Synergising Network Analysis Tradecraft
Network Tradecraft Advancement Team (NTAT)

Overview

What is Tradecraft?

Tradecraft: "The development of methods, techniques, algorithms and processes in order to generate Intelligence, and developing the ability to apply this knowledge either manually or through automation. Tradecraft is developed from experience, research, intuition and by the reapplication and redefinition of existing techniques. Industrial-Scale Tradecraft involves data on a large scale."

Network Tradecraft: Usable knowledge about how to acquire intelligence FROM the network.

The NTAT
- Create repeatable, sustainable, shareable tradecraft to enable network analysis
- Facilitate knowledge collaboration and interchange across the 5-Eyes SIGDEV community

The Process (stage diagram; only some stages are legible)
- Finding ...
- Stage 2: Define Focus (based on ...)
- Stage 5: Test Documented Tradecraft and Refine

TOP SECRET//SI

Network Convergence
- Technological convergence where voice and data services interact with each other on a single device
- Tradecraft to enable the targeting of handsets in telephony space and CNE exploitation in IP space
- Improved algorithms for mobile gateway identification and implementation of these algorithms

DSD Workshop, November 2011
- 2 weeks
- CSE, DSD, GCHQ, NSA, GCSB
- Virtually, via chat room
- Focus on data, techniques, analytic outcomes

DSD Workshop Outcomes
- Technique developed to identify a wide variety of potential converged data, unique for a specific country or mobile network operator; could potentially lead to a convergence correlation dataset to help profile targets' on-line activity
- Documentation of techniques to identify specific components of raw HTTP activity that allude to the browsing, downloading and installation of smartphone applications; identified the presence of application servers for mobile network operators and geographical areas
- DSD implementation of the mobile gateway identification analytic based on FRETTING YETI; three agencies now running the same analytic; provides a richer dataset of mobile gateways
- CRAFTY SHACK trial: NTAT now using CRAFTY SHACK for tradecraft documentation

XKS Microplugin: Samsung Protocol
(Screenshot of an XKS results table: columns include HTTP_User_Agent, device model, Android version and request type, e.g. checkAppUpgrade Request and getDownloadList Request; the remaining cell contents are not legible.)

CSE Workshop, February 2012
- 2 weeks
- CSE, DSD, GCHQ, GCSB, NSA (everyone wanted to experience a Canadian winter!)
- Build on the work started at DSD

The Reality!

CSE Workshop Outcomes
- Refinement of XKS fingerprints to identify mobile bearers, Samsung and Android Marketplace servers; 17 XKS fingerprints deployed
- Documentation of analytics in CRAFTY SHACK; these analytics are now being implemented across the 5 Eyes
- Proving the tradecraft actually works! Scenario to test the tradecraft and analytics: Op IRRITANT HORN

Does the tradecraft work?
- Another Arab Spring (only this time, different countries)
- Goal: identify aggregation points for the mobile networks in the countries of interest using the tradecraft developed during the workshops
- Did it work? YES: the team was able to identify connections from the countries to application and vendor servers in non-5-Eyes countries

So what? We found some Potential Effects
- Harvesting data at rest
- Harvesting data in transit
- Finding mobile application vendor update servers

(Workflow diagram: TC Init; Geolocation and Network Information (ATLAS): Date Range, IP Range; Reverse DNS (DANAUS): IP Range; ...)
(Workflow diagram, continued: Row Normaliser; IP Input; Filter rows; Select values; IP-IP Communication Summaries (HYPERION): Date Range, IP Range; Tradecraft Navigator Output)

Finding mobile application update servers
(Screenshot of a results table: geolocation of the IP input, e.g. France, Cuba, Senegal, Morocco, Switzerland, Bahamas, Netherlands, Russia, alongside the update-server hostnames seen, e.g. android-market.l.google.com and store.cubava.cu; the remaining rows are not legible.)

CRAFTY SHACK wiki page: "Find public IP space used by Mobile Devices and Related Servers on the Internet"
- Ontology: IP address, ASN, Network block, Hostname, User Agent String
- Agencies: 5EYES, CSEC, DSD, GCHQ, GCSB, NSA
- Invokes Tradecraft: Finding Mobile Internet Gateways
- Alternatives: Identify Servers communicating with a Mobile network
- What does the tradecraft achieve? This tradecraft will provide a list of servers that have been seen communicating with a mobile network. The ranges utilized for the initial implementation of this tradecraft were the Inter-PLMN Backbone IP ranges obtained from documents. For other methods of identifying mobile IP blocks, see the invoked tradecraft listed above.
- In what situations would the tradecraft be most useful?
- Tradecraft Steps (document the underlying steps; do not include tools)
Tradecraft Steps
- Step 1) Take IP ranges or individual addresses identified as being related to mobile network communications.
- Step 2) Obtain geolocation information and network ownership information for each IP address. This should include Network Owner name, Carrier name, ASN, Continent, Country, Region, City, Lat/Long, and any other related details that your system can obtain.
- Step 3) Obtain Internet communication events related to the IP addresses. These events should include source information, To IP, From IP, Direction, and HTTP User-Agent.
- Step 4) Sort the results and dedup them.
- Step 5) Filter out server communications that have user-agents that aren't useful. Further research is needed on non-useful user-agents.
- Step 6) Check the TCP Direction field: if Server to Client, grab the From IP information; if Client to Server, grab the To IP information; if Server to Server, grab both the To and From IP information; if Unknown, capture in an error log.
- Step 7) Sort and dedup again based on Server IP information. TCP Direction info is no longer needed.
- Step 8) Obtain geolocation information and network ownership information for each Server IP. This is done for the servers that were not in the ... Blocks.
- Step 9) Remove any servers that are not useful. This includes 5-Eyes servers.
- Step 10) Output: List of Servers; List of related User Agents; List of related hostnames.

In what situations would the tradecraft be most useful?
- To identify mobile application servers for a ...
- To identify any server that may be useful for collection purposes

Describe any problems, caveats or things to watch out for that can help you to implement this tradecraft
- This step depends on your collection sources. The list of servers returned depends on the IP range and collection sources utilized. Success of this tradecraft may require additional research to identify other IP ranges or requesting other agencies to check their collection to identify different servers.

Created by: ... (Agency: NSA)
Acceptance state: Limited
- Input(s): Ontology:Network block, Ontology:IP address
- Output(s): Ontology:User Agent String, Ontology:Geographic selector, Ontology:Hostname
- Invokes Tradecraft: Finding Mobile Internet Gateways

CRAFTY SHACK: "It's not tradecraft until it's documented"

Identifying servers communicating with an MNO
(Workflow diagram: Start; CSV File Input; Remove Duplicates; Normalise; Select values; Mux; Enrich; Distribute; Lookup DstIP Enrichment; TDI Online (PEITHO); ATLAS Geo and Network Info; Dedup; Is User-Agent friendly-scanner?; Is Server?; Split Fields; Sort rows; Remove 5-Eyes Blocks; Unique Blocks; UserAgentData; Unique; Google Earth; Reverse DNS (DANAUS): IP Range)

Profiling mobile application servers
(Workflow diagram: Start; Define the input; CSV File Input; Hostname; Geolocation and Network Info (ATLAS): Date Range, IP Range; Online Events: Date Range, IP Range; Client to Server; Geolocation and Network of clients; TDI Events; Apps Servers)

Profiling mobile application servers
(Screenshot of a results table; contents not legible.)

Profiling mobile application: Field discovery