Title: CSEC SIGINT Cyber Discovery: Summary of the current effort

Release Date: 2015-01-17

Document Date: 2010-11-18

Description: This CSEC presentation for a November 2010 conference outlines CSEC capabilities in the recognition of trojans and other “network based anomolies”: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.

Document: TOP SECRET II COMINT

■ Communications Security

Establishment Canada

Centre de la sécurité

des télécommunications Canada

CSEC SIGINT Cyber Discovery:
Summary of the current effort

Communications Security Establishment Canada
Covert Network Threats
Cyber-Counterintelligence

Discovery Conference
GCHQ - November 2010

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

i

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Outline

• CSEC SIGINT Cyber

- KOG (CCNE)

- G A4 (GND)

- CNT1 (CCI)

• CSEC SIGINT Cyber - Operational Discovery

- Network Based Anomaly Detection

- Host Based Anomaly Detection

• Contacts

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

2

Canada

TOP SECRET II COMINT

l+l

Communications Security Centre de la sécurité
Establishment Canada des télécommunications Canada

CSEC Cyber Counterintelligence

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

TOP SECRET II COMINT

4u ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Counter CNE (KOG)

• Part of CSEC CNE operations (KO)

• Recently formed matrix team

• Analysts and operators from CNE Operations, Cyber-
Counterintelligence and Global Network Detection

• Mandate:

- Provide situational awareness to CNE operators

- Discover unknown actors on existing CNE targets

- Detect known actors on covert infrastructure

- Pursue known actors through CNE

- Review OPSEC of CNE operations

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

4

Canada

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Global Network Detection (GND)

• Develop capabilities to improve the
ability of the SIGINT collection system
to detect Computer Network Exploitation
and Computer Network Attack

• Help enable CSEC’s CNE program through timely identification of
vulnerable computer systems and foreign CNE
methodologies/activities

• Act as technical liaison between IT Security and SIGINT for CNO
issues

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

5

Canada

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Cyber Counterintelligence (CNT1)

• Covert Network Threats (New Directorate within CSEC)

- CNTl (Cyber Counterintelligence)

- CNT2 (Traditional Counterintelligence)

• CNTl Mission

- To produce intelligence on the capabilities, intentions and
activities of Hostile Intelligence Services to support
Counterintelligence activities at home and abroad.

• Fusion of Cyber Analytic Skills with Traditional
Counterintelligence Analytic Skills

- All Cyber-Counterintelligence Investigations should lead to Traditional
Counterintelligence investigations.

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

6

TOP SECRET II COMINT

l+l

Communications Security
Establishment Canada

Centre de la sécurité

des télécommunications Canada

CSEC SIGINT CCI Discovery

Attribute

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

CSEC CNE (K) - WARRIORPRIDE

• WARRIORPRIDE (WP):

- Scalable, Flexible, Portable CNE platform

- Unified framework within CSEC and across the 5 eyes

- WARRIORPRIDE@CSE/etc. == DAREDEVIL@GCHQ

- xml command output to operators

• Several plugins used for machine recon / OPSEC assessment
Several WP plugins are useful for CCNE:

- Slipstream : machine reconnaissance

- ImplantDetector: implant detection

- RootkitDetector: rootkit detection

- Chordflier/U ftp : file identification / retrieval

- NameDropper: DNS

- WormWood : network sniffing and characterization

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

KOG - ReplicantFarm

• Created to leverage the WP XML output in a
meaningful way

• Module based parser/alert system running on real-time
CNE operational data

• Custom/module based analysis:

- Actors

- Implant technology

- Host based signatures

- Network based signatures

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

9

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

REPLICANTFARM generic modules

Cloaked
Recycler
Rar password
Tmp executable
Packed

Peb modification

Privileges

MS pretender

System32 “variables”

Strange DLL
extensions

• Kernel cloaking

• Schedule at

• Ntuninstall execution

• hidden

Other ideas....

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

io

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Generic modules : example

my @runningProcs = xml_isProcessRunning( $xml, 'svchost.{l,3}\\.exe',

'winlogon.{l,3}\\.exe\

'services.{l,3}\\.exe',

'Isass.ll.SjW.exe',

'spoolsv.il.SjW.exe',

'autochk.il.SJW.exe',

'logon.-fl^Wscr',

,rundll32.{l,3}\\.exe',

'chkdsk.fl.SjW.exe',

'chkntfs.{l,3}\\.exe',

'logonui.ll.SIW.exe',

'ntoskrnl.il.SJW.exe',

'ntvdm.{l,3}\\.exe',

'rdpcIip.ll.SJW.exe',

'taskmgr.{l,3}\\.exe',

'userinit.ll.SIW.exe',

'wscntfy.{l,3JW.exe',

'tcpmon.{l,3}\\.dir );

foreach my SrunningProc (@runningProcs)

{

SalertText .= "Suspicious process detected, legitimate exe named appended with string: ".
SrunningProc . "An";

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

il

TOP SECRET II COMINT

CCNE/Opsec WPID Alerts - Mozilla Firefox

File Edit View History Bookmarks Tools Help

- c cm

ù ■ 1

Most Visited Q Getting Started Latest Headlines jl LTT < Operations < TW.., - Opsec - klsvn - Tran Q CCNE/Opsec Systems

_j CCNE/Opsec WPJD Alerts - [j Exploits

http://obeiix/

CCNE/Opsec WPID Alerts x Q CCNE/Opsec WPID Alerts x

CCNE/Opsec WPID Alerts

REPLICANTFARM

Note that the search is done with the fields as perl regular expressions ..

Examples:
• Dota ( ) ar= îinïls- ■zharactsr -roikleafds • I>a-t-Star (,*} means any number of characters • Singla WPID: 31LSUL13 • daw C WID: • In fr is truc ture: A5W. Current Modules; ttxoi£_ 3 000_WH_ImpLn t. pi modj ÜOM& l_SHEPHERD.pl mod_ 3 01 _b-IM_CARBON.pl mod_102_MBiLEEGBACEpP.pl tuo¿_3 03_MM_DOGHOUSE.pl moo_304_MM_W.yLKER.pl mo¿_ 1100_VO_ImpI inr pi TTtotl_l l_cloak:aô.pl mod_1200_AF_ALOOFNESS.pl moê_ 12_sys tem3 2 tit. pi inod_ 13_r arpas sword, pi mod_l 4_strangedllex t ensums.pl tnod_l 5_proeParait3.pl mo ¿_16_recyiclereat0c.pl mod_l 7_tmpes.ea.pl modi S_pa53wordrilters.pl mohc_19_kerfl.eleloakina .pi mo ¿_l_p20kea.pl mod_300_SD_m20.pl mod_201_SD_MI25FTP.pl mod_2 C_psbmodiiio21 ion.pl mod_21 _ rcheduleat. p l mo i_22_ntuoms taflffls.ac.pl mod_23 _hiàâen. pi mcd_24_ expec t edArgitm «irs.pl mod_2 5 _j*nYifeges .pi mod_30C_UNK_T CPSRV 3 2 ,pl £nod_301_UKK_ELAZINGANGEL .pi hl p á_3ü 2_TTNYWEB .pi mod_303_UNK_CYDLL.pl mod_504_UNK_\\TNPAC.Ppl mod_305_nN"K_lASEX F1 raod_305_UNK_WTNUFDATE.pl mod_307 UNKQU37.ERINC&QUAE ,pl mod_308_UNTC._WTNDO.pl m od!_3 09~UNK~D1E£ELRATTLE. pi mod J10_UlSIKJWIDOTiVKEY.pl mod J1 l_UNK_OVETCAT.pl mod_3 jmsprat ender. pi moa_400_SS_WINEEE.pl moâ_40 l_SS_SSLINST.pl mod_402_SS_Sh2rpR. pi

Type:
WPID Regexp: Module Regexp: MM Histone; ^
Live:

I SubmitQuery j

ALERTS

|\1TID: Module: Date: Tas: Tile name: .. ■'cklastoi& archived 010/01/21 /IS
modi 03_MM_DOGHOUSE.pt 2010-01-2 IT 15:36:39.968 MM ■'TXID0000272485_18_Y2010M01D21_H15M2ES59_MS642MU500NSQ_SX[D050_000_0

Details:

Possible MM DOGHOUSE driver file: &\WINNTlNtUninslaBQ2++59Bl.

Possible MM DOGHOUSE driver file: C:A\TNNT.SNtUmistallQi:4459SS'afd.sys.
Possible MM DOGHOUSE driver file: C:AmTsT'SNtUninstallQ244598S'netbt.sys.
Possible MM DOGHOUSE driver file C:\WINim$NtUninstaIlQ24+598i\tcpq> sys
Possible MM DOGHOUSE driver file: C:'ftrtNW'SNtUninsta]lQ244598Siiiotfix_inF_

--=PULLEDPORK:=—

TOP SECRET II COMINT

l+l

Communications Security Centre de la sécurité
Establishment Canada des télécommunications Canada

EONBLUE

CSEC cyber threat detection platform
Over 8 years of development effort
Scales to backbone internet speeds
Over 200 sensors deployed across the globe

Defence at
the core of
the Internet

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/O 11+1

Canada

13

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

TOP SECRET II COMINT

l+l

Communications Security
Establishment Canada

Centre de la sécurité

des télécommunications Canada

Anomaly Detection Tools

• There are currently over 50 modules in Slipstream

- RFC Validation

- Heuristic Checks

- Periodicity

- Simple Encryption

- Streaming Attack Detection

- Analyst Utilities

• Not all of these tools are ‘YES/NO’, some will require some
work.

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

TOP SECRET II COMINT

l+l

Communications Security
Establishment Canada

Centre de la sécurité

des télécommunications Canada

Heuristic Example

• QUANTUM

- It’s no lie, quantum is cool.

• But its easy to find

- Analyze first content carrying packet

• Check for sequence number duplication, but different data size

• If content differs within the first 10% of the pkt payload, alert.

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

What’s Next?

• Anomaly Discovery at scale

- Multi-IOG anomaly detection

• Cross Agency communication of anomalies

- Sometimes signatures aren’t enough

• DONUTS!

- Everyone likes them:

- 5-eyes accessible DONUTS

• Discovery of New Unidentified Threats

• CSEC / GCHQ right now

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

17

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

CLASSIFICATION: TOP SECRET // COMINT // REL TO FVEY

Globa! Access Roadman supporting SRSG and WISDEN Scenarios

Calendar Year: 2010 | 1 Calendar Year 2011 |
Topic Desired Outcomes # Activity July - Sep (Q3) Oct - Dec (Q4) Jen - Msr (Ql) Apr - Jun £Q2) July - Sep (Q3) Oct - Dec (Q4)

- Shared Situational
Awareness

- Assess vaiue of metadata
sharing

Metadata Develop Use Coses for
Sharing Sharing

- Develop Requirments for
NRT Lipping

m. Bulk dally sharing of Cyber Event Metadata with 5-
m.2 Receive Metadata from partner agencies

m. 3 Report on value of metadata sharing

n. 4 Instrument NRT snaring of CSEC Cyber Event Metadata

M.5 Report on NRT sharing (value / lessons learned / reqt's)
m.s Enrich NRT feed with Geo location / ASM
m 7 Add Tmnact ¡nrormation -o event metadata
M.s Extend Deadsea Live feed from CSEC to GCHQ m.9 Receive FastFlux metadata (tip) b/w GHCQ/CSEC (see T.6/T.7)

- Replace current Signature
Management system

- Impacts to support Action-
Slenatures on / Cueing and enhance

and Metadata feed
Target - Provide context to metadata
Knowledge - Experiment with TKB to
gather requirments

- Create baseline of Cyber

____________knowledge___________________

1 Replace existing signature management with HaiterHitch |___

■2 Implement Impacts with DGI for Signatures [re-enter in HH)

■3 Decommission currenL largelling process and replace with HH
-4 Report on HH (value / lessosn learned / requirments / etc)

5 Open SIGINT HH repository to ITS for Signature Sharing
■6 Open SIGINT HH repository to 5-eyes to retrieve signatures
■t Trial nSpaces with CTEC f TAC / NAC / DGI

8 Report on vaiue of nSpaces to support Target Knowledge ___

9 Set-up Collaborative Web Environment____________________|

Shar'ng

Cyber

Content

- Create a shared 1

environment to experiment <

with content sharing <

- Develop requirments / <

lessons learned on sharing ,

content (

- Illustrate equitable
processing in Cyber capability

- Trial XKS for content sharing

built on existing metadata 1

■l Establish Cyber Play-Pen
2 Upgrade EONBLUE for use in Cyber Play-Pen
■3 Assist in porting EONBLUE capability to PPF
■4 Promote EONBLUE / PPF conten: to shared XKS
■E Evaluate retrieving GHCQ content based on events from XKS
6 Trial feeding FONBi 1JF evenfs af CSFC to a local XKS
•7 Evaluate opening CSEC Cyber-XKS to GCHQ
■8 Expose CSEC Cyber-XKS interface :o 5-eyes
■9 Report on content sharing experiments

CTE/CND

Igte/gnd

Tipping and
Cueing

- Leverage EONBLUE's native
messaging to extend national
capability (within SIGINT /
with ITS)

- Based on existing bilateral
partnerships trial tipping /
cueing to enhance content
sharing / metadata sharing

- Cue international EONBLUE
and similar components with
FASTFLUX as trial

- Tip in NRT SIGINT events
related fo partner countries



t.i Send EONBLUE cue's across Canadian SSO Sites
r.2 Send EONBLUE cue's between Canadian Passive Pruyiams
t.3 Instrument Cyber Session Collection Domestically
t.4 Send tips on GoC activity to IT Security
t.5 Send EONBLUE cue's from Canadian SSO to ITS Sensors
t.6 Introduce and develop Cyber Session Collection Experiment
t.7 Tip FASTFLUX events from CSEC to GCHQ
t,8 Extend EONBLUE FastFlux cue's to GCHQ FastFlux Software
t.9 Receive cue's from GCHQ's FastFlux Software at EONBLUE
T.icMake FASTFLUX tips avaiiab e to other 5-eyes agencies
i.i:Tip in NRT EONBLUE messages Lo 5-eyes based on IR-Geu
t.i:Send EONBLUE cue's from CSEC EONBLUE to DSD EONBLUE
t.i: Based on equitable processing (C.3) send cue's tp GCHQ
T.i' Prepare report on Tipping / Cueing (requirments / value / etc)



I GTE / GND

I GTE / GND


GTE/GND

Safeguarding Canada's security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

CNT1 - Analysis

• Triage leads from KOG and GA4

- Links to existing intrusion sets?

• Pursue interesting leads

- Passive SIGINT collection

- Technical analysis

• Produce reporting

• Attribute

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

19

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Analytic Approach

1. Begin with lead

2. Apply to SIGINT

3. Apply to CCNE

4. Track, research and
report

5. Generate persona lead

6. Coordinate with
traditional Cl

infrastructure

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

Canada

20

TOP SECRET II COMINT

. v ■ Communications Security Centre de la sécurité

Establishment Canada des télécommunications Canada

Cyber-Specifics of the Analytic Approach

Network Traffic Analysis

- We have access to Special Source, Warranted and 2nd Party
collection in raw, unprocessed form

- Work very closely with protocol and crypt analysts

Malware Analysis and Reverse Engineering

- Samples are received through passive collection and human
sources

Forensic Analysis

- Assist traditional Cl investigations and others

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

21

Canada

TOP SECRET II COMINT

■ Communications Security

Establishment Canada

Centre de la sécurité

des télécommunications Canada

CSEC Contacts

CCI (CNTl)

^^^^(â)çse

CCNE (KOG)



GND (GA4)

Safeguarding Canada’s security through information superiority
Préserver la sécurité du Canada par la supériorité de l’information

/n 11*1

Canada

22

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh