TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

PROFILING SSL AND ATTRIBUTING PRIVATE NETWORKS
An introduction to FLYING PIG and HUSH PUPPY
ICTR - Network Exploitation, GCHQ

Outline
- Two separate prototypes: FLYING PIG and HUSH PUPPY
- Both are cloud analytics which work on bulk unselected data
- FLYING PIG is a knowledge base for investigating SSL traffic
- HUSH PUPPY is a tool for attributing private network traffic

FLYING PIG - TLS/SSL background
TLS/SSL (Transport Layer Security / Secure Sockets Layer) provides secure communication over the internet.

Simple TLS/SSL handshake:
1. Client -> Server: Client hello
2. Server -> Client: Server hello, Certificate, Server hello done
3. Client -> Server: Client key exchange, Change cipher spec, Handshake finished
4. Server -> Client: Change cipher spec, Handshake finished
5. Application data (both directions)

(Slide footer, repeated on every slide: This information is exempt under the Freedom of Information Act 2000 and may be exempt under other UK information legislation. Refer any FOIA queries to GCHQ. Contains intellectual property owned and/or managed by GCHQ. The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.)

Motivations for FLYING PIG
- More and more services used by GCHQ targets are moving to TLS/SSL to increase user confidence, e.g. Hotmail, Yahoo, Gmail etc.
- Terrorists and cyber criminals are common users of TLS/SSL to hide their comms, not necessarily using the big providers
- A TLS/SSL knowledge base could provide a means to extract as much information from the traffic as possible

FLYING PIG implementation - federated QFD approach
- Multiple separate cloud analytics, each of which produces a QFD (Query Focussed Dataset)
- Analytics are run once a week on approximately 20 billion events
- A single query in the web interface results in calls to multiple QFDs, which are returned to the user in separate panels
- Results in fast queries, easy-to-maintain modular code and, importantly, easy addition of future TLS/SSL QFDs

Query by certificate metadata
[Screenshot: FLYING PIG knowledge base, certificate metadata query. The query form takes a justification, the QFD to query (FLYING PIG, the general SSL toolkit, or QUICK ANT, the Tor events QFD), a query by client IP, server IP, both, or a network (e.g. 1.2.3.0/24), and server certificate fields to search within: common name, issuer organisation name or RSA modulus (e.g. %example.com; % is the wildcard). A certificate field search for %mail.ru returns two panels. 'HTTP requests matching your query' lists server IP, host name, first seen, last seen, count for the week ending 25 Nov and count all time (swa.mail.ru, top.mail.ru, auth.mail.ru and similar hosts). 'Certificates matching your query' lists server IP and certificate count, first seen, last seen, valid from, valid to, subject common name, country and organisation name, issuer common name, country and organisation name, and whether the certificate is self-signed; the rows are mail.ru certificates issued by thawte, equifax and others. Tips shown: right-click a row to find all server IPs that serve that certificate; right-click a server IP to explore it further; click the disk icon in the title bar to download the data as CSV; double-click a field to enable copy and paste; 'Basic' columns are the default and 'Advanced' adds RSA modulus and cipher suite distribution columns.]
Query by server IP
[Screenshot: FLYING PIG query by server IP for a Mail.Ru address (184.x.x.x, partly redacted). Server-IP-specific panels: general IP info (geolocation: country RU, city Moscow; WHOIS: company Mail.Ru, domain mail.ru; AS info: AS name Limited liability company Mail.Ru; DNS; Tor node: no matches), SSL server certificates seen on this IP, top 10 SSL client geos, SSL pattern of life, top 10 SSL server ports, top 10 SSL case notations, top 100 SSL clients, SSL traffic stats and HTTP requests to this IP. The traffic stats panel splits unique clients into client-to-server only, server-to-client only and bidirectional traffic; for the week shown, about 14.7% of client-server IP pairs had traffic seen in both directions. The certificates panel lists the mail.ru certificates seen on the IP (issuer thawte SSL CA) with first and last seen on this IP, count for the week ending 25 Nov, count all time and validity period.]
[Screenshot continued: the certificates panel also shows a vkontakte.ru certificate (issuer Go Daddy Secure Certification Authority) seen once on this IP. The SSL pattern of life panel shows the average pattern of life for a client, seeded around SSL events to this server IP, with a filter on the minimum number of occurrences of an event. The HTTP requests panel (top 100) lists server IP, host name requested, first seen, last seen, count last week and count all time, e.g. GET requests to e.mail.ru, top5.mail.ru, auth.mail.ru and my.mail.ru.]
[Screenshot continued: 'Top 100 SSL clients of server 184.x.x.x' panel. Filters: only show clients in these countries, remove clients in these countries, remove clients that also act as servers, number of results returned. Columns: client IP, client country, client company, first seen, last seen, count for the week ending 25 Nov, count all time, pairing status for the week and all time (Server->Client only, Client->Server only, or Both directions). Right-click a client or server IP to explore it further.]
Query by client IP
[Screenshot: FLYING PIG query by client IP (address redacted). Client-IP-specific panels: general IP info (geolocation: country KR, city Seoul; WHOIS: company Korea Telecom, domain groupon.kr; AS info: advertised by AS 4766, AS name Korea Telecom; DNS; Tor node) and 'Top 100 SSL servers visited by' the client. Filters: only show servers in these countries (e.g. enter PK to filter by Pakistan only, or several countries), remove servers in these countries. Columns: client IP, server IP, server country, server company info from GEOFUSION export, first seen, last seen, count for the week ending 25 Nov, count all time, pairing status for the week and all time. The rows shown are Mail.Ru servers (mail.ru), mostly seen in both directions.]
[Screenshot continued: the top 100 SSL servers table also shows a Mozilla Corporation server and further Mail.Ru servers, some with no traffic in the week ending 25 Nov and a one-directional pairing status.]

Query by network range
[Screenshot: FLYING PIG query by network range (a /24, address redacted). Network-specific panels: general network info (geolocation: country KR, city Seoul; WHOIS, AS info and DNS returned no results), 'SSL clients in network' (client IP, client company info from GEOFUSION export, first seen, last seen, total SSL traffic for the week ending 25 Nov and all time, number of unique servers contacted for the week and all time; 57 clients listed), 'All SSL servers in network' and 'HTTP requests to IPs in network'. Right-click a client or server IP to explore it further.]
[Screenshot continued: 'All SSL servers in network' panel (server IP, server company info from GEOFUSION export, last week seen, percentage of paired clients, number of unique clients for the week and all time) and 'HTTP requests to IPs in network' (top 100: server IP, host name requested, first seen, last seen, count last week, count all time).]

Cyber applications
Diginotar certificate authority compromise
- Private keys of the legitimate certificate authority Diginotar stolen by a hacker
- FLYING PIG was used to identify a FIS using them to launch a MITM against their own citizens
- FLYING PIG screenshot showing fake certificate:
[Screenshot: FLYING PIG certificate results for the subject google.com: seven certificates with first seen, last seen, counts for the week and all time, validity dates, subject common name google.com, subject organisation google inc, and issuer common names including google internet authority, zscaler and bluecoat.]

How the attack was done
[Diagram; not recoverable from the OCR text.]

Other cyber applications
- Multiple examples of FIS data exfiltration using SSL have been found using FLYING PIG. In particular, certificates related to LEGION JADE, LEGION RUBY and MAKERSMARK activity were found on FLYING PIG using known signatures. These were then used to find previously unknown servers involved in exfiltration from US companies.
- FLYING PIG has also been used to identify events involving a mail server used by Russian Intelligence.

Identification of malicious TLS/SSL
- Can identify malicious TLS/SSL using signatures if known
- However, this approach generally does not allow discovery of new threats
- Alternative is to use behavioural features to automatically identify potentially malicious traffic
- Features currently being investigated include:
  - Certificates with the same subject but different issuers: may be indicative of a Diginotar-style attack
  - Beaconing in TLS/SSL: indicative of botnet/FIS implants
  - Number of client cipher suites offered
  - Repeated identical random challenges

HUSH PUPPY motivation
- Much private network traffic seen but previously discarded
- If traffic could be attributed: potential high-value close access
- HUSH PUPPY is a bulk private network identification cloud analytic
- Basic idea is to look for the same TDI being seen coming from a private address and then from a public address within a short time. The private traffic can then be attributed to the owner of the public address.
- Works for SSE, COMSAT

HUSH PUPPY example
[Diagram: a host on a private network (192.168.0.2) sends a request to Yahoo carrying the cookie fred@yahoo.com; the NAT or proxy forwards it to the Internet from its public address (1.2.3.4) with the same cookie, so the private host can be tied to the public address.]

Other HUSH PUPPY datasets
- HUSH PUPPY also makes use of Yahoo T-cookies to do correlations. A T-cookie contains the IP address of the client as Yahoo sees it. Hence a cookie coming from a private IP can give the public IP of the NAT or proxy.
- In addition, HUSH PUPPY uses the following data to help verify results:
  - Kerberos, Lotus Notes: domains, organisations, departments, countries, machine names, user names
  - HTTP: heuristic detection of intranet web servers
  - SSL: issuers, subjects, countries
  - SMTP: from/to domains

Results: what do we find?
- Foreign government networks, airlines, energy companies, financial organisations
- In cases of good collection, 50-80% of collected private network traffic has been attributed
- Some false positives can arise if few events are correlated, due to factors such as TDIs not being completely unique and public internet proxies giving misleading public IP results
- Results can frequently be verified using Kerberos etc. data

Examples of operational successes
- A large private network related to the Afghan government was identified, with 800,000 events correlated. Examination of the case notations suggested it belonged to the Afghan MOD: a Kerberos domain mod.oca, HTTP servers mod.oca mail, SSL certificates with the subject "Ministry of Defense", and the geo. Results confirmed by analysis of content on XKEYSCORE.
- A VSAT private network belonging to a Ministry of Foreign Affairs was identified. NOSEY PARKER events were correlated with SSE.

Contacts
[Not legible in the OCR text]
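The four behavioural features listed on the 'Identification of malicious TLS/SSL' slide (same subject with different issuers, beaconing, number of cipher suites offered, repeated identical randoms) can each be checked over per-handshake metadata of the kind a passive collector extracts. The following Python is an added example, not GCHQ code and not part of the original deck: the event records, their field layout, the beacon coefficient-of-variation cut-off and the cipher suite threshold are all constructed or assumed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-handshake records (not real collection data), one tuple per
# observed TLS/SSL session: timestamp (s), client IP, server IP, certificate
# subject CN, certificate issuer organisation, RSA modulus (abbreviated hex),
# ClientHello random (abbreviated hex), number of cipher suites offered.
EVENTS = [
    # A browser talking to the genuine webmail server at irregular intervals.
    (1000, "10.0.0.7", "198.51.100.20", "mail.example.com", "Example CA", "b1c2", "1a1a", 24),
    (1735, "10.0.0.7", "198.51.100.20", "mail.example.com", "Example CA", "b1c2", "2b2b", 24),
    (1790, "10.0.0.7", "198.51.100.20", "mail.example.com", "Example CA", "b1c2", "3c3c", 24),
    (4100, "10.0.0.7", "198.51.100.20", "mail.example.com", "Example CA", "b1c2", "4d4d", 24),
    # The same subject served from another IP with a different issuer and a
    # different key: the shape of a mis-issued (Diginotar-style) certificate.
    (2000, "10.0.0.9", "203.0.113.44", "mail.example.com", "Rogue CA", "ffee", "5e5e", 24),
    # A suspected implant: fixed 600 s beacon, a single cipher suite offered,
    # and a ClientHello random that never changes.
    (3000, "10.0.0.5", "203.0.113.9", "update.example.net", "update.example.net", "0a0b", "c0ffee", 1),
    (3600, "10.0.0.5", "203.0.113.9", "update.example.net", "update.example.net", "0a0b", "c0ffee", 1),
    (4200, "10.0.0.5", "203.0.113.9", "update.example.net", "update.example.net", "0a0b", "c0ffee", 1),
    (4800, "10.0.0.5", "203.0.113.9", "update.example.net", "update.example.net", "0a0b", "c0ffee", 1),
]


def subjects_with_multiple_issuers(events):
    """Subject CNs seen with more than one issuer organisation.

    Returns {subject: {issuer: {modulus, ...}}} for each flagged subject so the
    analyst can see whether the certificates also differ in key material.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for _, _, _, subject, issuer, modulus, _, _ in events:
        seen[subject][issuer].add(modulus)
    return {s: {i: set(m) for i, m in issuers.items()}
            for s, issuers in seen.items() if len(issuers) > 1}


def beaconing_pairs(events, min_events=4, max_cv=0.1):
    """(client, server) pairs whose connection intervals are near-constant.

    A coefficient of variation (stdev / mean of inter-arrival times) at or
    below max_cv over at least min_events connections is treated as a beacon.
    Both thresholds are assumptions for this example.
    """
    times = defaultdict(list)
    for ts, client, server, *_ in events:
        times[(client, server)].append(ts)
    flagged = {}
    for pair, ts in times.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[pair] = avg
    return flagged


def repeated_client_randoms(events):
    """ClientHello randoms reused across handshakes (a fresh one is expected each time)."""
    counts = defaultdict(int)
    for *_, rand, _ in events:
        counts[rand] += 1
    return {r: n for r, n in counts.items() if n > 1}


def low_cipher_suite_clients(events, max_suites=2):
    """Clients that ever offered max_suites or fewer cipher suites.

    Browsers offer dozens; a hand-rolled implant often offers one.  The
    cut-off is an assumption for this example.
    """
    return {client for _, client, _, _, _, _, _, n in events if n <= max_suites}


def screen(events):
    """Run all four feature checks and return their hits by name."""
    return {
        "multi_issuer_subjects": subjects_with_multiple_issuers(events),
        "beacons": beaconing_pairs(events),
        "repeated_randoms": repeated_client_randoms(events),
        "low_suite_clients": low_cipher_suite_clients(events),
    }


if __name__ == "__main__":
    for name, hits in screen(EVENTS).items():
        print(f"{name}: {hits}")
```

Each check is independent, so a hit on one feature is a lead, not a verdict: a corporate SSL-inspecting proxy also produces "same subject, different issuer" rows, and a software updater beacons on a fixed schedule. The value is in the overlap, which here points at 10.0.0.5 on three of the four features.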
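The HUSH PUPPY correlation described on the motivation slide (the same TDI seen from a private address and then from a public address within a short time, so the private traffic is attributed to the owner of the public address), written out as an added example that is not the tool's own code. The cookie observations, the 60 s window and the /24 aggregation of private sources are assumptions. It also handles the false-positive case from the results slide: a TDI that is not unique, or that reappears from a public proxy, maps to more than one public IP and is marked ambiguous rather than attributed.

```python
import ipaddress
from collections import defaultdict

# Constructed HTTP-cookie observations (not real collection data):
# (timestamp in seconds, source IP as seen on the wire, cookie value used as a TDI).
# The "public" addresses are documentation ranges, which is why is_private()
# below checks RFC 1918 explicitly instead of using ipaddress.is_private.
EVENTS = [
    (100, "192.168.0.2", "Y=fred@example.com"),
    (105, "198.51.100.7", "Y=fred@example.com"),    # same cookie from a public IP 5 s later
    (300, "192.168.0.17", "Y=alice@example.com"),
    (302, "198.51.100.7", "Y=alice@example.com"),   # second user behind the same NAT
    (500, "10.1.2.3", "Y=bob@example.org"),
    (9000, "203.0.113.5", "Y=bob@example.org"),     # far outside the window: no correlation
    (700, "10.9.9.9", "sess=notunique"),
    (703, "203.0.113.50", "sess=notunique"),        # same TDI from two different public IPs:
    (704, "203.0.113.51", "sess=notunique"),        # a shared proxy or a non-unique TDI
]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True for RFC 1918 addresses, the 'private address' sense used in the deck."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def correlate(events, window=60):
    """Pair every private-source event with the public-source events that carry
    the same TDI within `window` seconds afterwards.

    Returns a list of (private IP, public IP, tdi, delay) tuples.
    """
    by_tdi = defaultdict(list)
    for ts, ip, tdi in events:
        by_tdi[tdi].append((ts, ip))
    pairs = []
    for tdi, obs in by_tdi.items():
        obs.sort()
        for ts_priv, ip_priv in obs:
            if not is_private(ip_priv):
                continue
            for ts_pub, ip_pub in obs:
                if not is_private(ip_pub) and 0 <= ts_pub - ts_priv <= window:
                    pairs.append((ip_priv, ip_pub, tdi, ts_pub - ts_priv))
    return pairs


def attribute(pairs, prefix=24):
    """Attribute each private /prefix network to the public address its TDIs
    reappear from.

    The number of distinct TDIs behind the attribution is the confidence
    measure; 'ambiguous' is set when any of those TDIs also reappeared from a
    different public IP (non-unique TDI or a shared public proxy).
    """
    votes = defaultdict(lambda: defaultdict(set))   # private net -> public IP -> {tdi}
    tdi_publics = defaultdict(set)                   # tdi -> {public IP}
    for ip_priv, ip_pub, tdi, _ in pairs:
        net = ipaddress.ip_network(f"{ip_priv}/{prefix}", strict=False)
        votes[net][ip_pub].add(tdi)
        tdi_publics[tdi].add(ip_pub)
    result = {}
    for net, pubs in votes.items():
        ip_pub, tdis = max(pubs.items(), key=lambda kv: len(kv[1]))
        ambiguous = any(len(tdi_publics[t]) > 1 for t in tdis)
        result[str(net)] = {"public_ip": ip_pub, "tdis": len(tdis), "ambiguous": ambiguous}
    return result


if __name__ == "__main__":
    for net, info in attribute(correlate(EVENTS)).items():
        print(net, info)
```

In this data 192.168.0.0/24 is attributed to 198.51.100.7 on two independent TDIs, 10.1.2.0/24 gets nothing because the only public reappearance is outside the window, and 10.9.9.0/24 is flagged ambiguous. The deck's verification step (Kerberos domains, intranet web servers, certificate subjects, SMTP domains) is what would lift an ambiguous or single-TDI result to an attribution.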