SECRET // Communications Security Establishment Canada (CSEC) / Centre de la sécurité des télécommunications Canada

Cyber Network Defence Activities
SIARC 2010, CSEC N3C
Safeguarding Canada's security through information superiority

Speaker notes: Within the Cyber Protection Branch there is an Architecture and Engineering Directorate where most of the research and development activities take place.

CND at CSEC
- Most cyber defence research resides in Cyber Defence Futures (DCITS)
- Not a static picture
Org chart: DG Cyber Defence; DG Cyber Protection; Cyber Defence Operations; Cyber Threat Evaluation Centre (CTEC); Capabilities Development; Security Posture Assessment; Technical Threat Analysis; Cyber Defence Futures.

Speaker notes: The purpose of my talk is to characterize the research within CND at CSEC. I cannot give a complete picture; this is just to provide some context of where cyber defence research resides within CSEC. This is a recent, partial picture. It is not static, however: the org chart is evolving. CTEC is very new and still defining its role. Some future changes: it is anticipated that Cyber Defence Operations and Capabilities Development will become 2 separate directorates, and Cyber Defence Futures will be split into 2 sections. Eventually those sections will form the start of the Capabilities Development directorate.

Current Focus
- Current operations are passive
- Photonic Prism (aka P2)
  - Slipstream
  - Popquiz
  - Email attachment scanning via Pony Express
  - Snort
  - Host-based intrusion detection
- Soon deploying dynamic defence COTS hardware platform

Speaker notes: At the moment most of our efforts are on incremental improvements to the current sensor, making it ready for 10 Gb/s systems and beyond. Our detection capabilities are based on 4 frameworks: 1. Slipstream, 2. Popquiz, 3. Pony Express, 4. Snort. We should soon have our first dynamic defence deployment.

N3 Research
- N3 is mostly a consumer of research
  - Given our resources, this is an appropriate model
- Very much relationship based
  - SIGINT R23
  - Defence Research and Development Canada (DRDC)
  - Royal Military College of Canada (RMC)
  - Communications Research Centre (CRC)
- Integrees: DRDC, CRC

Speaker notes: It's difficult to speak about a research program that is virtual. We are a small group, but growing, trying to look at a lot of data. Given our size, our best return on investment would not come from using current resources for low-level research. It makes more sense to leverage external partners: there is already a large body of work out there that we can benefit from before we need to push it ourselves. This means our program is mostly a relationship-based program. In fact this model has already proven to be extremely valuable via the success of Popquiz, developed by R23, and our email attachment scanner from GCHQ. In between in-house and external is the use of integrees.

External Partners
- R23 (SIGINT)
- DRDC
- RMC
- CRC

Speaker notes: The next set of slides provides some overview of the research done by our external partners that we are following, tracking and consuming. Some is in use (Popquiz). Some will shortly be in production (Popeyesear). Many are for the future. Some chosen examples follow.

Defence Research and Development Canada (DRDC) [UNCLASSIFIED]
- MulVAL / AssetRank
- Joint Network Defence and Management Systems (ARMOUR)

Speaker notes: Defence Research and Development Canada is an arm of the Department of National Defence. Within DRDC Ottawa is the Network Information Operations (NIO) section. Within the Attack Detection and Analysis group there are 3 projects of particular interest to us: Mulasses and ARMOUR. DRDC also provides us a mechanism for working on NATO projects, as they already have a well-established relationship with NATO.

MulVAL [UNCLASSIFIED]
Diagram: Linux security behaviour, Windows security behaviour, common attack techniques, information about data assets, network configuration, host configuration and CERT advisories (supplied by the system admin and the security expert) feed the reasoning engine, which outputs an attack graph.

Speaker notes: Network-based vulnerability analysis project. Pure logic-based reasoning engine that generates attack graphs. These attack graphs can be huge, so a system to prioritize them needed to be created. Based on Xinming (Simon) Ou's dissertation from Princeton; Simon is currently a professor at Kansas State University, where he continues development of MulVAL and related projects. These are the 5 classes of input that go into MulVAL:
1. User and data asset information
2. Network configuration (hacls): basically describes which computers can talk, and on which ports
3. Host configuration: software running on machines within the network
4. CERT or other advisories that contain information about vulnerabilities
5. Security expert information: logic to describe what can be accomplished on a computer given credentials
This input goes into a reasoning system (MulVAL), which can then generate attack paths.

MulVAL + AssetRank = Mulasses [UNCLASSIFIED]
Diagram: an attack graph with nodes shaded along a scale ending at "more dangerous".

Speaker notes: AssetRank is an adaptation of the original Google PageRank algorithm that can prioritize the nodes of an attack graph (or any other logic-based graph). It is used to prioritize which network conditions (facts) are the most important to fix first in order to harden the network. Attack graph notation: ellipse = AND node, true if all of its dependencies are true; diamond = OR node, true if any of its child nodes is true; box = fact (network or host configuration, installed or running software, vulnerabilities). Together, MulVAL + AssetRank = Mulasses. Mulasses output is a prioritized list of network configuration properties to be modified to harden the network. This project has potential value in the network vulnerability shop.

Royal Military College
- Support 1 grad student per year
- Sliding Window Anomaly Detection (SWAD)
  - Models normal traffic
  - Applies the concept of the hidden Markov model (HMM)
  - Used to detect covert channels

Speaker notes: Hidden Markov model: the state of the system is not visible to the observer, only the output; the system is assumed to be a Markov process. Markov process: a stochastic process with the Markov property. Markov property: the random phenomenon depends only on the present state of the system; it does not depend on the past or future state. Why we are interested: detecting covert channels is our business. If it is successful it may prove to be a very valuable tool.
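The two DRDC slides above list MulVAL's five input classes and describe the prioritized list that Mulasses produces, but show neither concretely. The following Python program is an added illustration, not code from CSEC, DRDC or the MulVAL project: it builds a small constructed attack graph in the slide's AND/OR/fact notation (fact labels such as hacl and vulExists imitate MulVAL's predicates; VULN-WEB-01 and VULN-SMB-01 are placeholders), evaluates which goals are derivable, ranks the facts with plain PageRank over the dependency arcs (a simplification; the slides do not give AssetRank's actual weighting), and greedily fixes the top-ranked fact until the attacker's goal is no longer derivable.

```python
"""Toy MulVAL-style attack graph with a PageRank-based fact prioritisation.

Constructed illustration only: the graph, rules and facts are made up, and the
ranking is plain PageRank over dependency arcs, not the real AssetRank weighting.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    kind: str            # "fact" (box), "and" (ellipse: rule application), "or" (diamond: derived goal)
    label: str
    deps: list[str] = field(default_factory=list)   # arcs from a node to what it depends on


# Constructed sample graph (not from the slides): an attacker on the internet reaching
# root on a file server, with two alternative derivations of the final goal.
GRAPH: dict[str, Node] = {
    "f1": Node("fact", "attackerLocated(internet)"),
    "f2": Node("fact", "hacl(internet, webserver, tcp, 80)"),
    "f3": Node("fact", "networkService(webserver, httpd, tcp, 80, apache)"),
    "f4": Node("fact", "vulExists(webserver, VULN-WEB-01, httpd, remoteExploit)"),
    "f5": Node("fact", "hacl(webserver, fileserver, tcp, 445)"),
    "f6": Node("fact", "vulExists(fileserver, VULN-SMB-01, smbd, remoteExploit)"),
    "f8": Node("fact", "hacl(internet, fileserver, tcp, 445)"),
    "f9": Node("fact", "sshTrust(fileserver, webserver, root)"),
    "a1": Node("and", "RULE remote exploit of a listening service", ["f1", "f2", "f3", "f4"]),
    "g1": Node("or", "execCode(webserver, apache)", ["a1"]),
    "a2": Node("and", "RULE multi-hop access through a compromised host", ["g1", "f5"]),
    "a3": Node("and", "RULE direct network access", ["f1", "f8"]),
    "g2": Node("or", "netAccess(fileserver, tcp, 445)", ["a2", "a3"]),
    "a4": Node("and", "RULE remote exploit of a listening service", ["g2", "f6"]),
    "a5": Node("and", "RULE login via trusted ssh key", ["g1", "f9"]),
    "g3": Node("or", "execCode(fileserver, root)", ["a4", "a5"]),
}
UNFIXABLE = {"f1"}   # the attacker's starting point is not a configuration we control


def evaluate(graph, removed=frozenset()):
    """Return the set of true node ids: facts not removed, AND nodes with all deps true,
    OR nodes with any dep true (the graph is acyclic, so memoised recursion suffices)."""
    memo = {}

    def truth(n):
        if n in memo:
            return memo[n]
        node = graph[n]
        if node.kind == "fact":
            v = n not in removed
        elif node.kind == "and":
            v = all(truth(d) for d in node.deps)
        else:
            v = any(truth(d) for d in node.deps)
        memo[n] = v
        return v

    return {n for n in graph if truth(n)}


def live_subgraph(graph, removed):
    """The attack graph proper: only nodes whose derivation actually holds."""
    true = evaluate(graph, removed)
    return {n: Node(node.kind, node.label, [d for d in node.deps if d in true])
            for n, node in graph.items() if n in true}


def pagerank(graph, d=0.85, iters=100):
    """Standard PageRank; facts have no out-arcs, so their mass is spread uniformly."""
    n = len(graph)
    rank = {k: 1.0 / n for k in graph}
    for _ in range(iters):
        dangling = sum(r for k, r in rank.items() if not graph[k].deps)
        base = (1 - d) / n + d * dangling / n
        new = dict.fromkeys(graph, base)
        for k, node in graph.items():
            if node.deps:
                share = d * rank[k] / len(node.deps)
                for dep in node.deps:
                    new[dep] += share
        rank = new
    return rank


def prioritise_facts(graph, removed=frozenset()):
    """Mulasses-style output: fixable facts, most important first (ties broken by id)."""
    live = live_subgraph(graph, removed)
    rank = pagerank(live)
    facts = [k for k in live if live[k].kind == "fact" and k not in UNFIXABLE]
    return sorted(facts, key=lambda k: (-rank[k], k))


def harden(graph, goal):
    """Greedy: repeatedly fix the top-ranked fact until the goal is no longer derivable."""
    removed, fixes = set(), []
    while goal in evaluate(graph, frozenset(removed)):
        ranked = prioritise_facts(graph, frozenset(removed))
        if not ranked:
            break
        removed.add(ranked[0])
        fixes.append(ranked[0])
    return fixes


if __name__ == "__main__":
    for fix in harden(GRAPH, "g3"):
        print("fix:", GRAPH[fix].label)
```

The greedy loop needs three fixes here, although a minimal cut is two (for instance the SMB vulnerability plus the ssh trust, which removes both derivations of g3): the ranking tells an operator which conditions matter most across all attack paths, not the smallest set of changes, which is worth keeping in mind when reading a prioritized list of this kind.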
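The SWAD bullets above say only that normal traffic is modelled with a hidden Markov model and that windows of traffic are compared against it. The Python below is an added illustration, not the RMC/SWAD code: the two-state HMM (idle/burst over quantised packet inter-arrival gaps S, M, L), its hand-set parameters, the window width, the -0.9 threshold and the sample traffic are all constructed. It scores each sliding window by its per-symbol log-likelihood under the normal model (forward algorithm in log space) and flags windows the model finds implausible, such as a rigidly alternating gap pattern that a covert timing channel could produce.

```python
"""Sliding-window anomaly scoring with a discrete hidden Markov model (HMM).

Constructed illustration, not the SWAD code: the HMM of "normal" traffic is hand-set
(a real deployment would fit it on benign captures, e.g. with Baum-Welch), the
observation alphabet is quantised packet inter-arrival time, and the sample traffic
is made up so the example runs offline.
"""
import math

# Observation symbols: S = short gap, M = medium gap, L = long gap between packets.
STATES = ("idle", "burst")
START = {"idle": 0.5, "burst": 0.5}
TRANS = {"idle": {"idle": 0.95, "burst": 0.05},
         "burst": {"idle": 0.05, "burst": 0.95}}
EMIT = {"idle": {"S": 0.10, "M": 0.05, "L": 0.85},
        "burst": {"S": 0.85, "M": 0.10, "L": 0.05}}


def _logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))


def log_likelihood(obs):
    """Forward algorithm in log space: log P(obs | model), summed over all state paths."""
    alpha = {s: math.log(START[s]) + math.log(EMIT[s][obs[0]]) for s in STATES}
    for o in obs[1:]:
        alpha = {s: _logsumexp([alpha[p] + math.log(TRANS[p][s]) for p in STATES])
                    + math.log(EMIT[s][o]) for s in STATES}
    return _logsumexp(list(alpha.values()))


def window_scores(obs, width=16, stride=8):
    """Per-symbol log-likelihood of each sliding window, as (start, score) pairs."""
    return [(i, log_likelihood(obs[i:i + width]) / width)
            for i in range(0, len(obs) - width + 1, stride)]


def flag_windows(obs, threshold=-0.9, width=16, stride=8):
    """Windows whose traffic the 'normal' model finds implausible (constructed threshold)."""
    return [(i, s) for i, s in window_scores(obs, width, stride) if s < threshold]


# Constructed traffic: bursts of short gaps and quiet periods of long gaps, with a
# covert-channel-like segment in the middle that rigidly alternates short/long gaps.
NORMAL = "SSSSSSSSLLLLLLLMSSSSSSSSLLLLLLLL"
COVERT = "SLSLSLSLSLSLSLSL"
TRAFFIC = NORMAL + COVERT + NORMAL
COVERT_SPAN = (len(NORMAL), len(NORMAL) + len(COVERT))

if __name__ == "__main__":
    for start, score in window_scores(TRAFFIC):
        tag = "ANOMALY" if score < -0.9 else ""
        print(f"window {start:2d}-{start + 16:2d}: {score:6.2f} {tag}")
```

Scoring per symbol rather than per window keeps the threshold independent of the window width; in practice the threshold would be set from the score distribution of benign windows rather than fixed by hand as it is here.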
Speaker notes (continued): Other benefits of RMC collaborations: people. Several RMC students have become CSEC employees; they are cleared and have an education centred on our mutual interests. The current phase of the SWAD project is to build a user interface that is analyst friendly. Much of the work to date has been proof-of-concept work.

CND Development
- Mix of internal development and external collaboration
- Current CND projects (some):
  - Pony Express
  - Software modules for COTS hardware (dynamic defence)
  - Streaming 10 Gb/s sensor (P2)
  - Analyst data mining tools

Speaker notes: For the next couple of slides I will show some of our recent in-house development efforts. We really do not have what I would characterize as research within Cyber Defence. We do hope to get there.

Pony Express
Diagram: unencoded attachments and metadata flow into the PoolTable Scanning Framework; scan results come back and are issued as formatted alerts.

Ponies of the Pony Express
- FlowPony (flowp): TCP session reconstruction, SMTP parsing, header extraction
- MailPony (mailp): RFC 822 e-mail parsing, MIME attachment extraction
- MetaPony (metap): evaluation/scoring of parsed metadata
- ScanPony (scanp): analysis pre-processing, scan dispatching
- AggPony (aggp): scan result aggregation; transfers buffered output from local disk to the SAN

Ongoing Sensor Development: Photonic Prism
- Integration of in-house and external partner anomaly detection tools and signature-based detection (Popquiz, Snort)
- Updating our sensors for multiple 10 Gb/s sources
- Moving to full streaming with full capture
- Data analysis
  - Improved analyst interface that fuses data from many sources
  - Custom GUI based on the Eclipse framework

Ongoing Sensor Development: Photonic Prism (continued)
- Improved analytics
- Better facilities for collaboration
- Near-real-time access to anomaly data
- Improved alert/pcap performance
- Knowledge database

Software Modules on COTS Hardware (Dynamic Defence)
- Internal, but close collaboration with NSA
- Active/dynamic defence inline device
- Modules for the [...]-based device: miniSSL (passive), SSquzzer, DNS Data Extractor
- Legal and policy work ongoing

Challenges
- Lots of standard development work to do
- Resources to pull through available research
- Length of research activities
- Translating classified requirements to an unclassified domain
- Properly engaging industry and academia
  - Focusing external partners on what is most valuable to us
- Po my
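The Ponies slide above names the stages of the Pony Express attachment scanner but shows what none of them do. The Python below is an added illustration, not CSEC's Pony Express code: it walks a constructed RFC 822 message through stages shaped like MailPony, MetaPony, ScanPony and AggPony (FlowPony's TCP/SMTP reconstruction is left out, and the PoolTable framework is stood in for by two simple scanners: a magic-byte check against the declared MIME type and a SHA-256 blocklist derived from the sample itself). The scoring rules, scanner verdicts, sample attachments and the sender/recipient addresses are all made up.

```python
"""Email attachment scanning pipeline in the shape of the Pony Express stages.

Constructed illustration, not CSEC code: the stage names follow the slide (mail
parsing, metadata scoring, scan dispatching, result aggregation) but the rules,
scanners, sample message and blocklist are made up. The TCP/SMTP reconstruction
stage is out of scope; the pipeline starts from a complete RFC 822 message.
"""
import base64
import hashlib
from email import message_from_bytes

# Content sniffing table, extension expectations and a constructed hash blocklist.
MAGIC = [(b"%PDF", "application/pdf"), (b"MZ", "application/x-dosexec"),
         (b"PK\x03\x04", "application/zip")]
EXT_TYPES = {".pdf": "application/pdf", ".txt": "text/plain", ".zip": "application/zip"}
EXE_STUB = b"MZ" + b"\x90" * 62                      # constructed DOS header, not a program
DOC_STUB = b"%PDF-1.4\n%constructed sample\n"
BLOCKLIST = {hashlib.sha256(EXE_STUB).hexdigest()}  # constructed from the sample itself


def build_sample_message() -> bytes:
    """Constructed multipart message with one attachment of each verdict class."""
    def attach(name, mime, data):
        head = (f'--b1\nContent-Type: {mime}; name="{name}"\n'
                f'Content-Disposition: attachment; filename="{name}"\n'
                'Content-Transfer-Encoding: base64\n\n')
        return head.encode() + base64.encodebytes(data)
    return (b'From: sender@example.invalid\nTo: analyst@example.invalid\n'
            b'Subject: invoice\nMIME-Version: 1.0\n'
            b'Content-Type: multipart/mixed; boundary="b1"\n\n'
            b'--b1\nContent-Type: text/plain\n\nPlease see attached.\n'
            + attach("invoice.pdf", "application/pdf", EXE_STUB)          # executable disguised as PDF
            + attach("report.pdf", "application/octet-stream", DOC_STUB)  # sloppy type, benign content
            + attach("notes.txt", "text/plain", b"meeting notes\n")
            + b"--b1--\n")


def parse_attachments(raw: bytes):
    """MailPony: RFC 822 parsing and MIME attachment extraction (decoded bytes)."""
    msg = message_from_bytes(raw)
    atts = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_disposition() != "attachment":
            continue
        atts.append({"filename": part.get_filename() or "(unnamed)",
                     "declared_type": part.get_content_type(),
                     "data": part.get_payload(decode=True) or b""})
    return atts


def score_metadata(att):
    """MetaPony: checks on parsed metadata only, before any content is examined."""
    reasons = []
    name = att["filename"].lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if name.count(".") > 1:
        reasons.append("double extension")
    expected = EXT_TYPES.get(ext)
    if expected and expected != att["declared_type"]:
        reasons.append(f"extension {ext} but declared {att['declared_type']}")
    if not att["data"]:
        reasons.append("empty attachment")
    return reasons


def sniff_type(data: bytes) -> str:
    """Cheap content-type guess from leading bytes (constructed table above)."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return "text/plain" if data.isascii() else "application/octet-stream"


def dispatch_scans(att):
    """ScanPony: run each content scanner, collecting (scanner, severity, detail)."""
    findings = []
    digest = hashlib.sha256(att["data"]).hexdigest()
    if digest in BLOCKLIST:
        findings.append(("hash", "high", f"sha256 {digest[:12]}... is blocklisted"))
    actual = sniff_type(att["data"])
    if actual == "application/x-dosexec":
        findings.append(("magic", "high", "content is a Windows executable"))
    if actual != att["declared_type"]:
        findings.append(("magic", "low", f"declared {att['declared_type']}, content looks like {actual}"))
    return findings


def aggregate(att, reasons, findings):
    """AggPony: fold the stage outputs into one formatted alert with a verdict."""
    if any(sev == "high" for _, sev, _ in findings):
        verdict = "block"
    elif reasons or findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"filename": att["filename"], "verdict": verdict,
            "metadata": reasons, "scans": [f"{s}:{d}" for s, _, d in findings]}


def run_pipeline(raw: bytes):
    return [aggregate(a, score_metadata(a), dispatch_scans(a)) for a in parse_attachments(raw)]


if __name__ == "__main__":
    for alert in run_pipeline(build_sample_message()):
        print(alert)
```

Keeping the metadata stage separate from the content scanners mirrors the slide's split between MetaPony and ScanPony: metadata checks are cheap and run on every attachment, while content scans can be dispatched selectively and their results merged afterwards.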