Title: Automated NOC Detection

Release Date: 2014-12-13

Document Date: 2011-01-01

Description: This 2011 presentation, created by GCHQ’s Network Analysis Centre describes new techniques for gathering reconnaissance on the IT personnel of targeted organisations (their “Network Operations Centres”), using Belgacom as an example in several slides: see the Intercept article Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco, 13 December 2014. Download […]

Document: TOP SECRET STRAP 2

Automated NOC
Detection

, Head of GCHQ NAC

Senior Network Analyst, CSEC NAC

n/\c

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHQ or I

TOP SECRET STRAP 2

Challenge

• SDC 2009 - Challenged the Network
Analysis community to automate the
detection of Network Operations

Centres

n/\c

This information is exempt from disclosure under exemption under other UK information

legislation. Refer disclosure requests to GCHQ o

TOP SECRET STRAP 2

Phase 1: Intelligent Router Configuration File Parsing

• Routers have numerous services running on them that help

identify the NOC IP ranges:

- SSH

- TELNET/VTY

- SNMP

- SYSLOG

- DNS

- TACACS

- RADIUS

• Access to these services tends to be locked down by the use of
Access Control Lists (ACLs)

• Configuration files provide details of how services are
configured.

n/\c

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHQ or I

TOP SECRET STRAP 2

NOCTURNAL SURGE

• GCHQ response to challenge.

• Early Prototype that looks at only:

- ACLs for SSH/TELNET

- ACLs for VTY

NOCTURNAL SURGE

aka Find my NOC

n/\c

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHQ o

NOCTURNAL SURGE: Homepage - Mozilla Firefox HtaJE
Fíe ÿew rtjtory Bookmarks look Help
OB- c & H & '! ■ fn> ~p\
gchq-web research sigdev search task-tgbng Analysts tools PROGRAMMES press | Discover Gforge-UK Gforge | GTAC Tasking D6 f~\ OpsTracker RTC & RT NacShack Investor . NAClOUNSRCs ■ 1112-FTE 1_J CHAINGUARD »
NOCTURNAL SURGE::HomePage fej B FIVE ALIVE B FIVE ALIVE J FKB IPv4 AS Search

n/\<

Corp Directory "Change Password" Login

Global Database

AS query

© ACLs for TELNET/SSH (Ports 23/22)
• ACLs applied to VTY Lines

Enter an AS

Project Database

Project Query

* ACLs for TELNET/SSH (Ports 23/22)
© ACLs applied to VTY Lines

Select Project: ______________

Recent Updates:

20110118 - vO 2

- Added Server Information from TIDAL SURGE 'Services Used' Data for Projects and Global DB

- Added collapsible sections for above where number of Servers > 5

- Changed colour scheme to hi-light unrecognised ACL bitmasks that do not convert to CIDR in


and CIDR blocks in YELLOW



NOCTURNAL SURGE A

Mozilla Firefox

U

File Edit i/iew History Boosmarls Tools Heb

C X Ü3 1 i ill

ù H

___gchq-web research _____sigjev___search ,__task-tgting ,_| Analysis _tods _PROGRAMMES _____press Q Discover j Gforge-l)K [Z] Gforge J GTACTaskingDB t \ OpsT'acker RTC ^ RT |_j NacShack Investor . hAClCllNSRCs . 1112-FTE J Ct-AINGUARD

B FIVE ALIVE

NOCTURNAL SURGE:: Ai I

B FIVE ALIVE

LJ FKB IPv4 AS Search

n/v

NETWORK CBTMTFTE

ECRET STRAP1 COMINT

NOCTURNAL

SURGE

aka Find my NOC in As[


NOCTURNAL SURGE: Homepage - Mozilla Firefox HtaJE
Fíe ÿew rtjtory Bookmarks look Help
OB- c & H & -I ■ m> ~p\
gchq-web research sigdev search task-tgbng Analysts tools PROGRAMMES press | Discover Gforge-UK Gforge | GTAC Tasking D6 OpsTracker RTC & RT NacShack Investor . NAClOllNSRCs ■ 1112-FTE J CHAINGUARD »
NOCTURNAL SURGE::HomePage fej B FIVE ALIVE B FIVE ALIVE |J) FKB IPv4 AS Search

n/\<

Corp Directory "Change Password" Login

[(OPD-NAC)
ÏBusiness Ur

Recent Updates:



NOCTURNAL SURGE

aka Find my NOC

Global Database

AS query

© ACLs for TELNET/SSH (Ports 23/22)
ACLs applied to VTY Lines

Enter an AS :

itabase

LNET/SSH (Ports 23122)
1 to VTY Lines

20110118 - vO 2 -----------------------------------------------------------

- Added Server Information from TIDAL SURGE 'Services Used' Data for Projects and Global DB

- Added collapsible sections for above where number of Servers > 5

- Changed colour scheme to hi-light unrecognised ACL bitmasks that do not convert to CIDR in


and CIDR blocks in YELLOW

NOCTURNAL SURGE: AS

Mozilla Firofox

'QBE

File Edit View History Bookmarks Tools Help

0 c tir

Û

p\

gchq-web _j research _j slgdev j j search _ task-tgtlng Analysis _ tools _j PPOGRWli^ES i press [J DIsodver [_3 Gforge-UK (J jfcrge |_J GTAC TaskngDB Ops~r acker J PTC ^ PT |_3 NecShacI; Investor - NACiOiiMSPCs 1112-F_E |_J CHAIN GJARD

NOCTURNAL SURGE : AS I

0 B FIVE ALIVE

B FIVE ALIVE

n/v

j_J FKB IPv4 AS Search



-

s-- Back to Query Page
Summary Results

NOCTURNAL

SURGE

aka Find my NOC

in A J ~

TOP SECRET STRAP 2

GCHQ / CSEC NAC Joint tradecraft development

• During March 2011 GCHQ Analysts visited CSEC to look at the
using PENTAHO for tradecraft modelling working with CSEC
NAC and CSEC/H3 software developers to see if could model
NOCTURNAL SURGE in PENTAHO and then implement in

OLYMPIA.

• Only possible to attempt because:

- GCHQ NAC use PENTAHO

- CSEC NAC/H3 use PENTAHO

- CSEC NAC have implemented GCHQ NAC TIDAL SURGE Database
Schema (DSD also have this..)

• GCHQ approach based on AS

• CSEC approach based on Country

n/\c

This information is exempt from disclosure under other UK information

legislation. Refer disclosure requests to GC

TOP SECRET STRAP 2

Pentaho - NOC Auto Detection



Remove private IP addresses

Dedupe exact range, merod

Dummy (do nothing)

Input country atari

Trim whitespace from descriptions Select values Calculate number of IP addresses in range Filter t=/16

tummy (do nothing) 3 Filter on input country Select values A Merge Join with geo data Sort on 1 st ip Convert decimal IPto String Dedupe

on first ip

mmy (do nothing) A Group interseping IP ranges Sort on|1 st ip 2 Country digraphto lowercase 2

Output raw results

P + Subnet Mask

Count by grou^ Sort orjroup id Merge Join group!; with company info Sort by groupcbyjit

Output NOC ranges for input country, sorted by confidence

Merge Join group ids with count Sort by first ip

n/\c

This information is exempt from disclosure under thpFr££domfnioïmajonAi2020S.™m2y£e«uL££l«o exemption under other UK information

legislation. Refer disclosure requests to GCHQ on

TOP SECRET STRAP 2

Phase 2: Intelligent use of Metadata

• We do not always get full configuration files to parse.

• Services between routers and NOCs run on IP/TCP/UDP

• We do create 5-TUPLE metadata from our collection

- GCHQ have prototype database - 5-Alive

- CSEC have database - HYPERION

n/\c

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHQ o

TOP SECRET STRAP 2

SNMP Protocol

n/\c

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to

TOP SECRET STRAP 2

SNMP Protocol in 5-Alive

Diarised Events j Activity Graphs
Options

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHQ

TOP SECRET STRAP 2

Further drill down on activity for identified IP

This information is exempt from disclosure under theFi2£domfnioïm2ijoilAi2020S.™m2y£e«uL££l«o exemption under other UK information

legislation. Refer disclosure requests to GCHQ o

TOP SECRET STRAP 2

Phase 3: Intelligent use of TELNET traffic

• Again we do not always get full configuration files. Phase 1 is
based on full (or as near to full) configuration files

• GCHQ NAC collect TELNET Sessions into TERMINAL SURGE

- Collection based on TCP Port 23 (TELNET)

- Other protocols use TCP Port 23 (YMSG)

• Interaction with Routers over TCP Port 23 maybe nefarious:

- Scanning

- Password guessing

• Need to separate legitimate use from nefarious activity

• Look for signs of legitimate use.

- Successful login

- Follow on commands

n/\c

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHQ

TOP SECRET STRAP 2

From TCP Port 23 (Echo)

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHQ

TOP SECRET STRAP 2

To TCP Port 23

This information is exempt from disclosure und exemption under other UK information

legislation. Refer disclosure requests to GCHQ |____________________________________________________________________

TOP SECRET STRAP 2

Intelligent analysis of TELNET traffic

The fact that login was successful for both examples means the

following:

- From TCP Port 23

• To IP address is Network Management Terminal (in the

NOC ?)

To TCP Port 23

• From IP address is Network Management Terminal (in

the NOC ?)

9

W

n/\c

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHQ

TOP SECRET STRAP 2

Phase 4: Bulk Port Scanning

We know the key services/servers running in the NOC

• Utilise HACIENDA, GCHQ’s bulk port scanning capability to
identify what IPs have these service ports open - additional
logic to build up confidence required.

n/\c

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHQ

TOP SECRET STRAP 2

Fusion of sources

Aim is to bring all sources that help identify NOC IP ranges
together with associated confidence.

Different techniques provide different results due to the nature of
passive access (international v’s in-country for instance)

Different techniques have different levels of reliability - therefore
looking to develop aggregation with overlay of smart

intelligence.

Solution can work on not just ISP
NOCs but also Mobile OMCs.

‘5k

n/\c

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHQ o

TOP SECRET STRAP 2

And then....enabling CNE on NOCs

• We now have IP ranges - need selectors of NOC Staff to
enable QUANTUM INSERT attack against them.

• Use of GCHQ TDI capability to identify selectors coming out of
IP ranges and/or identification of proxy/NAT within NOC range.

n/\c

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCHCl

TOP SECRET STRAP 2

NOC IP range search in MUTANT BROTH

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information

legislation. Refer disclosure requests to GCH

TOP SECRET STRAP 2

NOC IP range - Target identifiers for QUANTUM INSERT

This information is exempt from disclosure und . exemption under other UK information

legislation. Refer disclosure requests to GCHQ

TOP SECRET STRAP 2

Real-time picture of QI

This information is exempt from disclosure under theFreedomoflnformatio^exemption under other UK information

legislation. Refer disclosure requests to GCHQ on

TOP SECRET STRAP 2

Questions ?

This information is exempt from disclosure under thpFreedom£linioim2^ii™£l2020«ïim2^be«ubj££liifxemption under other UK information

legislation. Refer disclosure requests to GCHQ on

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh