20150117-Spiegel-NSA Program TUTELAGE to Instrumentalize

T O P SECRET//COMINT//REL T O USA,
FVEY
TUTELAGE
T O P SECRET//COMINT//REL T O USA, 1
T O P SECRET//COMINT//REL T O USA,
FVEY
Before TUTELAGE...
AFTERL
INTRUSION'
Manual Analysis of Reporting Logs
Intrusion by
Adversary
Reporting Process
Intrusion Event
Logged
Victim Notification
(Response?)
/
BEFORE
INTRUSION MON
r
TUE
WED
T O P SECRET//COMINT//REL T O USA,
THU
FRI
2
T O P SECRET//COMINT//REL T O USA,
FVEY
BttfftoheTI C EEJMSEE.
AFTERL
INTRUSION'
Adversary Malwafe Design
Infusion by
. /ersary
P M h h i s s I
Analysis of Reporting Logs
Intrusior /ent
Logged
Reporting Process
Victim Notification
(Response?)
TIMEi
Adversary Malware
—
/
r
BEFORE
l
y
INTRUSION
T O P SECRET//COMINT//REL T O USA,
3
T O P SECRET//COMINT//REL T O USA,
FVEY
With TUTELAGE..
Adversary Malware Design Process
SIGINT-Enabled
Countermeasure
Mitigates Adversary
Intrusion
PLAN
•
Discovery of
Adversary
Tools & Tradecraft
T-H
y
DEPLOY
^
•
>-
ATTACK
v
•
Adversary Malware
Decision Loop
Tailored Countermeasure
Developed & Deployed
Discovery of
Adversary Intentions
Countermeasure Development
T O P SECRET//COMINT//REL T O USA,
BEFORE
INTRUSION
4
T O P SECRET//COMINT//REL T O USA,
FVE/
Application of Capabilities
SECRET//COMINT//REL TO USA,
TUTELAGE Mission Flow
Discovery &
Characterization of
Cyber Adversary Tradecraft
CYBERQUEST
5
Foreign
Adversary
Launches
XKEYSCORE
PQI&&V
U.S. Foreign
>
Adversr.y
GNOMEVISION
fi
Deto&tt&Mitimtee
>
•
POPQUIZ
Sensors
%\GMStGINT
Coll<©iWtftf/oA7
Foreign Adversary
Launches Attack
Alert!
7 r t f i ? \ m v e
SIGINT
U.S.
f * . Boundary
I
Sensors
Bimmviiritiiii
ft «Ä5W.V- ,
aavkjß&mtmmeasures
n i s m m
DoD
Boundary
Sensors
mm?
-
5
^ • ^ N e w Signatures,
I G W Q B i "
m
^ -
r
m & N e w
ymmmUng witfLPartners
-
SECRET//COMINT//RELlOTlSArFVEY
iCountermeasures
Signatures
3
with
and
Partners
to
UNCLASSIFIED//FOUO
Operational Landscape
Foreign Intel
Service
Threat
Observability
Email Phishing
Threat Sophistication
UNCLASSIFIED//FOUO
SECRET//COMINT//REL T O USA,
FVEY
TUTELAGE Capabilities
Redirect
Alert/Tip
Passive Sensor
Generates Alert
"What's My
Destination?
Storage
Intercept
Redirect to
Safe Server
Infected Host's
Information
Block
Malicious
Activity
Blocks Entry/Exit
Activity
"Activity
Successful"
Substitute
'Attack"
Latency
Speed
Adjusted
'Sleep"
SECRET//COMINT//REL T O USA, FVEY
SKIP TO APPLICATION •
8
SECRET//COMINT//REL T O USA,
FVEY
TUTELAGE Capabilities
Alert/Tip
Passive Sensor
Generates Alert
^jpli'
Sensor:
f
S
(
Data
Request
Generates Alerts
Collects Data for Analysis
Runs Applications
C
storage
Decision
Logic
SIGINT
Tasking
Decision Logic:
Requests Data
Establishes Correlations
Sends Out Tasks
Sends Alerts to SIGINT Tasking
(S//REL TO USA, FVEY)
Alert/Tip indicates the presence of malicious activity
and communicates this information with the rest of
the TUTELAGE enterprise and/or the SIGINT
(passive/active) enterprise. Rule and Decision Logic
determine whether data is stored.
SECRET//COMINT//REL T O USA, FVEY
SKIP TO APPLICATION •
9
SECRET//COMINT//REL T O USA,
FVEY
«MENU
TUTELAGE Capabilities
Intercept
"Successful"
In-Line Packet Processor:
Re-routes traffic dynamically
Modify inbound & outbound packets
Insert and/or delete packets
(S//REL TO USA, FVEY)
Intercept is the means by which the TUTELAGE in-line
packet processor can transparently intervene in
adversarial activities, permitting the activity to appear
to complete without disclosing that it did not
reach/affect the intended target.
SECRET//COMINT//REL T O USA, FVEY
SKIP TO APPLICATION •
1°
SECRET//COMINT//REL TO USA,
FVEY
4
TUTELAGE Capabilities
Unable to
Decrypt
00111010011
10101110101
01101010010
11010011011
(S//REL TO USA, FVEY)
Substitute is the TUTELAGE in-line packet
processor's ability to perform bidirectional content
detection and replacement.
SECRET//COMINT//REL TO USA, FVEY
SKIP TO APPLICATION •
TOP
SECRET//COMINT//REL T O USA,
FVE/
TUTELAGE Capabilities
Redirect
p g g i y
-
'l¡Sj|#
s o m m e t
Herejqstead
J^R ^
¿á
/ I
pjgj^T
What's My
£ Destination?
%
Redirect to
Safe Server
R
Infected Host's
Information
B Ä Ö i o n IP
Decision
Tip SIGINT
if Foreign
LogiC
(S//REL TO USA, FVEY)
Redirect is the TUTELAGE in-line packet processor's
ability to change the course or direction of an
adversarial (or adversarial induced) activity.
SKIP TO APPLICATION •
12
SECRET//COMINT//REL T O USA,
FVEY
TUTELAGE Capabilities
«MENU
ta
Block
r-
:
Blocks Entry/Exit
Activity
(S//REL TO USA, FVEY)
Block is the means by which the TUTELAGE in-line
packet processor can deny entry/exit of network
activity at the Internet Access Points (lAPs) based
initially on source and/or destination Internet Protocol
(IP) addresses and ports.
SECRET//COMINT//REL T O USA, FVEY
SKIP TO APPLICATION •
1°
SECRET//COMINT//REL T O USA,
FVEY
«MENU
TUTELAGE Capabilities
Latency
Speed
Adjusted
(S//REL TO USA, FVEY)
Latency is the means by which the TUTELAGE in-line
packet processor can stealthily vary the in/outbound speed
of an adversary's activities traversing the lAPs to provide a
diminished quality of service. This creates more time for
other TUTELAGE capabilities to be executed.
SECRET//COMINT//REL T O USA, FVEY
SKIP TO APPLICATION • 1°
T O P SECRET//COMINT//REL T O USA,
FVEY
How Many, How Often
TUTELAGE currently o p e r a t e s against 28 major t h r e a t c a t e g o r i e s , using a total of 794 operational
effects e n c o m p a s s e d in s e v e n capabilities (alerting/tipping, blocking, interception, sidelining,
substitution, redirection and latency).
Cyber Activity
Ops
Adversarial Recon
3
AlertJTip
I
Block
^Qj
Intercept
SMTP
Bishop Knight
10
Black Energy Bot
24
Blind M a r k s m e n
77
Byzantine
Foothold
96
Byzantine Viking
36
Carbon Peptide
6
Confiokor
3
C r o s s - D o m a i n Violations
77
Dancing Panda
2
Discovery
123
Eleonore Exploit Kit (TEC)
5
Q
Latency
Redirect
HTTP
HTTP
r
Substitute
y
1
TCP
DNS
3
10
24
1
77
1
1
12
83
31
4
6
3
77
77
2
116
4
1
2
5
Email
8
GnorneFisher
4
8
GnorneVision
1
1
MakersMark
8
8
4
Maverick Church
12
4
8
Native Dancer
26
S
18
Non Attributed Malware
13
13
Other
3
3
Phoenix Exploit Kit
1
1
Technology
7
6
WeaselVVaggle/SubtleSnow
58
1
57
Widowkey
26
1
25
Zeus
17
1
16
TOTAL
794
81
2
61
TUTELAGE
3
posture
against
T O P SECRET//COMINT//REL T O USA,
77
major
threats
552
1
95
as of 11 February
2011
L5
UNCLASSIFIED//FOUO
FUTURE CAPABILITIES
UNCLASSIFIED//FOUO
1 6
SECRET//COMINT//REL T O USA,
Upgrades & What They Mean
Upgrade to 10G Sensor provides additional capabilities and
enables future upgrades:
•Immediate Benefits:
- Increased speed and capacity
-
TS//SI signatures
-
Full Snort (Current sensors use packet-based Snort. 10G sensors
use session-based Snort.)
-
Multi-event Snort
•Future Upgrades:
-
POPQUIZ: Real-time behavioral analytics
-
GNOMEVISION: De-obfuscation of malicious packages
-
Cryptanalytic Capabilities
-
Netflow: Traffic analysis with GHOSTMACHINE
SECRET//COMINT//REL T O USA, FVEY
1 7
SECRET//COMINT//REL T O USA,
L3 t e £u*wre TUTELAGE Capability
(S//SI//REL TO USA, FVEY)
TCP Reset prevents malicious activity by breaking the
connection.
SECRET//COMINT//REL T O USA, FVEY
SECRET//COMINT//REL T O USA,
FVEY
Future TUTELAGE Capabilities
Sideline for Session Analysis
»
[IBI
•
ife;
A •
Analysis
Sideline
Infrastructure
http://.
' A
Continue On?
Quarantine?
Decision
Logic
(S//REL TO USA, FVEY)
Sidelining is an intentional redirection of an activity to
a secondary level of intervention where an intermediate
host(s) (e.g. Listening Post, Quarantine, etc.) is staged
to provide additional processing/manipulation to better
engage and/or thwart adversarial activity.
SECRET//COMINT//REL T O USA, FVEY
1 9
SECRET//COMINT//REL T O USA,
FVEY
Future TUTELAGE Capabilities
Sideline for Listening Posts
Listening H
List
™ ^
o s t s
jj]
Physical
Servers
(S//REL TO USA, FVEY)
Sidelining is an intentional redirection of an activity to
a secondary level of intervention where an intermediate
host(s) (e.g. Listening Post, Quarantine, etc.) is staged
to provide additional processing/manipulation to better
engage and/or thwart adversarial activity.
SECRET//COMINT//REL T O USA, FVEY
2 0
SECRET//COMINT//REL T O USA,
FVEY
Future TUTELAGE Capabilities
HBSS Integration
Adversarial
C2 Request
Remote i
Server 3
HBSS
Enabled
Endpoint
Substitution/Redirection
to Deliver Payload
Detailed
Alerts
(S//SI//REL TO USA, FVEY)
Integrating with the DOD's Host-Based Security System
allows malicious activity detected through classified
signatures in TUTELAGE to be dealt with at the host
level. Using HBSS, TUTELAGE can trigger less
sensitive alerts to local network administrators.
SECRET//COMINT//REL T O USA, FVEY
T O P SECRET//COMINT//REL T O USA,
FVEY
Future TUTELAGE Capabilities
Quantum Tip
'one
PANDORAS
MAYHEM
,01 OK
Injector
Quantum
Tip
© T U R B I N E
(TS//SI//REL TO USA, FVEY)
TUTELAGE can tip QUANTUM to enable offensive
action in adversary space.
T O P SECRET//COMINT//REL T O USA,
2 2
T O P SECRET//COMINT//REL T O USA,
FVEY
Future TUTELAGE Capabilities
Quantum Shooter
Injector
-
Sensor xSL
V
•
S B
(PANDORAS
MAYHEM
Quantum
Tip
^ / ( Ç T î j R ç r N E
(TS//SI//REL TO USA, FVEY)
TUTELAGE can tip QUANTUM to enable offensive
action in adversary space.
T O P SECRET//COMINT//REL T O USA,
2 3
T O P SECRET//COMINT//REL T O USA,
FVEY
Future TUTELAGE Capabilities
Real Time Cryptanalytics
g
I
Cryptanalytics
(TS//SI//REL TO USA, FVEY)
Real-time cryptanalytics allows Quantum operations to
take place at net-speed.
T O P SECRET//COMINT//REL T O USA,
2 4
UNCLASSIFIED//FOUO
OPS SUCCESS STORIES
UNCLASSIFIED//FOUO
2 5
SECRET//REL T O USA, FVEY
U.S. Military Leaders Defended
BYZANTINE
HADES
SIGINT
• Based on information from SIGINT
collection, a TUTELAGE
countermeasure was developed and
deployed in 2009 for a particular
BYZANTINE HADES attack.
•On October 21st and 22nd 2010, the
spear-phishing attack was
launched. The attack targeted four
users, including the Chairman of the
Joint Chiefs of Staff and the Chief of
Naval Operations, with a carefully
disguised malicious PDF.
•NTOC operated the countermeasure
and the attack was thwarted.
SECRET//REL T O USA, FVEY 26
SECRET//REL T O USA, FVEY
WAG Attempts to Deliver Holiday Present to DoD
23 December
• NTOC-TX calls ops center advising of phishing campaign with
"Merry Christmas" subject associated with WAG actors
• WAG actors attempted to use ZEUS malware to exfiltrate
documents
• NTOC-TX did malware analysis and identified 2 new callback
domains
• In < 3 hours, received CyberCommand approval and plpce '
domains on DNS interdiction
A
^ ^
A 9 1
30 December
• NTOC-TX notices new spike in WAG mail signature
• NTOC-TX discovers new callback domain
• In < 20 minutes, received approval and placed domain on DNS
interdiction
• NTOC-W confirmed same malware from Xmas themed event
SECRET//REL T O USA, FVEY
2 7
TOP SECRET//COMINT//REL TO USA, FVEY
AMULETSTELLAR Spearphishing... Trying to Make New
Friends
In SIGINT, NTOC observed
AMULETSTELLAR use of
§)yahoo.com email account
On Christmas Day, account was used to
generated Linkedln requests to 10
general and flag grade officers
NTOC leveraged TUTELAGE and SIGINT
for further discovery of activity
In coordination with CyberCommand,
• Published 10 advisories
• Identified 2 additional Linkedln accounts
• Deployed 4 countermeasures
• Intercepted over 2000 emails from
AMULETSTELLAR actors
TOP SECRET/fCOMINT/fREL TO USA, FVEY
SECRET//REL T O USA, FVEY
Combating the Low Orbit Ion Cannon (LOIC)
The open-source LOIC tool has
been used by "Anonymous" and
others in several DDoS attacks.
NTOC developed signatures to
detect specific content strings
generated by this tool.
t j laoBtream - op-winxpv11 -13.Dp.n1oc.ric - P.emoa
l Dutktap
I ID TUTELAGE CVBBRWATCH:TCDLQIC_DEFflLLT_C0NTEM2_UDP- Mozila Frefou
1
View
2011/03/06 07 19 35
26376S
83
udp
LS~-994QL
2
View
2011/03/06
07 19
35.26376S
83
Udp
IS~-9940L
3
View
2011/03/06
07 19
35.263765
83
Uljp
LS~-9940L
am
5
View
ioiwooop
2011/03/06
—
03
07
•s-^^yswiTHTwn"
For example, for packets
containing the string
"Sweet_dreams_from_AnonOPs"
TUTELAGE will perform an ACL
Block against the offending IP
once a threshold is met.
\ SECRETJ/REL TO USA, ACGU/fNS f.
II ShOUb U/lihL IO USA HVLY II
LI
l.G~-9940L
—F—
7
V/ew
2011/03/06
07 10
35.26376?
83
udp
L?~-9940L
3
U e a
2011/03/06
07 19
35.26376S
83
udp
l.S~-9940L
3
View
2011/03/06
07
83
udp
l.S~-9940L
10
View
2011/03/06
07
83
ujp
l.S~-9940L
07
03
udp
LG"-9940L
udp
LS"-'3940L
11
Vew
2011/03/06
12
Wow
2011/03/06
07
83
13
Vfew
2011/03/06
07
83
udp
LS~-9940L
U
View
7011/03/06
07
83
udp
1.3--9940i
15
View
2011/03/06
0/
83
udp
1.8 -9940L
16
View
2011/03/06
07
83
udp
l.S~-9940L
17
View
2011/03/06
07
83
udp
l.S~-9940L
IS
View
2011/03/06
07
S3
udp
LS~-M40L
19
View
2011/03/06
07
S3
udp
LS~-9940L
20
View
201 1 / 0 3 / 0 6
07
83
udp
1 .S~-9940i
21
View
2011/03/06
0/
83
udp
LS -994UL
Observed here is traffic from an
ongoing DDoS against several
DoD IPs. TUTELAGE is blocking
the malicious IP from
communicating with any DoD
machines.
SECRET//REL
^^Wsrarlcn
I
TO
..r. :•
UNCLASSIFIED//FOUO
QUESTIONS?
UNCLASSIFIED//FOUO
3 0