TOP SECRET STRAP 2

Automated NOC Detection
Head of GCHQ NAC; Senior Network Analyst, CSEC NAC

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306 (non-sec) or email infoleg@gchq

Challenge
• SDC 2009 – Challenged the Network Analysis community to automate the detection of Network Operations Centres

Phase 1: Intelligent Router Configuration File Parsing
• Routers have numerous services running on them that help identify the NOC IP ranges:
  – SSH
  – TELNET/VTY
  – SNMP
  – SYSLOG
  – DNS
  – TACACS
  – RADIUS
• Access to these services tends to be locked down by the use of Access Control Lists (ACLs)
• Configuration files provide details of how services are configured.

NOCTURNAL SURGE
• GCHQ response to the challenge.
• Early prototype that looks only at:
  – ACLs for SSH/TELNET
  – ACLs for VTY

NOCTURNAL SURGE SCREEN SHOT 1
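The Phase 1 idea above rests on one observation: a router's configuration names the management services it runs and the ACLs that decide which source addresses may reach them, so the permitted ranges reveal where the operators sit. The same parsing is what a network owner should run against their own configurations to see how exposed the management plane is. The following Python is an added example written for this page; it is not NOCTURNAL SURGE or any GCHQ/CSEC code. It assumes a Cisco IOS-style configuration with numbered standard ACLs, `line vty` blocks using `access-class`, and `snmp-server community` lines; the configuration it parses is constructed for the example, and the address ranges in it are documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a Cisco IOS-style configuration (assumption: not from any real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit host 198.51.100.7
access-list 10 deny   any
!
access-list 20 permit any
!
snmp-server community s3cr3t RO 10
snmp-server community public RO
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 access-class 20 in
 transport input telnet
!
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(.+)$")
SNMP_RE = re.compile(r"^snmp-server community \S+ (RO|RW)(?: (\d+))?$")


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair to a network (assumes a contiguous wildcard)."""
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # wildcard is the inverted netmask
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(inverted)}", strict=False)


def parse_acls(config):
    """Return {acl_number: [(action, IPv4Network or 'any'), ...]} for numbered standard ACLs."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        number, action, rest = m.groups()
        parts = rest.split()
        if parts[0] == "any":
            entry = "any"
        elif parts[0] == "host":
            entry = ipaddress.IPv4Network(parts[1] + "/32")
        elif len(parts) == 2:
            entry = wildcard_to_network(parts[0], parts[1])
        else:
            entry = ipaddress.IPv4Network(parts[0] + "/32")  # bare address means a single host
        acls[number].append((action, entry))
    return dict(acls)


def parse_vty_lines(config):
    """Collect each 'line vty' block with its access-class ACL and allowed transports."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = {"line": raw.strip(), "access_class": None, "transport": None}
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            sub = raw.strip()
            if sub.startswith("access-class"):
                current["access_class"] = sub.split()[1]
            elif sub.startswith("transport input"):
                current["transport"] = sub.split()[2:]
        else:
            current = None  # '!' or a top-level command ends the block
    return blocks


def parse_snmp(config):
    """Record SNMP community mode and ACL; the community string itself is deliberately not kept."""
    return [{"mode": m.group(1), "acl": m.group(2)}
            for m in (SNMP_RE.match(l.strip()) for l in config.splitlines()) if m]


def audit_management_plane(config):
    """List which source networks may reach each management service and flag weak settings."""
    acls = parse_acls(config)

    def permitted_sources(acl_number):
        if acl_number is None:
            return ["(no ACL: reachable from anywhere)"]
        if acl_number not in acls:
            return [f"(ACL {acl_number} referenced but not defined)"]
        return [str(net) for action, net in acls[acl_number] if action == "permit"]

    findings = []
    for vty in parse_vty_lines(config):
        transports = "/".join(vty["transport"] or ["default"])
        findings.append({"service": f"{vty['line']} ({transports})",
                         "permitted": permitted_sources(vty["access_class"])})
    for i, snmp in enumerate(parse_snmp(config), start=1):
        findings.append({"service": f"snmp community #{i} ({snmp['mode']})",
                         "permitted": permitted_sources(snmp["acl"])})
    for f in findings:
        # Weak: any source permitted, no ACL at all, or a dangling ACL reference to investigate.
        f["weak"] = any(p == "any" or p.startswith("(") for p in f["permitted"])
    return findings


if __name__ == "__main__":
    for finding in audit_management_plane(SAMPLE_CONFIG):
        flag = "WEAK" if finding["weak"] else "ok  "
        print(f"{flag} {finding['service']:<30} <- {', '.join(finding['permitted'])}")
```

On the sample, the SSH vty lines and the first SNMP community are reachable only from 192.0.2.0/24 and one host, while the telnet vty lines (`permit any`) and the ACL-less `public` community are flagged. Those two weak entries are exactly the configuration details that make a management range, or the whole device, visible to anyone who obtains the file; tightening them to the operators' actual source ranges is the corresponding mitigation.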
NOCTURNAL SURGE SNAPSHOT SLIDE 2

GCHQ / CSEC NAC Joint tradecraft development
• During March 2011 GCHQ analysts visited CSEC to look at using PENTAHO for tradecraft modelling, working with CSEC NAC and CSEC/H3 software developers to see if we could model NOCTURNAL SURGE in PENTAHO and then implement it in OLYMPIA.
• Only possible to attempt because:
  – GCHQ NAC use PENTAHO
  – CSEC NAC/H3 use PENTAHO
  – CSEC NAC have implemented the GCHQ NAC TIDAL SURGE database schema (DSD also have this)
• GCHQ approach based on AS
• CSEC approach based on Country

Pentaho - NOC Auto Detection

Phase 2: Intelligent use of Metadata
• We do not always get full configuration files to parse.
• Services between routers and NOCs run on IP/TCP/UDP
• We do create 5-TUPLE metadata from our collection
  – GCHQ have prototype database – 5-Alive
  – CSEC have database – HYPERION

SNMP Protocol

SNMP Protocol in 5-Alive

Further drill down on activity for identified IP

Phase 3: Intelligent use of TELNET traffic
• Again, we do not always get full configuration files. Phase 1 is based on full (or as near to full) configuration files
• GCHQ NAC collect TELNET sessions into TERMINAL SURGE
  – Collection based on TCP Port 23 (TELNET)
  – Other protocols use TCP Port 23 (YMSG)
• Interaction with routers over TCP Port 23 may be nefarious:
  – Scanning
  – Password guessing
• Need to separate legitimate use from nefarious activity
• Look for signs of legitimate use:
  – Successful login
  – Follow-on commands
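Phase 3 separates legitimate management sessions from scanning and password guessing by looking for a successful login and follow-on commands. The device owner can make the same separation from the router's own logs, which also avoids the ambiguity of port-23 traffic that is not TELNET at all. The Python below is an added example for this page, not GCHQ/CSEC code and not TERMINAL SURGE. It assumes Cisco IOS-style syslog output (`%SEC_LOGIN-5-LOGIN_SUCCESS`, `%SEC_LOGIN-4-LOGIN_FAILED`, `%SYS-5-CONFIG_I`); the log lines, hostnames, usernames and addresses are constructed for the example, and the guessing threshold of five failures is an arbitrary choice.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample syslog modelled on Cisco IOS login and config messages (assumption: not real logs).
SAMPLE_SYSLOG = """\
Mar  1 10:02:11 edge-rtr-1 101: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: nocops] [Source: 192.0.2.15] [localport: 23] at 10:02:11 UTC Tue Mar 1 2011
Mar  1 10:02:50 edge-rtr-1 102: %SYS-5-CONFIG_I: Configured from console by nocops on vty0 (192.0.2.15)
Mar  1 10:03:40 edge-rtr-1 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed] at 10:03:40 UTC Tue Mar 1 2011
Mar  1 10:03:41 edge-rtr-1 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed] at 10:03:41 UTC Tue Mar 1 2011
Mar  1 10:03:42 edge-rtr-1 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed] at 10:03:42 UTC Tue Mar 1 2011
Mar  1 10:03:43 edge-rtr-1 106: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: test] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed] at 10:03:43 UTC Tue Mar 1 2011
Mar  1 10:03:44 edge-rtr-1 107: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 203.0.113.9] [localport: 23] [Reason: Login Authentication Failed] at 10:03:44 UTC Tue Mar 1 2011
Mar  1 10:05:02 edge-rtr-1 108: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: nocops] [Source: 192.0.2.16] [localport: 22] at 10:05:02 UTC Tue Mar 1 2011
Mar  1 10:06:10 edge-rtr-1 109: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.30] [localport: 23] [Reason: Login Authentication Failed] at 10:06:10 UTC Tue Mar 1 2011
Mar  1 10:06:11 edge-rtr-1 110: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.30] [localport: 23] [Reason: Login Authentication Failed] at 10:06:11 UTC Tue Mar 1 2011
Mar  1 10:06:12 edge-rtr-1 111: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.30] [localport: 23] [Reason: Login Authentication Failed] at 10:06:12 UTC Tue Mar 1 2011
Mar  1 10:06:13 edge-rtr-1 112: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.30] [localport: 23] [Reason: Login Authentication Failed] at 10:06:13 UTC Tue Mar 1 2011
Mar  1 10:06:14 edge-rtr-1 113: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.30] [localport: 23] [Reason: Login Authentication Failed] at 10:06:14 UTC Tue Mar 1 2011
Mar  1 10:06:20 edge-rtr-1 114: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 198.51.100.30] [localport: 23] at 10:06:20 UTC Tue Mar 1 2011
"""

SUCCESS_RE = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS: .*\[user: ([^\]]*)\] \[Source: ([\d.]+)\] \[localport: (\d+)\]")
FAILED_RE = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED: .*\[user: ([^\]]*)\] \[Source: ([\d.]+)\] \[localport: (\d+)\]")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from \S+ by (\S+) on \S+ \(([\d.]+)\)")


@dataclass
class SourceActivity:
    """Per-source tally of the Phase 3 signals: logins, failures, follow-on (config) commands."""
    successes: int = 0
    failures: int = 0
    follow_on: int = 0
    ports: set = field(default_factory=set)
    users: set = field(default_factory=set)


def summarise(lines):
    """Fold syslog lines into a SourceActivity per source address."""
    acts = defaultdict(SourceActivity)
    for line in lines:
        if m := SUCCESS_RE.search(line):
            user, src, port = m.groups()
            acts[src].successes += 1
            acts[src].ports.add(int(port))
            acts[src].users.add(user)
        elif m := FAILED_RE.search(line):
            user, src, port = m.groups()
            acts[src].failures += 1
            acts[src].ports.add(int(port))
            acts[src].users.add(user)
        elif m := CONFIG_RE.search(line):
            user, src = m.groups()
            acts[src].follow_on += 1
            acts[src].users.add(user)
    return acts


def classify(activity, guess_threshold=5):
    """Label a source by the same evidence the slide names: successful login plus follow-on commands."""
    if activity.failures >= guess_threshold and activity.successes == 0:
        return "password-guessing"
    if activity.failures >= guess_threshold:
        return "guessing-then-success"  # a burst of failures then a login: investigate the credential
    if activity.successes and activity.follow_on:
        return "management-host"        # logged in and issued commands: a legitimate operator terminal
    if activity.successes:
        return "logged-in-no-activity"  # login seen but no follow-on evidence yet
    return "unclassified"


def classify_sources(lines, guess_threshold=5):
    """Return {source_ip: label} for every source that appears in the log."""
    return {src: classify(act, guess_threshold) for src, act in summarise(lines).items()}


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_SYSLOG.splitlines()).items()):
        print(f"{src:<16} {label}")
```

On the sample, 192.0.2.15 logs in and then changes configuration, so it is the kind of management terminal the slide infers; 203.0.113.9 cycles through default usernames and never succeeds, which is password guessing to alert on; and 198.51.100.30 succeeds after five failures, the case a defender most wants escalated. A successful-login-only source such as 192.0.2.16 is left at a lower confidence until follow-on activity is seen, mirroring the slide's two-part test.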
From TCP Port 23 (Echo)

To TCP Port 23

Intelligent analysis of TELNET traffic
• The fact that login was successful for both examples means the following:
  – From TCP Port 23
    • To IP address is a Network Management Terminal (in the NOC?)
  – To TCP Port 23
    • From IP address is a Network Management Terminal (in the NOC?)

Phase 4: Bulk Port Scanning
• We know the key services/servers running in the NOC
• Utilise HACIENDA, GCHQ's bulk port scanning capability, to identify which IPs have these service ports open
  – additional logic to build up confidence required.

Fusion of sources
• Aim is to bring all sources that help identify NOC IP ranges together with associated confidence.
• Different techniques provide different results due to the nature of passive access (international vs in-country, for instance)
• Different techniques have different levels of reliability – therefore looking to develop aggregation with an overlay of smart intelligence.
• Solution can work on not just ISP NOCs but also Mobile OMCs.
And then… enabling CNE on NOCs
• We now have IP ranges – need selectors of NOC staff to enable QUANTUM INSERT attack against them.
• Use of GCHQ TDI capability to identify selectors coming out of IP ranges and/or identification of proxy/NAT within NOC range.

NOC IP range search in MUTANT BROTH

NOC IP range – Target identifiers for QUANTUM INSERT

Real-time picture of QI

Questions?