Bad guys are everywhere, good guys are somewhere.

Threat Operations Center (NTOC) - NTOC Technology Development
TS//SI//REL TO USA, FVEY

(U) NTOC
- (U) Operates under both SIGINT and Information Assurance authorities; leverages SIGINT, IA and OSINT
- (U//FOUO) Coordinates Integrated Cyber Operations: V2 Analysis, V3 Operations, V4 Technology Development Support
- V45 Technology Development Division

(U) V45 Projects
- TREASUREMAP: Massive Internet mapping, exploration and analysis engine
- PACKAGEDGOODS: Globally dispersed traceroute generators
- (U) Other projects

(U) What is TREASUREMAP?
- (U//FOUO) Capability for building a near real-time, interactive map of the global Internet. Map the entire Internet: any device, anywhere, all the time.
- (U//FOUO) We enable a wide range of missions:
  - Cyber Situational Awareness (your own network plus adversaries)
  - Common Operational Pictures (COP)
  - Computer Attack/Exploit Planning, Preparation of the Environment
  - Network Reconnaissance
  - Measures of Effectiveness (MOE), limited only by available data

(U) TREASUREMAP
- Continual generation of global Internet map and limited
- Focus on logical layers (router and autonomous system), but touches physical, data link and application layers
- (U) It's huge.

(U) TREASUREMAP as an Enabler
(Figure: layer stack - Persona Layer, Cyber Persona Layer, Physical Network Layer, Geographical Layer - with "Our mission" annotation.)

(U) Current State
- Data sources: Open Source intelligence, Academic, Commercially Acquired, SIGINT, Information Assurance
- Available on multiple networks to many user groups: 5-Eyes partners; JWICS users (USG IC); USG IC/DoD (TREASUREMAP-SIPR, TM-S)
- (U) New capabilities delivered every 90 days
- (U) 30 Gigabytes of additional data added and replaced per day
- OSINT (Open Source): publicly available Internet meta-data

(U) Data Sources: Feed the Machine (OSINT, Commercial, Academic)
- (U//FOUO) BGP: Gives the 300,000 foot view of the Internet. Defines routing across Autonomous Systems (AS). Origination of IP address spaces (prefixes to AS). How the Internet gets knowledge of itself (IP address space).
- Commercially purchased data sources: Akamai, SOCIALSTAMP, SEASIDEFERRY
- Open Source / Public: BGP IXP, RIPE, APNIC, ROUTEVIEWS, CERNET

(U) OSINT / Commercial: Traceroutes
- (U//FOUO) Router-to-router links to targeted IP addresses; creates links between networking devices (routers)
- TM ingests approx. 16-18 million traceroutes daily
- Gives the 300 foot view: router-to-router infrastructure
- Data sources: ARK (Archipelago Project), PACKAGEDGOODS, SOCIALSTAMP, RUSTICBAGGAGE, User Input

(U) OSINT / Commercial / Academic
- (U) Registries: Information on netblock and AS ownership
- (U) DNS: IP address to domain name matching
- (U) Operating System (OS) Fingerprints: Software and operating system characteristics of networked devices; 30-50 million unique IP addresses represented per day

(U) Traceroutes: PACKAGEDGOODS
- (U//FOUO) Collects network measurement data on the public Internet
- (U) Random traceroutes and user requested
- (U//FOUO) PG-GTR: Currently using JDD public traceroute sites to perform operations. High targeting: full IP addresses. Capable of 1e4 and ... traceroutes daily.
- (U//FOUO) PG-Server: High volume, 65 million traceroutes per day. Low targeting: /24 netblocks or higher; can do whole ASes, countries, netblocks. 13 covered servers in unwitting data centers around the globe:
  - Asia: Malaysia, Singapore, Taiwan, China (2), Indonesia, Thailand, India
  - Europe (3): Russia, Poland, Russia, Germany, Ukraine, Latvia, Denmark
  - Africa: South Africa
  - South America: Argentina, Brazil

(U) Coming Soon
- PG-Server 2.0: Tasking of full IP address
- Choice of traceroute types: ICMP, ICMP Paris, TCP, UDP
- Choice of PG-SVR for source of traceroute
- Auto-refresh

(U) Traceroutes: CAIDA
- (U) University of California San Diego, Cooperative Association for Internet Data Analysis; Archipelago measurement platform (TM data source ARK)
- (U) High volume: 10 million traceroutes per day
- (U) Random targeting: /24 netblocks, BGP advertised
- (U) 44 locations: Asia 5, Europe 15, Africa 2, North America 18, South America 2, Oceania 2

(U) Internal Sources (Protected)
- (U//FOUO) PACKAGEDGOODS (NTOC): (S) Clandestine traceroute and DNS processor
- (S//SI//REL) BLACKPEARL: SIGINT session 5-tuple identified routers, routing protocols, SIGINT access points, inferred SIGINT access points
- (S//SI//REL) LEAKYFAUCET: Flow repository of 802.11 WiFi IP addresses and clients via STUN data
- (S//SI//REL) HYDROCASTLE: 802.11 configuration data extracted from CNE activity in specific locations (requires HYDROCASTLE account)
- (S//SI//REL) MASTERSHAKE: FORNSAT and WiFi collection data
- (S//SI//REL) S-TRICKLER (NTOC): IP address fingerprints and potential vulnerabilities from FORNSAT collection

(U) Internal Sources (Protected), continued
- (S//SI//REL) TOYGRIPPE: Repository of VPN endpoints
- (S//SI//REL) DISCOROUTE repository: Router configuration files from CNE and passive SIGINT
- VITALAIRZ: Automated scanned IP addresses for TAO known vulnerabilities
- (U//FOUO) IPGeoTrap: Provides geolocation services for IP addresses/ranges
- JOLLYROGER: Provides metadata that describes the networking environment of TAO-implanted Windows PCs (requires JOLLYROGER account)
- (U//FOUO) NTOC: Specific alerts from intrusion detection sensors (not currently active)

(U) The Whole is Greater than the Sum of the Parts

(U) Data Relationships
(Figure: data types - Router Configuration Files, IP OS, Traceroutes, BGP Advertisements/Announcements, Geolocation, IP Addresses, Domain, SIGAD/CASN, MAC Address, Netblock Names - with labels Potential Satellite Hops, Stub AS, Multi-homed, Single homed. Graph simplified for presentation purposes.)
- For example, we know which AS contains a router because we can relate a router to IP addresses, IP addresses to IP prefixes, then IP prefixes to an AS.
- Yellow links denote direct relationships between data types.

(Figure: AS graph built from announcements and registries; graph simplified for presentation purposes.)

(U) Internet flow to a Network
(Figure: graph simplified for presentation purposes.) They're color-coded by country. Big deal.

(U) With 1:1 correlation of IP address with AS, country, hops, ... addresses or private IP address space: network bottlenecks. (Graph simplified for presentation purposes.)

(U) IP Geolocation Data
- Correlate IP addresses with country, latitude and longitude via IPGeoTrap

(U) Seeing in the Water
- Red links: SIGINT collection access points between two ASes
- Red core nodes: SIGINT collection access points within an AS
- Red ringed node: nodes within the AS are SIGINT referenced
(Graph simplified for presentation purposes.)

(U) Traceroute overlaid with SIGINT and other data
- Router Configuration, OS Fingerprints, Router Vendor
- Legend: node referenced in SIGINT; shields = IP addresses; underscore = AS; operational AS

(U) Known Devices
- Sources: DISCOROUTE router configuration repository
- Display supporting infrastructure as configured in router configuration files:
  - Where router accessed from (possible)
  - Servers configured for router: DNS, Radius, TACACS
- Router data in tables (Figure: Cisco Discovery Protocol (CDP) neighbor table with port columns.)

(U//FOUO) 802.11 WiFi Data
- Display and correlation of 802.11 wireless networks and RFC1918 clients
- Sources: HYDROCASTLE (account required)

(U) Communities
- Individual IP addresses related by a common attribute:
  - TOR routers
  - Servers: DNS, NTP, SNMP, TACACS, RADIUS
  - Hide IP NG Proxy Servers
  - BYZANTINE HADES infrastructure (hosting/infected hosts)
- Sources: varies; currently TOR router advertisements
(Figure: community graph with nodes labelled 12389 RU, 4837 CN, 2647 FR, NTP; accompanying TOR router table not recoverable.)

(U//FOUO) TREASUREMAP Workspace
- (U//FOUO) Toolbar: Offers access to a variety of commonly used functions
- (U//FOUO) Search Pane: Input search parameters
- (U//FOUO) Advanced Search Options: Preferences for searches. "Release my search to PG": requesting traceroutes for target IP addresses
- (U//FOUO) Other Searches: Includes Router, DNS, Batch IP/MAC and JOLLYROGER
- Legend: Contains all of the icons and decorations as seen in an active graph
- (U//FOUO) Send Feedback: Provides a way to communicate questions, comments or problems to the TREASUREMAP team

(U//FOUO) TREASUREMAP Search Items
- IP Address / Routers
- (U//FOUO) DNS FQN
- MAC address
- 802.11 BSSID
- 802.11 SSID
- IP Prefix / Range (CIDR notation)
- Registry Netblock
- SIGAD and/or Case Notation
- (U//FOUO) Country (IP Country Code)
- (U//FOUO) Autonomous System (AS) Number
- (U//FOUO) Free Text

(Screenshots: search node detail, traceroute routing infrastructure links, summary information, small text-based queries; New Features Update. Screen text not recoverable.)

(U//FOUO) TREASUREMAP Contact Info
- Government Lead
- Customer Support Team
- Email DL

This document is from the holdings of The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street NW, Washington, D.C. 20037. Phone: 202 994-7000. Fax: 202 994-7005. nsarchiv@gwu.edu