GCHQ – Automated NOC detection (2011)
Dec. 13, 2014
TOP SECRET STRAP 2
Automated NOC Detection
[name redacted], Head of GCHQ NAC
[name redacted], Senior Network Analyst, CSEC NAC
This information is exempt from disclosure under the Freedom of Information Act 2000 and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306 (non-sec) or email infoleg@gchq
Challenge
• SDC 2009 – Challenged the Network Analysis community to automate the detection of Network Operations Centres
Phase 1: Intelligent Router Configuration File Parsing
• Routers have numerous services running on them that help identify the NOC IP ranges:
– SSH
– TELNET/VTY
– SNMP
– SYSLOG
– DNS
– TACACS
– RADIUS
• Access to these services tends to be locked down by the use of Access Control Lists (ACLs)
• Configuration files provide details of how services are configured.
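An added example of the Phase 1 idea in Python (not code from the deck or from NOCTURNAL SURGE): parse a constructed Cisco IOS-style configuration, pull the sources each management service trusts (VTY access-class, SNMP community ACL, syslog, DNS, TACACS and RADIUS server addresses) and rank the /24s those sources fall into by how many services corroborate them. Read from the operator's side, it shows what a single leaked configuration discloses about the management network; the config text, ACL numbers and function names are all assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Cisco IOS-style configuration fragment, made up for this example.
SAMPLE_CONFIG = """\
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit host 198.51.100.7
access-list 20 permit 192.0.2.0 0.0.0.255
snmp-server community example-community RO 20
logging host 192.0.2.50
ip name-server 192.0.2.53
tacacs-server host 192.0.2.10
radius-server host 192.0.2.11
line vty 0 4
 access-class 10 in
 transport input ssh
"""

ACL_LINE = re.compile(r"^access-list (\d+) permit (?:host (\S+)|(\S+) (\S+))$", re.M)
HOST_LINES = {  # services configured with a plain server address
    "SYSLOG": r"^logging host (\S+)", "DNS": r"^ip name-server (\S+)",
    "TACACS": r"^tacacs-server host (\S+)", "RADIUS": r"^radius-server host (\S+)",
}

def acl_networks(cfg):
    """Permitted source networks of each numbered standard ACL."""
    acls = defaultdict(list)
    for acl_id, host, addr, wildcard in ACL_LINE.findall(cfg):
        # ipaddress accepts a Cisco wildcard (host) mask in the second tuple slot
        net = ipaddress.IPv4Network(host) if host else ipaddress.IPv4Network((addr, wildcard))
        acls[acl_id].append(net)
    return acls

def management_sources(cfg):
    """Networks each management service is configured to talk to."""
    acls, found = acl_networks(cfg), defaultdict(set)
    for svc, pat in HOST_LINES.items():
        found[svc].update(ipaddress.IPv4Network(ip) for ip in re.findall(pat, cfg, re.M))
    for acl_id in re.findall(r"^snmp-server community \S+ R[OW] (\d+)", cfg, re.M):
        found["SNMP"].update(acls.get(acl_id, []))   # who may poll SNMP
    for acl_id in re.findall(r"^ access-class (\d+) in", cfg, re.M):
        found["VTY"].update(acls.get(acl_id, []))    # who may open SSH/TELNET
    return found

def corroborated_ranges(found):
    """Rank /24s by how many distinct services point into them."""
    votes = defaultdict(set)
    for svc, nets in found.items():
        for net in nets:
            key = net.supernet(new_prefix=24) if net.prefixlen > 24 else net
            votes[key].add(svc)
    return sorted(((str(n), len(s)) for n, s in votes.items()), key=lambda t: -t[1])
```

Run against a real configuration, a range that every service points into is the one an operator should expect to be inferred from any copy of the config that leaves the building.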
NOCTURNAL SURGE
• GCHQ response to challenge.
• Early Prototype that looks at only:
– ACLs for SSH/TELNET
– ACLs for VTY
NOCTURNAL SURGE: screen shot 1
NOCTURNAL SURGE: snapshot slide 2
GCHQ / CSEC NAC Joint tradecraft development
• During March 2011 GCHQ analysts visited CSEC to look at using PENTAHO for tradecraft modelling, working with CSEC NAC and CSEC/H3 software developers to see if NOCTURNAL SURGE could be modelled in PENTAHO and then implemented in OLYMPIA.
• Only possible to attempt because:
– GCHQ NAC use PENTAHO
– CSEC NAC/H3 use PENTAHO
– CSEC NAC have implemented the GCHQ NAC TIDAL SURGE database schema (DSD also have this)
• GCHQ approach based on AS (Autonomous System)
• CSEC approach based on Country
Pentaho - NOC Auto Detection
Phase 2: Intelligent use of Metadata
• We do not always get full configuration files to parse.
• Services between routers and NOCs run over IP/TCP/UDP.
• We do create 5-TUPLE metadata from our collection:
– GCHQ have a prototype database – 5-Alive
– CSEC have a database – HYPERION
SNMP Protocol
SNMP Protocol in 5-Alive
Further drill down on activity for identified IP
Phase 3: Intelligent use of TELNET traffic
• Again, we do not always get full configuration files. Phase 1 is based on full (or as near to full as possible) configuration files.
• GCHQ NAC collect TELNET sessions into TERMINAL SURGE
– Collection based on TCP Port 23 (TELNET)
– Other protocols also use TCP Port 23 (YMSG)
• Interaction with routers over TCP Port 23 may be nefarious:
– Scanning
– Password guessing
• Need to separate legitimate use from nefarious activity
• Look for signs of legitimate use:
– Successful login
– Follow-on commands
From TCP Port 23 (Echo)
To TCP Port 23
Intelligent analysis of TELNET traffic
• The fact that login was successful for both examples means the following:
– From TCP Port 23: the To IP address is the Network Management Terminal (in the NOC?)
– To TCP Port 23: the From IP address is the Network Management Terminal (in the NOC?)
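An added example in Python of the Phase 3 logic together with the direction rule on this slide (not the deck's or TERMINAL SURGE's code): for constructed TELNET session records it decides which end is the router from whether port 23 is the source or the destination, treats a prompt followed by a command as the sign of a successful login, and separates those terminals from repeated login failures (password guessing), bare connects (scanning) and YMSG traffic that merely shares the port. The transcripts, addresses, threshold and function names are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict

# Constructed session records (src, sport, dst, dport, router-side text),
# made up for this example; not collection data.
SESSIONS = [
    ("203.0.113.5", 51234, "192.0.2.1", 23,
     "User Access Verification\r\nPassword: \r\nrtr1>enable\r\nPassword: \r\nrtr1#show ip int brief\r\n"),
    ("192.0.2.2", 23, "203.0.113.9", 40001, "Password: \r\nrtr2>show version\r\nrtr2>exit\r\n"),
    ("198.51.100.77", 40002, "192.0.2.1", 23, "Password: \r\n% Bad passwords\r\n"),
    ("198.51.100.77", 40003, "192.0.2.2", 23, "Password: \r\n% Bad passwords\r\n"),
    ("198.51.100.77", 40004, "192.0.2.3", 23, "Password: \r\n% Login invalid\r\n"),
    ("198.51.100.78", 40005, "192.0.2.4", 23, ""),
    ("203.0.113.20", 40006, "192.0.2.9", 23, "YMSG\x00\x10\x00\x00"),
]

# A prompt such as "rtr1>" or "rtr1#" immediately followed by a command:
# the follow-on commands that only appear after a successful login.
COMMAND_AFTER_PROMPT = re.compile(r"^\S+[>#]\S", re.M)
LOGIN_FAILURE = re.compile(r"% (Bad passwords|Login invalid|Authentication failed)")

def classify(src, sport, dst, dport, text):
    """Work out which end is the router and what the session shows."""
    if dport == 23:                  # "To TCP Port 23": client -> router
        router, terminal = dst, src
    elif sport == 23:                # "From TCP Port 23" (echo): router -> client
        router, terminal = src, dst
    else:
        return None
    if text.startswith("YMSG"):      # Yahoo Messenger also rides on port 23
        verdict = "non-telnet"
    elif COMMAND_AFTER_PROMPT.search(text):
        verdict = "legitimate"       # logged in and issued commands
    elif LOGIN_FAILURE.search(text):
        verdict = "failed-login"
    elif "Password:" in text:
        verdict = "abandoned"        # reached the prompt, never authenticated
    else:
        verdict = "probe"            # connect only: consistent with scanning
    return {"router": router, "terminal": terminal, "verdict": verdict}

def summarise(sessions, guess_threshold=3):
    """Separate likely NOC terminals from scanning and password guessing."""
    by_verdict = defaultdict(Counter)
    for s in sessions:
        c = classify(*s)
        if c:
            by_verdict[c["verdict"]][c["terminal"]] += 1
    return {
        "management_terminals": set(by_verdict["legitimate"]),
        "password_guessing": {ip for ip, n in by_verdict["failed-login"].items() if n >= guess_threshold},
        "scanners": set(by_verdict["probe"]),
        "non_telnet": set(by_verdict["non-telnet"]),
    }
```

The same split is what an operator wants from their own router logs: the terminals that completed logins are the management hosts worth protecting, and the repeated-failure sources are the ones to alert on.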
Phase 4: Bulk Port Scanning
• We know the key services/servers running in the NOC
• Utilise HACIENDA, GCHQ’s bulk port scanning capability, to identify what IPs have these service ports open – additional logic to build up confidence required.
Fusion of sources
• Aim is to bring all sources that help identify NOC IP ranges together with associated confidence.
• Different techniques provide different results due to the nature of passive access (international vs in-country, for instance)
• Different techniques have different levels of reliability – therefore looking to develop aggregation with an overlay of smart intelligence.
• Solution can work on not just ISP NOCs but also Mobile OMCs.
And then… enabling CNE on NOCs
• We now have IP ranges – need selectors of NOC staff to enable QUANTUM INSERT attack against them.
• Use of GCHQ TDI capability to identify selectors coming out of IP ranges and/or identification of proxy/NAT within the NOC range.
NOC IP range search in MUTANT BROTH
NOC IP range – Target identifiers for QUANTUM INSERT
Real-time picture of QI
Questions?