TRANSCRIPT
TOP SECRET//COMINT
Communications Security Establishment | Centre de la sécurité des télécommunications
Cyber Threat Detection
Passive Cyber Threat Detection Platform - EONBLUE
* Currently deployed alongside traditional DNI Collection (SPECIALSOURCE, Warranted Access, FORNSAT, etc)
* Packet Processing capability tailored to Cyber built over a 6+ year period
* Cyber Threat Tracking (Deep Packet Inspection signatures for 'known' intrusions)
* Cyber Threat Discovery (Anomaly Detection for discovering unknown intrusions)
In 2009, an average of 115,000 Traffic Items were collected daily from Canadian and Allied Sources
* Collection from allies is crucial to success, but it is based on IP Address collection (causes over-collection; sessionization corrupts data; difficult to analyze with the Cyber toolkit)
POC: [redacted], Global Network Detection ([redacted]@cse-cst.gc.ca)
Canada
Holistic Cyber Threat Capability
Mitigation
Knowledge Transfer
CSEC - SIGINT Supporting CND
* Globally pervasive threat
  - Covered by 5-Eyes network as one ...
  - Subject to CSEC cryptographic attack
* [illegible] ...ional protocols [illegible]
* [illegible] threat engineered at CSEC
* [illegible] of government [illegible] partner linguistic community
* Constantly changing modus operandi, with the ability to stop or mitigate attacks and intrusions [illegible] analytics and anomaly detection directed against networks of [illegible]
* Exfiltrate valuable intelligence; use to enhance our repositories
* These operations are also directed against GoC networks - Which we can detect and mitigate using both SIGINT and domestic sensors
[Mock social-network profile page for the threat actor "SEEDSPHERE"]
SEEDSPHERE is exfiltrating information from systems located across the globe and has no plans to stop anytime soon.
Photos of Me (230) | Friends (23) | Places I've Been (125,234)
Friends: DIESELRATTLE, SIENNABLUE, DOWNGRADE
Groups: Windows Internals, 3322.org, bosee.net, lovequintet.org, lovetrio.com, Chinese [illegible]
The Wall:
* SEEDSPHERE downloaded images from the Japanese Embassy in Romania 1:25PM
* SEEDSPHERE added the Poison Ivy Application 2:13PM
* [illegible] RBSI communicated using the Poison Ivy [illegible]
  VGiipcyBpcy6iibiBlD{nNvZGVkIFN0cnilaZY6tJaGF0IF]!cXVpciTtV2lERlY3J5<
* SEEDSPHERE is abusing the DNS Protocol 4:36PM
* Last Week: SEEDSPHERE is taking the day off on Chinese New Year 12:00AM
Front-end Cyber Tradecraft
Deployed high-speed clustered storage to our collection sites
* Enables extraction / storing and processing of all HTTP metadata to identify Cyber Threat Anomalies
* Leveraged by CSEC's network knowledge engine to facilitate DNS Response harvesting and de-duplication
[Chart: Cluster throughput (file system), 400 Mb/s; x-axis 06/11 to 06/25; series: Inbound, Outbound]
[Chart: x-axis 06/11 to 06/25; series: System, User, Total]
[Chart: per-node load; x-axis 06/13 to 06/25]
Black Line: Total data into the Cluster. Blue Line: Data Outbound from SAN.
Data deduplication at site results in much better use of limited bandwidth.
Data into the cluster is balanced across multiple nodes. Each color denotes a separate node, automatically dividing the load amongst all systems.
Joint Capability Development SIGINT / ITS - Cyber Threat Detection
* Fast Flux Botnet Detection - CROSSBOW
  * A target-discovery algorithm deployed at CSEC SSO sites (currently operational)
  * Detects botnets that use the DNS protocol for command and control (i.e. the technique runs exclusively on metadata)
  * Initial planning phase Tipping/Cueing trials between SIGINT/ITS and the 5Eyes (stand-alone source code has been shared with 5Eyes, i.e. through T3IO)
* "Throw-away" Cyber Threat Detection Sensor - CRUCIBLE
  * A low-cost, rapidly-deployed passive cyber threat detection sensor designed for use with TS//SI signatures in a non-SCIF environment (cyber target-tracking capability)
  * Strength of the sensor is derived primarily from the logical countermeasures (i.e. cryptographic hashes and bloom filters)
* POC: ITS Operations
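The CRUCIBLE bullets describe a sensor that can carry sensitive signatures into an uncontrolled environment because it holds only cryptographic hashes in a Bloom filter rather than the indicators themselves. The following is an added example written for this transcript, not CSEC's code: a throw-away sensor that loads SHA-256 hashes of a constructed indicator list into a Bloom filter and matches DNS query names from constructed log lines against it. The indicator names, log format and `.test` domains are placeholders.

```python
# Added example (not CSEC code): a throw-away sensor that checks observed
# DNS query names against sensitive indicators it never stores in the clear.
# The indicator list is loaded into a Bloom filter built from SHA-256
# digests, so the deployed artefact is only a bit array.
import hashlib
import math


class BloomFilter:
    """Standard Bloom filter; the k bit positions for an item are derived
    from one SHA-256 digest by double hashing (h1 + i*h2 mod m)."""

    def __init__(self, capacity: int, fp_rate: float) -> None:
        # Size the bit array and number of positions for the requested
        # capacity and target false-positive rate.
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step value
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item: str) -> bool:
        return all((self.bits[pos // 8] >> (pos % 8)) & 1 for pos in self._positions(item))


def normalize(name: str) -> str:
    """Canonical form so 'C2.Example.' and 'c2.example' hash identically."""
    return name.strip().lower().rstrip(".")


def build_sensor(indicators, fp_rate=0.001) -> BloomFilter:
    """Done inside the controlled environment: hash the plaintext indicators
    into a filter. Only the filter leaves the room."""
    bf = BloomFilter(capacity=max(1000, len(indicators)), fp_rate=fp_rate)
    for ind in indicators:
        bf.add(normalize(ind))
    return bf


def scan(sensor: BloomFilter, log_lines):
    """Done on the sensor: return (line_number, qname) for every query that
    probably matches a signature. A hit is a lead, not proof: a Bloom filter
    can answer 'maybe' for a non-member but never misses a real member."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split()  # constructed format: "<time> query <qname>"
        if len(parts) < 3 or parts[1] != "query":
            continue
        qname = normalize(parts[2])
        if qname in sensor:
            hits.append((n, qname))
    return hits


# Constructed indicator list and DNS query log (placeholder values).
INDICATORS = ["c2-update.flux.test", "beacon.badtld.test", "mail-relay.flux.test"]
LOG = [
    "10:01:02 query www.example.test",
    "10:01:05 query C2-Update.Flux.Test.",
    "10:01:09 query beacon.badtld.test",
    "10:01:11 query cdn.example.test",
]

if __name__ == "__main__":
    sensor = build_sensor(INDICATORS)
    print(scan(sensor, LOG))  # [(2, 'c2-update.flux.test'), (3, 'beacon.badtld.test')]
```

The filter protects the indicator list from being read off a captured sensor, but anyone holding the filter can still test guesses against it, so the protection is only as good as the unguessability of the indicators and the discipline of rotating the filter; a hit should also be treated as a cue for analysis rather than a confirmed match, since the false-positive rate is chosen, not zero.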
Sample of Fast Flux Activity Detected
[Graph legend] Square nodes: contacted by fast flux "bots". Diamond nodes: fast flux "bots". Oval nodes: suspected fast flux domain.
* 1 week of detected fast flux activity for a particular fast flux domain at a CSEC access
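CROSSBOW, as the earlier slide puts it, finds fast-flux command-and-control "exclusively on metadata", and the graph above shows the result as domain, bot and client nodes. The block below is an added example written for this transcript, not CSEC's algorithm: it scores candidate fast-flux names from constructed DNS response metadata (timestamp, query name, TTL, answer IPs) using the common published heuristics of answer-IP count, /24 prefix diversity and TTL, and emits the domain-to-bot edges that a graph like the one on the slide is drawn from. Domain names, addresses and thresholds are constructed placeholders.

```python
# Added example (not CSEC's CROSSBOW): scoring candidate fast-flux domains
# from DNS response metadata alone. Each record is
# (timestamp, qname, ttl, [answer IPs]); no packet payload is needed.
import ipaddress
from collections import defaultdict
from statistics import median


def summarize(records):
    """Per-domain statistics that fast-flux heuristics rely on: distinct
    answer IPs, distinct /24 prefixes, TTLs, and churn (answers not present
    in the previous response for the same name)."""
    stats = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": [],
                                 "responses": 0, "churn": 0, "last": None})
    for _ts, qname, ttl, answers in sorted(records, key=lambda r: r[0]):
        d = stats[qname.lower().rstrip(".")]
        d["responses"] += 1
        d["ttls"].append(ttl)
        current = frozenset(answers)
        if d["last"] is not None:
            d["churn"] += len(current - d["last"])
        d["last"] = current
        for ip in answers:
            d["ips"].add(ip)
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            d["prefixes"].add(str(net))
    return stats


def is_fast_flux(d, min_ips=10, min_prefixes=5, max_ttl=300):
    """Flag a name that cycles through many hosts in many networks with
    short TTLs. Prefix diversity separates flux networks (bots scattered
    across unrelated ranges) from CDNs, which also use low TTLs but answer
    from a few provider blocks."""
    return (len(d["ips"]) >= min_ips
            and len(d["prefixes"]) >= min_prefixes
            and median(d["ttls"]) <= max_ttl)


def classify(records, **thresholds):
    """Map each observed name to True (suspected fast flux) or False."""
    return {name: is_fast_flux(d, **thresholds)
            for name, d in summarize(records).items()}


def flux_graph(records, name):
    """Edges (domain -> bot IP) for one name: the data behind an
    oval-domain / diamond-bot node graph like the slide's."""
    d = summarize(records)[name.lower().rstrip(".")]
    return sorted((name, ip) for ip in d["ips"])


# Constructed response metadata. 10.x addresses stand in for scattered bot
# hosts; 198.51.100/203.0.113/192.0.2 are RFC 5737 documentation ranges.
SAMPLE = []
for i in range(8):  # flux name: 5 new hosts in 5 new /24s every response
    SAMPLE.append((i * 60, "update-svc.example", 60,
                   [f"10.{i * 5 + j}.{j + 1}.{20 + i}" for j in range(5)]))
for i in range(6):  # CDN-like name: low TTL, but only two provider blocks
    pool = (["198.51.100.10", "198.51.100.11"] if i % 2 == 0
            else ["203.0.113.20", "203.0.113.21"])
    SAMPLE.append((i * 30 + 5, "cdn.example", 30, pool))
for i in range(3):  # static name: one address, long TTL
    SAMPLE.append((i * 3600 + 7, "www.example", 3600, ["192.0.2.1"]))

if __name__ == "__main__":
    for name, flagged in classify(SAMPLE).items():
        print(f"{name:22} fast-flux={flagged}")
```

Because the method needs only resolver response metadata, it runs on the deduplicated DNS response feed described on the storage slide without any session reconstruction; the thresholds are the part that has to be tuned per access, since legitimate low-TTL services sit close to the boundary and the prefix-diversity test is what keeps them out.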
Joint Capability Development SIGINT / ITS - Cyber Threat Detection
Scanning Detection - LODESTONE
Speaker notes (for the "CSEC - SIGINT Supporting CND" slide):
- Added the health and status of Government network bullet
- Removed '4th party' and instead mention how it enhances our repositories (will introduce 4th party here)