Synergising Network Analysis Tradecraft
Network Tradecraft Advancement Team (NTAT)

TOP SECRET//SI

Overview
- What is the [...]
- 2011 / 2012 work and accomplishments

Tradecraft
- Tradecraft: The development of methods, techniques, algorithms and processes in order to generate Intelligence
- Network Tradecraft: Usable knowledge about how to acquire intelligence FROM the network and developing the ability to apply this knowledge either manually or through automation
- Tradecraft is developed from experience, research, intuition and by the reapplication and redefinition of existing techniques
- Industrial-Scale Tradecraft involves data on a large scale

The NTAT
- Create repeatable, sustainable and share-able tradecraft to enable network analysis
- Facilitate knowledge collaboration and interchange across the 5 Eyes SIGDEV community

The Process
[Figure: process diagram; only one stage is legible: "Stage 5: Test Documented Tradecraft and Refine"]

Network Convergence Tradecraft
- Technological convergence where voice and data services interact with each other on a single device
- Tradecraft to enable the targeting of handsets in telephony space and CNE exploitation in IP space
- Improved algorithms for mobile gateway identification and implementation of these algorithms

DSD Workshop
- November 201
- [...] weeks
- CSE, DSD, GCHQ
- Virtually via chat room: NSA, GCSB
- Focus on data, techniques, analytic outcomes

DSD Workshop Outcomes
- Technique developed to identify wide variety of potential converged data unique for specific country or mobile network operator
  - potentially lead to convergence correlation dataset to help profile targets' on-line activity
- Documentation of techniques to identify specific components of raw HTTP activity that alludes to the browsing, downloading and installation of smartphone applications
  - identified the presence of application servers for mobile network operators and geographical areas
- DSD implementation of mobile gateway identification analytic based on FRETTING YETI
  - three agencies now running the same analytic provides a richer dataset of mobile gateways
- CRAFTY SHACK trial
  - NTAT now using SHACK for tradecraft documentation

XKS Microplugin
[Figure: screenshot, Samsung Protocol; text not recoverable]

CSE Workshop
- February 2012
- 2 weeks
- CSE, DSD, GCHQ, GCSB, NSA: everyone wanted to experience a Canadian winter
- Build on the work started at DSD

Water Ninran
The Reality

CSE Workshop Outcomes
- Refinement of fingerprints to identify mobile bearers, Samsung and Android Marketplace servers
  - XKS fingerprints deployed
- Documentation of analytics in CRAFTY SHACK
  - These analytics are now being implemented across the 5 Eyes
- Proving the tradecraft actually works
  - Scenario to test the tradecraft and analytics: Op IRRITANT HORN

Op IRRITANT HORN
Does the tradecraft work?
- Another Arab Spring, only this time different countries
- Goal: identify aggregation points for the mobile networks in the countries of interest using the tradecraft developed during the workshops
Did it work?
- YES: the team was able to identify connections from the countries to application and vendor servers in non-5-Eyes countries
So what?
- We found some [...]
- Potential E5 Effects
  - Harvesting data at rest
  - Harvesting data in transit

Finding mobile application vendor update servers
[Figure: screenshot of a query form; text not recoverable]
[Figure: screenshot of a results table pairing countries (France, Cuba, Senegal, Sudan, Bahamas, Netherlands, Russia) with server hostnames; hostnames not reliably recoverable]

CRAFTY SHACK
[Figure: screenshot of a CRAFTY SHACK page titled "Identifying servers communicating with an MNO"; body text not recoverable]

Profiling mobile application servers
[Figures: screenshots and charts; text not recoverable]
- Results based on mobile application servers seen in CSE collection
- We have a list of the most popular smartphones for Warid Congo customers and their [...]

Success Stories: mobile browser identification
- Discovered by GCHQ analyst during DSD workshop
- Chinese mobile web browser leaks IMSI, MSISDN, IMEI and device characteristics
- Led to discovery of active comms channel from [...]

(S//SI//REL TO USA, FVEY) The CONVERGENCE team helped discover an active communication channel originating from [...] that is associated [...] they are known within the hierarchy area of [...] is for covert activities in Europe, North America and South America. The customer leveraged a Convergence Discovery that enabled the discovery of a covert channel associated with smart phone browser activity in passive collection. The covert channel originates from users who use UCBrowser (mobile phone compact web browser). The covert channel leaks the IMSI, Device Characteristics and [...] back to server(s) in [...]. Initial investigation has determined that perhaps malware can be associated when the covert channel is established. Covert exfil activity identifies opportunity where potentially none may have existed before. Target offices that have access to X-KEYSCORE can search within this type of traffic on their IMSI or IMEI to determine target presence.

XKS Microplugin
[Figure: screenshot; text not recoverable]

Vision of Success
- Shared convergence database with numerous different sources, methods, tradecraft feeding into it
- Ultimately correlating telephony and Internet with some degree of confidence