CSEC SIGINT Cyber Discovery

Transcription

CSEC SIGINT Cyber Discovery
TOP SECRET // COMINT
Communications Security
Establishment Canada
Centre de la sécurité
des télécommunications Canada
CSEC SIGINT Cyber Discovery:
Summary of the current effort
Communications Security Establishment Canada
Covert Network Threats
Cyber-Counterintelligence
Discovery Conference
GCHQ - November 2010
Safeguarding Canada's security through information superiority
Préserver la sécurité du Canada par la supériorité de l'information
Outline
CSEC SIGINT Cyber
- KOG (CCNE)
- GA4 (GND)
- CNT1 (CCI)
CSEC SIGINT Cyber - Operational Discovery
- Network Based Anomaly Detection
- Host Based Anomaly Detection
Contacts
CSEC Cyber Counterintelligence
[Diagram with the labels: Attribute, Persona, Characterize, Track, Target development, Collection, Signatures, Active collection]
Counter CNE (KOG)
• Part of CSEC CNE operations (KO)
• Recently formed matrix team
• Analysts and operators from CNE Operations, Cyber Counterintelligence and Global Network Detection
• Mandate:
- Provide situational awareness to CNE operators
- Discover unknown actors on existing CNE targets
- Detect known actors on covert infrastructure
- Pursue known actors through CNE
- Review OPSEC of CNE operations
Global Network Detection (GND)
• Develop capabilities to improve the ability of the SIGINT collection system to detect Computer Network Exploitation and Computer Network Attack
• Help enable CSEC's CNE program through timely identification of vulnerable computer systems and foreign CNE methodologies/activities
• Act as technical liaison between IT Security and SIGINT for CNO issues
Cyber Counterintelligence (CNT1)
• Covert Network Threats (New Directorate within CSEC)
- CNT1 (Cyber Counterintelligence)
- CNT2 (Traditional Counterintelligence)
• CNT1 Mission
- To produce intelligence on the capabilities, intentions and activities of Hostile Intelligence Services to support Counterintelligence activities at home and abroad.
• Fusion of Cyber Analytic Skills with Traditional Counterintelligence Analytic Skills
- All Cyber-Counterintelligence Investigations should lead to Traditional Counterintelligence investigations.
CSEC SIGINT CCI Discovery
[Diagram with the labels: Characterize, Attribute, Passive Pursuit, Active Pursuit, Report]
CSEC CNE (K) - WARRIORPRIDE
• WARRIORPRIDE (WP):
- Scalable, Flexible, Portable CNE platform
- Unified framework within CSEC and across the 5 eyes
- WARRIORPRIDE@CSE/etc. == DAREDEVIL@GCHQ
- xml command output to operators
- Several plugins used for machine recon / OPSEC assessment
• Several WP plugins are useful for CCNE:
- Slipstream: machine reconnaissance
- ImplantDetector: implant detection
- RootkitDetector: rootkit detection
- Chordflier/U ftp: file identification / retrieval
- NameDropper: DNS
- WormWood: network sniffing and characterization
KOG - ReplicantFarm
• Created to leverage the WP XML output in a
meaningful way
• Module based parser/alert system running on real-time
CNE operational data
• Custom/module based analysis:
- Actors
- Implant technology
- Host based signatures
- Network based signatures
REPLICANTFARM generic modules
• Cloaked
• Recycler
• Rar password
• Tmp executable
• Packed
• PEB modification
• Privileges
• MS pretender
• System32 "variables"
• Strange DLL extensions
• Kernel cloaking
• Schedule at
• Ntuninstall execution hidden
• Other ideas
Generic modules : example
# Each pattern is a legitimate Windows binary name with one to three extra
# characters before the extension; a running process that matches is
# masquerading as that binary. In single-quoted Perl strings '\\.' reaches
# the regex engine as '\.', a literal dot.
my @runningProcs = xml_isProcessRunning( $xml, 'svchost.{1,3}\\.exe',
                                               'winlogon.{1,3}\\.exe',
                                               'services.{1,3}\\.exe',
                                               'lsass.{1,3}\\.exe',
                                               'spoolsv.{1,3}\\.exe',
                                               'autochk.{1,3}\\.exe',
                                               'logon.{1,3}\\.scr',
                                               'rundll32.{1,3}\\.exe',
                                               'chkdsk.{1,3}\\.exe',
                                               'chkntfs.{1,3}\\.exe',
                                               'logonui.{1,3}\\.exe',
                                               'ntoskrnl.{1,3}\\.exe',
                                               'ntvdm.{1,3}\\.exe',
                                               'rdpclip.{1,3}\\.exe',
                                               'taskmgr.{1,3}\\.exe',
                                               'userinit.{1,3}\\.exe',
                                               'wscntfy.{1,3}\\.exe',
                                               'tcpmon.{1,3}\\.dll' );  # transcription reads '.dir'; tcpmon.dll is the Windows file
foreach my $runningProc (@runningProcs)
{
    # One alert line per matching process, appended to the module's alert text.
    $alertText .= "Suspicious process detected, legitimate exe name appended with string: " .
                  $runningProc . "\n";
}
[Screenshot: the "CCNE/Opsec WPID Alerts" REPLICANTFARM web page (Mozilla Firefox, internal host obelix). The search form notes that the search is done with the fields as perl regular expressions (Dot-Star (.*) means any characters) and offers WPID, Type, Module Regexp, Historic and Live fields with a Submit Query button, beside a list of the current modules, Perl files named mod_<number>_<tag>_<NAME>.pl such as mod_103_MM_DOGHOUSE.pl. The ALERTS panel shows one alert from module mod_103_MM_DOGHOUSE.pl dated 2010-01-21T15:36:39.968 whose details read "Possible MM DOGHOUSE driver file:" for several files under a C:\WINNT\$NtUninstall...$\ directory (including afd.sys and netbt.sys), with tag MM and the source file name in the datastore archive for 2010/01/21.]
EONBLUE
• CSEC cyber threat detection platform
• Over 8 years of development effort
• Scales to backbone internet speeds
• Over 200 sensors deployed across the globe
• Defence at the core of the Internet
Anomaly Detection Tools
• There are currently over 50 modules in Slipstream:
- RFC Validation
- Heuristic Checks
- Periodicity
- Simple Encryption
- Streaming Attack Detection
- Analyst Utilities
• Not all of these tools are 'YES/NO'; some will require some work.
Heuristic Example
• QUANTUM
- It's no lie, quantum is cool.
• But it's easy to find
- Analyze first content carrying packet
• Check for sequence number duplication, but different data size
• If content differs within the first 10% of the pkt payload, alert.
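The QUANTUM heuristic on this slide, as an added example that is not part of the original deck: a Python check over constructed TCP segments. The segment model, the RFC 5737 sample addresses and the choice to measure the 10% prefix over the shorter of the two payloads are assumptions of the example, not details from the slides.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int]  # (src IP, src port, dst IP, dst port)

@dataclass(frozen=True)
class Segment:
    flow: Flow
    seq: int        # TCP sequence number of the segment
    payload: bytes  # TCP data; empty for handshake packets and pure ACKs

@dataclass(frozen=True)
class Alert:
    flow: Flow
    seq: int
    first_len: int   # size of the content packet seen first
    second_len: int  # size of the later packet reusing that sequence number

def check_quantum(segments: List[Segment], prefix_fraction: float = 0.10) -> List[Alert]:
    """Slide heuristic: watch only the first content-carrying packet of each flow;
    if a later packet reuses its sequence number with a different data size and
    different bytes within the leading prefix_fraction of the payload, alert.
    Ordinary retransmissions repeat the same bytes, so they pass."""
    first_seen: Dict[Flow, Segment] = {}
    alerts: List[Alert] = []
    for seg in segments:
        if not seg.payload:
            continue  # no content: not the packet the heuristic looks at
        first = first_seen.get(seg.flow)
        if first is None:
            first_seen[seg.flow] = seg  # first content-carrying packet of this flow
            continue
        if seg.seq != first.seq or len(seg.payload) == len(first.payload):
            continue  # another segment, or same size (plain retransmission)
        # Assumption: "first 10%" is measured over the shorter payload, at least one byte.
        n = max(1, int(min(len(seg.payload), len(first.payload)) * prefix_fraction))
        if seg.payload[:n] != first.payload[:n]:
            alerts.append(Alert(seg.flow, seg.seq, len(first.payload), len(seg.payload)))
    return alerts

# Constructed sample traffic, server -> client direction, RFC 5737 test addresses.
INJECTED_FLOW: Flow = ("192.0.2.10", 80, "198.51.100.7", 51000)
BENIGN_FLOW: Flow = ("192.0.2.20", 80, "198.51.100.7", 51001)
RACING_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/landing/page.html\r\n"
                   b"Content-Length: 0\r\nConnection: close\r\n\r\n")
REAL_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nConnection: close\r\n\r\n"
                 b"<html>" + b"A" * 300 + b"</html>")
SAMPLE_SEGMENTS = [
    Segment(INJECTED_FLOW, 1000, b""),                # SYN/ACK, no content
    Segment(INJECTED_FLOW, 1001, RACING_RESPONSE),    # arrives first and wins the race
    Segment(INJECTED_FLOW, 1001, REAL_RESPONSE),      # same seq, different size and bytes
    Segment(BENIGN_FLOW, 5001, REAL_RESPONSE),
    Segment(BENIGN_FLOW, 5001, REAL_RESPONSE),        # true retransmission: same bytes
    Segment(BENIGN_FLOW, 5001, REAL_RESPONSE[:200]),  # resent shorter, same prefix: no alert
]
```

Running `check_quantum(SAMPLE_SEGMENTS)` reports only the injected flow; the shortened resend in the benign flow shows why the size check alone is not enough and the prefix comparison is needed.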
What's Next?
• Anomaly Discovery at scale
- Multi-10G anomaly detection
• Cross Agency communication of anomalies
- Sometimes signatures aren't enough
• DONUTS!
- Everyone likes them:
- 5-eyes accessible DONUTS
• Discovery of New Unidentified Threats
• CSEC / GCHQ right now
CLASSIFICATION: TOP SECRET // COMINT // REL TO FVEY
Global Access Roadmap supporting SRSG and WISDEN Scenarios
Timeline: Calendar Year 2010: July - Sep (Q3), Oct - Dec (Q4); Calendar Year 2011: Jan - Mar (Q1), Apr - Jun (Q2), July - Sep (Q3), Oct - Dec (Q4)
Columns: Topic / Desired Outcomes / Activity

Topic: Metadata Sharing
Desired Outcomes:
- Shared Situational Awareness
- Assess value of metadata sharing
- Develop Use Cases for sharing
- Develop Requirements for NRT Tipping
Activities:
- m.1 Bulk daily sharing of Cyber Event Metadata with 5-eyes
- m.2 Receive Metadata from partner agencies
- m.3 Report on value of metadata sharing
- m.4 Instrument NRT sharing of CSEC Cyber Event Metadata
- m.5 Report on NRT sharing (value / lessons learned / reqt's)
- m.6 Enrich NRT feed with Geolocation / ASN
- m.7 Add Impact information to event metadata
- m.8 Extend Deadsea Live feed from CSEC to GCHQ
- m.9 Receive FastFlux metadata (tip) b/w GCHQ/CSEC (see T.6/T.7)

Topic: Signatures
Desired Outcomes:
- Replace current Signature Management system
- Impacts to support Action on / Cueing and enhance Metadata feed
Activities:
- Replace existing signature management with HaterHitch (HH)
- Implement Impacts with DGI for Signatures (re-enter in HH)
- Decommission current targeting process and replace with HH
- Report on HH (value / lessons learned / requirements / etc)
- Open SIGINT HH repository to ITS for Signature Sharing
- Open SIGINT HH repository to 5-eyes to retrieve signatures

Topic: Target Knowledge Sharing
Desired Outcomes:
- Provide context to metadata
- Experiment with TKB to gather requirements
- Create baseline of Cyber knowledge
Activities:
- Trial nSpaces with CTEC / TAC / NAC / DGI
- Report on value of nSpaces to support Target Knowledge
- Set-up Collaborative Web Environment

Topic: Cyber Content Sharing
Desired Outcomes:
- Create a shared environment to experiment with content sharing
- Develop requirements / lessons learned on sharing content
- Illustrate equitable processing in Cyber capability
- Trial XKS for content sharing built on existing metadata
- Leverage EONBLUE's native messaging to extend national capability (within SIGINT / with ITS)
Activities (several tagged GTE / GND):
- Establish Cyber Play-Pen
- Upgrade EONBLUE for use in Cyber Play-Pen
- Assist in porting EONBLUE capability to PPF
- Promote EONBLUE / PPF content to shared XKS
- Evaluate retrieving GCHQ content based on events from XKS
- Trial feeding EONBLUE events at CSEC to a local XKS
- Evaluate opening CSEC Cyber-XKS to GCHQ
- Expose CSEC Cyber-XKS interface to 5-eyes
- Report on content sharing experiments

Topic: Tipping and Cueing
Desired Outcomes:
- Based on existing bilateral partnerships trial tipping / cueing to enhance content sharing / metadata sharing
- Cue international EONBLUE and similar components with FASTFLUX as trial
- Tip in NRT SIGINT events related to partner countries
Activities:
- t.1 Send EONBLUE cues across Canadian SSO Sites
- t.2 Send EONBLUE cues between Canadian Passive Programs
- t.3 Instrument Cyber Session Collection Domestically
- t.4 Send tips on GoC activity to IT Security
- t.5 Send EONBLUE cues from Canadian SSO to ITS Sensors
- t.6 Introduce and develop Cyber Session Collection Experiment
- t.7 Tip FASTFLUX events from CSEC to GCHQ
- t.8 Extend EONBLUE FastFlux cues to GCHQ FastFlux Software
- t.9 Receive cues from GCHQ's FastFlux Software at EONBLUE
- t.10 Make FASTFLUX tips available to other 5-eyes agencies
- t.11 Tip in NRT EONBLUE messages to 5-eyes based on IP-Geo
- t.12 Send EONBLUE cues from CSEC EONBLUE to DSD EONBLUE
- t.13 Based on equitable processing (C.3) send cues to GCHQ
- t.14 Prepare report on Tipping / Cueing (requirements / value / etc)
CNT1 - Analysis
• Triage leads from KOG and GA4
- Links to existing intrusion sets?
• Pursue interesting leads
- Passive SIGINT collection
- Technical analysis
• Produce reporting
• Attribute
Analytic Approach
1. Begin with lead
2. Apply to SIGINT
3. Apply to CCNE
4. Track, research and report
5. Generate persona lead
6. Coordinate with traditional CI
[Diagram: diamond with the vertices Adversary, Infrastructure, Capability and Victim]
Cyber-Specifics of the Analytic Approach
• Network Traffic Analysis
- We have access to Special Source, Warranted and 2nd Party collection in raw, unprocessed form
- Work very closely with protocol and crypt analysts
• Malware Analysis and Reverse Engineering
- Samples are received through passive collection and human sources
• Forensic Analysis
- Assist traditional CI investigations and others
CSEC Contacts
• CCI (CNT1)
• CCNE (KOG)
• GND (GA4)
