Title: TUTELAGE

Release Date: 2015-01-17

Description: This undated NSA presentation describes techniques for repurposing third party attack tools: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.

Document:

TOP SECRET//COMINT//REL TO USA, FVEY


Before TUTELAGE...

[Slide diagram, shown on two consecutive slides: a timeline running from BEFORE INTRUSION to AFTER INTRUSION. Stages in order: Adversary Malware Design Process → Intrusion by Adversary → Intrusion Event Logged → Manual Analysis of Reporting Logs → Reporting Process → Victim Notification (Response?). Every logging, analysis and notification step sits on the AFTER INTRUSION side of the timeline.]

With TUTELAGE...

[Slide diagram: the same timeline, with Countermeasure Development now placed BEFORE INTRUSION. Elements: Adversary Malware Design Process / Adversary Malware Decision Loop → Discovery of Adversary Tools & Tradecraft → Discovery of Adversary Intentions → Tailored Countermeasure Developed & Deployed → SIGINT-Enabled Countermeasure Mitigates Adversary Intrusion.]

Application of Capabilities

TUTELAGE Mission Flow

[Slide diagram: Discovery & Characterization of Cyber Adversary Tradecraft, fed by U.S. Foreign Intelligence and Passive SIGINT Collection and by analytic tools (CYBERQUEST, XKEYSCORE, GNOMEVISION, POPQUIZ, etc.). When a Foreign Adversary Launches an Attack, U.S. Boundary Sensors raise an Alert for DoD Networks; New Signatures and Countermeasures are shared with Partners and fed back to U.S. Intelligence.]

UNCLASSIFIED//FOUO

Operational Landscape

[Slide chart: Threat Observability plotted against Threat Sophistication. Labelled points: Script Kiddie, Email Phishing, Zero Day Exploit, Foreign Intel Service.]

TUTELAGE Capabilities

[Slide diagram of the capability set deployed at the DoD boundary:]

• Alert/Tip: Passive Sensor Generates Alert
• Storage
• Intercept
• Block: Blocks Entry/Exit Activity
• Redirect: "What's My Destination?"; Infected Host's Information
• Substitute: "Attack" replaced with "Sleep"
• Latency: Speed Adjusted

TUTELAGE Capabilities: Alert/Tip

[Slide diagram: a Passive Sensor at the DoD boundary Generates an Alert/Tip; Data Requests and Tasking flow between the Sensor, the Decision Logic and SIGINT.]

Decision Logic:
• Requests Data
• Establishes Correlations
• Sends Out Tasks
• Sends Alerts to SIGINT Tasking

Sensor:
• Generates Alerts
• Collects Data for Analysis
• Runs Applications

(S//REL TO USA, FVEY)

Alert/Tip indicates the presence of malicious activity and communicates this information to the rest of the TUTELAGE enterprise and/or the SIGINT (passive/active) enterprise. Rule and Decision Logic determine whether data is stored.

TUTELAGE Capabilities: Intercept

In-Line Packet Processor:
• Re-routes traffic dynamically
• Modifies inbound & outbound packets
• Inserts and/or deletes packets

[Slide diagram: the adversary's activity is reported back to the adversary as "Successful" although it never reached the DoD target.]

(S//REL TO USA, FVEY)

Intercept is the means by which the TUTELAGE in-line packet processor can transparently intervene in adversarial activities, permitting the activity to appear to complete without disclosing that it did not reach/affect the intended target.

TUTELAGE Capabilities: Substitute

[Slide diagram: an inbound "Attack" instruction is replaced with "Sleep"; a second panel labelled "Unable to Decrypt" shows raw bit strings.]

(S//REL TO USA, FVEY)

Substitute is the TUTELAGE in-line packet processor's ability to perform bidirectional content detection and replacement.

TUTELAGE Capabilities: Redirect

[Slide diagram: an infected host asks "What's My Destination?" and is answered "Here instead": the traffic is Redirected to a Safe Server, the Infected Host's Information is captured, and SIGINT is Tipped if the host is Foreign.]

(S//REL TO USA, FVEY)

Redirect is the TUTELAGE in-line packet processor's ability to change the course or direction of an adversarial (or adversarial-induced) activity.

TUTELAGE Capabilities: Block

[Slide diagram: Block stops Entry/Exit Activity at the DoD boundary.]

(S//REL TO USA, FVEY)

Block is the means by which the TUTELAGE in-line packet processor can deny entry/exit of network activity at the Internet Access Points (IAPs), based initially on source and/or destination Internet Protocol (IP) addresses and ports.

TUTELAGE Capabilities: Latency

[Slide diagram: the speed of the adversary's traffic is Adjusted.]

(S//REL TO USA, FVEY)

Latency is the means by which the TUTELAGE in-line packet processor can stealthily vary the inbound/outbound speed of an adversary's activities traversing the IAPs, providing a diminished quality of service. This creates more time for other TUTELAGE capabilities to be executed.

UNCLASSIFIED//FOUO

FUTURE CAPABILITIES

Upgrades & What They Mean

Upgrade to 10G Sensor provides additional capabilities and enables future upgrades:

• Immediate Benefits:
  - Increased speed and capacity
  - TS//SI signatures
  - Full Snort (current sensors use packet-based Snort; 10G sensors use session-based Snort)
  - Multi-event Snort

• Future Upgrades:
  - POPQUIZ: Real-time behavioral analytics
  - GNOMEVISION: De-obfuscation of malicious packages
  - Cryptanalytic capabilities
  - Netflow: Traffic analysis with GHOSTMACHINE
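The slide's distinction between packet-based and session-based Snort is the difference between matching a content signature against each packet on its own and matching it against the reassembled stream. The following example is added here to show that difference; it is not code from the slides or from Snort, and its signature string, flow tuples and packets are constructed. Flow A carries the signature split across two segments that also arrive out of order (with one retransmission); flow B carries it in a single segment.

```python
"""Packet-based versus session-based content matching.

Added example, not code from the TUTELAGE slides or from Snort. It
illustrates why a sensor matching per packet misses a content signature
that straddles a segment boundary, while a sensor that reassembles the
session catches it. Signature, flows and packets are all constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed content signature (stand-in for a rule's content: match).
SIGNATURE = b"callback-beacon-v2"

FlowKey = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.sport, p.dst, p.dport)


def packet_based_hits(packets: List[Packet], sig: bytes = SIGNATURE) -> Set[FlowKey]:
    """Per-packet matching: a signature split over two segments is missed."""
    return {flow_key(p) for p in packets if sig in p.payload}


def reassemble(packets: List[Packet]) -> Dict[FlowKey, bytes]:
    """Rebuild each unidirectional stream by ordering segments on sequence
    number. Out-of-order and retransmitted (same seq) segments are handled;
    a missing segment simply leaves a gap in the rebuilt stream."""
    segments: Dict[FlowKey, Dict[int, bytes]] = defaultdict(dict)
    for p in packets:
        if p.payload:
            segments[flow_key(p)][p.seq] = p.payload
    return {key: b"".join(segs[s] for s in sorted(segs))
            for key, segs in segments.items()}


def session_based_hits(packets: List[Packet], sig: bytes = SIGNATURE) -> Set[FlowKey]:
    """Session matching: run the signature over each reassembled stream."""
    return {key for key, stream in reassemble(packets).items() if sig in stream}


# Constructed traffic. Flow A: signature split across two segments, delivered
# out of order, first segment retransmitted. Flow B: signature in one segment.
FLOW_A: FlowKey = ("10.0.0.5", 40001, "192.0.2.10", 80)
FLOW_B: FlowKey = ("10.0.0.6", 40002, "192.0.2.10", 80)
SAMPLE_PACKETS = [
    Packet(*FLOW_A, seq=119, payload=b"beacon-v2 HTTP/1.1\r\n"),
    Packet(*FLOW_A, seq=101, payload=b"GET /?id=callback-"),
    Packet(*FLOW_A, seq=101, payload=b"GET /?id=callback-"),   # retransmission
    Packet(*FLOW_B, seq=501, payload=b"GET /?id=callback-beacon-v2 HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print("packet-based hits :", packet_based_hits(SAMPLE_PACKETS))
    print("session-based hits:", session_based_hits(SAMPLE_PACKETS))
```

Run stand-alone, the packet-based matcher reports only flow B while the session-based matcher reports both flows. This is the detection gap that per-packet matching leaves open and that stream reassembly closes, which is why "Full Snort" on the 10G sensors is listed as an immediate benefit.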

Latest TUTELAGE Capability: TCP Reset

[Slide diagram: the browser displays "The page cannot be found / 404 - File not found" after a TCP Reset breaks the Connection.]

(S//SI//REL TO USA, FVEY)

TCP Reset prevents malicious activity by breaking the connection.

Future TUTELAGE Capabilities: Sidelining

[Slide diagram, shown on two consecutive slides: Sideline for Listening Posts, with activity diverted from the DoD boundary to an intermediate host.]

(S//REL TO USA, FVEY)

Sidelining is an intentional redirection of an activity to a secondary level of intervention where an intermediate host(s) (e.g. Listening Post, Quarantine, etc.) is staged to provide additional processing/manipulation to better engage and/or thwart adversarial activity.

Future TUTELAGE Capabilities: HBSS Integration

[Slide diagram: an Adversarial C2 Request from a Remote Server; Substitution/Redirection to Deliver Payload to an HBSS-Enabled Endpoint; Detailed Alerts to the DoD ePO Server.]

(S//SI//REL TO USA, FVEY)

Integrating with the DoD's Host-Based Security System allows malicious activity detected through classified signatures in TUTELAGE to be dealt with at the host level. Using HBSS, TUTELAGE can trigger less sensitive alerts to local network administrators.

Future TUTELAGE Capabilities: Quantum Tip

[Slide diagram, shown on two consecutive slides: a TUTELAGE Sensor at the DoD boundary issues a Quantum Tip; TURBINE, an Injector (Quantum Shooter) and PANDORAS MAYHEM are also shown.]

(TS//SI//REL TO USA, FVEY)

TUTELAGE can tip QUANTUM to enable offensive action in adversary space.

Future TUTELAGE Capabilities: Real Time Cryptanalytics

(TS//SI//REL TO USA, FVEY)

Real-time cryptanalytics allows Quantum operations to take place at net-speed.

UNCLASSIFIED//FOUO

OPS SUCCESS STORIES

U.S. Military Leaders Defended

• Based on information from SIGINT collection, a TUTELAGE countermeasure was developed and deployed in 2009 for a particular BYZANTINE HADES attack.

• On October 21st and 22nd 2010, the spear-phishing attack was launched. The attack targeted four users, including the Chairman of the Joint Chiefs of Staff and the Chief of Naval Operations, with a carefully disguised malicious PDF.

• NTOC operated the countermeasure and the attack was thwarted.

WAG Attempts to Deliver Holiday Present to DoD

23 December

• NTOC-TX calls ops center advising of phishing campaign with "Merry Christmas" subject associated with WAG actors
• WAG actors attempted to use ZEUS malware to exfiltrate documents
• NTOC-TX did malware analysis and identified 2 new callback domains
• In < 3 hours, received CyberCommand approval and placed domains on DNS interdiction

30 December

• NTOC-TX notices new spike in WAG mail signature
• NTOC-TX discovers new callback domain
• In < 20 minutes, received approval and placed domain on DNS interdiction
• NTOC-W confirmed same malware from Xmas themed event

AMULETSTELLAR Spearphishing... Trying to Make New Friends

[Slide screenshot: a LinkedIn invitation reminder e-mail ("This is a reminder that on ... Follow this link to accept ...'s invitation.").]

• In SIGINT, NTOC observed AMULETSTELLAR use of a [redacted]@yahoo.com email account
• On Christmas Day, the account was used to generate LinkedIn requests to 10 general and flag grade officers
• NTOC leveraged TUTELAGE and SIGINT for further discovery of activity
• In coordination with CyberCommand:
  - Published 10 advisories
  - Identified 2 additional LinkedIn accounts
  - Deployed 4 countermeasures
  - Intercepted over 2000 emails from AMULETSTELLAR actors

Combating the Low Orbit Ion Cannon (LOIC)

• The open-source LOIC tool has been used by "Anonymous" and others in several DDoS attacks.

• NTOC developed signatures to detect specific content strings generated by this tool.

• For example, for packets containing the string "Sweet_dreams_from_AnonOPs" TUTELAGE will perform an ACL Block against the offending IP once a threshold is met.

• Observed here is traffic from an ongoing DDoS against several DoD IPs. TUTELAGE is blocking the malicious IP from communicating with any DoD machines.

[Slide screenshot: the TUTELAGE CYBERWATCH console view for a LOIC UDP content signature (name illegible in the scan), listing about twenty alert rows, each timestamped 2011/03/06 07:19:35, protocol udp, with the same sensor value and source on every row.]
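The slide describes the block as a two-stage decision: match a known tool string in the packet payload, then add an ACL block against the source only once a threshold of matches is met. The following example is added here to show that logic end to end; it is not TUTELAGE's signature engine or ACL mechanism. The content string is the one quoted on the slide; the threshold of five hits, the ten-second window, the Cisco-style ACL line and the sample packets (documentation-range addresses) are constructed assumptions.

```python
"""Content-string detection with a per-source threshold before an ACL block.

Added example; not TUTELAGE's signature engine or its ACL mechanism. It
follows the slide's description: match a known tool string in packet
payloads and block the offending source IP once a threshold of hits is
met. The content string is quoted on the slide; the threshold, the time
window, the ACL syntax and the sample packets are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

LOIC_STRING = b"Sweet_dreams_from_AnonOPs"   # content string quoted on the slide


@dataclass
class Packet:
    ts: float        # seconds
    src: str
    dst: str
    proto: str
    payload: bytes


@dataclass
class ThresholdBlocker:
    signature: bytes = LOIC_STRING
    threshold: int = 5          # assumed: matches needed before the source is blocked
    window: float = 10.0        # assumed: seconds; older matches are discarded
    hits: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))
    blocked: Set[str] = field(default_factory=set)
    acl: List[str] = field(default_factory=list)   # Cisco-style entries, in order added

    def process(self, pkt: Packet) -> str:
        """Classify one packet: 'blocked' (source already on the ACL),
        'pass' (no signature match), 'hit' (match still under threshold) or
        'alert' (match that crossed the threshold and added the ACL entry)."""
        if pkt.src in self.blocked:
            return "blocked"
        if self.signature not in pkt.payload:
            return "pass"
        recent = [t for t in self.hits[pkt.src] if pkt.ts - t <= self.window]
        recent.append(pkt.ts)
        self.hits[pkt.src] = recent
        if len(recent) >= self.threshold:
            self.blocked.add(pkt.src)
            self.acl.append(f"deny ip host {pkt.src} any")
            return "alert"
        return "hit"


def run(packets: List[Packet], blocker: ThresholdBlocker) -> Dict[str, int]:
    """Feed packets in time order and count the outcome of each one."""
    counts: Dict[str, int] = defaultdict(int)
    for pkt in sorted(packets, key=lambda p: p.ts):
        counts[blocker.process(pkt)] += 1
    return dict(counts)


# Constructed traffic: one source floods the signature, a second sends it
# twice (below threshold), a third sends benign traffic.
TARGET = "203.0.113.20"
SAMPLE_PACKETS = (
    [Packet(0.5 * i, "198.51.100.7", TARGET, "udp", LOIC_STRING) for i in range(8)]
    + [Packet(2.0, "198.51.100.9", TARGET, "udp", LOIC_STRING),
       Packet(2.5, "198.51.100.9", TARGET, "udp", LOIC_STRING),
       Packet(1.2, "198.51.100.8", TARGET, "tcp", b"GET / HTTP/1.1\r\n")]
)

if __name__ == "__main__":
    blocker = ThresholdBlocker()
    print(run(SAMPLE_PACKETS, blocker))   # outcome counts
    print(blocker.acl)                    # ACL entries added
```

With the sample traffic the flooding source produces four hits, one alert on the fifth match, and three further packets dropped as blocked; the two-hit source and the benign source are never blocked. The window keeps a single stray match from ever triggering a block on its own. One caveat a defender applies to this pattern: LOIC's UDP traffic carries a source address that can be spoofed, so a source-IP block driven purely by payload matches should be paired with checks that the blocked address is really the sender (for example, that the same source also completes TCP handshakes) before it is applied to a long-lived ACL.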
