Title: Making Network Sense of the encryption problem

Release Date: 2014-12-13

Document Date: 2011-01-01

Description: This 2011 presentation by the head of GCHQ’s Network Analysis Centre outlines the agency’s interest in exploiting telecommunications companies, namely to “get at the data before it is encrypted”: see the Intercept article Operation Socialist: The Inside Story of How British Spies Hacked Belgium’s Largest Telco, 13 December 2014.

Document: TOP SECRET STRAP 2 // REL TO USA, AUS, CAN, GBR, NZL

NETWORK ANALYSIS CENTRE

Making Network Sense of the encryption problem

Roundtable

Head of GCHQ NAC

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation.

Derived From: NSA/CSSM 1-52 Declassify On: 20360501


GCHQ metadata

• GCHQ now creating metadata on:

- SSL/TLS

- IKE

- OpenVPN

- SSH

- SQUEAL signatures (Various crypt packages)

• Data available in BEARDED PIGGY and/or the CLOUD

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information
legislation. Refer disclosure requests to GCHQ on I

TOP SECRET//REL TO USA, AUS, CAN, GBR, NZL

How can Network Analysis help ?

• Can NAC help make sense using network knowledge of the volumes of data to isolate that which we want to decrypt...

The Seed Approach

• Intercepted documentation reveals details of VPN set up...

The Seed Approach

• Turn Seed IP into network block

• Query on network block against metadata

• Chain outwards / fuzzy subnet logic

• Basis of NTAT developed tradecraft:

- IRASCIBLE HARE

- IRASCIBLE RABBIT

- IRASCIBLE MOOSE

- IRASCIBLE EMITT

Known usage

• Target known to use encryption

- Identify target subnet

- Select on subnet against metadata

• Or...

- Start with an AS - look for most interesting wheel

- BELGACOM - AS6774 - known to run GRX links to MNO over VPN

[Figure: screenshot of a network chart titled "AS6774_VA_Customer_Copy" (Chart 1), marked SECRET//REL TO USA, AUS, CAN, GBR, NZL. The nodes are labelled with customer network names; legible labels include GLOBAL TRANSIT COMMUNICATIONS, PACIFIC TELEPORTS BACKBONE and BOTSWANA TELECOMMUNICATIONS CORPORATION. The remaining labels are not recoverable from the scan.]



Network Knowledge enrichment

• Internet Registry information

• IP Geolocation

• DNS

• Data derived from network device configuration files (routers/Firewalls etc)

• Network information on surrounding IPs (i.e. rest of subnet is MNO related)

Access Optimisation

• A given role of Network Analysis is optimising access for a given problem - in this case enabling two-ended collection

• Or....Identifying opportunities to get at the data before it is encrypted therefore no need to make sense of encrypted data.

Can do this both:

- Passive

- Active

Your Ideas Please
