TOP SECRET // COMINT
Communications Security Establishment Canada / Centre de la securite des telecommunications Canada

CSEC SIGINT Cyber Discovery
Summary of the current effort
Covert Network Threats / Cyber-Counterintelligence
Discovery Conference, GCHQ, November 2010
Safeguarding Canada's security through information superiority / Preserver la securite du Canada par la superiorite de l'information


Outline

o CSEC SIGINT Cyber
  - KOG (CCNE)
  - GA4 (GND)
  - CNT1 (CCI)
o CSEC SIGINT Cyber: Operational Discovery
  - Network Based Anomaly Detection
  - Host Based Anomaly Detection
o Contacts


CSEC Cyber Counterintelligence

(diagram; labels: Attribute, Persona, Characterize, Target development, Track, Collection, Signatures, Active collection)


Counter CNE (KOG)

o Part of CSEC CNE operations (KO)
o Recently formed matrix team
o Analysts and operators from CNE Operations, Cyber-Counterintelligence and Global Network Detection
o Mandate
  - Provide situational awareness to CNE operators
  - Discover unknown actors on existing CNE targets
  - Detect known actors on covert infrastructure
  - Pursue known actors through CNE
  - Review OPSEC of CNE operations


Global Network Detection (GND)

o Develop capabilities to improve the ability of the SIGINT collection system to detect Computer Network Exploitation and Computer Network Attack
o Help enable CSEC's CNE program through timely identification of vulnerable computer systems and foreign CNE methodologies/activities
o Act as technical liaison between IT Security and SIGINT for CNO issues


Cyber Counterintelligence (CNT1)

o Covert Network Threats: new Directorate within CSEC
  - CNT1: Cyber Counterintelligence
  - CNT2: Traditional Counterintelligence
o CNT1 Mission
  - To produce intelligence on the capabilities, intentions and activities of Hostile Intelligence Services to support Counterintelligence activities at home and abroad
o Fusion of Cyber Analytic Skills with Traditional Counterintelligence Analytic Skills
  - All Cyber-Counterintelligence Investigations should lead to Traditional Counterintelligence investigations


CSEC SIGINT CCI

(diagram; labels: Discovery, Characterize, Attribute, Passive Pursuit, Active Pursuit, Report)


CSEC CNE (K): WARRIORPRIDE

o WARRIORPRIDE (WP)
  - Scalable, Flexible, Portable CNE platform
  - Unified framework within CSEC and across the 5 eyes (WARRIORPRIDE@CSE etc., DAREDEVIL@GCHQ)
  - XML command output to operators
  - Several plugins used for machine recon / OPSEC assessment
o Several WP plugins are useful for CCNE
  - Slipstream: machine reconnaissance
  - ImplantDetector: implant detection
  - RootkitDetector: rootkit detection
  - Chordflier: FTP file identification / retrieval
  - NameDropper: DNS
  - WormWood: network sniffing and characterization


KOG: ReplicantFarm

o Created to leverage the WP XML output in a meaningful way
o Module-based parser / alert system running on real-time CNE operational data
o Custom module-based analysis
  - Actors
  - Implant technology
  - Host based signatures
  - Network based signatures


REPLICANTFARM generic modules

o Cloaked
o Recycler
o Rar password
o Tmp executable
o Packed
o PEB modification
o Privileges
o MS pretender
o System32 variables
o Strange DLL extensions
o Kernel cloaking
o Schedule / at
o NtUninstall execution / hidden
o Other ideas


Generic modules example

The slide shows a Perl fragment from a ReplicantFarm module that flags running processes whose names are a legitimate Windows executable name with a short string appended before the extension (the "MS pretender" idea). xml_isProcessRunning is ReplicantFarm's own helper that matches each pattern against the process list in the WP XML output; its body is not on the slide. The regex quantifier and the escaped dots are reconstructed from the OCR, which rendered each pattern as e.g. "svchost l 3 exe"; the extension of the last pattern (tcpmon) is illegible.

    # Legitimate process names followed by 1-3 extra characters before the extension
    my @runningProcs = xml_isProcessRunning($xml,
        'svchost.{1,3}\.exe',  'winlogon.{1,3}\.exe', 'services.{1,3}\.exe',
        'lsass.{1,3}\.exe',    'spoolsv.{1,3}\.exe',  'autochk.{1,3}\.exe',
        'logon.{1,3}\.scr',    'rundll32.{1,3}\.exe', 'chkdsk.{1,3}\.exe',
        'chkntfs.{1,3}\.exe',  'logonui.{1,3}\.exe',  'ntoskrnl.{1,3}\.exe',
        'ntvdm.{1,3}\.exe',    'rdpclip.{1,3}\.exe',  'taskmgr.{1,3}\.exe',
        'userinit.{1,3}\.exe', 'wscntfy.{1,3}\.exe',  'tcpmon.{1,3}\.d..'   # last extension illegible in OCR
    );

    # One alert line per matching process
    foreach my $runningProc (@runningProcs) {
        $alertText = "Suspicious process detected: legitimate exe name appended with string: $runningProc";
    }


CCNE Opsec WPID Alerts (screenshot)

[Screenshot of the REPLICANTFARM "CCNE Opsec WPID Alerts" web interface in Mozilla Firefox (internal site, tabs for Exploits, Opsec and Trac). The page notes: "Note that the search is done with the fields as perl regular expressions". A "Current Modules" list is shown; most names are illegible in the OCR, but mod_1200_AP_ALOOFNESS, mod_300_UNK_TCPSRV32 and mod_103_MM_DOGHOUSE can be read. The search form has Type, Date, Module Regexp, Hostname and Live fields. The example alert shown is from module mod_103_MM_DOGHOUSE, dated 2010-01-21 15:36:39.968, with details of the form "Possible MM DOGHOUSE driver file C:\WINNT\$NtUninstallQ244598$\afd.sys", repeated for netbt.sys and other .sys files in the same $NtUninstall directory (file names partly illegible), followed by a PULLEDPORK task/file reference into the data store archive.]


EONBLUE

o CSEC cyber threat detection platform
o Over 8 years of development effort
o Scales to backbone internet speeds
o Over 200 sensors deployed across the globe
o Defence at the core of the Internet

(next slide: graphic only, no text)


Anomaly Detection Tools

o There are currently over 50 modules in Slipstream
  - RFC Validation, Heuristic Checks, Periodicity, Simple Encryption, Streaming Attack Detection, Analyst Utilities
o Not all of these tools are 'YES/NO'; some will require some work


Heuristic Example

o QUANTUM: It's no lie, quantum is cool
o But it's easy to find
  - Analyze first content-carrying packet
  - Check for sequence number duplication but different data size
  - If content differs within the first 10% of the packet payload, alert


What's Next

o Anomaly Discovery at scale
  - Multi-10G anomaly detection
o Cross Agency communication of anomalies
  - Sometimes signatures aren't enough
o DONUTS
  - Everyone likes them
  - 5-eyes accessible DONUTS
  - Discovery Of New Unidentified Threats
  - CSEC / GCHQ right now


Global Access Roadmap supporting SRSG and WISDEN Scenarios
(CLASSIFICATION: TOP SECRET COMINT REL TO FVEY)

Timeline: Calendar Year 2010 (Q3 Jul-Sep, Q4 Oct-Dec) and Calendar Year 2011 (Q1 Jan-Mar, Q2 Apr-Jun, Q3 Jul-Sep, Q4 Oct-Dec). The slide places each activity in a quarter; that placement is lost in the OCR, so activities are listed per topic in their numbered order. Cover names and activity labels are given as read by the OCR.

Topic: Metadata Sharing
  Desired outcomes: Shared Situational Awareness; Assess value of metadata sharing; Develop Use Cases for sharing; Develop Requirements for NRT tipping
  m1 Bulk daily sharing of Cyber Event Metadata with 5-eyes
  m2 Receive Metadata from partner agencies
  m3 Report on value of metadata sharing
  m4 Instrument NRT sharing of CSEC Cyber Event Metadata
  m5 Report on NRT sharing value, lessons learned, req'ts
  m6 Enrich NRT feed with Geolocation / ASN
  m7 Add Impact information to event metadata
  m8 Extend Deadsea live feed from CSEC to GCHQ
  m9 Receive Fast Flux metadata tip between GCHQ and CSEC (see t6 / t7)

Topic: Signatures
  Desired outcomes: Replace current Signature Management system; Impacts to support Action on Cueing and Metadata feed
  s1 Replace existing signature management with HaterHitch (HH)
  s2 Implement Impacts with DGI for Signatures, re-enter in HH
  s3 Decommission current targeting process and replace with HH
  s4 Report on HH value, lessons learned, requirements etc.
  s5 Open SIGINT HH repository to ITS for Signature Sharing
  s6 Open SIGINT HH repository to 5-eyes to retrieve signatures

Topic: Target Knowledge
  Desired outcomes: Enhance and provide context to metadata; Experiment with TKB to gather requirements; Create baseline of Cyber knowledge
  k1 Trial nSpaces with CTEC / TAC / NAC / DGI
  k2 Report on value of nSpaces to support Target Knowledge
  k3 Set up Collaborative Web Environment

Topic: Sharing Cyber Content
  Desired outcomes: Create a shared environment to experiment with content sharing; Develop requirements / lessons learned on sharing content; Illustrate equitable processing in Cyber capability; Trial XKS for content sharing built on existing metadata; Leverage EONBLUE's native messaging to extend national capability within SIGINT and with ITS
  c1 Establish Cyber Play-Pen
  c2 Upgrade EONBLUE for use in Cyber Play-Pen (GTE / GND)
  c3 Assist in porting EONBLUE capability to PPF
  c4 Promote EONBLUE PPF content to shared XKS (GTE / GND)
  c5 Evaluate retrieving GCHQ content based on events from XKS
  c6 Trial feeding EONBLUE events at CSEC to a local XKS
  c7 Evaluate opening CSEC Cyber-XKS to GCHQ (GTE / GND)
  c8 Expose CSEC Cyber-XKS interface to 5-eyes
  c9 Report on content sharing experiments

Topic: Tipping and Cueing
  Desired outcomes: Based on existing bilateral partnerships, trial tipping / cueing to enhance content and metadata sharing; Cue international EONBLUE and similar components with FASTFLUX as trial; Tip in NRT SIGINT events related to partner countries
  t1 Send EONBLUE cues across Canadian SSO Sites
  t2 Send EONBLUE cues between Canadian Passive Programs
  t3 Instrument Cyber Session Collection domestically
  t4 Send tips on GoC activity to IT Security
  t5 Send EONBLUE cues from Canadian SSO to ITS Sensors
  t6 Introduce and develop Cyber Session Collection Experiment
  t7 Tip FASTFLUX events from CSEC to GCHQ
  t8 Extend EONBLUE FastFlux cues to GCHQ FastFlux Software
  t9 Receive cues from GCHQ's FastFlux Software at EONBLUE
  t10 Make FASTFLUX tips available to other 5-eyes agencies
  t11 Tip in NRT EONBLUE messages to 5-eyes based on IP-Geo
  t12 Send EONBLUE cues from CSEC EONBLUE to DSD EONBLUE
  t13 Based on equitable processing (c3) send cues to GCHQ
  t14 Prepare report on Tipping / Cueing requirements, value etc.


CNT1: Analysis

o Triage leads from KOG and GA4
  - Links to existing intrusion sets
o Pursue interesting leads
  - Passive SIGINT collection
  - Technical analysis
o Produce reporting
o Attribute


Analytic Approach

(diagram with the corners Adversary, Infrastructure, Capability and Victim)
1. Begin with lead
2. Apply to SIGINT
3. Apply to CCNE
4. Track, research and report
5. Generate persona lead
6. Coordinate with traditional CI


Cyber-Specifics of the Analytic Approach

o Network Traffic Analysis
  - We have access to Special Source, Warranted and 2nd Party collection in raw, unprocessed form
  - Work very closely with protocol and crypt analysts
o Malware Analysis and Reverse Engineering
  - Samples are received through passive collection and human sources
o Forensic Analysis
  - Assist traditional CI investigations and others


CSEC Contacts

o CCI: CNT1
o CCNE: KOG
o GND: GA4
(e-mail addresses, all @cse, are not legible in the OCR)
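The "MS pretender" check from the ReplicantFarm generic-module slide, reimplemented as an added example. This is not code from the slides or from ReplicantFarm; it assumes nothing more than a list of process names taken from a host (here a constructed sample list) and flags names that are a legitimate Windows binary name with one to three characters appended before the extension, which is the same rule the Perl fragment encodes. The tcpmon entry is left out because its extension is illegible on the slide.

```python
import re

# Legitimate Windows binaries that masquerading processes imitate by appending a
# short string before the extension (svchost32.exe, lsass1.exe, ...).  Names are
# those listed on the ReplicantFarm slide; tcpmon is omitted (extension illegible).
LEGIT_BINARIES = [
    "svchost.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "spoolsv.exe", "autochk.exe", "logon.scr", "rundll32.exe",
    "chkdsk.exe", "chkntfs.exe", "logonui.exe", "ntoskrnl.exe",
    "ntvdm.exe", "rdpclip.exe", "taskmgr.exe", "userinit.exe",
    "wscntfy.exe",
]


def build_patterns(legit, min_extra=1, max_extra=3):
    """Compile one pattern per legitimate name: stem, 1-3 extra characters,
    then the original extension.  The exact legitimate name does not match
    because at least one extra character is required."""
    patterns = []
    for name in legit:
        stem, ext = name.rsplit(".", 1)
        regex = rf"^{re.escape(stem)}(.{{{min_extra},{max_extra}}})\.{re.escape(ext)}$"
        patterns.append((name, re.compile(regex, re.IGNORECASE)))
    return patterns


PATTERNS = build_patterns(LEGIT_BINARIES)


def find_masqueraders(process_names):
    """Return (observed_name, imitated_name, appended_string) for every
    process name that looks like a legitimate binary with a suffix appended."""
    hits = []
    for proc in process_names:
        for legit, pattern in PATTERNS:
            match = pattern.match(proc)
            if match:
                hits.append((proc, legit, match.group(1)))
    return hits


def alert_text(hit):
    """Render one hit as an alert line in the style of the slide's $alertText."""
    proc, legit, extra = hit
    return (f"Suspicious process detected: legitimate exe name {legit} "
            f"appended with string '{extra}': {proc}")


# Constructed sample process list (hypothetical host, not from the original page).
SAMPLE_PROCESSES = [
    "svchost.exe",      # genuine, must not be flagged
    "svchost32.exe",    # two characters appended -> flagged
    "lsass.exe",
    "Lsass1.exe",       # case differs, one character appended -> flagged
    "explorer.exe",     # not in the watch list
    "taskmgrx.exe",     # flagged
    "svchost_x64.exe",  # four characters appended: outside the 1-3 rule, not flagged
    "services.exe",
]

if __name__ == "__main__":
    for hit in find_masqueraders(SAMPLE_PROCESSES):
        print(alert_text(hit))
```

The bound of one to three appended characters is the slide's rule, not a property of the technique; the last sample entry shows that a longer suffix slips past it, so the bound is a tuning parameter to weigh against false positives from legitimately named files.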
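The three-step heuristic from the "Heuristic Example" slide (first content-carrying packet, duplicated sequence number with a different payload size, content differing within the first 10% of the payload), written out as an added detection example. It is not code from the slides or from Slipstream / EONBLUE; it assumes packets have already been decoded into (timestamp, endpoints, TCP sequence number, payload) records, and the sample packets below are constructed. The leading-content comparison uses the shorter of the two payloads to size the 10% prefix, which is a choice of this example rather than something the slide specifies.

```python
import math
from collections import defaultdict, namedtuple

# Minimal decoded-packet record (assumed input format; a real deployment would
# fill this from a capture library).
Packet = namedtuple("Packet", "ts src sport dst dport seq payload")


def group_flows(packets):
    """Group packets by directional 4-tuple so only one sender's segments are compared."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src, p.sport, p.dst, p.dport)].append(p)
    return flows


def leading_content_differs(a, b, fraction=0.10):
    """True if the first `fraction` of the (shorter) payload differs between a and b."""
    n = max(1, math.ceil(min(len(a), len(b)) * fraction))
    return a[:n] != b[:n]


def detect_seq_duplication(packets, fraction=0.10):
    """Apply the slide's heuristic per flow: take the first content-carrying
    packet, then alert on any other packet that reuses its sequence number with a
    different payload length and different leading content."""
    alerts = []
    for flow, pkts in group_flows(packets).items():
        pkts = sorted(pkts, key=lambda p: p.ts)
        first = next((p for p in pkts if p.payload), None)
        if first is None:
            continue                      # pure ACK / handshake flow, nothing to compare
        for p in pkts:
            if p is first or not p.payload or p.seq != first.seq:
                continue
            if len(p.payload) == len(first.payload):
                continue                  # ordinary retransmission: same size
            if leading_content_differs(first.payload, p.payload, fraction):
                alerts.append({
                    "flow": flow, "seq": first.seq,
                    "first_ts": first.ts, "first_len": len(first.payload),
                    "dup_ts": p.ts, "dup_len": len(p.payload),
                })
    return alerts


# Constructed sample traffic (not from the original page).  Addresses use
# documentation ranges and the hostnames are invalid by construction.
SAMPLE_PACKETS = [
    # Flow A: two different responses carry the same sequence number; the short
    # redirect arrives first, the genuine page a few milliseconds later.
    Packet(0.998, "203.0.113.10", 80, "192.0.2.5", 51000, 999, b""),      # bare ACK, no content
    Packet(1.000, "203.0.113.10", 80, "192.0.2.5", 51000, 1000,
           b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example.invalid/path/to/landing"
           b"?session=CONSTRUCTED\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"),
    Packet(1.004, "203.0.113.10", 80, "192.0.2.5", 51000, 1000,
           b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 55\r\n\r\n"
           b"<html><body><h1>Genuine page content</h1></body></html>"),
    # Flow B: plain retransmission, same size and content -> no alert.
    Packet(2.000, "192.0.2.5", 51001, "203.0.113.10", 80, 5000,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
    Packet(2.300, "192.0.2.5", 51001, "203.0.113.10", 80, 5000,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"),
    # Flow C: resent segment coalesced with more data; size differs but the
    # leading content is identical -> no alert.
    Packet(3.000, "198.51.100.7", 443, "192.0.2.9", 52000, 7000, b"DATA " + b"0123456789" * 10),
    Packet(3.250, "198.51.100.7", 443, "192.0.2.9", 52000, 7000, b"DATA " + b"0123456789" * 15),
]

if __name__ == "__main__":
    for alert in detect_seq_duplication(SAMPLE_PACKETS):
        print(alert)
```

The 10% figure is the slide's threshold and deserves tuning in practice: protocols with a fixed leading token (an HTTP status line, a TLS record header) can leave the first few bytes of a short payload identical even when the rest differs, so a very small payload may need an absolute minimum prefix length rather than a pure percentage.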