting SRSG and WISDEN Scenarios
[Table: columns Topic, Desired Outcomes, #, Activity, then quarters Jul-Sep 2010 (Q3), Oct-Dec 2010 (Q4), Jan-Mar 2011 (Q1), Apr-Jun 2011 (Q2), Jul-Sep 2011 (Q3), Oct-Dec 2011 (Q4); the per-quarter scheduling marks are not recoverable from the scan]

Topic: Metadata Sharing
• Desired outcomes:
  - Shared situational awareness
  - Assess value of metadata sharing
  - Develop use cases for sharing
  - Develop requirements for NRT tipping
• Activities:
  - m.1 Bulk daily sharing of Cyber Event Metadata with 5-eyes
  - m.2 Receive metadata from partner agencies
  - m.3 Report on value of metadata sharing
  - m.4 Instrument NRT sharing of CSEC Cyber Event Metadata
  - m.5 Report on NRT sharing (value / lessons learned / req'ts)
  - m.6 Enrich NRT feed with Geolocation / ASN
  - m.7 Add Impact information to event metadata
  - m.8 Extend Deadsea Live feed from CSEC to GCHQ
  - m.9 Receive FastFlux metadata (tip) b/w GCHQ/CSEC (see T.6 / T.7)

Topic: Signatures and Target Knowledge
• Desired outcomes:
  - Replace current Signature Management system
  - Impacts to support Action-on / Cueing and enhance Metadata feed
  - Provide context to metadata
  - Experiment with TKB to gather requirements
  - Create baseline of Cyber knowledge
• Activities:
  - Replace existing signature management with HaterHitch (HH)
  - Implement Impacts with DGI for Signatures (re-enter in HH)
  - Decommission current targeting process and replace with HH
  - Report on HH (value / lessons learned / requirements / etc.)
  - Open SIGINT HH repository to ITS for Signature Sharing
  - Open SIGINT HH repository to 5-eyes to retrieve signatures
  - Trial nSpaces with CTEC / TAC / NAC / DGI
  - Report on value of nSpaces to support Target Knowledge
  - Set up Collaborative Web Environment

Topic: Sharing Cyber Content (GTE / GND)
• Desired outcomes:
  - Create a shared environment to experiment with content sharing
  - Develop requirements / lessons learned on sharing content
  - Illustrate equitable processing in Cyber capability
  - Trial XKS for content sharing built on existing metadata
• Activities:
  - Establish Cyber Play-Pen
  - Upgrade EONBLUE for use in Cyber Play-Pen
  - Assist in porting EONBLUE capability to PPF
  - Promote EONBLUE / PPF content to shared XKS
  - Evaluate retrieving GCHQ content based on events from XKS
  - Trial feeding EONBLUE events at CSEC to a local XKS
  - Evaluate opening CSEC Cyber-XKS to GCHQ
  - Expose CSEC Cyber-XKS interface to 5-eyes
  - Report on content sharing experiments

Topic: Tipping and Cueing (GTE / GND)
• Desired outcomes:
  - Leverage EONBLUE's native messaging to extend national capability (within SIGINT / with ITS)
  - Based on existing bilateral partnerships, trial tipping / cueing to enhance content sharing / metadata sharing
  - Cue international EONBLUE and similar components with FASTFLUX as trial
  - Tip in NRT SIGINT events related to partner countries
• Activities:
  - t.1 Send EONBLUE cues across Canadian SSO sites
  - t.2 Send EONBLUE cues between Canadian Passive Programs
  - t.3 Instrument Cyber Session Collection domestically
  - t.4 Send tips on GoC activity to IT Security
  - t.5 Send EONBLUE cues from Canadian SSO to ITS sensors
  - t.6 Introduce and develop Cyber Session Collection Experiment
  - t.7 Tip FASTFLUX events from CSEC to GCHQ
  - t.8 Extend EONBLUE FastFlux cues to GCHQ FastFlux software
  - t.9 Receive cues from GCHQ's FastFlux software at EONBLUE
  - t.10 Make FASTFLUX tips available to other 5-eyes agencies
  - t.11 Tip in NRT EONBLUE messages to 5-eyes based on IP-Geo
  - t.12 Send EONBLUE cues from CSEC EONBLUE to DSD EONBLUE
  - t.13 Based on equitable processing (C.3), send cues to GCHQ
  - t.14 Prepare report on Tipping / Cueing (requirements / value / etc.)
CNT1 - Analysis
• Triage leads from KOG and GA4
  - Links to existing intrusion sets?
• Pursue interesting leads
  - Passive SIGINT collection
  - Technical analysis
• Produce reporting
• Attribute
Analytic Approach
1. Begin with lead
2. Apply to SIGINT
3. Apply to CCNE
4. Track, research and report
5. Generate persona lead
6. Coordinate with traditional CI
[Diagram: diamond linking Adversary, Infrastructure, Capability and Victim]
Cyber-Specifics of the Analytic Approach
• Network Traffic Analysis
  - We have access to Special Source, Warranted and 2nd Party collection in raw, unprocessed form
  - Work very closely with protocol and crypt analysts
• Malware Analysis and Reverse Engineering
  - Samples are received through passive collection and human sources
• Forensic Analysis
  - Assist traditional CI investigations and others
CSEC Contacts
• CCI (CNT1): [name and @cse e-mail address redacted]
• CCNE (KOG): [name and @cse e-mail address redacted]
• GND (GA4): [name and @cse e-mail address redacted]