Title: CASCADE – Joint Cyber Sensor Architecture

Release Date: 2015-03-23

Document Date: 2011-01-01

Description: This CSEC presentation from 2011 communicates Canada’s current and future cyberwar plans to their Five Eyes partners: see the article Communication Security Establishment’s cyberwarfare toolbox revealed, 23 March 2015.

Document: CLASSIFICATION:

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Project Overview
Current Status
Proposed Architecture
Towards 2015

CLASSIFICATION: TOP SECRET // COMINT // REL FYEY





Project Overview

Alignment of passive cyber sensor capabilities and
architecture in the SIGINT and ITS missions

Goals

Common sensor technology and architecture
Address scalability issues in sensor deployments

Scope

Passive sensors and supporting infrastructure are in scope

A Analytic tools are out of scope

%% Host based capability is out of scope (caveat: passive
messaging is in scope)

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Our Sensors

SIGINT / ITS

CLASSIFICATION: TOP SECRET // COMINT // REL FYEY

36 Monitoring of GC Networks

36 Includes:

36 Full-Take Packet Capture

36 Signature Based Detection

36 Anomaly Based Discovery

36 Analytic Environment
36 Oversight Compliance Tools

36 Monitoring in Passive SIGINT

36 Includes:

36 Full-Take (on specific accesses)

36 Signature Based Detection

36 Anomaly Based Discovery

36 Additional Functions are offloaded and exist further
downstream:

36 Analytic Environment
36 Dataflow / Targeting

36 Oversight and Compliance Tools

CLASSIFICATION: TOP SECRET // COMINT // REL FYEY

Shades of Blue

EONBLUE

DELL R610 1U Platform

- TS//SI Processing

- Tracking / Discovery

10Gbps

INDUCTION

Distributed Processing (Cloud)

- TS//SI Processing

- Tracking / Discovery

- PXE Boot Infrastructure

Multiple

10Gbps

THIRD-EYE

Cyber Metadata Processor

- UNCLASSIFIED Processing

- Metadata Production

Metadata

Multiple 1Gbps

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Special Source

100% INDUCTION coverage of main SSO sites + metadata production
THIRD-EYE metadata production at select new sites

CRUCIBLE deployments to newly emerging sites pre-SCIF environment (survey)
38 Increase in link speeds
38 Warranted Collection

38 EONBLUE sensor deployment - full take collection

38 FORNSAT

38 Recently upgraded to current EONBLUE code base, leveraging GCHQ
CHOKEPOINT solution to integrate with environment (Virtualized)

38 Working on SUNWHEEL / SMO

38 CHOKEPOINT system enroute to CASSIOPEIA

38 No SUNWHEEL presence as of yet, plans to leverage CHOKEPOINT capability

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

36 Deployment at 3 edge gateway GC departments
36 Dynamic defence is enabled at two of these sites

36 Deployment at the main government backbone
36 Dual lOGbps links (~3Gbps loading)

3§ Data volumes continue to increase due to Internet Access Point
aggregation

36 Currently performing full take and storage of all monitored
traffic

36 System performance issues, overall analyst usability issues

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION:

Divergence - Sensor Deployments

V*”'S.

• While both ITS/SIGINT currently leverage EONBLUE
software:

o The architectures are not aligned
o Configuration differs greatly

o Software versions are not standard across programs
o The full capability of EONBLUE is not being leveraged equally
across programs

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION:

OF SECRET / COMINT //

CLASSIFICATION:



CLASSIFICATION:

em Statement



it



36 Divergence

36 Sensor architectures have diverged between ITS/SIGINT
36 Within each area, versions are not standardized

36 Management and Scalability
36 Some configurations will not scale
36 Difficult to manage current sensor environment
36 High cost to grow existing solution (people, HW/SW costs)

36 Duplication of Effort

36 Divergence creates duplication of effort

36 Limited resources are not focused on innovation and new
challenges

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

1

Ensure that SIGINT /
ITS approach to
Tracking / Metadata
Production are aligned

Improve Query
Performance for Full-
Take Data

Develop / Implement
strategy to better do
Full-Take

Extend Native M

Messaging Between I Shared Mission Space
Business Lines 8

Ensure Targeting is H Single Interconnected
Unified ■ Sensor Grid

Simplify Version ■ Host / Network

Management H Interoperability

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION:

Tracking and Metadata



Ensure EONBLUE is deployed in a standard fashion across all

environments

Upgrade SCNET to lOGbps
EONBLUE

Update all SIGINT collection
sites to latest code release

Produce Standard Metadata
DNS Response Harvesting HTTP Client / Server Headers IP-to-IP Flow Summarizations

CLASSIFICATION: TOP SECRET // COMINT // REL FYEY

Full-Take Strategy

<
Address SCNET Scalability

Reconfiguration / Design of Storage

Solution

Improved / Enforced data indexing and

quering

Leverage Third-Eye Architecture
Distributed Collection Grid (at multiple clients) Queries are Federated and Centrally Managed Enables unique data ingest at client department (i.e. Firewall Logs)

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Full-Take Strategy

CLASSIFICATION:

38 Benefits

38 Improve Performance

Better data indexing techniques
Federated queries across multiple systems
38 Reduced Cost (Storage local to client departments)

10,000$ -> 25,000$ per client
Re-use of back-end Storage

38 Enable departmental security officers / operators

Capability of Third-Eye exceeds what is commercially available

38 Cons

38 Requires network connections to each GC Department
38 Requires footprint within each departments datacenter
38 Complexity of distributed processing

CLASSIFICATION: TOP SECRET // COMINT // REL FYEY

CLASSIFICATION:

Sensor Interoperability

co«~a'N.

CLASSIFICATION: TOP SECRET // COMINT // REL FYEY

CLASSIFICATION

Interoperability enables Synchronization

s.

ITS access to data collected by SIGINT sensors

Outputs should be common to enable a common analyst platform
Sensor environment should be seamlessly integrated

38 Capability remains at cutting-edge

Single release for all collection programs in SIGINT, all points of
presence, and across both missions

Management is simplified for operators, focusing on sensor
expansions

Standardized OS Versions and Optimizations

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION:

Unified Sensor Environment

/J

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

36 Where do you deploy sensors to maximize detection

capabilities for Foreign Intelligence collection and Network
Defence

36 Coverage-based deployment considerations - what are the
gaps?

36 Threat-based deployment considerations - what are the gaps?
36 Based on EPRs

36 Threat trends and forecasting reports
36 Adversary TTPs

CLASSIFICATION: TOP SECRET // COMINT // REL FYEY

CLASSIFICATION:

Canadian Cyber Sensor Grid

Foreign
Internet Space

Secure Channel

FORNSAT

Canadian Internet Space

Foreign Internet Space

System of
Importance

Foreign
Internet Space

Foreign Internet Space

Foreign
Internet Space

Defensive Monitoring

Special Source / Special Access
Warranted Access

i
i
i
i
i
i
i
i
i

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY





Strategic Priorities for CSEC

Strengthen “Team CSEC” and Prepare for Our New Facility

Adopt Innovative and Agile Business Solutions

Expand Our Access Footprint

Improve Analytic Tradecraft

%% Automate Manual Processes

Synchronize the Cryptologic Enterprise for Cyber Security
Mission

Enable “Effects” for Threat Mitigation

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

i

f

36 Expand Our Access Footprint

36 We will increase SPECIAL SOURCE access to include all
international gateways accessible from Canada.

36 We will deploy a sensor system that creates a protective grid at
multiple layers over Government operations in Canada, and at all
classification levels.

36 Improve Analytic Tradecraft

36 We will equip SIGINT and cyber defence analysts with tools for
flexible manipulation and customized analysis of large scale data
sets.

^ We will build analytic tradecraft that understands, anticipates,
and exploits the methodology of threat agents to provide
comprehensive cyber- situational awareness based on multiple
sources of cryptologic data.

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION:

Cyber Sensor in 2015

Synchronize the Cryptologic Enterprise for the Cyber Security Mission

We will improve how we anticipate, identify, track and mitigate cyber threats on
government systems through new concepts of joint operations.

We will design and develop joint SIGINT-ITS systems, including common data
repositories, joint tasking and analytic systems.

We will increase operational capacity by ensuring SIGINT, ITS, and cryptologic
partner sensors interoperate seamlessly.

We will synchronize and use ITS and SIGINT capabilities and complementary
analyses to thwart cyber threats.

Enable “Effects” for Threat Mitigation

We will seek the authority to conduct a wide spectrum of Effects operations in
support of our mandates.

We will build the technical infrastructure, policy architecture and tradecraft
necessary to conduct Effects operations.

We will further integrate ITS and SIGINT authorities and operations to leverage
common sensors, systems and capabilities necessary for active and expanded
dynamic cyber defence measures.

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION:

The Network Is The Sensor

Principles

r

Security needs to be j
transparent to the
user in order to be
effective

Security is a right for all
Canadians

• Federal Government

* Municipal / Provincial Gov

• Critical Infrastructure

* Industry

, * The Citizen

End-Users should
incur little cost for
security

IT Assets should be
distributed

Access is mandate /
authority agnostic

Goals

Detect threats as they
enter our national
networks, not at the
Gateway

Identify Exfiltration,
Command and
Control, anywhere in
our national networks

The network is your
defence for all
infrastructure

Rationale

r \ r
We can’t keep pace with our adversary Gateway / Device / End- Node protection is not sufficient (essential, yes) Rather than plugging one hole at a time, build better layered defence
i J \ a L. A



~\



CLASSIFICATION: TOP SECRET // COMINT // REL FVEY



Principles Explained

CLASSIFICATION:

36 Security is Transparent

If security inhibits functionality, or interferes with user experience
it will be bypassed

36 Security is a right

36 Attempting to protect everybody with end-node / gateway
defenses is not feasible.

36 IT Assets should be distributed

^ We run an open market, network providers will compete to
provide access

36 Consolidated gateways creates single points of failure
36 Cost / Redundancy considerations

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

36 Detection before attack hits target

3§ If we wish to enable defence we must have intelligence to know
when attacks enter our national infrastructure

36 Identify Exfiltration / Command and Control

36 Some attacks will slip through or can't be seen (i.e. shaping)

36 Exploit our temporal advantage - aggressively pursue these
implants as they will communicate ‘home' for instruction

36 The Network IS your Defence

36 In some cases, in cooperation with our partners we can affect
change at the CORE of the Internet on detection:

Modify traffic routes

Silently discard malicious traffic (hygiene filtering)

Insert payload to disrupt adversaries

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

26 Keeping pace with the Adversary

26 From the time a malicious PDF is opened, till SEEDSPHERE has
interactive control of a workstation is <3 minutes

26 There are countless malicious actors (state, crime, generic malware)

26 Gateway / End-Node Defence by itself is insufficient
26 It is only one part of the problem

26 Over 600,000 Apps in the iTunes AppStore (How do you secure that?)

26 Defence in Depth includes network monitoring, and network interaction

26 Build better Defence

26 Our current MO is to resolve one incident at a time

26 Automate the defence through a robust network capable of not only
detection, but manipulation of malicious traffic

CLASSIFICATION: TOP SECRET // COMINT // REL FYEY

38 EONBLUE will be integrated into the Network
38 Monitoring Government of Canada

38 Monitoring Core Infrastructure (Special Source) extending the
reach to view national infrastructure

38 Monitoring foreign Internet Space

38 EONBLUE will enable defensive operations

38 Through robust communication with host-based capabilities
38 Through direct manipulation of network communications
38 Through interaction with Teleco infrastructure to affect change

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY



CLASSIFICATION:

Changing the way we think

Tipping and Cueing

If the purpose is to enable defence of national infrastructure it becomes
unnecessary in a 5-eyes context

We have full visibility of our national infrastructure

The chance of heating’ the internet for latency of an attack is minimal

The network will perform the filtering

What if instead T&C enables intelligence collection (Cyber Session
Collection)?

Targeting and Tasking

We all share common targets and we will all target using our national capability
the cyber threats we know about

%% No need for 2nd party tasking / targeting requests. Instead expose cyber
information across the community

What if instead we focus on analytic collaboration and knowledge transfer
TEXPRO information, federated repositories (malware/traffic), etc

CLASSIFICATION: TOP SECRET // COMINT // REL FYEY

CLASSIFICATION:

Changing the way we think

36 Foreign SIGINT Intercept

36 Becomes the 'hunting ground’ for discovery of new threats

36 Enables attribution and counter-intelligence reporting

36 Defence is taken care of by The Network’

36 Mobile Platforms are the next frontier, what is their implication
on Cyber?

36 Domestic Defence

36 We will exhaust the treasury deploying network appliances to
perform dynamic defence

36 The same capabilities will be integrated into the CORE of the
Internet

36 Defence in Depth through complimentary capabilities on end-
nodes, at the gateway, and in the core of the Internet.

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION:

Conclusion

CASCADE

The harmonization of ITS/SIGINT Sensor capabilities

Lays the foundation for long-term integration of Cyber within the
Cryptologic Enterprise

Towards 2015

The Network is the Sensor

Defence, Mitigation, Intelligence all formed from a single
comprehensive network creating a perimeter around Canada

Extending our reach through 5-eyes partnerships to ensure mutual
defence of national assets.

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Project Overview
Current Status
Proposed Architecture
Towards 2015

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Project Overview

Alignment of passive cyber sensor capabilities and
architecture in the S1GINT and ITS missions

Goals

36 Common sensor technology and architecture
36 Address scalability issues in sensor deployments

Scope

Passive sensors and supporting infrastructure are in scope
36 Analytic tools are out of scope

36 Host based capability is out of scope (caveat: passive
messaging is in scope)

CLASSIFICATION: POP SECRET // COMINT // REL FVEY

What is the project about?

Define the goal of this project

Is it similar to projects in the past or is it a new effort?

Define the scope of this project

Is it an independent project or is it related to other projects?

* Note that this slide is not necessary for weekly status meetings

3

Our Sensors

SIGINT / ITS

CLASSIFICATION: I'OP SECRET // COMINT // REL FVEY

Photonic Msm

Monitoring of GC Networks

38 Includes:

38 Full-Take Packet Capture
38 Signature Based Detection
38 Anomaly Based Discoveiy
38 Analytic Environment
38 Oversight Compliance Tools

# EOMBLUE

38 Monitoring in Passive SIGINT
38 Includes:

38 Full- l ake (on specific accesses)
38 Signature Based Detection
38 Anomaly Based Discoveiy

38 Additional Functions are offloaded and exist further
downstream:

i: Analytic Environment

38 Dataflow Targeting
38 Oversight and Compliance Tools

CLASSIFICATION: IOP SECRET // COMINT // REL FVEY

CLASSIFICATION:

Shades of Blue



Current Status - SIGINT Deployments

3€ Special Source

38 ioo% INDUCTION coverage of main SSO sites + metadata production
33 THIRD-EYE metadata production at select new sites

33 CRUCIBLE deployments to newly emerging sites pre-SCIF environment (survey)
33 Increase in link speeds
33 Warranted Collection

33 EONBLUE sensor deployment - full take collection

3« FORNSAT

33 Recently upgraded to current EONBLUE code base, leveraging GCHQ
CHOKEPOINT solution to integrate with environment (Virtualized)

33 Working on SUNWHEEL / SMO

33 CHOKEPOINT system enroute to CASSIOPEIA

33 No SUNWHEEL presence as of yet, plans to leverage CHOKEPOINT capability

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

* If any of these issues caused a schedule delay or need to be discussed further,
Include details in next slide.

6



LASS1FICATION:

Current Status - IT Security Deployments

Deployment at 3 edge gateway GC departments
Dynamic defence is enabled at two of these sites

Deployment at the main government backbone
3i Dual lOGbps links (~3Gbps loading)

Data volumes continue to increase due to Internet Access Point
aggregation

Currently performing full take and storage of all monitored
traffic

US System performance issues, overall analyst usability issues

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

OSSIFICATION:

Divergence - Sensor Deployments

• While both ITS/SIGINT currently leverage EONBLUE
software:

The architectures are not aligned

Configuration differs greatly

Software versions are not standard across programs

The full capability of EONBLUE is not being leveraged equally

across programs

CLASSIFICATION: I'OP SECRET // COMINT // REL FVEY

Problem Statement

CT

36 Divergence

36 Sensor architectures have diverged between ITS/SIGINT
36 Within each area, versions are not standardized

36 Management and Scalability
36 Some configurations will not scale
36 Difficult to manage current sensor environment
36 High cost to grow existing solution (people, HW/SW costs)

36 Duplication of Effort

36 Divergence creates duplication of effort

36 Limited resources are not focused on innovation and new
challenges

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Duplicate this slide as necessary if there is more than one issue.

This and related slides can be moved to the appendix or hidden if necessary.

10

A Phased Approach

Extend Native Messaging Between Business Lines Shared Mission Space

Ensure Targeting is Unified Single Interconnected Sensor Grid
u
Simplify Version Management Host / Network Interoperability

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Ensure EONBLUE is deployed in a standard fashion across all

environments

Upgrade SCNET to lOGbps
EONBLUE

Update all SIGINT collection
sites to latest code release

57

Produce Standard Metadata

DNS Response
Harvesting

HTTP Client /
Server Headers

IP-to-IP Flow
Summarizations

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION:

Full-Take Strategy

Address SCNET Scalability

Reconfiguration / Design of Storage
Solution

Improved / Enforced data indexing and
quering

\ '

Leverage Third-Eye Architecture

Distributed Collection Grid
(at multiple clients)

Queries are Federated and
Centrally Managed

Enables unique data ingest
at client department (i.e.
Firewall Logs)

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY



CLASSIFICATION:

Full-Take Strategy

Benefits

Improve Performance

Better data indexing techniques
Federated queries across multiple systems
Reduced Cost (Storage local to client departments)

10,000$ -> 25,000$ per client
Re-use of back-end Storage

Enable departmental security officers / operators

Capability of Third-Eye exceeds what is commercially available

Cons

Requires network connections to each GC Department
Requires footprint within each departments datacenter
Complexity of distributed processing

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

I

38 ITS access to data collected by SIGINT sensors

38 Outputs should be common to enable a common analyst platform
38 Sensor environment should be seamlessly integrated

38 Capability remains at cutting-edge

;i Single release for all collection programs in SIGINT, all points of
presence, and across both missions

38 Management is simplified for operators, focusing on sensor
expansions

38 Standardized OS Versions and Optimizations

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Unified Sensor Environment

All Cyber Sensors form a complete eco-system

Access point is Mandate / Authority Agnostic Sensors are Multi-Modal (Defence or Intelligence from any sensor anvtimet

52

Extend Messaging to Host Based Capabilities

IT Security Host Based Agents CNE implants

Cyber Processing and analytic environments converge

Two-Tier Environment • Automated / GUI rich environment for operators •Command-Line Driven RAW uccess for Discovery Shared Network Resources for Common Services •Wiki/Blog/Chat • NIS / NIT / DNS / Messaging / etc

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

CLASSIFICATION:

Synchronized Deployment Strategy

38 Where do you deploy sensors to maximize detection

capabilities for Foreign Intelligence collection and Network
Defence

38 Coverage-based deployment considerations - what are the
gaps?

X
38
38

38 Threat-based deployment considerations - what are the gaps?
38 Based on EPRs

38 Threat trends and forecasting reports
38 Adversary TTPs

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Secure Channel

FORNSAT

Canadian Internet Space

Foreign Internet Space

System of
Importance

Foreign
Internet Space

Foreign Internet Space

Foreign
Internet Space

-

Defensive Monitoring

Special Source / Special Access
Warranted Access

GAZEBO Access

CLASSIFICATION: TOP SECRET // COMTNT // REL FVEY

Strategic Priorities for CSEC

38 Strengthen “Team CSEC” and Prepare for Our New Facility
38 Adopt Innovative and Agile Business Solutions
38 Expand Our Access Footprint
38 Improve Analytic Tradecraft

38 Automate Manual Processes

38 Synchronize the Cryptologic Enterprise for Cyber Security
Mission

38 Enable “Effects” for Threat Mitigation

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

LASSIFI CATION:

Cyber Sensor in 2015

36 Expand Our Access Footprint

36 Wc will increase SPECIAL SOURCE access to include all
international gateways accessible from Canada.

36 We will deploy a sensor system that creates a protective grid at
multiple layers over Government operations in Canada, and at all
classification levels.

36 Improve Analytic Tradecraft

36 We will equip SIGINT and cyber defence analysts with tools for
flexible manipulation and customized analysis of large scale data
sets.

36 We will build analytic tradecraft that understands, anticipates,
and exploits the methodology of threat agents to provide
comprehensive cyber- situational awareness based on multiple
sources of cryptologic data.

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY



CLASSIFICATION:

Cyber Sensor in 2015

‘V—S.

36 Synchronize the Cryptologic Enterprise for the Cyber Security Mission

36 We will improve how we anticipate, identify, track and mitigate cyber threats on
government systems through new concepts of joint operations.

36 We will design and develop joint SIGINT-ITS systems, including common data
repositories, joint tasking and analytic systems.

36 We will increase operational capacity by ensuring S1G1NT, ITS, and cryptologic
partner sensors interoperate seamlessly.

36 We will synchronize and use ITS and SIGINT capabilities and complementary
analyses to thwart cyber threats.

36 Enable “Effects” for Threat Mitigation

36 We will seek the authority to conduct a wide spectrum of Effects operations in
support of our mandates.

36 We will build the technical infrastructure, policy architecture and tradecraft
necessary to conduct Effects operations.

36 We will further integrate ITS and SIGINT authorities and operations to leverage
common sensors, systems and capabilities necessary for active and expanded
dynamic cyber defence measures.

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

LASSIFICATION :

The Network Is The Sensor

Principles

Security needs to be
transparent to the
user in order to be
effective

End-Users should
incur little cost for
security

IT Assets should be
distributed

Access is mandate /
authority agnostic

Goals

Detect threats as they
enter our national
networks, not at the
Gateway

Identify Exfiltration,
Command and
Control, anywhere in
our national networks

The network is your
defence for all
infrastructure

Rationale


We can’t keep pace with our adversary v J Gateway / Device / End- Node protection is not sufficient (essential, yes) Rather than plugging one hole at a time, build better layered defence




CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Principles Explained

36 Security is Transparent

36 If security inhibits functionality, or interferes with user experience
it will be bypassed

36 Security is a right

36 Attempting to protect everybody with end-node / gateway
defenses is not feasible.

36 IT Assets should be distributed

36 We run an open market, network providers will compete to
provide access

36 Consolidated gateways creates single points of failure

36 Cost / Redundancy considerations

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

36 Detection before attack hits target

36 If we wish to enable defence we must have intelligence to know
when attacks enter our national infrastructure

36 Identify Exfiltration / Command and Control

36 Some attacks will slip through or can’t be seen (i.e. shaping)

36 Exploit our temporal advantage - aggressively pursue these
implants as they will communicate ‘home’ for instruction

36 The Network IS your Defence

36 In some cases, in cooperation with our partners we can affect
change at the CORE of the Internet on detection:

Modify traffic routes

Silently discard malicious traffic (hygiene filtering)

Insert payload to disrupt adversaries

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

Rationale

36 Keeping pace with the Adversary

36 From the time a malicious PDF is opened, till SEEDSPHERE has
interactive control of a workstation is <3 minutes

36 There are countless malicious actors (state, crime, generic malware)

36 Gateway / End-Node Defence by itself is insufficient

36 It is only one part of the problem

36 Over 600,000 Apps in the iTunes Appstore (How do you secure that?)

36 Defence in Depth includes network monitoring, and network interaction

36 Build better Defence

36 Our current MO is to resolve one incident at a time
36 Automate the defence through a robust network capable of not only
detection, but manipulation of malicious traffic

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

ASSIFICATIO

What does it Mean?

36 EONBLUE will be integrated into the Network
36 Monitoring Government of Canada

36 Monitoring Core Infrastructure (Special Source) extending the
reach to view national infrastructure

36 Monitoring foreign Internet Space

36 EONBLUE will enable defensive operations

36 Through robust communication with host-based capabilities
36 Through direct manipulation of network communications
36 Through interaction with Teleco infrastructure to affect change

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY



Changing the way we think

IIMIlllWfflWMIl

96 Tipping and Cueing

36 If the purpose is to enable defence of national infrastructure it becomes
unnecessary in a 5-eyes context

Wc have full visibility of our national infrastructure

The chance of'beating' the internet for latency of an attack is minimal

The network will perform the filtering

96 What if instead T&C enables intelligence collection (Cyber Session
Collection)?

96 Targeting and Tasking

96 We all share common targets and we will all target using our national capability
the cyber threats we know about

96 No need for 2ml party tasking / targeting requests. Instead expose cyber
information across the community

96 What if instead we focus on analytic collaboration and knowledge transfer
TEXPRO information, federated repositories (malwarc/traffic), etc

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

I

Changing the way we think

36 Foreign SIGINT Intercept

36 Becomes the ‘hunting ground’ for discovery of new threats

36 Enables attribution and counter-intelligence reporting

36 Defence is taken care of by ‘The Network’

36 Mobile Platforms are the next frontier, what is their implication
on Cyber?

36 Domestic Defence

36 We will exhaust the treasury deploying network appliances to
perform dynamic defence

36 The same capabilities will be integrated into the CORE of the
Internet

36 Defence in Depth through complimentary capabilities on end-
nodes, at the gateway, and in the core of the Internet.

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

9« CASCADE

36 The harmonization ofITS/SIGINT Sensor capabilities

■ft Lays the foundation for long-term integration of Cyber within the
Cryptologic Enterprise

36 Towards 2015

36 The Network is the Sensor

Defence, Mitigation, Intelligence all formed from a single
comprehensive network creating a perimeter around Canada

Extending our reach through 5-eyes partnerships to ensure mutual
defence of national assets.

CLASSIFICATION: TOP SECRET // COMINT // REL FVEY

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh