Title: TUTELAGE
Release Date: 2015-01-17
Description: This undated NSA presentation describes techniques for repurposing third party attack tools: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.
Document:
TOP SECRET//COMINT//REL TO USA, FVEY
Before TUTELAGE...
[Figure: timeline. Nothing happens before the intrusion. After the intrusion: Intrusion by Adversary, then Intrusion Event Logged, then Manual Analysis of Reporting Logs, then Reporting Process, then Victim Notification (Response?).]
[Figure: the same timeline with the Adversary Malware Design Process added before the intrusion; every defensive step (event logged, manual analysis of reporting logs, reporting process, victim notification) still falls after the intrusion.]
With TUTELAGE...
[Figure: timeline. Before the intrusion, the Adversary Malware Design Process and Adversary Malware Decision Loop run alongside Discovery of Adversary Intentions, Discovery of Adversary Tools & Tradecraft, and Countermeasure Development, so that a Tailored Countermeasure is Developed & Deployed in advance. At the time of the intrusion, the SIGINT-Enabled Countermeasure Mitigates Adversary Intrusion.]
Application of Capabilities
TUTELAGE Mission Flow
[Figure: Discovery & Characterization of Cyber Adversary Tradecraft (CYBERQUEST, XKEYSCORE, GNOMEVISION, POPQUIZ, etc.) yields new signatures and countermeasures, which are shared with partners and with U.S. foreign intelligence. When a Foreign Adversary Launches Attack, passive SIGINT collection and sensors at the U.S. boundary and the DoD boundary raise an Alert! for DoD networks.]
Operational Landscape (UNCLASSIFIED//FOUO)
[Figure: chart of Threat Observability against Threat Sophistication, plotting Script Kiddie, Email Phishing, Zero Day Exploit and Foreign Intel Service.]
TUTELAGE Capabilities
[Figure: overview of the capabilities described on the following slides.]
• Alert/Tip: passive sensor generates alert
• Intercept
• Block: blocks entry/exit activity
• Substitute: "Attack" becomes "Sleep"
• Redirect: "What's My Destination?"; infected host's information
• Latency: speed adjusted
• Storage
TUTELAGE Capabilities: Alert/Tip
[Figure: the passive sensor generates an alert; alerts, data requests and tasking flow between the sensor, the Decision Logic, SIGINT and DoD.]
Decision Logic:
- Requests data
- Establishes correlations
- Sends out tasks
- Sends alerts to SIGINT tasking
Sensor:
- Generates alerts
- Collects data for analysis
- Runs applications
(S//REL TO USA, FVEY) Alert/Tip indicates the presence of malicious activity and communicates this information with the rest of the TUTELAGE enterprise and/or the SIGINT (passive/active) enterprise. Rule and Decision Logic determine whether data is stored.
TUTELAGE Capabilities: Intercept
In-Line Packet Processor:
- Re-routes traffic dynamically
- Modifies inbound & outbound packets
- Inserts and/or deletes packets
[Figure: the adversary's activity is intercepted in-line in front of the DoD network while being reported back to the adversary as "Successful".]
(S//REL TO USA, FVEY) Intercept is the means by which the TUTELAGE in-line packet processor can transparently intervene in adversarial activities, permitting the activity to appear to complete without disclosing that it did not reach/affect the intended target.
TUTELAGE Capabilities: Substitute
[Figure: an "Attack" command is replaced in-line with "Sleep"; a second path labelled "Unable to Decrypt" shows only a raw bitstream.]
(S//REL TO USA, FVEY) Substitute is the TUTELAGE in-line packet processor's ability to perform bidirectional content detection and replacement.
TUTELAGE Capabilities: Redirect
[Figure: an infected host asks "What's My Destination?" and is answered "Here instead": it is redirected to a safe server, and the infected host's information is tipped to SIGINT if foreign.]
(S//REL TO USA, FVEY) Redirect is the TUTELAGE in-line packet processor's ability to change the course or direction of an adversarial (or adversarial induced) activity.
TUTELAGE Capabilities: Block
[Figure: Block denies entry/exit activity at the edge of the DoD network.]
(S//REL TO USA, FVEY) Block is the means by which the TUTELAGE in-line packet processor can deny entry/exit of network activity at the Internet Access Points (IAPs) based initially on source and/or destination Internet Protocol (IP) addresses and ports.
TUTELAGE Capabilities: Latency
[Figure: speed adjusted.]
(S//REL TO USA, FVEY) Latency is the means by which the TUTELAGE in-line packet processor can stealthily vary the in/outbound speed of an adversary's activities traversing the IAPs to provide a diminished quality of service. This creates more time for other TUTELAGE capabilities to be executed.

FUTURE CAPABILITIES (UNCLASSIFIED//FOUO)
Upgrades & What They Mean
Upgrade to 10G Sensor provides additional capabilities and enables future upgrades:
• Immediate Benefits:
- Increased speed and capacity
- TS//SI signatures
- Full Snort (current sensors use packet-based Snort; 10G sensors use session-based Snort)
- Multi-event Snort
• Future Upgrades:
- POPQUIZ: real-time behavioral analytics
- GNOMEVISION: de-obfuscation of malicious packages
- Cryptanalytic capabilities
- Netflow: traffic analysis with GHOSTMACHINE
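An added illustration of the packet-based versus session-based Snort distinction in the upgrade list (example code, not from the slides or from Snort itself): a content signature split across two TCP segments is invisible to per-packet matching but is found once the flow is reassembled in order. The segments and the signature string are constructed for the demo.

```python
# Added example (not from the TUTELAGE slides): why a session-based sensor
# sees content a packet-based one misses. Packets and the signature string
# below are constructed for the demo.
from collections import defaultdict

SIGNATURE = b"EXAMPLE_CONTENT_STRING"   # hypothetical content signature

# Constructed TCP segments: (src, dst, seq, payload). The flow from
# 10.0.0.6 splits the signature across two segments, delivered out of order.
SEGMENTS = [
    ("10.0.0.5", "192.0.2.10", 1000, b"GET /?q=EXAMPLE_CONTENT_STRING HTTP/1.1"),
    ("10.0.0.6", "192.0.2.10", 5020, b"ENT_STRING HTTP/1.1"),   # second part, arrives first
    ("10.0.0.6", "192.0.2.10", 5000, b"GET /?q=EXAMPLE_CONT"),  # first part
]

def packet_based_hits(segments):
    """Match each segment on its own, as a packet-based sensor does."""
    return sorted({src for src, _, _, payload in segments if SIGNATURE in payload})

def session_based_hits(segments):
    """Reassemble each flow by sequence number, then match the whole stream."""
    flows = defaultdict(list)
    for src, dst, seq, payload in segments:
        flows[(src, dst)].append((seq, payload))
    hits = set()
    for (src, _), parts in flows.items():
        stream = b"".join(payload for _, payload in sorted(parts))
        if SIGNATURE in stream:
            hits.add(src)
    return sorted(hits)

if __name__ == "__main__":
    print("packet-based :", packet_based_hits(SEGMENTS))   # ['10.0.0.5']
    print("session-based:", session_based_hits(SEGMENTS))  # ['10.0.0.5', '10.0.0.6']
```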
Latest TUTELAGE Capability: TCP Reset
[Figure: a browser showing "The page cannot be found / 404 - File not found" after the connection is reset.]
(S//SI//REL TO USA, FVEY) TCP Reset prevents malicious activity by breaking the connection.
Future TUTELAGE Capabilities: Sidelining
[Figure: Sideline for Listening Posts, shown in front of the DoD network.]
(S//REL TO USA, FVEY) Sidelining is an intentional redirection of an activity to a secondary level of intervention where an intermediate host(s) (e.g. Listening Post, Quarantine, etc.) is staged to provide additional processing/manipulation to better engage and/or thwart adversarial activity.
Future TUTELAGE Capabilities: HBSS Integration
[Figure: an adversarial C2 request from a remote server is answered by substitution/redirection to deliver a payload to the HBSS-enabled endpoint; detailed alerts flow to the DoD ePO server.]
(S//SI//REL TO USA, FVEY) Integrating with the DoD's Host-Based Security System allows malicious activity detected through classified signatures in TUTELAGE to be dealt with at the host level. Using HBSS, TUTELAGE can trigger less sensitive alerts to local network administrators.
Future TUTELAGE Capabilities: Quantum Tip
[Figure: the TUTELAGE sensor sends a Quantum Tip; other labels are Injector, Quantum Shooter, TURBINE and PANDORAS MAYHEM.]
(TS//SI//REL TO USA, FVEY) TUTELAGE can tip QUANTUM to enable offensive action in adversary space.
Future TUTELAGE Capabilities: Real Time Cryptanalytics
(TS//SI//REL TO USA, FVEY) Real-time cryptanalytics allows Quantum operations to take place at net-speed.

OPS SUCCESS STORIES (UNCLASSIFIED//FOUO)
U.S. Military Leaders Defended (SECRET//REL TO USA, FVEY)
• Based on information from SIGINT collection, a TUTELAGE countermeasure was developed and deployed in 2009 for a particular BYZANTINE HADES attack.
• On October 21st and 22nd 2010, the spear-phishing attack was launched. The attack targeted four users, including the Chairman of the Joint Chiefs of Staff and the Chief of Naval Operations, with a carefully disguised malicious PDF.
• NTOC operated the countermeasure and the attack was thwarted.
WAG Attempts to Deliver Holiday Present to DoD
23 December
• NTOC-TX calls ops center advising of phishing campaign with "Merry Christmas" subject associated with WAG actors
• WAG actors attempted to use ZEUS malware to exfiltrate documents
• NTOC-TX did malware analysis and identified 2 new callback domains
• In < 3 hours, received CyberCommand approval and placed domains on DNS interdiction
30 December
• NTOC-TX notices new spike in WAG mail signature
• NTOC-TX discovers new callback domain
• In < 20 minutes, received approval and placed domain on DNS interdiction
• NTOC-W confirmed same malware from Xmas themed event
AMULETSTELLAR Spearphishing... Trying to Make New Friends (TOP SECRET//COMINT//REL TO USA, FVEY)
[Screenshot: a LinkedIn reminder email asking the recipient to follow a link and accept a connection invitation.]
• In SIGINT, NTOC observed AMULETSTELLAR use of a yahoo.com email account (address redacted in the slide)
• On Christmas Day, account was used to generate LinkedIn requests to 10 general and flag grade officers
• NTOC leveraged TUTELAGE and SIGINT for further discovery of activity
• In coordination with CyberCommand:
- Published 10 advisories
- Identified 2 additional LinkedIn accounts
- Deployed 4 countermeasures
- Intercepted over 2000 emails from AMULETSTELLAR actors
Combating the Low Orbit Ion Cannon (LOIC) (SECRET//REL TO USA, FVEY)
• The open-source LOIC tool has been used by "Anonymous" and others in several DDoS attacks.
• NTOC developed signatures to detect specific content strings generated by this tool.
[Screenshot: TUTELAGE CYBERWATCH alert listing for a LOIC default-content UDP signature, dated 2011/03/06 07:19, showing a run of UDP alerts from the same source.]
• For example, for packets containing the string "Sweet_dreams_from_AnonOPs" TUTELAGE will perform an ACL Block against the offending IP once a threshold is met.
• Observed here is traffic from an ongoing DDoS against several DoD IPs. TUTELAGE is blocking the malicious IP from communicating with any DoD machines.
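The threshold-then-block logic described for the LOIC countermeasure, as an added example that is not the slides' or NTOC's code: matching UDP packets are counted per source IP over a sliding window, and a source that crosses the threshold is placed on an ACL block list so its later packets are dropped before inspection. The packet records, threshold and window are constructed for the demo; the content string is the one quoted on the slide.

```python
# Added example (not from the TUTELAGE slides): per-source threshold on
# LOIC content matches, followed by an ACL block. Traffic, threshold and
# window size are constructed for the demo.
from collections import defaultdict, deque

LOIC_STRING = b"Sweet_dreams_from_AnonOPs"   # content string quoted on the slide

class LoicAclBlocker:
    def __init__(self, threshold=5, window_s=10.0):
        self.threshold = threshold
        self.window_s = window_s
        self.hits = defaultdict(deque)   # src -> timestamps of matching packets
        self.blocked = set()             # sources placed on the ACL block

    def process(self, ts, src, dst, proto, payload):
        """Return 'blocked', 'alert' or 'pass' for one packet record."""
        if src in self.blocked:
            return "blocked"                       # ACL drop, no further inspection
        if proto != "udp" or LOIC_STRING not in payload:
            return "pass"
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:     # expire hits outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked.add(src)                  # threshold met: ACL block the source
            return "blocked"
        return "alert"

# Constructed traffic: 198.51.100.7 floods three DoD-side hosts; 203.0.113.9
# sends one matching packet and one ordinary one, never reaching the threshold.
PACKETS = [(float(i), "198.51.100.7", f"192.0.2.{10 + i % 3}", "udp", LOIC_STRING)
           for i in range(8)]
PACKETS.append((3.5, "203.0.113.9", "192.0.2.10", "udp", LOIC_STRING))
PACKETS.append((4.0, "203.0.113.9", "192.0.2.10", "udp", b"ordinary dns reply"))

def run(packets, threshold=5):
    """Feed packets in time order; return per-packet verdicts and the block list."""
    blocker = LoicAclBlocker(threshold=threshold)
    verdicts = [blocker.process(*p) for p in sorted(packets)]
    return verdicts, sorted(blocker.blocked)

if __name__ == "__main__":
    verdicts, blocked = run(PACKETS)
    print(verdicts)
    print("ACL block list:", blocked)   # ['198.51.100.7']
```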