SECRET // Communications Security Establishment Canada (Centre de la sécurité des télécommunications Canada)

Cyber Network Defence Activities
SIARC 2010
CSEC N3C

Safeguarding Canada's security through information superiority

CND @ CSE
- Most cyber defence resides in Cyber Defence Futures (DCITS)
- Not a static picture
Org chart boxes as drawn on the slide: DG Cyber Defence; DG Cyber Protection; Cyber Defence Operations and Capabilities Development; Cyber Threat Evaluation Centre; Security Posture Assessment; Technical Threat Analysis; Cyber Defence Futures

Current Focus
- Current operations are passive
- Photonic Prism (aka P2)
  - Slipstream
  - Popquiz
  - Email attachment scanning (via Pony Express)
  - Snort
  - Host based intrusion detection
- Soon deploying dynamic defence COTS hardware platform

N3 Research
- N3 is mostly a consumer of research
  - Given our resources this is an appropriate model
- Very much relationship based
  - SIGINT R23
  - Defence Research and Development Canada (DRDC)
  - Royal Military College of Canada (RMC)
  - Communications Research Centre (CRC)
- Integrees
External Partners
- R23 (SIGINT)
- DRDC
- RMC
- CRC

UNCLASSIFIED (Defence R&D Canada slide)
Defence Research and Development Canada (DRDC)
- MulVAL
- AssetRank
- Joint Network Defence and Management Systems
- ARMOUR

UNCLASSIFIED (Defence R&D Canada slide)
[Figure: MulVAL inputs. Sources feeding the reasoning engine: Linux security behavior; Windows security behavior; common attack techniques; information about data assets; system admin; information about network configuration; CERT advisory. Output: attack graph.]

UNCLASSIFIED (Defence R&D Canada slide)
[Figure: MulVAL + AssetRank -> Mulasses. A ranked attack graph annotated with a "More dangerous" scale.]

Royal Military College
- Support 1 grad student per year
- Sliding Window Anomaly Detection (SWAD)
  - Models normal traffic
  - Applies the concept of hidden Markov model (HMM)
  - Used to detect covert channels

CND Development
- Mix of internal development and external collaboration
- Current CND projects (some)
  - Pony Express
  - Software modules for COTS hardware (dynamic defence)
  - Streaming 10 Gb/s sensor (P2)
  - Analyst data mining tools
[Figure: PoolTable (Scanning Framework). Unencoded attachments and metadata go in; scan results come back and are turned into formatted alerts.]

Ponies of the Pony Express
- FlowPony
  - TCP session reconstruction
  - SMTP parsing
  - Header extraction
- MailPony (mailp)
  - RFC 822 e-mail parsing
  - MIME attachment extraction
- MetaPony (metap)
  - Evaluation/scoring of parsed metadata
- ScanPony (scanp)
  - Analysis pre-processing
  - Scan dispatching
- AggPony (aggp)
  - Scan result aggregation
  - Transfers buffered output from local disk to the SAN

Ongoing Sensor Development (Photonic Prism)
- Integration of in-house and external partner anomaly detection tools and signature based detection
  - Popquiz
  - Snort
- Updating our sensors for multiple 10 Gb/s sources
  - Moving to full streaming with full capture
- Data analysis
  - Improved analyst interface that fuses data from many sources
  - Custom GUI (based on Eclipse framework)

Ongoing Sensor Development (Photonic Prism), continued
- Improved analytics
- Better facilities for collaboration
- Near real time access to anomaly data
- Improved alert/pcap performance
- Knowledge database
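As an added example, not the Pony Express code described above: a minimal MailPony/MetaPony/ScanPony-style chain built on Python's standard email package. The sample message, the scoring rules and the dispatch threshold are constructed; the real ponies' scoring logic is not on the slides.

```python
# Added illustration, not the Pony Express code the slides describe: a minimal
# MailPony -> MetaPony -> ScanPony chain. Message, rules and threshold are constructed.
import email
from email import policy

# Constructed sample: body, a harmless text attachment, and a two-byte "MZ" stub (base64 "TVo=").
SAMPLE_MESSAGE = b"""From: sender@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

meeting at 10
--b1
Content-Type: application/octet-stream; name="report.pdf.exe"
Content-Disposition: attachment; filename="report.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

EXEC_EXT = (".exe", ".scr", ".com", ".js", ".vbs")
SCAN_THRESHOLD = 3   # constructed: dispatch to the scanners at or above this score

def extract_attachments(raw):
    """MailPony stage: RFC 822/MIME parse, one metadata record per attachment (body skipped)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [{"filename": p.get_filename() or "",
             "content_type": p.get_content_type(),
             "magic": (p.get_payload(decode=True) or b"")[:2]}
            for p in msg.iter_attachments()]

def score_metadata(rec):
    """MetaPony stage (constructed rules): higher score = more worth scanning."""
    name = rec["filename"].lower()
    score = 2 if name.endswith(EXEC_EXT) else 0           # executable extension
    score += 1 if name.count(".") > 1 else 0              # double extension
    score += 2 if rec["magic"] == b"MZ" else 0            # DOS/PE header bytes
    score += 1 if rec["content_type"] == "application/octet-stream" else 0
    return score

def triage(raw):
    """ScanPony-style decision: (filename, score, dispatched) per attachment."""
    return [(r["filename"], score_metadata(r), score_metadata(r) >= SCAN_THRESHOLD)
            for r in extract_attachments(raw)]
```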
Software Modules on COTS Hardware (Dynamic Defence)
- Internal but close collaboration with NSA
- Active/Dynamic defence (inline device)
- Modules for [...] based device
  - miniSSL (passive)
  - SSquzzer
  - DNS Data Extractor
- Legal and policy work ongoing

Challenges
- Lots of standard development work to do
- Resources to pull through available research
- Length of research activities
- Translating classified requirements to an unclassified domain
- Properly engaging industry and academia
  - Focusing external partners on what is most valuable to us
- Policy

Speaker notes (the slides above, repeated with the presenter's notes)

Cyber Network Defence Activities, SIARC 2010, CSEC N3C
Notes: Within the Cyber Protection Branch there is an Architecture and Engineering Directorate where most of the Research and Development activities take place.

CND @ CSE (org chart as above)
Notes: The purpose of my talk is to characterize the [...] within CND at CSEC. I cannot give a complete picture. This is just to provide some context of where cyber defence research resides within CSEC. This is a recent partial picture. It is not static, however; the org chart is evolving. CTEC is very new and still defining its role. Some future changes: it is anticipated that Cyber Defence Operations and Capabilities Development will become 2 separate directorates. Cyber Defence Futures will be split into 2 sections. Eventually those sections will form the start of the Capabilities Development directorate.

Current Focus (slide as above)
Notes: At the moment most of our efforts are on incremental improvements on the current sensor, making it ready for 10 Gb/s systems and beyond. Our detection capabilities are based on 4 frameworks:
1. Slipstream
2. Popquiz
3. Pony Express
4. Snort
We should soon have our first dynamic defence deployment.

N3 Research (slide as above)
Notes: It's difficult to speak about a research program that is virtual. We are a small group (but growing) trying to look at a lot of data. Given our size, our best return on investment would not come from using current resources for low level research. It makes more sense to leverage the [...] of some external partners. There is already a large body of work out there that we can benefit from before we need to push it ourselves. This means our program is mostly a relationship based program. In fact, this model has already proven to be extremely valuable via the success of Popquiz developed by R23 and our email attachment scanner from GCHQ. In between in-house and external is the use of Integrees.

External Partners (slide as above)
Notes: The next set of slides provides some overview of the research done by our external partners that we are following/tracking/consuming. Some is in use (Popquiz). Some will shortly be in production (Popeyesear). Many are "for the future". Some chosen examples follow.

Defence Research and Development Canada (DRDC) (slide as above; UNCLASSIFIED)
Notes: Defence Research and Development Canada is an arm of the Department of National Defence. Within DRDC Ottawa is the Network Information Operations (NIO) section. Within the Attack Detection and Analysis group, there are 3 projects of particular interest to us: [...], Mulasses, and ARMOUR. DRDC also provides us a mechanism for working on NATO projects as they already have a well established relationship with NATO.
MulVAL inputs (figure as above; UNCLASSIFIED)
Notes: Network based vulnerability analysis project. Pure logic based reasoning engine that generates attack graphs. These attack graphs can be huge; a system to prioritize them needed to be created. Based on Xinming (Simon) Ou's dissertation from Princeton. Simon is currently a professor at Kansas State University where he continues development of MulVAL and related projects. These are the 5 classes of input that go into MulVAL:
1. User and data asset information
2. Network configuration (hacls): basically describes which computers can talk and on which ports
3. Host configuration: software running on machines within the network
4. CERT (or other advisories) that contain information about vulnerabilities
5. Security expert information: logic to describe what can be accomplished on a computer given credentials
This input goes into a reasoning system (MulVAL) which can then generate attack paths.

MulVAL + AssetRank -> Mulasses (figure as above; UNCLASSIFIED)
Notes: AssetRank is an adaptation of the original Google PageRank algorithm that can prioritize nodes of an attack graph (or any other logic based graph). It is used to prioritize which network conditions (facts) are the most important to fix first in order to harden the network. Attack graph:
- Ellipse: AND nodes. True if all the dependencies are true.
- Diamond: OR nodes. True if any of the children nodes are true.
- Box: facts, i.e. network/host configuration, installed/running software, vulnerabilities.
Together, MulVAL + AssetRank -> Mulasses! Mulasses output is a prioritized list of network configuration properties to be modified to harden the network. This project has potential value in a network vulnerability shop.
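The AND/OR attack graph and AssetRank-style prioritisation described in these notes, as an added example that is not DRDC's MulVAL, AssetRank or Mulasses code: a constructed graph with two attack paths to one goal, a reachability check that answers "is the goal still derivable if this fact is fixed", and a simplified PageRank-style ranking (the published AssetRank weighting differs; only the AND-passes-all / OR-splits idea is kept) that ranks the facts shared by both paths highest. Host names, ports and the VULN-PLACEHOLDER-* identifiers are constructed.

```python
# Added illustration, not DRDC's MulVAL/AssetRank/Mulasses code: a toy AND/OR
# attack graph as the notes describe it (box = fact, ellipse = AND, diamond = OR)
# plus a simplified PageRank-style ranking that pushes importance from the goal
# down the dependency arcs. Hosts, ports and VULN-PLACEHOLDER-* are constructed.

# node -> (kind, dependencies); a name with no entry here is a fact (box).
GRAPH = {
    "execCode(db,root)":    ("OR",  ["rule:web_to_db", "rule:internet_to_db"]),
    "rule:web_to_db":       ("AND", ["execCode(web,user)", "hacl(web,db,tcp,3306)",
                                     "networkService(db,mysqld,tcp,3306)",
                                     "vulnExists(db,VULN-PLACEHOLDER-B,mysqld)"]),
    "rule:internet_to_db":  ("AND", ["hacl(internet,db,tcp,3306)",
                                     "networkService(db,mysqld,tcp,3306)",
                                     "vulnExists(db,VULN-PLACEHOLDER-B,mysqld)"]),
    "execCode(web,user)":   ("OR",  ["rule:internet_to_web"]),
    "rule:internet_to_web": ("AND", ["hacl(internet,web,tcp,80)",
                                     "networkService(web,httpd,tcp,80)",
                                     "vulnExists(web,VULN-PLACEHOLDER-A,httpd)"]),
}
FACTS = sorted({d for _, deps in GRAPH.values() for d in deps if d not in GRAPH})

def holds(node, fixed=frozenset()):
    """True if the attacker can still derive `node` after the facts in `fixed` are removed."""
    if node not in GRAPH:                      # box: a configuration fact
        return node not in fixed
    kind, deps = GRAPH[node]
    combine = all if kind == "AND" else any    # ellipse = AND, diamond = OR
    return combine(holds(d, fixed) for d in deps)

def asset_rank(goal, damping=0.85, iters=50):
    """Simplified AssetRank: the goal injects (1 - damping) each round; an AND node
    hands its full score to every dependency, an OR node splits it among children."""
    rank = {n: 0.0 for n in list(GRAPH) + FACTS}
    for _ in range(iters):
        new = {n: (1.0 - damping if n == goal else 0.0) for n in rank}
        for parent, (kind, deps) in GRAPH.items():
            share = rank[parent] if kind == "AND" else rank[parent] / len(deps)
            for d in deps:
                new[d] += damping * share
        rank = new
    return rank

def prioritize(goal):
    """Mulasses-style output: facts ordered by rank, most valuable to fix first."""
    rank = asset_rank(goal)
    return sorted(FACTS, key=lambda f: -rank[f])

if __name__ == "__main__":
    for fact in prioritize("execCode(db,root)"):
        print(f"{fact:42} goal still reachable if fixed: {holds('execCode(db,root)', {fact})}")
```

The two facts common to both paths (the db service and its vulnerability) come out on top, and fixing either one alone is enough to make the goal underivable, whereas fixing a web-only fact leaves the direct path open.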
Royal Military College (slide as above)
Notes: Hidden Markov model: the state of the system is not visible to the observer, only the output. The system is assumed to be a Markov process. Markov process: a stochastic process with the Markov property. Markov property: a random phenomenon depends only on the present state of the system; it does not depend on the past or future state. Why we are interested: detecting covert channels is our business. If it is successful, it may prove to be a very valuable tool. Other benefits of RMC collaborations: people! Several RMC students have become CSEC employees. They are cleared, and have an education centred on our mutual interests. The current phase of the SWAD project is to build a user interface that is analyst friendly. Much of the work to date has been proof of concept work.

CND Development (slide as above)
Notes: For the next couple of slides I will show some of our recent in-house development efforts. We really do not have what I would characterize as "research" within Cyber Defence. We do hope to get there.