088 2011 REDACT

Date post: 02-Jun-2018
8/10/2019 088 2011 REDACT

Slide 1/25: Automated NOC Detection

TOP SECRET STRAP 2

This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306 (non-sec) or email infoleg@gchq

[name redacted], Head of GCHQ NAC
[name redacted], Senior Network Analyst, CSEC NAC

Slide 2/25: Challenge

SDC 2009 challenged the Network Analysis community to automate the detection of Network Operations Centres (NOCs).

Slide 3/25: Phase 1: Intelligent Router Configuration File Parsing

Routers have numerous services running on them that help identify the NOC IP ranges:

- SSH
- TELNET/VTY
- SNMP
- DNS
- TACACS
- RADIUS

Access to these services tends to be locked down by the use of Access Control Lists (ACLs).

Configuration files provide details of how services are configured.
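An added example, not from the slides, showing what the Phase 1 parsing amounts to from the network owner's side: a Cisco IOS-style configuration is parsed to list which source networks each access-class admits to the VTY lines, so a defender can confirm that only the intended management range reaches SSH/Telnet. The config fragment, ACL name and addresses are constructed; only named standard ACLs and `line vty` blocks are handled.

```python
import ipaddress
import re  # SAMPLE_CONFIG below is a constructed Cisco IOS-style fragment, not from the slides
SAMPLE_CONFIG = """\
ip access-list standard MGMT
 permit 203.0.113.0 0.0.0.127
 permit host 198.51.100.7
line vty 0 4
 access-class MGMT in
 transport input ssh telnet
line vty 5 15
 transport input ssh
"""

def _source(text):  # standard-ACL source: 'any', 'host A', 'A wildcard' or bare 'A' -> IPv4Network
    parts = text.split() + ["0.0.0.0"]  # pad so a bare address gets a zero (host) wildcard
    if parts[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, wildcard = (parts[1], "0.0.0.0") if parts[0] == "host" else parts[:2]
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def parse_config(config):
    acls, vtys, acl, vty = {}, [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # an unindented statement opens a new context
            acl = vty = None
            if m := re.match(r"ip access-list standard (\S+)$", line):
                acl = acls.setdefault(m.group(1), [])
            elif m := re.match(r"line (vty \d+ \d+)$", line):
                vty = {"lines": m.group(1), "access_class": None, "transports": []}
                vtys.append(vty)
        elif acl is not None and (m := re.match(r"(permit|deny)\s+(.+)", line)):
            acl.append((m.group(1), _source(m.group(2))))
        elif vty is not None and (m := re.match(r"access-class (\S+) in", line)):
            vty["access_class"] = m.group(1)
        elif vty is not None and (m := re.match(r"transport input (.+)", line)):
            vty["transports"] = m.group(1).split()
    return acls, vtys

def audit_vty(config):
    """Per VTY block: admitted source networks and the two exposures a defender checks first."""
    acls, vtys = parse_config(config)
    report = []
    for v in vtys:  # a missing or undefined access-class admits every source, as IOS does
        entries = acls.get(v["access_class"], [("permit", ipaddress.IPv4Network("0.0.0.0/0"))])
        admitted = [str(n) for act, n in entries if act == "permit"]
        report.append({"lines": v["lines"], "admitted": admitted,
                       "open_to_any": "0.0.0.0/0" in admitted,      # no effective ACL
                       "telnet": "telnet" in v["transports"]})       # cleartext logins on TCP/23
    return report
```

Run `audit_vty(SAMPLE_CONFIG)` to get one entry per VTY group; `vty 5 15` is reported open to any source because it carries no access-class.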

Slide 4/25: NOCTURNAL SURGE

GCHQ response to the challenge. Early prototype that looks at only:

- ACLs for SSH/TELNET
- ACLs for VTY

Slide 5/25: NOCTURNAL SURGE

(Screen shot 1: image slide, no text extracted)

Slide 6/25: NOCTURNAL SURGE

(Snapshot slide 2: image slide, no text extracted)

Slides 7/25 and 8/25: image slides, no text extracted

Slide 9/25: GCHQ / CSEC NAC Joint tradecraft development

During March 2011 GCHQ analysts visited CSEC to look at using PENTAHO for tradecraft modelling, working with CSEC NAC and CSEC/H3 software developers to see if NOCTURNAL SURGE could be modelled in PENTAHO and then implemented in OLYMPIA.

Only possible to attempt because:

- GCHQ NAC use PENTAHO
- CSEC NAC/H3 use PENTAHO
- CSEC NAC have implemented the GCHQ NAC TIDAL SURGE database schema (DSD also have this)

GCHQ approach based on AS.
CSEC approach based on Country.

Slide 10/25: Pentaho - NOC Auto Detection

(image slide, no text extracted)

Slide 11/25: Phase 2: Intelligent use of Metadata

We do not always get full configuration files to parse. Services between routers and NOCs run on IP/TCP/UDP. We do create 5-TUPLE metadata from our collection.

GCHQ have a prototype database, 5-Alive. CSEC have a database, HYPERION.

Slide 12/25: SNMP Protocol

(image slide, no text extracted)

Slide 13/25: SNMP Protocol in 5-Alive

(image slide, no text extracted)

Slide 14/25: no text extracted

Slide 15/25: Phase 3: Intelligent use of TELNET traffic

Again, we do not always get full configuration files. Phase 1 is based on full (or as near to full) configuration files.

GCHQ NAC collect TELNET sessions into TERMINAL SURGE. Collection is based on TCP Port 23 (TELNET); other protocols also use TCP Port 23 (YMSG).

Interaction with routers over port 23 may be nefarious:

- Scanning
- Password guessing

Need to separate legitimate use from nefarious activity. Look for signs of legitimate use:

- Successful login
- Follow-on commands

Slide 16/25: From TCP Port 23 (Echo)

(image slide, no text extracted)

Slide 17/25: no text extracted

Slide 18/25: Intelligent analysis of TELNET traffic

The fact that login was successful for both examples means the following:

- From TCP Port 23: the To IP address is a Network Management Terminal (in the NOC?)
- To TCP Port 23: the From IP address is a Network Management Terminal (in the NOC?)
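An added example, not from the slides, of the separation that slides 15 and 18 describe, written as a defender's detection over TCP/23 session summaries: each session is labelled as scanning, password guessing, or a successful login with follow-on commands, and per-source alerts are raised for guessing, scanning across several devices, and successful logins from outside the expected management range. The session records, addresses and expected range are constructed, and the record fields assume a collector that already notes Telnet negotiation, login outcome and commands.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed TCP/23 session summaries (not from the slides); fields assume a collector that
# records whether Telnet option negotiation was seen, login failures/success and commands.
SESSIONS = [
    {"src": "203.0.113.5",   "dst": "192.0.2.1", "telnet": True,  "fails": 0, "login_ok": True,  "cmds": ["show ip int brief", "show run"]},
    {"src": "203.0.113.5",   "dst": "192.0.2.2", "telnet": True,  "fails": 1, "login_ok": True,  "cmds": ["show version"]},
    {"src": "198.51.100.9",  "dst": "192.0.2.1", "telnet": True,  "fails": 6, "login_ok": False, "cmds": []},
    {"src": "198.51.100.9",  "dst": "192.0.2.2", "telnet": True,  "fails": 5, "login_ok": False, "cmds": []},
    {"src": "198.51.100.9",  "dst": "192.0.2.3", "telnet": True,  "fails": 7, "login_ok": False, "cmds": []},
    {"src": "198.51.100.20", "dst": "192.0.2.1", "telnet": True,  "fails": 0, "login_ok": False, "cmds": []},
    {"src": "198.51.100.20", "dst": "192.0.2.2", "telnet": True,  "fails": 0, "login_ok": False, "cmds": []},
    {"src": "203.0.113.77",  "dst": "192.0.2.9", "telnet": False, "fails": 0, "login_ok": False, "cmds": []},  # e.g. YMSG on 23
    {"src": "203.0.113.200", "dst": "192.0.2.1", "telnet": True,  "fails": 0, "login_ok": True,  "cmds": ["show run"]},
]
GUESS_THRESHOLD = 3  # failed logins within one session before it counts as password guessing

def classify(s):
    """Label one TCP/23 session: legitimate use shows a successful login and follow-on commands."""
    if not s["telnet"]:
        return "not-telnet"      # port 23 carries other protocols too; do not score them
    if s["login_ok"]:
        return "admin-session" if s["cmds"] else "login-only"
    if s["fails"] >= GUESS_THRESHOLD:
        return "password-guessing"
    return "scan" if s["fails"] == 0 else "failed-login"   # connect with no login attempt = probe

def summarise(sessions, expected_admin):
    """Per-source alerts: guessing, scanning across hosts, or a successful login from outside
    expected_admin (the networks that are supposed to administer the devices)."""
    expected = [ipaddress.ip_network(n) for n in expected_admin]
    labels, hosts = defaultdict(Counter), defaultdict(set)
    for s in sessions:
        labels[s["src"]][classify(s)] += 1
        hosts[s["src"]].add(s["dst"])
    alerts = {}
    for src, c in labels.items():
        inside = any(ipaddress.ip_address(src) in net for net in expected)
        if c["password-guessing"]:
            alerts[src] = "password guessing"
        elif c["scan"] and len(hosts[src]) >= 2:
            alerts[src] = "scanning"
        elif (c["admin-session"] or c["login-only"]) and not inside:
            alerts[src] = "successful login from outside management range"
    return alerts
```

`summarise(SESSIONS, ["203.0.113.0/25"])` flags the guessing and scanning sources and the login from 203.0.113.200, while the sessions from 203.0.113.5 pass as expected administration.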

Slide 19/25: Phase 4: Bulk Port Scanning

We know the key services/servers running in the NOC. Utilise HACIENDA, GCHQ's bulk port scanning capability, to identify what IPs have these service ports open; additional logic is required to build up confidence.

Slide 20/25: no text extracted

Slide 21/25: And then... enabling CNE on NOCs

We now have IP ranges; we need selectors of NOC staff to enable a QUANTUM INSERT attack against them.

Use of GCHQ TDI capability to identify selectors coming out of the IP ranges and/or identification of proxy/NAT within the NOC range.

Slide 22/25: NOC IP range search in MUTANT BROTH

(image slide, no text extracted)

Slide 23/25: NOC IP range Target identifiers for QUANTUM INSERT

(image slide, no text extracted)

Slide 24/25: no text extracted

Slide 25/25: Questions?

