TOP USA FVEY

Case Studies of Integrated Cyber Operation Techniques
Threat Operations Center (VS)

[Diagram: Inbound Threats Neutered / Interactive Threats Controlled / Outbound Threats Disrupted; labels: Adversary, Neuter, Exfiltrate, Corrupt, Victim, Adversary Web Server, NIPRNET server]

Foreign Intelligence in Support of Dynamic Defense
- Foreign Intelligence Attribution
- Access to their tools - so that we can [illegible] other U.S. victims

(U) Use CNE to penetrate the operations of foreign cyber actors
- (U) Two major classes of CNE techniques:
  - (U) Man-in-the-middle
  - (U) Man-on-the-side
- Steal their tools, tradecraft, targets, and take [text cut off]
[Diagram labels: Adversary Penetrated Foreign Host, Adversary Penetrated Foreign Infrastructure, Adversary Home]

(U) Active Exploitation
[Diagram labels: Implanted, AnySite.com]

(U) Active Exploitation / Network Defense
[Diagram labels: Good Guys, PANDORAS MAYH..., AnySite.com, TURMOIL, TUTELAGE]
- TUTELAGE is a man-in-the-middle technique
- Using TUTELAGE to enable active exploitation is integrated cyber operations

Concerted Use of both Passive & Active SIGINT
- Implant targets based on selectors and/or behavior (e.g. users of al-Mehrab ISP, Mosul, who visit al-Hezbah extremist website)
- Requires target webserver responses be visible to passive SIGINT
- Requires sufficient delay in target web connection for the hook to beat the response back to the target (typically means at least one satellite hop)
- Requires target's client to be vulnerable
- Once hooked, the target is exploited
- Time constraints: different QUANTUM effects have different [remainder illegible]
[Diagram labels: 1. Target web connection request via SATCOM or fiber (satellite hop); insert hook in addition to requested [illegible]; SIGINT cycle must get to the target before step 2 occurs; 6. Hook calls to Covert Listening Post (LP)]

BOXINGRUMBLE Case Study
- DNS requests entering domain
- Destination IP not a DNS server
- Domain name not within [illegible]
- DNS behavior of host is suspicious but not dangerous
- TAO uses QUANTUMDNS to redirect the requesting host
[Diagram labels: INTERNET, NSA and TAO Covert Infrastructure, NIPRNET]

QUANTUMDNS: An Integrated Cyber Operation
[Diagram: DNS resolution sequence with labels: Root DNS Server, Local DNS Server, Anysite.mil DNS Server, "Where's Anysite.mil?", "Talk to the root server", "I don't know, I'll ask...", "IP is 1.2.3.4", TAO Shooter, NIPRNET, Anysite.mil Server, Implant, Control, DNS Blocked / DNS Found]

QUANTUMDNS As Used Against BOXINGRUMBLE
[Diagram labels: TAO C2 mirrors Anysite.mil; DNS query; DNS answer "Anysite.mil ... IP is 1.2.3.4"; Connect to server 1.2.3.4; NIPRNET; Control]

BOXINGRUMBLE Case Study
- TAO establishes itself as a trusted C2 node
- Captured traffic indicates the existence of a bot net
- Command and control split into two layers: C2 and C4
- C2 layer has a peer-to-peer mesh network topology with direct connection to a C4 node
- C2 nodes connect directly to victims as well as through open web proxies
[Diagram labels: TAO C2 Server, Open Web Proxies, NSA and TAO Covert Infrastructure]
(Banner on this slide: TOP TO USA AUS CAN GBR NZL)

BOXINGRUMBLE Case Study
[Diagram labels: Bot Commander Nodes; Trusted C4 (2-3 nodes); TAO C2 Server; Open Web Proxies; Victims/Bots (N = 200k max); NSA and TAO Covert Infrastructure; DEFIANTWARRIOR Implant]
- C2 server can see all bot tasking
- TAO C2 server can push tasking
- BOXINGRUMBLE bots: 45% Vietnamese dissidents, 45% Chinese dissidents, 10% Other
- Adding BOXINGRUMBLE bots to DEFIANTWARRIOR

QUANTUM capabilities

Name | Description | Inception Date | Status | Operational Success
QUANTUMINSERT | CNE. Man-on-the-Side technique. Briefly hi-jacks connections to a terrorist website. Re-directs the target to a TAO server (FOXACID) for implantation. | 2005 | Operational | Highly Successful (In 2010, 300 TAO implants were deployed via QUANTUMINSERT to targets that were un-exploitable by any other means)
QUANTUMBOT | Takes control of idle IRC bots. Finds computers belonging to botnets and hijacks the command and control channel. | Aug 2007 | Operational | Highly Successful (over 140,000 bots co-opted)
QUANTUMBISCUIT | Enhances QUANTUMINSERT's man-on-the-side technique of exploitation. Motivated by the need to QI targets that are behind large proxies, lack predictable source addresses, and have insufficient unique web activity. | Dec 2007 | Operational | Limited success at NSAW due to high latency on passive access. GCHQ uses technique for 80% of CNE accesses.
QUANTUMDNS | DNS injection/redirection based off of A Record queries. Targets single hosts or caching name servers. | Dec 2008 | Operational | Successful
QUANTUMHAND | Exploits the computer of a target who uses Facebook. | Oct 2010 | Operational | High priority CCI target exploited
QUANTUMPHANTOM | Hijacks any IP on passive coverage to use as covert infrastructure. | Oct 2010 | Live Tested | Successful
QUANTUMSKY | CNA. Denies access to a webpage through RST packet spoofing. | 2004 | Operational | Successful
QUANTUMCOPPER | File download/upload disruption and corruption. | Dec 2008 | Live | (none listed)

QUANTUMSMACKDOWN (Defensive)
[Diagram labels: NSA Space, NIPRNET, REPOSITORY]
- A client requests connection to malicious server
- Request is detected by TURMOIL
- CLOUDSHIELD terminates client-side connection
- The malicious server's response is blocked by CLOUDSHIELD
- TURMOIL tips TURBINE, which then tasks a shooter to send the acknowledgement to the malicious server
- Malicious server assumes connection and forwards [text cut off]

Future Capability: QUANTUMSAND
[Slide text largely illegible: "Take enviro...", "Allow NSA Space..."]

(U) Future Work
- Develop lower latency guards
- Use TUTELAGE inline devices as our shooter
- Push decision logic to the edge
- Identify more mission opportunities
- Continue developing and deploying additional QUANTUM capabilities

For more information please contact:
- TUTELAGE: VS
- QUANTUM: S32X
- TURBINE: T1412
- BOXINGRUMBLE: F22

National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone 202 994-7000, Fax 202 994-7005, nsarchiv@gwu.edu