T O P SECRET//COMINT//REL T O USA, FVEY TUTELAGE T O P SECRET//COMINT//REL T O USA, 1 T O P SECRET//COMINT//REL T O USA, FVEY Before TUTELAGE... AFTERL INTRUSION' Manual Analysis of Reporting Logs Intrusion by Adversary Reporting Process Intrusion Event Logged Victim Notification (Response?) / BEFORE INTRUSION MON r TUE WED T O P SECRET//COMINT//REL T O USA, THU FRI 2 T O P SECRET//COMINT//REL T O USA, FVEY BttfftoheTI C EEJMSEE. AFTERL INTRUSION' Adversary Malwafe Design Infusion by . /ersary P M h h i s s I Analysis of Reporting Logs Intrusior /ent Logged Reporting Process Victim Notification (Response?) TIMEi Adversary Malware — / r BEFORE l y INTRUSION T O P SECRET//COMINT//REL T O USA, 3 T O P SECRET//COMINT//REL T O USA, FVEY With TUTELAGE.. Adversary Malware Design Process SIGINT-Enabled Countermeasure Mitigates Adversary Intrusion PLAN • Discovery of Adversary Tools & Tradecraft T-H y DEPLOY ^ • >- ATTACK v • Adversary Malware Decision Loop Tailored Countermeasure Developed & Deployed Discovery of Adversary Intentions Countermeasure Development T O P SECRET//COMINT//REL T O USA, BEFORE INTRUSION 4 T O P SECRET//COMINT//REL T O USA, FVE/ Application of Capabilities SECRET//COMINT//REL TO USA, TUTELAGE Mission Flow Discovery & Characterization of Cyber Adversary Tradecraft CYBERQUEST 5 Foreign Adversary Launches XKEYSCORE PQI&&V U.S. Foreign > Adversr.y GNOMEVISION fi Deto&tt&Mitimtee > • POPQUIZ Sensors %\GMStGINT Coll<©iWtftf/oA7 Foreign Adversary Launches Attack Alert! 7 r t f i ? \ m v e SIGINT U.S. f * . Boundary I Sensors Bimmviiritiiii ft «Ä5W.V- , aavkjß&mtmmeasures n i s m m DoD Boundary Sensors mm? - 5 ^ • ^ N e w Signatures, I G W Q B i " m ^ - r m & N e w ymmmUng witfLPartners - SECRET//COMINT//RELlOTlSArFVEY iCountermeasures Signatures 3 with and Partners to UNCLASSIFIED//FOUO Operational Landscape Foreign Intel Service Threat Observability Email Phishing Threat Sophistication UNCLASSIFIED//FOUO SECRET//COMINT//REL T O USA, FVEY TUTELAGE Capabilities Redirect Alert/Tip Passive Sensor Generates Alert "What's My Destination? Storage Intercept Redirect to Safe Server Infected Host's Information Block Malicious Activity Blocks Entry/Exit Activity "Activity Successful" Substitute 'Attack" Latency Speed Adjusted 'Sleep" SECRET//COMINT//REL T O USA, FVEY SKIP TO APPLICATION • 8 SECRET//COMINT//REL T O USA, FVEY TUTELAGE Capabilities Alert/Tip Passive Sensor Generates Alert ^jpli' Sensor: f S ( Data Request Generates Alerts Collects Data for Analysis Runs Applications C storage Decision Logic SIGINT Tasking Decision Logic: Requests Data Establishes Correlations Sends Out Tasks Sends Alerts to SIGINT Tasking (S//REL TO USA, FVEY) Alert/Tip indicates the presence of malicious activity and communicates this information with the rest of the TUTELAGE enterprise and/or the SIGINT (passive/active) enterprise. Rule and Decision Logic determine whether data is stored. SECRET//COMINT//REL T O USA, FVEY SKIP TO APPLICATION • 9 SECRET//COMINT//REL T O USA, FVEY «MENU TUTELAGE Capabilities Intercept "Successful" In-Line Packet Processor: Re-routes traffic dynamically Modify inbound & outbound packets Insert and/or delete packets (S//REL TO USA, FVEY) Intercept is the means by which the TUTELAGE in-line packet processor can transparently intervene in adversarial activities, permitting the activity to appear to complete without disclosing that it did not reach/affect the intended target. SECRET//COMINT//REL T O USA, FVEY SKIP TO APPLICATION • 1° SECRET//COMINT//REL TO USA, FVEY 4 TUTELAGE Capabilities Unable to Decrypt 00111010011 10101110101 01101010010 11010011011 (S//REL TO USA, FVEY) Substitute is the TUTELAGE in-line packet processor's ability to perform bidirectional content detection and replacement. SECRET//COMINT//REL TO USA, FVEY SKIP TO APPLICATION • TOP SECRET//COMINT//REL T O USA, FVE/ TUTELAGE Capabilities Redirect p g g i y - 'l¡Sj|# s o m m e t Herejqstead J^R ^ ¿á / I pjgj^T What's My £ Destination? % Redirect to Safe Server R Infected Host's Information B Ä Ö i o n IP Decision Tip SIGINT if Foreign LogiC (S//REL TO USA, FVEY) Redirect is the TUTELAGE in-line packet processor's ability to change the course or direction of an adversarial (or adversarial induced) activity. SKIP TO APPLICATION • 12 SECRET//COMINT//REL T O USA, FVEY TUTELAGE Capabilities «MENU ta Block r- : Blocks Entry/Exit Activity (S//REL TO USA, FVEY) Block is the means by which the TUTELAGE in-line packet processor can deny entry/exit of network activity at the Internet Access Points (lAPs) based initially on source and/or destination Internet Protocol (IP) addresses and ports. SECRET//COMINT//REL T O USA, FVEY SKIP TO APPLICATION • 1° SECRET//COMINT//REL T O USA, FVEY «MENU TUTELAGE Capabilities Latency Speed Adjusted (S//REL TO USA, FVEY) Latency is the means by which the TUTELAGE in-line packet processor can stealthily vary the in/outbound speed of an adversary's activities traversing the lAPs to provide a diminished quality of service. This creates more time for other TUTELAGE capabilities to be executed. SECRET//COMINT//REL T O USA, FVEY SKIP TO APPLICATION • 1° T O P SECRET//COMINT//REL T O USA, FVEY How Many, How Often TUTELAGE currently o p e r a t e s against 28 major t h r e a t c a t e g o r i e s , using a total of 794 operational effects e n c o m p a s s e d in s e v e n capabilities (alerting/tipping, blocking, interception, sidelining, substitution, redirection and latency). Cyber Activity Ops Adversarial Recon 3 AlertJTip I Block ^Qj Intercept SMTP Bishop Knight 10 Black Energy Bot 24 Blind M a r k s m e n 77 Byzantine Foothold 96 Byzantine Viking 36 Carbon Peptide 6 Confiokor 3 C r o s s - D o m a i n Violations 77 Dancing Panda 2 Discovery 123 Eleonore Exploit Kit (TEC) 5 Q Latency Redirect HTTP HTTP r Substitute y 1 TCP DNS 3 10 24 1 77 1 1 12 83 31 4 6 3 77 77 2 116 4 1 2 5 Email 8 GnorneFisher 4 8 GnorneVision 1 1 MakersMark 8 8 4 Maverick Church 12 4 8 Native Dancer 26 S 18 Non Attributed Malware 13 13 Other 3 3 Phoenix Exploit Kit 1 1 Technology 7 6 WeaselVVaggle/SubtleSnow 58 1 57 Widowkey 26 1 25 Zeus 17 1 16 TOTAL 794 81 2 61 TUTELAGE 3 posture against T O P SECRET//COMINT//REL T O USA, 77 major threats 552 1 95 as of 11 February 2011 L5 UNCLASSIFIED//FOUO FUTURE CAPABILITIES UNCLASSIFIED//FOUO 1 6 SECRET//COMINT//REL T O USA, Upgrades & What They Mean Upgrade to 10G Sensor provides additional capabilities and enables future upgrades: •Immediate Benefits: - Increased speed and capacity - TS//SI signatures - Full Snort (Current sensors use packet-based Snort. 10G sensors use session-based Snort.) - Multi-event Snort •Future Upgrades: - POPQUIZ: Real-time behavioral analytics - GNOMEVISION: De-obfuscation of malicious packages - Cryptanalytic Capabilities - Netflow: Traffic analysis with GHOSTMACHINE SECRET//COMINT//REL T O USA, FVEY 1 7 SECRET//COMINT//REL T O USA, L3 t e £u*wre TUTELAGE Capability (S//SI//REL TO USA, FVEY) TCP Reset prevents malicious activity by breaking the connection. SECRET//COMINT//REL T O USA, FVEY SECRET//COMINT//REL T O USA, FVEY Future TUTELAGE Capabilities Sideline for Session Analysis » [IBI • ife; A • Analysis Sideline Infrastructure http://. ' A Continue On? Quarantine? Decision Logic (S//REL TO USA, FVEY) Sidelining is an intentional redirection of an activity to a secondary level of intervention where an intermediate host(s) (e.g. Listening Post, Quarantine, etc.) is staged to provide additional processing/manipulation to better engage and/or thwart adversarial activity. SECRET//COMINT//REL T O USA, FVEY 1 9 SECRET//COMINT//REL T O USA, FVEY Future TUTELAGE Capabilities Sideline for Listening Posts Listening H List ™ ^ o s t s jj] Physical Servers (S//REL TO USA, FVEY) Sidelining is an intentional redirection of an activity to a secondary level of intervention where an intermediate host(s) (e.g. Listening Post, Quarantine, etc.) is staged to provide additional processing/manipulation to better engage and/or thwart adversarial activity. SECRET//COMINT//REL T O USA, FVEY 2 0 SECRET//COMINT//REL T O USA, FVEY Future TUTELAGE Capabilities HBSS Integration Adversarial C2 Request Remote i Server 3 HBSS Enabled Endpoint Substitution/Redirection to Deliver Payload Detailed Alerts (S//SI//REL TO USA, FVEY) Integrating with the DOD's Host-Based Security System allows malicious activity detected through classified signatures in TUTELAGE to be dealt with at the host level. Using HBSS, TUTELAGE can trigger less sensitive alerts to local network administrators. SECRET//COMINT//REL T O USA, FVEY T O P SECRET//COMINT//REL T O USA, FVEY Future TUTELAGE Capabilities Quantum Tip 'one PANDORAS MAYHEM ,01 OK Injector Quantum Tip © T U R B I N E (TS//SI//REL TO USA, FVEY) TUTELAGE can tip QUANTUM to enable offensive action in adversary space. T O P SECRET//COMINT//REL T O USA, 2 2 T O P SECRET//COMINT//REL T O USA, FVEY Future TUTELAGE Capabilities Quantum Shooter Injector - Sensor xSL V • S B (PANDORAS MAYHEM Quantum Tip ^ / ( Ç T î j R ç r N E (TS//SI//REL TO USA, FVEY) TUTELAGE can tip QUANTUM to enable offensive action in adversary space. T O P SECRET//COMINT//REL T O USA, 2 3 T O P SECRET//COMINT//REL T O USA, FVEY Future TUTELAGE Capabilities Real Time Cryptanalytics g I Cryptanalytics (TS//SI//REL TO USA, FVEY) Real-time cryptanalytics allows Quantum operations to take place at net-speed. T O P SECRET//COMINT//REL T O USA, 2 4 UNCLASSIFIED//FOUO OPS SUCCESS STORIES UNCLASSIFIED//FOUO 2 5 SECRET//REL T O USA, FVEY U.S. Military Leaders Defended BYZANTINE HADES SIGINT • Based on information from SIGINT collection, a TUTELAGE countermeasure was developed and deployed in 2009 for a particular BYZANTINE HADES attack. •On October 21st and 22nd 2010, the spear-phishing attack was launched. The attack targeted four users, including the Chairman of the Joint Chiefs of Staff and the Chief of Naval Operations, with a carefully disguised malicious PDF. •NTOC operated the countermeasure and the attack was thwarted. SECRET//REL T O USA, FVEY 26 SECRET//REL T O USA, FVEY WAG Attempts to Deliver Holiday Present to DoD 23 December • NTOC-TX calls ops center advising of phishing campaign with "Merry Christmas" subject associated with WAG actors • WAG actors attempted to use ZEUS malware to exfiltrate documents • NTOC-TX did malware analysis and identified 2 new callback domains • In < 3 hours, received CyberCommand approval and plpce ' domains on DNS interdiction A ^ ^ A 9 1 30 December • NTOC-TX notices new spike in WAG mail signature • NTOC-TX discovers new callback domain • In < 20 minutes, received approval and placed domain on DNS interdiction • NTOC-W confirmed same malware from Xmas themed event SECRET//REL T O USA, FVEY 2 7 TOP SECRET//COMINT//REL TO USA, FVEY AMULETSTELLAR Spearphishing... Trying to Make New Friends In SIGINT, NTOC observed AMULETSTELLAR use of §)yahoo.com email account On Christmas Day, account was used to generated Linkedln requests to 10 general and flag grade officers NTOC leveraged TUTELAGE and SIGINT for further discovery of activity In coordination with CyberCommand, • Published 10 advisories • Identified 2 additional Linkedln accounts • Deployed 4 countermeasures • Intercepted over 2000 emails from AMULETSTELLAR actors TOP SECRET/fCOMINT/fREL TO USA, FVEY SECRET//REL T O USA, FVEY Combating the Low Orbit Ion Cannon (LOIC) The open-source LOIC tool has been used by "Anonymous" and others in several DDoS attacks. NTOC developed signatures to detect specific content strings generated by this tool. t j laoBtream - op-winxpv11 -13.Dp.n1oc.ric - P.emoa l Dutktap I ID TUTELAGE CVBBRWATCH:TCDLQIC_DEFflLLT_C0NTEM2_UDP- Mozila Frefou 1 View 2011/03/06 07 19 35 26376S 83 udp LS~-994QL 2 View 2011/03/06 07 19 35.26376S 83 Udp IS~-9940L 3 View 2011/03/06 07 19 35.263765 83 Uljp LS~-9940L am 5 View ioiwooop 2011/03/06 — 03 07 •s-^^yswiTHTwn" For example, for packets containing the string "Sweet_dreams_from_AnonOPs" TUTELAGE will perform an ACL Block against the offending IP once a threshold is met. \ SECRETJ/REL TO USA, ACGU/fNS f. II ShOUb U/lihL IO USA HVLY II LI l.G~-9940L —F— 7 V/ew 2011/03/06 07 10 35.26376? 83 udp L?~-9940L 3 U e a 2011/03/06 07 19 35.26376S 83 udp l.S~-9940L 3 View 2011/03/06 07 83 udp l.S~-9940L 10 View 2011/03/06 07 83 ujp l.S~-9940L 07 03 udp LG"-9940L udp LS"-'3940L 11 Vew 2011/03/06 12 Wow 2011/03/06 07 83 13 Vfew 2011/03/06 07 83 udp LS~-9940L U View 7011/03/06 07 83 udp 1.3--9940i 15 View 2011/03/06 0/ 83 udp 1.8 -9940L 16 View 2011/03/06 07 83 udp l.S~-9940L 17 View 2011/03/06 07 83 udp l.S~-9940L IS View 2011/03/06 07 S3 udp LS~-M40L 19 View 2011/03/06 07 S3 udp LS~-9940L 20 View 201 1 / 0 3 / 0 6 07 83 udp 1 .S~-9940i 21 View 2011/03/06 0/ 83 udp LS -994UL Observed here is traffic from an ongoing DDoS against several DoD IPs. TUTELAGE is blocking the malicious IP from communicating with any DoD machines. SECRET//REL ^^Wsrarlcn I TO ..r. :• UNCLASSIFIED//FOUO QUESTIONS? UNCLASSIFIED//FOUO 3 0
© Copyright 2024 Paperzz