TOP SECRET//COMINT//REL TO USA, FVEY

OSINT FUSION PROJECT
Lockheed Martin Intelligence

Traditional OSINT
- Traditional OSINT is mostly from mainstream news, compiled summaries, and information put out by vendors.
- Good for situational awareness
- Some excellent analysis on attacks and exploits
- Information can be days or weeks old
- Doesn't normally contain strong selectors

Research Objectives
- To compile OSINT information that enables CNO operations analysis:
  - Emerging threats
  - Situational awareness
  - Identification of the following:
    - Victims
    - Capabilities
    - Adversaries
    - Infrastructure

Research Objectives
- To identify strong selectors and unique strings from OSINT that can be used within SIGINT:
  - To build XKEYSCORE fingerprints to identify an adversary's capabilities being used within SIGINT collection
  - To identify and task adversaries and their infrastructure within SIGINT
  - To identify victims for 4th Party Collection opportunities

Hacker Forums
- A clever way to collect OSINT information from hacker forums: RSS feeds
  - Automated collection of new and historical posts
  - Allows quicker analysis of posts
  - Leaves no tracks on the forum, unlike AIRGAP
  - If enabled, can also get feeds from closed (login required) forums
  - Enables the analyst to prioritize other sites without RSS feeds for other access operations
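The RSS slide describes a procedure (poll the feed, keep history, analyse posts quickly) without showing it. The block below is an added example, not the OSINT Fusion Project's collector or any tool the slides name: it polls an RSS 2.0 feed, de-duplicates posts across polls by GUID, and pulls the kinds of strong selectors the Research Objectives slide asks for (MD5 hashes, IPs, URLs, e-mail addresses, domains) out of each post. The forum, feed text, addresses and hash are constructed for the example.

```python
"""Poll a hacker forum's RSS feed, de-duplicate posts across polls and
pull candidate strong selectors out of the post text.

Added example, not the OSINT Fusion Project's collector: the feed below
is constructed and the forum, addresses and hash in it are made up.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed RSS 2.0 feed standing in for a forum's feed export.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Example forum - bots and exploits</title>
<item><title>Slayer v1.2 released</title>
<link>http://forum.example.test/thread/101</link><guid>101</guid>
<pubDate>Mon, 18 May 2009 10:00:00 GMT</pubDate>
<description>Fixed bugs, added keylogging. Bots check in to
upd.example.test:6667, loader md5 d41d8cd98f00b204e9800998ecf8427e.
Contact slayer@example.test</description></item>
<item><title>Exploit System bundle</title>
<link>http://forum.example.test/thread/102</link><guid>102</guid>
<pubDate>Mon, 18 May 2009 11:30:00 GMT</pubDate>
<description>Drop at http://203.0.113.5/ldr.exe - IE6 and IE7 supported.</description></item>
</channel></rss>"""

# Selector patterns, ordered so URLs and e-mails are cut out of the text
# before the looser domain pattern runs (else 'ldr.exe' inside a URL and
# the host part of an e-mail address would be reported as domains).
PATTERNS = {
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"""\bhttps?://[^\s<>"']+"""),
    "email": re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}\b"),
    "domain": re.compile(r"\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b"),
}


def _valid_ipv4(s):
    return all(int(octet) <= 255 for octet in s.split("."))


def extract_selectors(text):
    """Return {kind: sorted values} for every selector kind found in text."""
    found = {}
    remaining = text
    for kind, rx in PATTERNS.items():
        if kind == "domain":
            values = set(rx.findall(remaining))  # URLs/e-mails already removed
        else:
            values = set(rx.findall(text))
            if kind == "ipv4":
                values = {v for v in values if _valid_ipv4(v)}
            if kind in ("url", "email"):
                remaining = rx.sub(" ", remaining)
        if values:
            found[kind] = sorted(values)
    return found


def parse_feed(xml_text):
    """Return the feed's items as dicts; GUID falls back to a hash of the text."""
    posts = []
    for item in ET.fromstring(xml_text).iter("item"):
        text = lambda tag: (item.findtext(tag) or "").strip()
        body = text("title") + "\n" + text("description")
        posts.append({
            "guid": text("guid") or hashlib.sha1(body.encode()).hexdigest(),
            "title": text("title"), "link": text("link"),
            "published": text("pubDate"), "text": body,
        })
    return posts


def collect(xml_text, seen):
    """One poll: parse, skip GUIDs already in `seen`, tag new posts with selectors.

    `seen` persists between polls, which is what turns a feed into a history
    of posts without ever touching the forum pages themselves.
    """
    new = []
    for post in parse_feed(xml_text):
        if post["guid"] in seen:
            continue
        seen.add(post["guid"])
        post["selectors"] = extract_selectors(post["text"])
        new.append(post)
    return new


if __name__ == "__main__":
    seen = set()
    for post in collect(SAMPLE_FEED, seen):
        print(post["published"], post["title"], post["selectors"])
    print("second poll, new posts:", len(collect(SAMPLE_FEED, seen)))
```

The extracted selectors are candidates, not tasking: a domain or address quoted in a forum post may belong to a victim, a researcher or a joke, so each one still needs the analyst triage the slides describe before it becomes a fingerprint or a tasked selector.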
Hacker Forums
- Allows for the identification of:
  - Adversaries
    - Those who are building capabilities
    - Those who are selling capabilities
    - Those who are using the capabilities
    - Those who are selling information (cyber crime)
  - Capabilities
    - Profiling and understanding of emerging tactics, techniques, and procedures used by our adversaries
    - Identification of locations where capabilities can be obtained

Hacker Forums
[Screenshot: sample forum posts collected via RSS. They include a DDoS bot release note describing multitargeting (attacking each IP address attached to a domain, with the domain re-resolved every 15 minutes), a bot ("Slayer") release announcing fixed bugs, an added keylogging function, a better GUI and a flag system, an "Exploit System" bundle offered for sale with per-browser success percentages (Internet Explorer 5.5, 6 and 7, Firefox, Opera) and iframe-traffic pricing, and a "Zip of Death" thread. The zip bomb text reads, in part: "A zip bomb, also known as a Zip of Death, is a malicious archive file designed to crash or render useless the program or system reading it. It is often used by virus writers to disable antivirus software so that a more traditional virus sent afterwards could get into the system undetected. A zip bomb is usually a small file (up to a few hundred kilobytes) for ease of transport and to avoid suspicion. However, when the file is unpacked its contents are more than the system can handle. You can make your own zip bomb to [...] your friends or just out of curiosity to experiment with it. Make sure you don't [...] detonate it on [...]".]

Hacker Forums
[Screenshot: automated malware analysis report for a sample posted on a forum. It lists the host name the sample requested from a host database, a registered attempt to establish a connection with a remote host (remote host and port shown), outbound traffic flagged as potentially malicious, and an "Attention!" notice about a new connection.]

Hacker Forums
[Screenshot: forum post explaining how to take over someone else's IRC botnet channel. In part: "You need to be operator to set the topic. Default is [...] the bots; but if they have changed it, attach it with your bots and make sure that you are the first to join! If you happen to get into a channel with a ton of bots and the [owner] isn't there, change your nick to a bot name, or similar, and wait. They should type like .login [...] when you do the same! haha. Type .login {password} then .update http[...]".]

Malicious Emails
- Leverage OSINT to identify the infrastructure and source of top virus email senders by IP address
  - Based on the Cisco IronPort view of 25-30% of the world's email
- Identifies infrastructure used by adversaries to deliver capability
- Allows SIGINT profiling of activity on the IP

Malicious Emails
[Screenshot: "virus by IP, last day" table listing the top virus-sending IP addresses with their daily volume, percentage change and owning organization (ISPs, hosting providers and telecoms in several countries). Individual rows are not legible in the extraction.]

Malicious Connections
- An effort to identify the latest emerging threats that are not yet detected by anti-virus or signatures
  - Malicious binary MD5 (track capability)
  - The adversaries' infrastructure that exploited systems connect to after being compromised
  - Traffic generated by compromised systems, used to build XKEYSCORE fingerprints

Malicious Connections
[Screenshot: MHS CND Connections Report, 18 May 2009. In part: "The following 'call home' IPs/domains should be considered [malicious] and connectivity to them should be investigated. Systems initiating a connection with [these] IPs/domains should be treated as compromised until [proven otherwise]." The entry shown gives the file size (108,032 bytes) and category ("trojan horse or bot that may represent risk for the compromised system and/or its network"), then the sandbox observations: the host name bf.burimehe.net was requested from a host database; a registered attempt to establish a connection with that remote host on a port whose number is not legible in the extraction; a new connection established with a remote IRC server; and the generated outbound IRC traffic, beginning with a "PASS hf" line followed by "HIDE" and "USER" lines.]
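The report slide shows the raw material for the "traffic generated by compromised systems" bullet: a sandbox captures the bot's IRC registration (server password, nick, USER line, channel and key) to a C2 on a non-standard port. The block below is an added example, not the MHS report's tooling and not XKEYSCORE fingerprint syntax: it turns such a captured check-in into a fingerprint and runs it over session records. The C2 name, port, nicks, channel and sessions are constructed; only the idea (sandbox-observed check-in becomes a pattern applied to collection) comes from the slides.

```python
"""Build a traffic fingerprint from a sandbox-observed bot check-in and
run it over session logs.

Added example, not from the MHS report or XKEYSCORE: the C2 name, port,
nicks and sessions below are constructed.
"""
import re
from collections import namedtuple

Session = namedtuple("Session", "src dst dport payload")

# Constructed stand-in for the "generated outbound IRC traffic" a sandbox
# report lists for a sample.
SAMPLE_PAYLOAD = (
    "PASS hf\r\n"
    "NICK [USA|XP]-4821\r\n"
    "USER xp 0 0 :xp\r\n"
    "JOIN #hf hidekey\r\n"
)


def irc_login(payload):
    """Pull the IRC registration commands out of a client payload.

    Returns {"password","nick","user","channel","key"} or None when the
    payload is not an IRC registration (no NICK/USER/JOIN sequence).
    """
    seen = {}
    for line in payload.splitlines():
        parts = line.strip().split()
        if len(parts) < 2:
            continue
        verb = parts[0].upper()
        if verb in ("PASS", "NICK", "USER", "JOIN") and verb not in seen:
            seen[verb] = parts[1:]
    if not all(v in seen for v in ("NICK", "USER", "JOIN")):
        return None
    join = seen["JOIN"]
    return {
        "password": seen["PASS"][0] if "PASS" in seen else None,
        "nick": seen["NICK"][0],
        "user": seen["USER"][0],
        "channel": join[0],
        "key": join[1] if len(join) > 1 else None,
    }


def nick_pattern(nick):
    """Generalise a bot nick to its punctuation skeleton, e.g.
    '[USA|XP]-4821' -> '\\[[A-Za-z0-9]+\\|[A-Za-z0-9]+\\]\\-\\d+',
    so other bots of the same family (other country/OS/serial) match."""
    out = []
    for tok in re.findall(r"[A-Za-z0-9]+|.", nick):
        if tok.isdigit():
            out.append(r"\d+")
        elif tok.isalnum():
            out.append(r"[A-Za-z0-9]+")
        else:
            out.append(re.escape(tok))
    return "".join(out)


def fingerprint_from_sample(payload, c2_host, c2_port):
    login = irc_login(payload)
    if login is None:
        raise ValueError("sample payload is not an IRC registration")
    return {
        "c2_host": c2_host, "c2_port": c2_port,
        "password": login["password"], "channel": login["channel"],
        "key": login["key"], "nick_re": re.compile(nick_pattern(login["nick"])),
    }


def match_fingerprint(sessions, fp):
    """Return the sessions whose IRC registration matches the fingerprint.

    Match on what the bot binary hard-codes (server password, channel,
    channel key) plus the nick skeleton, and deliberately ignore the
    destination port: bots run IRC on arbitrary ports, so a port-6667 rule
    would miss the report's sample and its siblings.
    """
    hits = []
    for s in sessions:
        login = irc_login(s.payload)
        if login is None:
            continue
        if (login["password"] == fp["password"]
                and login["channel"] == fp["channel"]
                and login["key"] == fp["key"]
                and fp["nick_re"].fullmatch(login["nick"])):
            hits.append({"src": s.src, "dst": s.dst, "dport": s.dport,
                         "nick": login["nick"]})
    return hits


# Constructed session log: two infected hosts, a web hit, a normal IRC user.
SESSIONS = [
    Session("10.0.0.7", "198.51.100.23", 6244, SAMPLE_PAYLOAD),
    Session("10.0.0.9", "192.0.2.44", 80,
            "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Session("10.0.0.12", "198.51.100.23", 7000,
            "PASS hf\r\nNICK [DEU|2K]-0093\r\nUSER xp 0 0 :xp\r\nJOIN #hf hidekey\r\n"),
    Session("10.0.0.15", "192.0.2.10", 6667,
            "NICK alice\r\nUSER alice 0 * :Alice\r\nJOIN #python\r\n"),
]

if __name__ == "__main__":
    fp = fingerprint_from_sample(SAMPLE_PAYLOAD, "c2.example.test", 6244)
    for hit in match_fingerprint(SESSIONS, fp):
        print("compromised:", hit)
```

The fingerprint keys on the bot's own constants rather than on the C2 address, which is the point of the "not yet detected by signatures" bullet: when the herder moves the server, the password, channel and nick format usually survive the move while an IP or domain indicator goes stale.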
Malicious Connections
- NTOC signatures for sensors, and the consumers of the Malicious Connections work:
  - BLUESASH
  - TUTELAGE (TURBULENCE Defensive)
  - CROSSBONES
  - NSA TAO
  - GCHQ CNE: Counter-CNE Ops
  - MHS NDIST: 4th Party Collection
  - JCMA: Cyber Customer-focused CND
  - GOVCERT UK: UK Government CND

Malicious Connections
- The following statistics show the number of NTOC DNS alerts that were an exact match for a malicious connection reported in the Malicious Connections Report.

  Date       Total DNS Alerts   Exact MCR Match   Percentage
  (14 daily rows, 4/29/09 to 5/14/09; the per-row counts are not legible in the extraction)
  Overall                                         59.7%

Malicious Connections
- Government email addresses passed to an exploit server: 17 email accounts
- Discovered using an MHS-developed XKEYSCORE fingerprint that was written to identify a malicious connection while searching for MENA 4th Party Collection opportunities.

ShadowServer Data
- Sinkhole HTTP Drone Report
  - All the IP addresses that joined the sinkhole server that did not join via a referral URL. Since the sinkhole server is only reached through previously malicious domain names, only infected systems are in the report.
  - Victims / Infrastructure / Command strings

ShadowServer Data
- Sandbox URL Report
  - These are URLs that were accessed by malware.
  - Binary MD5 hashes / Infrastructure / HTTP command strings
- Botnet Drone Report
  - All the IP addresses that were seen joining a known botnet command and control server.
  - Victims / Infrastructure
  - 25 US Government (Federal, State, Local) systems communicating with botnets between 5-7 June 2009
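Two of the slides above are really the same operation from opposite ends: the DNS-alert table counts how many sensor alerts exactly match a domain from the Malicious Connections Report, and the Sinkhole HTTP Drone Report keeps only sinkhole clients that arrived without a referral URL. The block below is an added example, not NTOC's or ShadowServer's tooling: one function computes the per-day and overall exact-match percentage the table shows, the other filters a sinkhole web log down to drones and their command strings. The report domains, alert lines and log lines are constructed.

```python
"""Match DNS alerts against a Malicious Connections Report by exact domain
match (per-day percentage), and filter a sinkhole HTTP log to drones.

Added example, not NTOC's or ShadowServer's code: report domains, alert
lines and log lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed: call-home domains taken from a Malicious Connections Report.
MCR_DOMAINS = {"c2.example.test", "upd.example.test", "bf.example.test"}

# Constructed DNS alert lines: date, source host, queried name.  Note the
# mixed case and trailing dot on the first one; "exact match" only works
# after both sides are normalised the same way.
DNS_ALERTS = """\
2009-05-13 10.0.0.7 C2.EXAMPLE.TEST.
2009-05-13 10.0.0.9 www.example.test
2009-05-13 10.0.0.12 upd.example.test
2009-05-14 10.0.0.7 c2.example.test
2009-05-14 10.0.0.20 mail.example.test
2009-05-14 10.0.0.21 evil.other.test
"""


def normalise(name):
    return name.rstrip(".").lower()


def exact_match_stats(alert_text, report_domains):
    """Return ([(day, total, exact_matches, pct), ...], overall_pct)."""
    per_day = defaultdict(lambda: [0, 0])
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        day, _src, qname = line.split()
        per_day[day][0] += 1
        if normalise(qname) in report_domains:
            per_day[day][1] += 1
    rows, total, hits = [], 0, 0
    for day in sorted(per_day):
        t, h = per_day[day]
        rows.append((day, t, h, round(100.0 * h / t, 1)))
        total += t
        hits += h
    overall = round(100.0 * hits / total, 1) if total else 0.0
    return rows, overall


# Constructed sinkhole web log (combined log format).  The sinkhole only
# answers for formerly malicious names, so a request with no Referer is a
# bot checking in, while a referred request is a person following a link.
SINKHOLE_LOG = """\
203.0.113.8 - - [13/May/2009:10:01:02 +0000] "GET /gate.php?id=4821&os=xp HTTP/1.1" 200 2 "-" "Mozilla/4.0"
203.0.113.9 - - [13/May/2009:10:02:15 +0000] "GET / HTTP/1.1" 200 2 "http://blog.example.test/post" "Mozilla/5.0"
198.51.100.77 - - [13/May/2009:10:05:40 +0000] "POST /cmd HTTP/1.1" 200 2 "-" "Mozilla/4.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \d+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')


def sinkhole_drones(log_text):
    """Sinkhole HTTP Drone Report: clients with no referral URL, with the
    command string (method and path) each one sent."""
    drones = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("ref") not in ("", "-"):
            continue  # arrived via a link on some page, not a bot check-in
        method, path, _version = m.group("req").split(" ", 2)
        drones.append({"ip": m.group("ip"), "ts": m.group("ts"),
                       "command": f"{method} {path}", "ua": m.group("ua")})
    return drones


if __name__ == "__main__":
    for row in exact_match_stats(DNS_ALERTS, MCR_DOMAINS)[0]:
        print(*row)
    for d in sinkhole_drones(SINKHOLE_LOG):
        print(d["ip"], d["command"])
```

The command strings (here the query in `/gate.php?id=...&os=...`) are what the slide lists under "Command strings": they identify the bot family and often carry a victim identifier, so they are worth keeping alongside the IP even when the sinkhole returns nothing useful.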
ShadowServer Data
- Botnet URL Report
  - Any URL that was seen in a botnet channel is reported. The URL could be an update, a complaint, or information related to the criminals. Everything is included in case there is something of value in the URL.
  - Infrastructure / Capabilities / HTTP command strings
- DDoS Report
  - Any attack is reported, whether the country is the target or the source of the attack.
  - Victims / Infrastructure / Capabilities

State Sponsored
- Example 1 (FBI CN intrusion set)
  - Identified a MALWARE report for a known domain. Found another binary which was an exact match, which revealed a domain previously unassociated with this intrusion set, 9 months before the first known activity of this intrusion set.
  - Infrastructure / Registration timeline / MD5 hash

State Sponsored
- Example 2 (JTF-GNO CN intrusion set)
  - 6 different reports noted the use of a specific Chinese-developed standalone web server software package. Identified 3 new binaries in OSINT malware research that also used this exact software package.
  - 3 new domains (infrastructure, registration timeline, MD5 hashes)

State Sponsored
- Example 3 (NSA CN intrusion set)
  - Identified 2 binaries in OSINT that matched those called out in a report, with their associated malware analysis and MD5 hashes.

Collaboration

Questions?
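The three State Sponsored examples above all make the same move: start from what is already attributed to an intrusion set (a domain, a hash, a tool artifact), find OSINT malware reports that share it, and follow the shared element out to infrastructure nobody had attributed yet, then check the new domain's registration date against the set's first known activity. The block below is an added closing example, not the FBI, JTF-GNO or NSA workflow: it implements the hash pivot of Example 1 and the shared-artifact pivot of Example 2 over a small constructed report set, plus the registration-lead calculation. The reports, hashes, domains, the "WebSrvX/1.0" server banner and the WHOIS dates are all constructed.

```python
"""Pivot from a known intrusion set through OSINT malware reports to new
infrastructure, and check registration dates against the set's first known
activity.

Added example, not the FBI/JTF-GNO/NSA workflow: reports, hashes, domains,
the 'WebSrvX/1.0' banner and the WHOIS dates below are constructed.
"""
from datetime import date

MD5_A = "a" * 31 + "1"   # constructed hashes, one per sample
MD5_B = "a" * 31 + "2"
MD5_C = "a" * 31 + "3"
MD5_D = "a" * 31 + "4"

# Constructed OSINT malware reports: one row per (report source, sample).
# MD5_A appears in two reports, each naming a different contacted domain.
REPORTS = [
    {"source": "vendor", "md5": MD5_A, "domains": ["cc1.example.test"],
     "strings": ["WebSrvX/1.0"]},
    {"source": "sandbox", "md5": MD5_A, "domains": ["alt.example.test"],
     "strings": ["WebSrvX/1.0"]},
    {"source": "sandbox", "md5": MD5_B, "domains": ["news.example.test"],
     "strings": ["WebSrvX/1.0"]},
    {"source": "vendor", "md5": MD5_C, "domains": ["update.example.test"],
     "strings": ["Apache/2.2"]},
    {"source": "cert", "md5": MD5_D, "domains": ["cc1.example.test"],
     "strings": []},
]
KNOWN_DOMAINS = {"cc1.example.test"}       # what the set is attributed so far
FIRST_ACTIVITY = date(2009, 1, 15)         # first known activity of the set
WHOIS_CREATED = {                          # constructed registration dates
    "cc1.example.test": date(2008, 12, 1),
    "alt.example.test": date(2008, 4, 10),
    "news.example.test": date(2009, 3, 2),
    "update.example.test": date(2007, 1, 1),
}


def _domains_of(reports, hashes, known_domains):
    """Every domain contacted by any of `hashes`, in any report, minus the known ones."""
    new = set()
    for r in reports:
        if r["md5"] in hashes:
            new |= set(r["domains"]) - known_domains
    return new


def pivot_by_hash(reports, known_domains):
    """Example 1 pattern: binaries tied to a known domain (same MD5, across
    every report) -> the other domains those same binaries contact."""
    hashes = {r["md5"] for r in reports if set(r["domains"]) & known_domains}
    return hashes, _domains_of(reports, hashes, known_domains)


def pivot_by_artifact(reports, artifact, known_domains):
    """Example 2 pattern: a tool artifact reported for the set (here a web
    server banner string) -> other binaries carrying it -> their domains."""
    hashes = {r["md5"] for r in reports if artifact in r["strings"]}
    return hashes, _domains_of(reports, hashes, known_domains)


def registration_lead(domains, whois_created, first_activity):
    """Days each domain was registered before the set's first known activity
    (negative: registered after it). Domains with no WHOIS date are left out."""
    return {d: (first_activity - whois_created[d]).days
            for d in domains if d in whois_created}


if __name__ == "__main__":
    hashes, new = pivot_by_hash(REPORTS, KNOWN_DOMAINS)
    print("hash pivot:", sorted(new), registration_lead(new, WHOIS_CREATED, FIRST_ACTIVITY))
    hashes, new = pivot_by_artifact(REPORTS, "WebSrvX/1.0", KNOWN_DOMAINS)
    print("artifact pivot:", sorted(new), registration_lead(new, WHOIS_CREATED, FIRST_ACTIVITY))
```

The artifact pivot is the weaker of the two and needs the check the slides imply with "6 different reports": a banner or library string shared by three samples is only evidence of a common toolkit, so a domain reached this way stays a lead until a hash match, a registration pattern or overlapping victims ties it to the set.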