csec sigint cyber discovery: summary of the current effort...csec sigint cyber discovery: summary of...

TOP SECRET II COMINT

1 * 1 Communications Security Centre de la sécurité Establishment Canada des télécommunications Canada

CSEC SIGINT Cyber Discovery: Summary of the current effort

Communications Security Establishment Canada Covert Network Threats

Cyber-Counterintelligence

Discovery Conference GCHQ - November 2010

Safeguarding Canada's security through information superiority Préserver la sécurité du Canada par la supériorité de l'information Canada


1 * 1 Communications Security Establishment Canada

Centre de la sécurité des télécommunications Canada

Outline

CSEC SIGINT Cyber - KOG (CCNE) - GA4 (GND) - CNT1 (CCI)

CSEC SIGINT Cyber - Operational Discovery - Network Based Anomaly Detection - Host Based Anomaly Detection

Contacts

Safeguarding Canada's security through information superiority m / ^ n Préserver la sécurité du Canada par la supériorité de l'information v y d l I d v l d .



CSEC Cyber Counterintelligence

ttribute

Target development

Active collection

ersona haracterize

rack Collection

Signatures

Safeguarding Canada's security through information superiority Préserver la sécurité du Canada par la supériorité de l'information Canadá


4*1 Communications Security Centre de la sécurité Establishment Canada des télécommunications Canada

Counter CNE (KOG)

• Part of CSEC CNE operations (KO) • Recently formed matrix team • Analysts and operators from CNE Operations, Cyber-

Counterintelligence and Global Network Detection • Mandate:

- Provide situational awareness to CNE operators - Discover unknown actors on existing CNE targets - Detect known actors on covert infrastructure - Pursue known actors through CNE - Review OPSEC of CNE operations





Global Network Detection (GND)

• Develop capabilities to improve the ability of the SIGI NT collection system to detect Computer Network Exploitation and Computer Network Attack

• Help enable CSEC's CNE program through timely identification of vulnerable computer systems and foreign CNE methodologies/activities

• Act as technical liaison between IT Security and SIGINT for CNO issues

Safeguarding Canada's security through information superiority Préserver la sécurité du Canada par la supériorité de l'information

5

Canadá



Cyber Counterintelligence (CNT1)

• Covert Network Threats (New Directorate within CSEC) - CNTl (Cyber Counterintelligence) - CNT2 (Traditional Counterintelligence)

• CNTl Mission - To produce intelligence on the capabilities, intentions and

activities of Hostile Intelligence Services to support Counterintelligence activities at home and abroad.

• Fusion of Cyber Analytic Skills with Traditional Counterintelligence Analytic Skills - All Cyber-Counterintelligence Investigations should lead to Traditional

Counterintelligence investigations.




V

CSEC SIGINT CCI Discovery

Attribute Character!

Active Pursuit

Report

Passive Pursuit




CSEC CNE (K) - WARRIORPRIDE

• WARRIORPRIDE (WP): - Scalable, Flexible, Portable CNE platform - Unified framework within CSEC and across the 5 eyes - WARRIORPRIDE@CSE/etc. == DAREDEVIL@GCHQ - xml command output to operators

• Several plugins used for machine recon / OPSEC assessment Several WP plugins are useful for CCNE: - Slipstream : machine reconnaissance - ImplantDetector: implant detection - RootkitDetector: rootkit detection - Chordflier/U ftp : file identification / retrieval - NameDropper: DNS - WormWood : network sniffing and characterization




KOG - ReplicantFarm

• Created to leverage the WP XML output in a meaningful way

• Module based parser/alert system running on real-time CNE operational data

• Custom/module based analysis: - Actors - Implant technology - Host based signatures - Network based signatures


TOP SECRET II COMINT Communications Security Centre de la sécurité Establishment Canada des télécommunications Canada

REPLICANTFARM generic modules

Packed Peb modification Privileges MS pretender System32 "variables" Other ideas Strange DLL extensions

• Cloaked • Recycler • Rar password • Tmp executable

• Kernel cloaking • Schedule at • Ntuninstall execution • hidden



Establishment Canada des télécommunications Canada J Communications Security Centre de la sécurité

Generic modules : example my @runningProcs = xml_isProcessRunning( $xml, 'svchost.{l,3}\\.exe',

'winlogon.{l,3}\\.exe\ 'services.il.SJW.exe', 'Isass-ll^jWexe', 'spoolsv.{l,3}\\.exe', ,autochk.{l,3}\\.exe\ 'logon.-fl^Wscr', 'rundll32.il,3}\\.exe\ ,chkdsk.{lI3}\\.exe', 'chkntfs.{l,3}\\.exe' , 'logonui.-fl^JW.exe', 'ntoskrnl.{l,3}\\.exe', ,ntvdm.{lI3}\\.exe'l 'rdpclip.il.SJW.exe', 'taskmgr.{l,3}\\.exe', 'userinit.{l,3}\\.exe', 'wscntfy.{l,3}\\.exe', 'tcpmon.{l,3}\\.dir );

foreach my $runningProc (@runningProcs) {

SalertText .= "Suspicious process detected, legitimate exe named appended with string: " . $runningProc . "An";

Safeguarding Canada's security through information superiority Préserver la sécurité du Canada par la supériorité de l'information v y d l l d v l d .

11


¡CCNE/Opsec WPID Alerts - Mozi l la Firefox

File Edit View History Bookmarks Tools Help

Most Visited p Getting Started Latest Headlines J. LTT < Operations < TW.., 3 Opsec - klsvn -Trac [ j CCNE/Opsec Systems ,_,

• CCNE/Opsec WPJD Alerts Exploits httpttfobelix/ CCNE/Opsec WPID Alerts CCNE/Opsec WPID Al eri s *

CCNE/Opsec WPID Alerts Note that the search is done with the fields as perl regular expressions..

REPLICANTFARM Examples:

• Dotât) ars ¿mde-charactar TCildtafda

* Dot-Star (. *) maans any msmb-r of characters

• EngleWPIEt

• CbisC WTID: Sl'.S'.ll.

* înira lnactTîr : "Jff-,.

Current MadulssL mtx!_l C0i>j™_lmpliiiLFl modi flO_MM_EHEPHEED.pl fiinn_101_MM_CAEBOX.pl

} 02_MM_BEGBACKUP.p 1 mod_ 1 Q3_MM_DOGHOUSE .pi

1_WALKER. pi

me i 1 lOOVOIinpl nit £ t tt\r;i_l l_cltKlaMi.pl mod_1200_AP_ALOOFNESS|)I ttioi_ 12_=ys [stn3 2 v h\ p L tuo d_ 13_r aïpas n'oni. pi lBod_14_Eti anjjedlleil

niM 13_prct?arint i.pl

trn>£_ 17 _ t mp sx ic. p L 1.1C-L 1 S_pZ=E-Drdflll StE.pl

m«i_2flO_SD_MI2fl _pl moiJW l_SD_ME5FTP_pl ituxi_2 C _psbm ft-" i t Loa.pl iuoi_21_s£hsdvlszl .pi

m od_2 3 LLiLd-j L. pi

74 ECp -r 1 r i l l a.pî ftioi_2 ! jf.'.'il egea .pi mo4_300_UNK_TCP5RV32 p 1 iuc<i_3C 1_UKK_BL AZEiGAKGEL .pi mcOffiJTINYWEB.pl mnd_303_UN£_CYDLL.pl

m-xt 304 UVE TMNT'ACT.pj m nä_3 0 5 _UNK__IASEX p 1 nMd_306jmCiv.TNUPDATE.iil mod_307JEJWEJJUTVERINGSQUAB pi

0 S _UNK_\VIND 0 pi mrf_309JiHiK_DIESELflATTLE.pt

mod 310 "JNK V.TDOWCEYjji tnoJ_m_Um_CIVE.TCAT.pl mod_ 5 _i u iprst -t pi moi_400_S5_WlKEEE.pl nini_iC l_S5_SSLINST.pl mod_402_SS_thaipE. pi

rtic nie tti£ mü aie nie

T y p e :

U T E ) S i E H j : S l o d u l i R s g e i p : M M Höstonc: ^

L i ve :

I Submit Query j

ALERTS | \1TID: Module: Date: Tas: File uanie;. .•' daiastoic'àrchh^O10,'01/2l.'IS

modi 0 3 M M D O GHOUSEpt 2Q1Q-Q1-2 IT 15:36:39.968 M M • T X I D 0 0 0 0 2 7 2 4 8 5 _ 18_Y201QMQ1D21 _H 15M2E S 59_MS64 2MU5 QONS Q_RXID05 Q _ Ü 0 0 _ 0

Details: Possible MM DOGHOUSE driver file: C:\m7sT\SNtUninstallQ244598S. Possible MM DOGHOUSE driver file: CrA\TKNT'.SNtUiiinsta]lQ:4459ES'afd.sys. Possible MM DOGHOUSE driver file: C:^\TN>.T',SNtUnmsta]lQ24459ES'iietbt.sys. Possible MM DOGHOUSE driver fie C:\WINim$NtUninstaIlQ24459Rt\tcpq) sys Possible MM DOGHOUSE driver fie: C:^ iINW'SNtUninsta]lQ24459SS'1Iiotgxinf_

•==PULLEDPORK=-



EONBLUE CSEC cyber threat detection platform Over 8 years of development effort Scales to backbone internet speeds Over 200 sensors deployed across the globe

Defence at the core of the Internet i


13

TOP SECRET II COMINT Communications Security Centre de la sécurité Establishment Canada des télécommunications Canada

Anomaly Detection Tools

• There are currently over 50 modules in Slipstream - RFC Validation - Heuristic Checks - Periodicity - Simple Encryption - Streaming Attack Detection - Analyst Utilities

• Not all of these tools are 'YES/NO', some will require some work.




Heuristic Example

• QUANTUM - It's no lie, quantum is cool.

• But its easy to find

- Analyze first content carrying packet • Check for sequence number duplication, but different data size • If content differs within the first 10% of the pkt payload, alert.


16



What's Next?

• Anomaly Discovery at scale - Multi-10G anomaly detection

• Cross Agency communication of anomalies - Sometimes signatures aren't enough

• DONUTS! - Everyone likes them:

- 5-eyes accessible DONUTS • Discovery of New Unidentified Threats • CSEC/GCHQ right now


17




CLASSIFICATION: TOP SECRET // COMINT // REL TO FVEY Global Access R o a d m a ? s u p p o r t i n g SRSG and W I S D E N Scenar ios

Calendar Year: 2 0 1 0 | Ca lendar Year 2 0 1 1 i

T o p i c Desired! O u t c o m e s # A c t i v i t y July 5«p (Q3) Oct - Dsc (Qd) Jan - Mir (Ql) Apr - Jun (Q2) July - Sap (Q3) Oct - D»c (Q4)

- Shared S i tua : l ona l Awareness - Assess va lue o f m e t a d a t a shar ing

Metada ta Deve lop Use Cases for Sha r i ng s h a r i n g

- Deve lop R e q u i r m e n t s for NRT L ipping

•m. Bu lk da l l y sha r i ng o f Cyber Even t Metadata w i t h 5 -m.2 Receive Metada ta f r o m pa r tne r agenc ies |

m.3 Repor t on va lue of m e t a d a t a sha r i ng m.4 I n s t r u m e n t NRT snar ing o f CSEC Cyber Event Me tada ta m.5 Repor t on NRT shar ing (va lue / lessons learned / req t ' s ) M.e Enr ich NRT feed w i t h Geo loca t i cn / ASM m.7 A d d I m p a c t i n f o r m a t i o n to e v e n t m e t a d a t a m.8 Ex tend Deadsea Live feed f r o m CSEC to GCHQ M.9 Receive FastF lux m e t a d a t a ( t i p } b/w GHCQ/CSEC (see T .6 /T .7 )

- Replace c u r r e n t S i g n a t u r e M a n a g e m e n t s y s t e m - I m p a c t s to s u p p o r t Ac t i on -

S i g n a t u r e s on / Cue ing and enhance a n d Metadata feed

Ta rge t - Provide c o n t e x t to m e t a d a t a Know ledge - E x p e r i m e n t w i t h TKB to

g a t h e r r e q u i r m e n t s - Crea te base l ine o f Cyber k n o w l e d g e

L Replace ex i s t i ng s i gna tu re m a n a g e m e n t w i t h Ha t e r H i t c h | - I m p l e m e n t I m p a c t s w i t h DGI for S i g n a t u r e s [ r e - e n t e r in HH) » D e c o m m i s s i o n c u r r e n t Larget l ing process ar id rep lace w i t h HH >• Repor t on HIH (va lue / lessosn learned / r e q u i r m e n t s / e t c ) ' Open SIGINIT HH repos i to ry t o ITS fo r S i g n a t u r e S h a r i n g » Open S I G I M T HIH repos i to ry t o 5 -eyes to re t r ieve s i gna tu res ' Tr ia l nSpaces w i t h CTEC f TAC / NAC / DGI ! Repor t on va lue of nSpaces to s u p p o r t T a r g e t Know ledge ' S e t - u p Co l labora t i ve Web E n v i r o n m e n t

Sha r i ng Cyber

C o n t e n t

- Crea te a shared e n v i r o n m e n t to e x p e r i m e n t w i t h c o n t e n t shar ing - Deve lop r e q u i r m e n t s / lessons learned on sha r i ng c o n t e n t - I l l u s t r a t e equ i t ab l e process ing in Cyber capab i l i t y - Tr ia l XKS for c o n t e n t sha r i ng bu i l t on ex i s t i ng m e t a d a t a

Estab l ish Cyber Play-Pen Upgrade EONBLUE for use in Cybe r Play-Pen Ass is t in po r t i ng EONBLUE capab i l i t y to PPF Promote EONBLUE / PPF c o n t e n : to shared XKS Evaluate re t r i ev ing GHCO c o n t e n t based on even t s f r o m XKS Tr ia l f eed ing FONRI IJF even ts a t CSFC t o a local XKS Eva lua te o p e n i n g CSEC Cyber -XKS to GCHQ Expose CSEC Cybe r -XKS in te r face to 5 -eyes Repor t on c o n t e n t shar ing e x p e r i m e n t s

I GTE / CND |gte/gnd

T ipp ing and Cue ing

- Leverage EONBLUE's na t i ve m e s s a g i n g to e x t e n d na t iona l capab i l i t y ( w i t h i n S I G I N T / w i t h ITS) - Based on ex i s t i ng b i l a te ra l pa r tne rsh ips t r i a l t i p p i n g / cue ing to enhance c o n t e n t sha r i ng / m e t a d a t a sha r i ng - Cue in te rna t iona l EONBLUE and s im i l a r c o m p o n e n t s w i t h FASTFLUX as t r i a l - T i p in NRT S I G I N T even t s re la ted to pa r tne r coun t r i es

T . i Send EONBLUE cue 's across Canad ian SSO S i tes Send EONBLUE cue 's b e t w e e n Canad ian Passive Programs

t.3 I n s t r u m e n t Cybe r Sess ion Co l lec t ion Domes t i ca l l y t.4 Send t i p s on GoC ac t i v i t y t o I T Secur i t y t.5 Send EONBLUE cue 's f r o m Canad ian SSO to I T S Sensors t.6 I n t r o d u c e and deve lop Cyber Sess ion Co l lec t ion E x p e r i m e n t t .7 T ip FASTFLUX even ts f r o m CSEC to GCHQ t.8 Ex tend EONBLJE FastFlux cue 's t o GCHQ FasiF lux So f tware t.9 Receive cue 's f r o m GCHQ's FastFlux So f twa re a t EONBLUE T . icMake FASTFLUX t i p s ava i lab le to o t h e r 5 -eyes agenc ies i .nTi jp in NRT EONBLUE m e s s a g e s to 5 - e y e s based on IP-Geu t . i : S e n d EONBLUE cue 's f r o m CSEC EONBLUE to DSD EONBLUE t . i : Based on equ i t ab le process ing (C.3) send cue 's t p GCHQ t.i* Prepare repo r t o n T ipp ing / Cue ing ( r e q u i r m e n t s / va lue / e tc )

•

GTE/GND I GTE / GND

I GTE / GND


18


Establishment Canada des télécommunications Canada Communications Security Centre de la sécurité

CNT1 - Analysis

Triage leads from KOG and GA4 - Links to existing intrusion sets?

Pursue interesting leads - Passive SIGINT collection - Technical analysis

Produce reporting Attribute

Safeguarding Canada's security through information superiority n o r l o Préserver la sécurité du Canada par la supériorité de l'information Vvdl I d L l d

19



Analytic Approach

1. Begin with lead 2. Apply to SIGINT 3. Apply to CCNE 4. Track, research and

report 5. Generate persona lead 6. Coordinate with

traditional CI

in f ras t ruc ture

Adversary /

/ /

/ / /

\

\

\

Victim

Capability


20



Cyber-Specifics of the Analytic Approach w

Network Traffic Analysis - We have access to Special Source, Warranted and 2nd Party

collection in raw, unprocessed form - Work very closely with protocol and crypt analysts

Malware Analysis and Reverse Engineering - Samples are received through passive collection and human

sources

Forensic Analysis - Assist traditional CI investigations and others


21



CSEC Contacts

CCI (CNTl) CCNE (KOG) GND (GA4)

cse

cse

cse

@cse

|@cse

@cse


csec sigint cyber discovery: summary of the current effort...csec sigint cyber discovery: summary of...

Documents