Title: Net Defense from Encrypted Communications

Release Date: 2014-12-28

Description: This February 2012 presentation from NSA’s Technology Directorate describes a system codenamed BLUESNORT and its relationship to associated systems: see the Der Spiegel story Prying Eyes: Inside the NSA’s War on Internet Security, 28 December 2014.

Document: (U//FOUO) Net Defense
from Encrypted Communications

irt i ir\ / 1 HI 1

SECRET//SI//REL TO USA, FVEY

Increment 3 Requirement

SYSREQ10322.2

(S//REL) TURMOIL shall reinject decrypted
IP traffic into BLUESNORT for malicious

network activity detection.

2

SECRET//SI//REL TO USA, FVEY

TOP SECRET//SI//REL TO USA, FVEY

Three-Feather Solution

GALLANTWAVE application

- Same module supports NetDef and SIGINT

- Supports dynamic update of targeting via UTT

- Supports static target updates

GALLANTWAVE Reinjection application
Same module supports NetDef and SIGINT

Supports re-injection of decrypt into TURMOIL for detection by BLUESNORT

BLUESNORT in Stage 1 Prime application
Emits events off decrypted, re-packetized, reinjected data

TOP SECRET//SI//REL TO USA, FVEY

SECRET//SI//REL TO USA, FVEY

HIGH Level Data Flow

Net Defense and SIGINT sites

TIPS (Bluesnort Events)

SECRET//SI//REL TO USA, FVEY

SECRET//SI//REL TO USA, FVEY

Status

Running on MHS DEV ESO T5 and T22

Transform, Reinjection, Signature Hits
confirmed

Signatures need further development
to produce true hits vs. false positives

NTOC POC reviewing XKS hits to
generate new signatures.

SECRET//SI//REL TO USA, FVEY

SECRET//SI//REL TO USA, FVEY

Issues/Risks

1. CA Servers at Net Defense Sites

,> ITx Connectivity to LONCHAUL

w NTOC requires stand-up of separate dev and live ITx fabric
¡. - H/W funding may be needed

a. - Need paperwork for update to firewall - submission expected by 25 Feb
o Expected completion was 29 Feb; now delayed to TBD
di SSH connectivity

& Short term: via BLUEBOX CA Servers at Pentagon - done

o Longer term: via deployment of servers within the NTOC enclave that connect to CA Servers in the field

2. GALLANTWAVE Targeting Challenges

MAILORDER/Ni-FI not yet available

m Mitigation: Manually load static targeting files

6

SECRET//SI//REL TO USA, FVEY

SECRET//SI//REL TO USA, FVEY

CA Capabilities Planned for NCC-3 Test

Events

Capability DT/OA 2 (June 2012) DT/OA 3 ) (June 2013
Defensive Sensor SIGINT Sensor Defensive Sensor SIGINT Sensor
CA Reinjection No DGO TTENT DGO

SECRET//SI//REL TO USA, FVEY

SECRET//SI//REL TO USA, FVEY

Near-term Schedule

Capability Date
GW-R Gate 2 Done (15 Feb)
GW-R Gate 3 Done (29 Feb)
GW-R Gate 5 31 Mar
GW-R Deploy to U sites May
ITx Dev Fabric at NetDef sites 29 Feb +
CA Server ssh connectivity Done via Bluebox
Initial Live Dev Test TURTLEZOO -May
GW-R Core 4.0 May
GW Core 4.0 May
ITx Live Fabric TBD

SECRET//SI//REL TO USA, FVEY

SECRET//SI//REL TO USA, FVEY

Players

BACKUP SUDES

SECRET//SI//REL TO USA, FVEY

CCA Capabilities Planned for NCC-3 Test

Events

Capability DT/OA 2 (June 2012) DT/OA 3 (June 2013)
Defensive Sensor SIGINT Sensor Defensive Sensor SIGINT Sensor
NETFLOW Full Netflow Pretty Good Netflow Full Netflow Full Netflow
BLUESNORT (updates) Yes No Yes Yes
FULL SNORT Yes No (Core 4) Yes Yes
POPQUIZ No No Yes Yes
Performance Testing Yes No Yes Yes
Wireless reinjection N/A Yes N/A Yes
CA Reinjection No Yes Yes Yes
Cyber Tasking Yes Partial Yes Partial
Updated Cloudshield Interface Partial N/A Yes Yes
Metrics and Monitoring Yes No Yes Yes

Orange items are being revisited. Requirements without explicit TML Core 4 dependency
need mission documentation to justify not being covered in DT/OA 2.

SECRET//SI//REL TO USA, FVEY

(S//REL) Dynamic Defense Logical Diagram

CD

INTERNET

(S//REL)

Active Response

Block,

Reroute,

Alter

Network

Interface

Normalized

Packets

Detect

?
COMMAND Action BUSINESS
DISTRIBUTION LOGIC

Alert

Decide

Protected Internal Network

Legend:

TUMULT TURMOIL TUTELAGE NTOC
(T113) (Til 2) (Till) (VSPO)

12

TOP SECRET//COMINT//REL TO
---------JSAr:¥E* -

tRout

Core SSC

SessionFilte
r

(ApJjid)
GW

FragmentFilte
r

D FA Proxy



(IOPort64)

GW-MI

(Metadatalnjecto

TE-STAGE1-
GALLANTWAVE.xxx

GW-

LoadManager

I



#{GALLANTWAV

E-SERVICE}

V

CAServer

X
H>

TargetManager

/ I _ 11 |

\ I I I I

CoreSSC gets UTT updates, tri^{^AhiA©1Erl§ets |
GW-TargetManager responds to IbâdTargets request
from CoreSSC, pulls the GW IP addresses from the
Targeting database; issues control-flow messages
for each IP:Port combination and sends periodic
updates for those.

FCP responds to control-flow messages by
promoting all packets to/from the targeted IP:port
combinations, and PacketRouter ensures these
packets are sent to GW-FIP for sessionization. GW-
FIP outputs 'raw' SOTF session-fragments to the
TE-GW service on the same host.

GW-SessionFilter identifies sessions containing
target technology-of-interest by applying an
appropriate appld tag to each session-fragment.
GW-FragmentFilter removes session-fragments not
containing an appropriate appld for the target
technology-of-interest. Additionally, as a work-
around for an issue in FIP 3.1.10, erroneous
session-fragments missing a specific metadata
filed are removed. GW-MI applies SRI obtained
from Dfid Allocator.

SECRET//COMINT//fRE(EWGMI applies SRI obtained from the DFID
RE USA, FVEY allocator.

SECRET//COMINT//REL TO USA, FVEY

CAServer

Delivery to both XKEYSCORE and
Stage 1 Prime Reinjection

GW-SessionMa nager

GW-

SessionDistributor

TURMOIL SessionReinjection i i
D FA Proxy ,

Desessioniz

er

Packet Injector

Stage 1 Prime

XKS-Sessions

XKSSessionlnterface



r>I XKEYSCORE

SECRET//COMINT//REL TO USA, FVEY

TURMOIL

Stage 1 Prime Reinjection

¡Stage 1 Prime

Decrypted flow

Reinjection

BLUESNORT



DNS
Inspecto

HiddenSalama ider

etc ...

Events

Collect

SECRET//COMINT//REL TO USA, FVEY

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh