
Communications Security Establishment / Centre de la sécurité des télécommunications: Front-end Cyber Tradecraft


TOP SECRET//COMINT

Communications Security Establishment / Centre de la sécurité des télécommunications

Cyber Threat Detection

Passive Cyber Threat Detection Platform - EONBLUE

* Currently deployed alongside traditional DNI Collection (SPECIALSOURCE, Warranted Access, FORNSAT, etc)

* Packet Processing capability tailored to Cyber built over a 6+ year period

* Cyber Threat Tracking (Deep Packet Inspection signatures for 'known' intrusions)

* Cyber Threat Discovery (Anomaly Detection for discovering unknown intrusions)

In 2009 an average of 115,000 Traffic Items collected daily from Canadian and Allied Sources

* Collection from allies is crucial to success, but based on IP Address collection (causes over collect, sessionization corrupts data, difficult to analyze with Cyber toolkit)

POC: [name redacted], Global Network Detection ([redacted]@cse-cst.gc.ca)

Canada


Holistic Cyber Threat Capability

[Diagram; legible labels: Mitigation, Knowledge Transfer]



CSEC - SIGINT Supporting CND

• Globally pervasive threat
  - Covered by 5-Eyes network as one ...
  - Subject to CSEC cryptographic attack
• [illegible] ...ional protocols ...
• [illegible] awareness of the threat engineered at CSEC
• [illegible] of government [illegible] partner linguistic community
• Constantly changing modus [illegible], [illegible] with the ability to stop or mitigate attacks and intrusions [illegible] analytics and anomaly detection
• [illegible] directed against networks of [illegible]
• Exfiltrate valuable intelligence; use to enhance our repositories
• These operations are also directed against GoC networks
  - Which we can detect and mitigate using both SIGINT and domestic sensors

[Slide: mock social-network profile page for the threat actor SEEDSPHERE]

Status: SEEDSPHERE is exfiltrating information from systems located across the globe and has no plans to stop anytime soon.

Photos (230); Friends (23); Places I've Been (125,234)

News feed:
- SEEDSPHERE downloaded images from the Japanese Embassy in Romania 1:25PM
- SEEDSPHERE added the Poison Ivy Application 2:13PM
- [illegible]PM RBSI communicated using the Poison Ivy [encoded string, illegible in the scan]
- SEEDSPHERE is abusing the DNS Protocol 4:36PM
- Last Week: SEEDSPHERE is taking the day off on Chinese New Year 12:00AM

Friends: [illegible], DIESELRATTLE, SIENNABLUE, DOWNGRADE

Groups: Windows Internals, 3322.org, bosee.net, lovequintet.org, lovetrio.com, Chinese [illegible]



Front-end Cyber Tradecraft

Deployed high-speed clustered storage to our collection sites

* Enables extraction / storing and processing of all HTTP metadata to identify Cyber Threat Anomalies

* Leveraged by CSEC's network knowledge engine to facilitate DNS Response harvesting and de-duplication

[Charts: cluster throughput (file system), 400 Mb/s scale, 06/11 to 06/25; series Inbound / Outbound and System / User / Total]

Black line: total data into the cluster. Blue line: data outbound from SAN.

Data deduplication at site results in much better use of limited bandwidth.

Data into the cluster is balanced across multiple nodes. Each color denotes a separate node, automatically dividing the load amongst all systems.



Joint Capability Development SIGINT / ITS - Cyber Threat Detection

* Fast Flux Botnet Detection - CROSSBOW

  * A target-discovery algorithm deployed at CSEC SSO sites (currently operational)

  * Detects botnets that use the DNS protocol for command and control (i.e. the technique runs exclusively on metadata)

  * Initial planning phase: Tipping/Cueing trials between SIGINT/ITS and the 5Eyes (stand-alone source code has been shared with 5Eyes, i.e. through T3IO)

* "Throw-away" Cyber Threat Detection Sensor - CRUCIBLE

  * A low-cost, rapidly-deployed passive cyber threat detection sensor designed for use with TS//SI signatures in a non-SCIF environment (cyber target-tracking capability)

  * Strength of the sensor is derived primarily from the logical countermeasures (i.e. cryptographic hashes and bloom filters)

* POC: [name redacted], DG ITS Operations
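The CRUCIBLE bullet says the sensor's protection rests on cryptographic hashes and Bloom filters rather than on the physical security of the site. The following is an added example, not CSEC's code, of what that design looks like: the deployed sensor holds only a Bloom filter of SHA-256 digests of the indicator list, so a sensor recovered from a non-SCIF site yields bits rather than signatures, and a hit is a probable match that the classified side confirms. Indicator values and query names are constructed.

```python
import hashlib
import math

class HashedIndicatorFilter:
    """Bloom filter over SHA-256 digests of indicator strings.

    The sensor keeps only the bit array, never the indicator list, so an
    indicator cannot be read back out of a recovered sensor. A hit is a
    probable match (false positives at roughly fp_rate, never false
    negatives) that the classified side confirms against the real list.
    """

    def __init__(self, expected_items: int, fp_rate: float = 1e-6) -> None:
        # Standard Bloom sizing: m = -n ln(p) / (ln 2)^2 bits, k = (m / n) ln 2 hashes.
        self.m = max(8, int(-expected_items * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        # Kirsch-Mitzenmacher double hashing: h_i = h1 + i*h2 (mod m), with h1 and
        # h2 taken from the two halves of one SHA-256 digest of the lowercased item.
        d = hashlib.sha256(item.lower().encode()).digest()
        h1 = int.from_bytes(d[:16], "big")
        h2 = int.from_bytes(d[16:], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

def build_sensor(indicators):
    """Build the filter on the classified side; only the filter ships to the sensor."""
    sensor = HashedIndicatorFilter(len(indicators))
    for indicator in indicators:
        sensor.add(indicator)
    return sensor

def scan_qnames(sensor, qnames):
    """Return observed DNS query names that hit the filter (the sensor's alerts)."""
    return [q for q in qnames if q in sensor]

# Constructed sample data, not real indicators or observed traffic.
INDICATORS = ["c2.example.invalid", "update-check.example.invalid", "mail.example.invalid"]
QNAMES = ["www.example.com", "C2.example.invalid", "cdn.example.net", "mail.example.invalid"]
```

Run `scan_qnames(build_sensor(INDICATORS), QNAMES)` to see the two matching names; everything else in the sensor is an opaque bit array.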


Sample of Fast Flux Activity Detected

[Graph] Square nodes: contacted by fast flux "bots". Diamond nodes: fast flux "bots". Oval nodes: suspected fast flux domain.

• 1 week of detected fast flux activity for a particular fast flux domain at a CSEC access
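As an added example, not CSEC's CROSSBOW code, the following flags a fast flux domain from DNS response metadata alone (short TTLs, many distinct answers spread across several network prefixes) and then groups nodes the way the graph above draws them: the suspected domain, the bot addresses it resolved to, and the hosts seen talking to those bots. All records and thresholds are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed DNS response metadata: (query name, TTL in seconds, answer IP).
DNS_META = [
    ("login-update.example.invalid", 120, "198.51.100.7"),
    ("login-update.example.invalid", 120, "203.0.113.44"),
    ("login-update.example.invalid", 90, "192.0.2.130"),
    ("login-update.example.invalid", 60, "198.51.100.201"),
    ("login-update.example.invalid", 60, "203.0.113.9"),
    ("login-update.example.invalid", 30, "192.0.2.77"),
    ("www.example.com", 3600, "93.184.216.34"),
    ("www.example.com", 3600, "93.184.216.34"),
]
# Constructed flow metadata: (source IP, destination IP) for observed connections.
FLOWS = [("10.0.0.5", "198.51.100.7"), ("10.0.0.9", "203.0.113.44"),
         ("10.0.0.5", "192.0.2.130"), ("10.0.0.12", "8.8.8.8")]


def fast_flux_domains(records, max_ttl=300, min_ips=5, min_prefixes=3):
    """Flag query names whose answers churn across many addresses with short TTLs.

    Indicators used: every TTL at or below max_ttl, at least min_ips distinct
    answers, and those answers spread over at least min_prefixes /16 prefixes
    (a stand-in for ASN diversity; a CDN normally answers from a few prefixes it owns).
    """
    answers = defaultdict(set)
    worst_ttl = {}
    for qname, ttl, ip in records:
        answers[qname].add(ip)
        worst_ttl[qname] = max(worst_ttl.get(qname, 0), ttl)
    flagged = {}
    for qname, addrs in answers.items():
        prefixes = {int(ip_address(a)) >> 16 for a in addrs}
        if worst_ttl[qname] <= max_ttl and len(addrs) >= min_ips and len(prefixes) >= min_prefixes:
            flagged[qname] = sorted(addrs)
    return flagged


def flux_graph(flagged, flows):
    """Node sets as drawn on the slide: oval = domain, diamond = bots, square = hosts seen with the bots."""
    graph = {}
    for qname, bots in flagged.items():
        bot_set = set(bots)
        contacted = sorted({src for src, dst in flows if dst in bot_set})
        graph[qname] = {"bots": bots, "contacted": contacted}
    return graph
```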



Joint Capability Development SIGINT / ITS - Cyber Threat Detection

Scanning Detection - LODESTONE



Speaker notes:

- Added the health and status of Government network bullet
- Removed '4th party' and instead mention how it enhances our repositories (will introduce 4th party here)
