CSEC SIGINT Cyber Discovery
Transcription
TOP SECRET // COMINT
Communications Security Establishment Canada / Centre de la sécurité des télécommunications Canada

Slide 1: CSEC SIGINT Cyber Discovery: Summary of the current effort
Covert Network Threats, Cyber-Counterintelligence
Discovery Conference, GCHQ - November 2010
Safeguarding Canada's security through information superiority

Slide 2: Outline
• CSEC SIGINT Cyber
  - KOG (CCNE)
  - GA4 (GND)
  - CNT1 (CCI)
• CSEC SIGINT Cyber - Operational Discovery
  - Network Based Anomaly Detection
  - Host Based Anomaly Detection
• Contacts

Slide 3: CSEC Cyber Counterintelligence
[Diagram: cycle of Attribute, Persona, Characterize, Target development, Track, Collection, Signatures, Active collection]

Slide 4: Counter CNE (KOG)
• Part of CSEC CNE operations (KO)
• Recently formed matrix team
• Analysts and operators from CNE Operations, Cyber Counterintelligence and Global Network Detection
• Mandate:
  - Provide situational awareness to CNE operators
  - Discover unknown actors on existing CNE targets
  - Detect known actors on covert infrastructure
  - Pursue known actors through CNE
  - Review OPSEC of CNE operations
Slide 5: Global Network Detection (GND)
• Develop capabilities to improve the ability of the SIGINT collection system to detect Computer Network Exploitation and Computer Network Attack
• Help enable CSEC's CNE program through timely identification of vulnerable computer systems and foreign CNE methodologies/activities
• Act as technical liaison between IT Security and SIGINT for CNO issues

Slide 6: Cyber Counterintelligence (CNT1)
• Covert Network Threats (New Directorate within CSEC)
  - CNT1 (Cyber Counterintelligence)
  - CNT2 (Traditional Counterintelligence)
• CNT1 Mission
  - To produce intelligence on the capabilities, intentions and activities of Hostile Intelligence Services to support Counterintelligence activities at home and abroad.
• Fusion of Cyber Analytic Skills with Traditional Counterintelligence Analytic Skills
  - All Cyber-Counterintelligence Investigations should lead to Traditional Counterintelligence investigations.

Slide 7: CSEC SIGINT CCI Discovery
[Diagram: Characterize, Attribute, Passive Pursuit, Active Pursuit, Report]

Slide 8: CSEC CNE (K) - WARRIORPRIDE
• WARRIORPRIDE (WP):
  - Scalable, Flexible, Portable CNE platform
  - Unified framework within CSEC and across the 5 eyes
  - WARRIORPRIDE@CSE/etc. == DAREDEVIL@GCHQ
  - xml command output to operators
  - Several plugins used for machine recon / OPSEC assessment
• Several WP plugins are useful for CCNE:
  - Slipstream: machine reconnaissance
  - ImplantDetector: implant detection
  - RootkitDetector: rootkit detection
  - Chordflier/Uftp: file identification / retrieval
  - NameDropper: DNS
  - WormWood: network sniffing and characterization

Slide 9: KOG - ReplicantFarm
• Created to leverage the WP XML output in a meaningful way
• Module based parser/alert system running on real-time CNE operational data
• Custom/module based analysis:
  - Actors
  - Implant technology
  - Host based signatures
  - Network based signatures

Slide 10: REPLICANTFARM generic modules
• Cloaked
• Recycler
• Rar password
• Tmp executable
• Packed
• Peb modification
• Privileges
• MS pretender
• System32 "variables"
• Strange DLL extensions
• Kernel cloaking
• Schedule at
• Ntuninstall execution hidden
• Other ideas
Slide 11: Generic modules: example

    # $xml holds the WARRIORPRIDE machine-recon XML for one host. Each pattern is a
    # Perl regex: a legitimate Windows image name, 1-3 extra characters, then the
    # extension, so "svchost.exe" itself does not match but "svchost32.exe" does.
    # xml_isProcessRunning (a ReplicantFarm helper not shown on the slide) returns
    # the running process names that match any of the patterns, as used here.
    my @runningProcs = xml_isProcessRunning( $xml,
        'svchost.{1,3}\\.exe',  'winlogon.{1,3}\\.exe', 'services.{1,3}\\.exe',
        'lsass.{1,3}\\.exe',    'spoolsv.{1,3}\\.exe',  'autochk.{1,3}\\.exe',
        'logon.{1,3}\\.scr',    'rundll32.{1,3}\\.exe', 'chkdsk.{1,3}\\.exe',
        'chkntfs.{1,3}\\.exe',  'logonui.{1,3}\\.exe',  'ntoskrnl.{1,3}\\.exe',
        'ntvdm.{1,3}\\.exe',    'rdpclip.{1,3}\\.exe',  'taskmgr.{1,3}\\.exe',
        'userinit.{1,3}\\.exe', 'wscntfy.{1,3}\\.exe',  'tcpmon.{1,3}\\.dll'
    );
    foreach my $runningProc (@runningProcs) {
        $alertText .= "Suspicious process detected, legitimate exe name appended with string: "
                    . $runningProc . "\n";
    }

Slide 12: CCNE/Opsec WPID Alerts
[Screenshot of the REPLICANTFARM web front-end ("CCNE/Opsec WPID Alerts", served from http://obelix/) in Mozilla Firefox; text partly legible:]
"Note that the search is done with the fields as perl regular expressions. Examples: Dot (.) any one character; Dot-Star (.*) any number of characters."
Current Modules: 74 (module names only partly legible, among them mod_103_MM_DOGHOUSE.pl, mod_300_UNK_TCPSRV32.pl, mod_303_UNK_CYDLL.pl, mod_309_UNK_DIESELRATTLE.pl, mod_1200_AP_ALOOFNESS.pl)
Query fields: WPID, Type, Module Regexp, Hostname, Live, Submit Query
ALERTS
  WPID: [illegible]
  Module: mod_103_MM_DOGHOUSE.pl
  Date: 2010-01-21T15:36:39.968
  Details:
    Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\
    Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\afd.sys
    Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\netbt.sys
    Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\tcpip.sys
    Possible MM DOGHOUSE driver file: C:\WINNT\$NtUninstallQ244598$\[illegible]
  ==PULLEDPORK==
  Tag: MM
  File name: [datastore archive path dated 2010/01/21, remainder illegible]
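As an added illustration, not code from the slides or from ReplicantFarm, the following Python rendering of two module-style checks runs over a constructed machine-recon XML report: the padded-system-name check from the Perl example above (slide 11), and a DOGHOUSE-like check for core network drivers sitting at the top of a $NtUninstall...$ hotfix directory, as in the alert on slide 12. Python stands in for the deck's Perl so the logic can be exercised stand-alone. The XML layout (report/processes/process, report/files/file), the element and attribute names, the sample host and the sample paths other than the Q244598 directory are assumptions; the pattern shape <stem>.{1,3}\.exe and the three driver names come from the slides.

```python
import re
import xml.etree.ElementTree as ET
from typing import Callable, List

# Constructed sample report. The real machine-recon XML schema is not on the page,
# so this layout (report/processes/process, report/files/file) is an assumption.
SAMPLE_REPORT = r"""<report host="WS-CONSTRUCTED">
  <processes>
    <process pid="4"    name="System"/>
    <process pid="612"  name="svchost.exe"   path="C:\WINNT\system32\svchost.exe"/>
    <process pid="900"  name="winlogon.exe"  path="C:\WINNT\system32\winlogon.exe"/>
    <process pid="1337" name="svchost32.exe" path="C:\WINNT\system32\svchost32.exe"/>
    <process pid="2001" name="lsassx.exe"    path="C:\WINNT\system32\lsassx.exe"/>
    <process pid="2100" name="explorer.exe"  path="C:\WINNT\explorer.exe"/>
  </processes>
  <files>
    <file path="C:\WINNT\system32\drivers\tcpip.sys"/>
    <file path="C:\WINNT\$NtUninstallKB123456$\spuninst\spuninst.exe"/>
    <file path="C:\WINNT\$NtUninstallQ244598$\afd.sys"/>
    <file path="C:\WINNT\$NtUninstallQ244598$\netbt.sys"/>
  </files>
</report>"""

# Stems of legitimate Windows executables whose names get borrowed, taken from the
# Perl example on the slide. The slide's pattern is  <stem>.{1,3}\.exe : the real
# name plus one to three extra characters, so "svchost.exe" itself never matches
# but "svchost32.exe" or "lsassx.exe" do.
LEGIT_EXE_STEMS = [
    "svchost", "winlogon", "services", "lsass", "spoolsv", "autochk", "rundll32",
    "chkdsk", "chkntfs", "logonui", "ntoskrnl", "ntvdm", "rdpclip", "taskmgr",
    "userinit", "wscntfy",
]
MASQUERADE_RE = re.compile(
    r"(?:" + "|".join(LEGIT_EXE_STEMS) + r").{1,3}\.exe", re.IGNORECASE
)

# Core network drivers named in the DOGHOUSE alert on the slide. A copy of one of
# these sitting directly inside a $NtUninstall...$ hotfix directory is only
# "possible" evidence: Windows keeps backups of replaced drivers there too.
CORE_DRIVERS = {"afd.sys", "netbt.sys", "tcpip.sys"}
NTUNINSTALL_DRIVER_RE = re.compile(
    r"\\\$NtUninstall[^\\]*\$\\([^\\]+\.sys)$", re.IGNORECASE
)


def module_ms_pretender(root: ET.Element) -> List[str]:
    """Flag running processes whose image name is a padded copy of a system name."""
    alerts = []
    for proc in root.iterfind("./processes/process"):
        name = proc.get("name", "")
        if MASQUERADE_RE.fullmatch(name):
            alerts.append(
                "Suspicious process detected, legitimate exe name appended "
                f"with string: {name}"
            )
    return alerts


def module_ntuninstall_driver(root: ET.Element) -> List[str]:
    """Flag core network drivers staged at the top of a hotfix uninstall directory."""
    alerts = []
    for entry in root.iterfind("./files/file"):
        path = entry.get("path", "")
        match = NTUNINSTALL_DRIVER_RE.search(path)
        if match and match.group(1).lower() in CORE_DRIVERS:
            alerts.append(f"Possible driver file in hotfix uninstall directory: {path}")
    return alerts


# Module registry: each module takes the parsed report and returns alert lines,
# mirroring the "module based parser/alert system" described on slide 9.
MODULES: List[Callable[[ET.Element], List[str]]] = [
    module_ms_pretender,
    module_ntuninstall_driver,
]


def run_modules(xml_text: str) -> List[str]:
    """Parse one recon report and run every module over it, collecting alert text."""
    root = ET.fromstring(xml_text)
    alerts: List[str] = []
    for module in MODULES:
        alerts.extend(module(root))
    return alerts


if __name__ == "__main__":
    for line in run_modules(SAMPLE_REPORT):
        print(line)
```

On the constructed report this yields four alerts: svchost32.exe and lsassx.exe from the name check, afd.sys and netbt.sys from the hotfix-directory check. The genuine svchost.exe, the driver in system32\drivers and the spuninst.exe one level deeper inside a hotfix directory all pass, which is the false-positive boundary a practitioner tuning such a module would want to see.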
Slide 13: EONBLUE
• CSEC cyber threat detection platform
• Over 8 years of development effort
• Scales to backbone internet speeds
• Over 200 sensors deployed across the globe
• Defence at the core of the Internet

Slide 14: [graphic only, no text]

Slide 15: Anomaly Detection Tools
• There are currently over 50 modules in Slipstream
  - RFC Validation
  - Heuristic Checks
  - Periodicity
  - Simple Encryption
  - Streaming Attack Detection
  - Analyst Utilities
• Not all of these tools are 'YES/NO', some will require some work.

Slide 16: Heuristic Example
• QUANTUM
  - It's no lie, quantum is cool.
• But it's easy to find
  - Analyze first content carrying packet
  - Check for sequence number duplication, but different data size
  - If content differs within the first 10% of the pkt payload, alert.
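The heuristic on slide 16, worked through as an added Python example that is not part of the original deck. It keys segments by flow, remembers only the first content-carrying segment of each flow, and alerts when a later segment reuses that sequence number with a different payload length and different leading bytes. The Segment record, the constructed HTTP and SMTP payloads and the addresses (RFC 5737 documentation ranges) are all assumptions, and "the first 10%" is taken relative to the shorter of the two payloads, which the slide does not specify.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # src ip, src port, dst ip, dst port


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a passive sensor sees it (constructed records, not a pcap)."""
    flow: FlowKey
    seq: int
    payload: bytes


def differs_in_head(a: bytes, b: bytes, fraction: float = 0.10) -> bool:
    """True if the two payloads differ somewhere in the first `fraction` of the
    shorter one (assumption: the slide does not say which length the 10% refers to).
    Retransmissions that merely coalesce more data onto the same sequence number
    share their leading bytes, so they pass this test and do not alert."""
    head = max(1, int(min(len(a), len(b)) * fraction))
    return a[:head] != b[:head]


def detect_injection_races(segments: List[Segment]) -> List[str]:
    """Apply the slide's heuristic per flow:
    1. remember only the first content-carrying segment of each flow;
    2. if a later segment reuses that sequence number with a different length,
    3. and its content differs within the first 10% of the payload, alert.
    Which of the two competing segments arrives first does not matter."""
    first_content: Dict[FlowKey, Segment] = {}
    alerts: List[str] = []
    for seg in segments:
        if not seg.payload:
            continue  # SYN/ACK and pure ACKs carry no content
        first = first_content.get(seg.flow)
        if first is None:
            first_content[seg.flow] = seg
            continue
        if (seg.seq == first.seq
                and len(seg.payload) != len(first.payload)
                and differs_in_head(first.payload, seg.payload)):
            src, sport, dst, dport = seg.flow
            alerts.append(
                f"duplicate seq {seg.seq} with conflicting content on "
                f"{src}:{sport} -> {dst}:{dport} "
                f"({len(first.payload)} vs {len(seg.payload)} bytes)"
            )
    return alerts


# Constructed traffic. Server-to-client direction of two flows.
WEB = ("198.51.100.10", 80, "192.0.2.7", 49152)
MAIL = ("198.51.100.25", 25, "192.0.2.7", 49153)

GENUINE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 66\r\n"
    b"\r\n"
    b"<html><body>Welcome to the constructed example site.</body></html>"
)  # 130 bytes
RACING_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://redirect.invalid/landing\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)  # 109 bytes; status line differs from the genuine one at byte 9
BANNER = b"220 mail.example.test ESMTP ready\r\n"  # 35 bytes

SAMPLE_SEGMENTS = [
    Segment(WEB, 1000, b""),                     # SYN/ACK, no content: ignored
    Segment(WEB, 1000, GENUINE_RESPONSE),        # server's real first data
    Segment(WEB, 1000, RACING_RESPONSE),         # same seq, other length, other head
    Segment(MAIL, 5000, BANNER),                 # first data on the mail flow
    Segment(MAIL, 5000, BANNER),                 # identical retransmission: same size
    Segment(MAIL, 5000, BANNER + b"250 OK\r\n"),  # coalesced retransmission: same head
]

if __name__ == "__main__":
    for line in detect_injection_races(SAMPLE_SEGMENTS):
        print(line)
```

Only the web flow fires: the mail flow shows the two benign shapes the length and leading-bytes conditions are there to suppress, a straight retransmission (same size) and a coalesced one (same first bytes). Because state is keyed on the first content segment, the detection is identical whether the genuine or the competing segment reaches the sensor first.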
Slide 17: What's Next?
• Anomaly Discovery at scale
  - Multi-10G anomaly detection
• Cross Agency communication of anomalies
  - Sometimes signatures aren't enough
• DONUTS! - Everyone likes them:
  - 5-eyes accessible DONUTS
  - Discovery of New Unidentified Threats
  - CSEC / GCHQ right now

Slide 18: Global Access Roadmap supporting SRSG and WISDEN Scenarios
CLASSIFICATION: TOP SECRET // COMINT // REL TO FVEY
[Roadmap table: activities laid out by quarter from July - Sep 2010 (Q3) through Oct - Dec 2011 (Q4); the quarter each activity falls in is not recoverable from the transcription. Topics, desired outcomes and activities:]

Topic: Metadata Sharing
Desired Outcomes:
  - Shared Situational Awareness
  - Assess value of metadata sharing
  - Develop Use Cases for sharing
  - Develop Requirements for NRT Tipping
Activities:
  m.1 Bulk daily sharing of Cyber Event Metadata with 5-eyes
  m.2 Receive Metadata from partner agencies
  m.3 Report on value of metadata sharing
  m.4 Instrument NRT sharing of CSEC Cyber Event Metadata
  m.5 Report on NRT sharing (value / lessons learned / reqt's)
  m.6 Enrich NRT feed with Geolocation/ASN
  m.7 Add Impact information to event metadata
  m.8 Extend Deadsea Live feed from CSEC to GCHQ
  m.9 Receive FastFlux metadata (tip) b/w GCHQ/CSEC (see T.6/T.7)

Topic: Signatures
Desired Outcomes:
  - Replace current Signature Management system
  - Impacts to support Action on / Cueing and enhance Metadata feed
Activities:
  - Replace existing signature management with HaterHitch (HH)
  - Implement Impacts with DGI for Signatures (re-enter in HH)
  - Decommission current targeting process and replace with HH
  - Report on HH (value / lessons learned / requirements / etc)
  - Open SIGINT HH repository to ITS for Signature Sharing
  - Open SIGINT HH repository to 5-eyes to retrieve signatures

Topic: Target Knowledge
Desired Outcomes:
  - Provide context to metadata
  - Experiment with TKB to gather requirements
  - Create baseline of Cyber knowledge
Activities:
  - Trial nSpaces with CTEC / TAC / NAC / DGI
  - Report on value of nSpaces to support Target Knowledge
  - Set-up Collaborative Web Environment

Topic: Sharing Cyber Content
Desired Outcomes:
  - Create a shared environment to experiment with content sharing
  - Develop requirements / lessons learned on sharing content
  - Illustrate equitable processing in Cyber capability
  - Trial XKS for content sharing built on existing metadata
  - Leverage EONBLUE's native messaging to extend national capability (within SIGINT / with ITS)
  - Based on existing bilateral partnerships trial tipping / cueing to enhance content sharing / metadata sharing
Activities:
  - Establish Cyber Play-Pen
  - Upgrade EONBLUE for use in Cyber Play-Pen (GTE / GND)
  - Assist in porting EONBLUE capability to PPF
  - Promote EONBLUE / PPF content to shared XKS (GTE / GND)
  - Evaluate retrieving GCHQ content based on events from XKS
  - Trial feeding EONBLUE events at CSEC to a local XKS
  - Evaluate opening CSEC Cyber-XKS to GCHQ (GTE / GND)
  - Expose CSEC Cyber-XKS interface to 5-eyes
  - Report on content sharing experiments

Topic: Tipping and Cueing
Desired Outcomes:
  - Cue international EONBLUE and similar components with FASTFLUX as trial
  - Tip in NRT SIGINT events related to partner countries
Activities:
  t.1 Send EONBLUE cues across Canadian SSO Sites
  t.2 Send EONBLUE cues between Canadian Passive Programs
  t.3 Instrument Cyber Session Collection Domestically
  t.4 Send tips on GoC activity to IT Security
  t.5 Send EONBLUE cues from Canadian SSO to ITS Sensors
  t.6 Introduce and develop Cyber Session Collection Experiment
  t.7 Tip FASTFLUX events from CSEC to GCHQ
  t.8 Extend EONBLUE FastFlux cues to GCHQ FastFlux Software
  t.9 Receive cues from GCHQ's FastFlux Software at EONBLUE
  t.10 Make FASTFLUX tips available to other 5-eyes agencies
  t.11 Tip in NRT EONBLUE messages to 5-eyes based on IP-Geo
  t.12 Send EONBLUE cues from CSEC EONBLUE to DSD EONBLUE
  t.13 Based on equitable processing (C.3) send cues to GCHQ
  t.14 Prepare report on Tipping / Cueing (requirements / value / etc)

Slide 19: CNT1 - Analysis
• Triage leads from KOG and GA4
  - Links to existing intrusion sets?
• Pursue interesting leads
  - Passive SIGINT collection
  - Technical analysis
• Produce reporting
• Attribute

Slide 20: Analytic Approach
1. Begin with lead
2. Apply to SIGINT
3. Apply to CCNE
4. Track, research and report
5. Generate persona lead
6. Coordinate with traditional CI
[Diagram: Adversary, Infrastructure, Capability, Victim]

Slide 21: Cyber-Specifics of the Analytic Approach
• Network Traffic Analysis
  - We have access to Special Source, Warranted and 2nd Party collection in raw, unprocessed form
  - Work very closely with protocol and crypt analysts
• Malware Analysis and Reverse Engineering
  - Samples are received through passive collection and human sources
• Forensic Analysis
  - Assist traditional CI investigations and others

Slide 22: CSEC Contacts
• CCI (CNT1): [name redacted]@cse
• CCNE (KOG): [name redacted]@cse
• GND (GA4): [name redacted]@cse