Title: TUTELAGE

Description: This undated NSA presentation describes techniques for repurposing third party attack tools: see the Der Spiegel article The Digital Arms Race: NSA Preps America for Future Battle, 17 January 2015.

Document:



TOP SECRET//COMINT//REL TO USA, FVEY






Before TUTELAGE...

[Timeline diagram, MON through FRI, split into BEFORE INTRUSION and AFTER INTRUSION. Every step sits after the intrusion: Intrusion by Adversary -> Intrusion Event Logged -> Manual Analysis of Reporting Logs -> Reporting Process -> Victim Notification (Response?).]



Before TUTELAGE...

[Timeline diagram along a TIME axis, split into BEFORE INTRUSION and AFTER INTRUSION: Adversary Malware Design Process -> Intrusion by Adversary -> Intrusion Event Logged -> Analysis of Reporting Logs -> Reporting Process -> Victim Notification (Response?).]



With TUTELAGE...

[Timeline diagram along a TIME axis: Adversary Malware Design Process / Adversary Malware Decision Loop -> Discovery of Adversary Tools & Tradecraft -> Discovery of Adversary Intentions -> Tailored Countermeasure Developed & Deployed -> SIGINT-Enabled Countermeasure Mitigates Adversary Intrusion. Countermeasure Development happens BEFORE INTRUSION.]






Application of Capabilities



TUTELAGE Mission Flow

[Flow diagram: Discovery & Characterization of Cyber Adversary Tradecraft, fed by CYBERQUEST, XKEYSCORE, GNOMEVISION, POPQUIZ, etc. -> Foreign Adversary Launches Attack -> SIGINT Collection by U.S. Foreign Intelligence sensors and U.S. Boundary Sensors -> Alert! -> DoD Networks. New Signatures and Countermeasures are shared with Partners; Signatures and Countermeasures go to U.S. (illegible).]



Operational Landscape

[Chart plotting Threat Observability against Threat Sophistication, with Script Kiddie, Email Phishing, Zero Day Exploit and Foreign Intel Service as the marked points.]



TUTELAGE Capabilities

[Overview diagram of the capabilities detailed on the following slides:]
- Alert/Tip: Passive Sensor Generates Alert
- Storage
- Intercept
- Redirect: "What's My Destination?" / Infected Host's Information
- Block: Blocks Entry/Exit Activity
- Substitute: "Attack" / "Sleep"
- Latency: Speed Adjusted



TUTELAGE Capabilities: Alert/Tip

[Diagram: a Passive Sensor Generates Alert; the Alert/Tip feeds Decision Logic, which exchanges Data Requests with the sensor and sends Tasking to SIGINT; the sensor sits on the DoD network.]

Decision Logic:
- Requests Data
- Establishes Correlations
- Sends Out Tasks
- Sends Alerts to SIGINT Tasking

Sensor:
- Generates Alerts
- Collects Data for Analysis
- Runs Applications

(S//REL TO USA, FVEY) Alert/Tip indicates the presence of malicious activity and communicates this information with the rest of the TUTELAGE enterprise and/or the SIGINT (passive/active) enterprise. Rule and Decision Logic determine whether data is stored.



TUTELAGE Capabilities: Intercept

In-Line Packet Processor:
- Re-routes traffic dynamically
- Modifies inbound & outbound packets
- Inserts and/or deletes packets

[Diagram: the adversary's activity appears "Successful" while the in-line processor intervenes in front of the DoD network.]

(S//REL TO USA, FVEY) Intercept is the means by which the TUTELAGE in-line packet processor can transparently intervene in adversarial activities, permitting the activity to appear to complete without disclosing that it did not reach/affect the intended target.



TUTELAGE Capabilities: Substitute

[Diagram: a packet carrying "Attack" leaves the in-line processor carrying "Sleep"; a second stream labelled Unable to Decrypt, shown as raw bit strings, passes towards the DoD network.]

(S//REL TO USA, FVEY) Substitute is the TUTELAGE in-line packet processor's ability to perform bidirectional content detection and replacement.



TUTELAGE Capabilities: Redirect

[Diagram: an infected host asks "What's My Destination?"; the in-line processor answers "Here instead" and performs Redirect to Safe Server, which captures the Infected Host's Information and can Tip SIGINT if Foreign.]

(S//REL TO USA, FVEY) Redirect is the TUTELAGE in-line packet processor's ability to change the course or direction of an adversarial (or adversarial induced) activity.



TUTELAGE Capabilities: Block

[Diagram: Block denies Entry/Exit Activity at the DoD boundary.]

(S//REL TO USA, FVEY) Block is the means by which the TUTELAGE in-line packet processor can deny entry/exit of network activity at the Internet Access Points (IAPs) based initially on source and/or destination Internet Protocol (IP) addresses and ports.



TUTELAGE Capabilities: Latency

[Diagram: traffic Speed Adjusted by the in-line processor.]

(S//REL TO USA, FVEY) Latency is the means by which the TUTELAGE in-line packet processor can stealthily vary the in/outbound speed of an adversary's activities traversing the IAPs to provide a diminished quality of service. This creates more time for other TUTELAGE capabilities to be executed.
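The capability set on the preceding slides (Block, Alert/Tip, Substitute, Redirect, Latency) as one decision pass of an in-line processor over constructed packets. This is an added illustration, not TUTELAGE code; the rule layout, field names, sample addresses and the order in which the capabilities are applied are assumptions.

```python
from dataclasses import dataclass, field, replace

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Decision:
    packet: Packet
    action: str = "pass"        # "pass", "block" or "redirect"
    delay_ms: int = 0           # Latency: extra delay imposed on the flow
    alerts: list = field(default_factory=list)

def process(pkt, rules):
    d = Decision(pkt)
    # Block: deny entry/exit by source address or destination port; nothing else runs
    if pkt.src in rules["block_src"] or pkt.dport in rules["block_dports"]:
        d.action = "block"
        return d
    # Alert/Tip: a content signature hit raises an alert but lets the traffic flow
    d.alerts += [n for n, sig in rules["alert_strings"].items() if sig in pkt.payload]
    # Substitute: bidirectional content detection and replacement
    for old, new in rules["substitutions"].items():
        if old in d.packet.payload:
            d.packet = replace(d.packet, payload=d.packet.payload.replace(old, new))
            d.alerts.append("substituted:" + old.decode())
    # Redirect: an infected host's callback is steered to a safe server instead
    if pkt.src in rules["redirect_hosts"]:
        d.action = "redirect"
        d.packet = replace(d.packet, dst=rules["redirect_hosts"][pkt.src])
        d.alerts.append("infected-host:" + pkt.src)
    # Latency: slow selected sources to buy time for the other capabilities
    d.delay_ms = rules["slow_src"].get(pkt.src, 0)
    return d

RULES = {  # constructed sample rule set; every name here is an assumption
    "block_src": {"203.0.113.5"}, "block_dports": {23},
    "alert_strings": {"c2-beacon": b"GET /gate.php"},
    "substitutions": {b"Attack": b"Sleep"}, "slow_src": {"198.51.100.9": 500},
    "redirect_hosts": {"10.0.0.7": "10.9.9.9"},   # infected host -> safe server
}

def demo():
    pkts = [Packet("203.0.113.5", "10.0.0.7", 80, b"Attack"),           # blocked
            Packet("198.51.100.9", "10.0.0.7", 80, b"cmd=Attack now"),  # substituted, slowed
            Packet("10.0.0.7", "192.0.2.1", 80, b"GET /gate.php")]      # redirected, alerted
    return [process(p, RULES) for p in pkts]
```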



FUTURE CAPABILITIES



Upgrades & What They Mean

Upgrade to 10G Sensor provides additional capabilities and enables future upgrades:

• Immediate Benefits:
  - Increased speed and capacity
  - TS//SI signatures
  - Full Snort (Current sensors use packet-based Snort. 10G sensors use session-based Snort.)
  - Multi-event Snort

• Future Upgrades:
  - POPQUIZ: Real-time behavioral analytics
  - GNOMEVISION: De-obfuscation of malicious packages
  - Cryptanalytic Capabilities
  - Netflow: Traffic analysis with GHOSTMACHINE



Future TUTELAGE Capability: TCP Reset

[Diagram: the connection is reset and the requesting browser shows "The page cannot be found / 404 - File not found".]

(S//SI//REL TO USA, FVEY) TCP Reset prevents malicious activity by breaking the connection.



Future TUTELAGE Capabilities: Sidelining

(S//REL TO USA, FVEY) Sidelining is an intentional redirection of an activity to a secondary level of intervention where an intermediate host(s) (e.g. Listening Post, Quarantine, etc.) is staged to provide additional processing/manipulation to better engage and/or thwart adversarial activity.



Future TUTELAGE Capabilities: Sideline for Listening Posts

[Diagram: adversary activity sidelined from the DoD network to a Listening Post.]






Future TUTELAGE Capabilities: HBSS Integration

[Diagram: Adversarial C2 Request -> Substitution/Redirection to Deliver Payload -> HBSS Enabled Endpoint; Detailed Alerts flow to a Remote Server and the DoD ePO Server.]

(S//SI//REL TO USA, FVEY) Integrating with the DOD's Host-Based Security System allows malicious activity detected through classified signatures in TUTELAGE to be dealt with at the host level. Using HBSS, TUTELAGE can trigger less sensitive alerts to local network administrators.



Future TUTELAGE Capabilities: Quantum Tip

[Diagram: Sensor -> Quantum Tip -> TURBINE -> Injector (PANDORAS MAYHEM), alongside the DoD network.]

(TS//SI//REL TO USA, FVEY) TUTELAGE can tip QUANTUM to enable offensive action in adversary space.



Future TUTELAGE Capabilities: Quantum Shooter

[Diagram: Sensor -> Quantum Tip -> TURBINE -> Injector.]



Future TUTELAGE Capabilities: Real Time Cryptanalytics

[Diagram: a Cryptanalytics module in the processing path.]

(TS//SI//REL TO USA, FVEY) Real-time cryptanalytics allows Quantum operations to take place at net-speed.



OPS SUCCESS STORIES



U.S. Military Leaders Defended

• Based on information from SIGINT collection, a TUTELAGE countermeasure was developed and deployed in 2009 for a particular BYZANTINE HADES attack.

• On October 21st and 22nd 2010, the spear-phishing attack was launched. The attack targeted four users, including the Chairman of the Joint Chiefs of Staff and the Chief of Naval Operations, with a carefully disguised malicious PDF.

• NTOC operated the countermeasure and the attack was thwarted.



WAG Attempts to Deliver Holiday Present to DoD

23 December

* NTOC-TX calls ops center advising of phishing campaign with "Merry Christmas" subject associated with WAG actors
* WAG actors attempted to use ZEUS malware to exfiltrate documents
* NTOC-TX did malware analysis and identified 2 new callback domains
* In < 3 hours, received CyberCommand approval and placed domains on DNS interdiction

30 December

* NTOC-TX notices new spike in WAG mail signature
* NTOC-TX discovers new callback domain
* In < 20 minutes, received approval and placed domain on DNS interdiction
* NTOC-W confirmed same malware from Xmas themed event



AMULETSTELLAR Spearphishing... Trying to Make New Friends

[Screenshot: LinkedIn invitation reminder e-mail ("This is a reminder that on ... Follow this link to accept ...'s invitation.") used as the lure.]

• In SIGINT, NTOC observed AMULETSTELLAR use of a yahoo.com email account
• On Christmas Day, the account was used to generate LinkedIn requests to 10 general and flag grade officers
• NTOC leveraged TUTELAGE and SIGINT for further discovery of activity
• In coordination with CyberCommand,
  * Published 10 advisories
  * Identified 2 additional LinkedIn accounts
  * Deployed 4 countermeasures
  * Intercepted over 2000 emails from AMULETSTELLAR actors



Combating the Low Orbit Ion Cannon (LOIC)

• The open-source LOIC tool has been used by "Anonymous" and others in several DDoS attacks.

• NTOC developed signatures to detect specific content strings generated by this tool.

[Screenshot: TUTELAGE CYBERWATCH alert list (Mozilla Firefox) for the LOIC default-content UDP signature, dated 2011/03/06 07:19, rows 1 to 21 of udp events.]

• For example, for packets containing the string "Sweet_dreams_from_AnonOPs" TUTELAGE will perform an ACL Block against the offending IP once a threshold is met.

• Observed here is traffic from an ongoing DDoS against several DoD IPs. TUTELAGE is blocking the malicious IP from communicating with any DoD machines.
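The content-string signature with a per-source hit threshold that the slide describes, run over constructed UDP packet records: every hit raises an alert, and once a source reaches the threshold it is added to an ACL block list. This is an added illustration, not TUTELAGE or NTOC code; the signature name, threshold, sliding window and sample addresses are assumptions, and only the content string comes from the slide.

```python
from collections import defaultdict, deque

# Signature name is constructed (the slide's screenshot title is illegible);
# the content string is the one the slide quotes.
SIGNATURES = {"LOIC_DEFAULT_CONTENT_UDP": b"Sweet_dreams_from_AnonOPs"}

class ThresholdBlocker:
    """Alert on every signature hit; ACL-block a source after `threshold` hits
    within `window_s` seconds (the sliding window is an assumption)."""
    def __init__(self, threshold=5, window_s=60.0):
        self.threshold, self.window_s = threshold, window_s
        self.hits = defaultdict(deque)   # src ip -> timestamps of recent hits
        self.blocked = set()             # ACL entries: source IPs denied entry
        self.alerts = []                 # (ts, signature, src, dst) per hit

    def inspect(self, ts, src, dst, proto, payload):
        """Return 'blocked', 'alert' or 'pass' for one packet."""
        if src in self.blocked:
            return "blocked"             # ACL already denies this source
        for name, needle in SIGNATURES.items():
            if proto == "udp" and needle in payload:
                self.alerts.append((ts, name, src, dst))
                q = self.hits[src]
                q.append(ts)
                while q and ts - q[0] > self.window_s:   # expire old hits
                    q.popleft()
                if len(q) >= self.threshold:
                    self.blocked.add(src)                # ACL Block kicks in
                return "alert"
        return "pass"

def demo(threshold=3):
    flood = b"Sweet_dreams_from_AnonOPs"
    pkts = [  # (ts, src, dst, proto, payload): constructed sample traffic
        (0.0, "192.0.2.10", "198.51.100.83", "udp", flood),
        (0.5, "192.0.2.10", "198.51.100.83", "udp", flood),
        (0.9, "192.0.2.77", "198.51.100.83", "udp", b"hello"),
        (1.0, "192.0.2.10", "198.51.100.84", "udp", flood),
        (1.2, "192.0.2.10", "198.51.100.83", "udp", flood),
        (2.0, "192.0.2.55", "198.51.100.83", "udp", flood),
    ]
    b = ThresholdBlocker(threshold)
    verdicts = [b.inspect(*p) for p in pkts]
    return verdicts, sorted(b.blocked), len(b.alerts)
```

The third hit from 192.0.2.10 trips the block, so its fourth packet is dropped by the ACL rather than re-alerted, while the single hit from 192.0.2.55 only alerts.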