Treasure Map Presentation

Sep. 14 2014 — 10:15a.m.


-- :2 r=~t -- ?r If?. ?In? ll?t Bad guys are everywhere, good guys are somewhere! Threat Operations Center (NTOC) NTOC Technology Development

TSHSIHREL TD USA. F'v'E?r" (U) NTOC - Operates under both SIGINT and Information Assurance authorities Leverage SIGINT, IA, OSINT - (UIIFOUO) Coordinates Integrated Cyber Operations V2: Analysis V3: Operations V4: Technology Development Support - V45: Technologyr Development Division

TSHSIHFQEL TD USA. (U) V45 - Projects TREASUREMAP Massive Internet mapping, exploration, and analysis engine - PACKAGEDGOODS Globally dispersed traceroute generators - (U) Other Projects TSJISWREL TD USA,

TSHSIHFEEL TD USA. F'v'E?t' (U) What is ran (UHFOUO) Capability for building a near real-time, interactive map of the global internet. Map the entire Internet Any device*, anywhere, all the time (UHFOUO) We enable a wide range of missions: Cyber Situational Awareness your own network plus adversaries? - Common Operation Pictures (COP) - Computer Anackaxploit Planning Proparation of the Environment - Network Reconnaissance - Measures of Effectiveness (MOE) limited only by available data) w_ TEJJEWHEL TD USA, F'Iul'E?i"

TSHSIHFEEL TD USA. (U) TREASUREMAP - Continual generation of global Internet map, and (limited) - Focus on logical layers (router and autonomous system), but touches physical, data link, and application layers - (U) Its Huge. 5 TEHSWREL USA.

TSHSIHREL TD USA, F?y'E?r? (U) TREASUREMAP as an Enabler 1?1" I. Persona Layer Cyoer Persona Layer Physical Network Layer Geographical Layer Dur mission

TSHSIHREL TD USA. (U) Current State (UHFOUO) Data Sources Open Source intelligence Academic Commercially Acquired SIGINT Information Assurance (UHFOUO) Available on multiple networks to many user groups 5-Eyes partners JWICS users - USG IC USG IC lDoD TREASUREMAP-SIPR (U) Nevv capabilities delivered every 90 days (U) 30+ Gigabytes of additional data added and replaced per day OSINT Open Source Publicly available Internet Meta-Data) TEHSWREL TD USA, F'v'E?r'

TSHSIHREL TD LISA, J?il?E Peril: (U) Data Sources Feed the Machine

TSHSIHFEEL TD USA. FVET OSINT, Commercial Academich Plci. ?In. nah(UIIFOUO) BGP Gives the 300,000 foot trietmr of the Internet Defines routing across Autonomous Systems (AS) Origination of IP address spaces (Prefixes) to AS How the Internet gets knowledge of itself (IP address space) Commericaly purchased Data Sources Akamai, SOCIALSTAMP, SEASIDEFERRY Open Source Public BGP, IXP (RIPE), APNIC, ROUTEVIEWS, CERNET TD

TSHSIHFEEL TD USA. -. 1- l? (U) OSINT, Commercial Academicwmn - (UHFOUO) Traceroutes Router ?to- router links to targeted IP addresses Creates links between networking devices (routers) TM ingests approx. ~16?18 million traceroutes daily Gives the 300 foot View, router-to-router infrastructure Data Sources ARK Archipelago Project PACKAGEDGOODS SOCIALSTAMP - RUSTICBAGGAGE User Input w? TENSWHEL TD USA.

TSHSIHREL TD USA. AcademicIPi?ar?r? remap - (U) Registries - Information on netblock and AS ownership - (U) DNS - IP address to domain name matching - (U) Operating System (OS) Fingerprints Software and Operating System characteristics of networked devices ~30-50 million unique IP addresses represented per day

TSHSIHFEEL TD USA. OUO) Traceroutes: . d? I l?(UHFOUO) Collects ?network measurement" data, on public internet (U) Random traceroutes and user requested (UHFOUO) PG-GTR Currently using JDD public traceroute sites to perform operations High target (full IP addresses) Capable of le4 and le? traceroutes daily (UHFOUO) PG-Seryer High yolume: ~65 million traceroutes per day Low targeting: le-l ?24 netblocks or higher Can do whole ASes, Country, Netblocks 13 covered servers in unwitting data centers around the globe - Asia: Malaysia, Singapore, Taiwan, China (2), Indonesia, Thailand, India - Europe 3; Russia: Poland, Russia, Germany, Ukraine, Latyia, Denmark - Africa: South Africa - South America: Argentina, Brazil TEHSWREL USA.

TSJISIHREL TD USA, (U) Coming Soon! Int?53721 J?il?E - PG-Server 2.0 Tasking of full IP address Choice of traceroute types: - ICMP - ICMP Paris - TCP - UDP Choice of PG-SVR (for source of traceroute) Auto-refresh

TSHSIHFQEL TD USA. F'v?E?t' (U) Traceroutes - CAIDA (U) University of California, San Diego Cooperative Association for Internet Data Analysis Archipelago measurement platform TM data source: ARK (U) High volume: ~10 million traceroutes per day (U) Random targeting (I24 netblock, BGP advertised) (U) 44 Locations: Asia (5), Europe (15), Africa (2), North America (18), South America (2), Oceania (2) TSJISWREL TD USA,

TSHSIHFEEL TD USA. FUET (UHFOUO) PACKAGEDGOODS - NTOC (S) Clandestine traceroute and DNS processor (SHSIHREL) BLACKPEARL SIGINT session 5-tupel, identified routers, routing protocols, SIGINT access points, (inferred SIGINT access points) (SHSIHR EL) LEAKYFAUCET Flow repository of 802.11 WiFi IP addresses and clients via STUN data (SHSIHREL) HYDROCASTLE 802.11 configuration data extracted from CNE activity in specific locations (Requires HYDROCASTLE account) (SHSIHREL) MASTERSHAKE FORNSAT and WiFi collection data (SHSIHREL) S-TRICKLER - NTOC - IP address fingerprints and potential vulnerabilities from FORNSAT collection In ?v To LISA. weir

TSHSIHFEEL TD USA. F'v'E?t' U) Internal Sources (Protected . (SHSIHREL) TOYGRIPPE - Repository of VPN endpoints (SHSIHREL) Router configuration files from CNE and passive SIGINT DISCOROUTE repository VITALAIRZ Autontated scaned IP addresses for TAO known vulnerabilities (UHFOUO) IPGeoTrap - Provides geolocation services for IP addressesfranges JOLLYROGER Provides metadata that describes the networking environment of TAO- implanted Windows PCs (Requires JOLLYROGER account) (UHFOUO) NTOC - Specific alerts from intrusion detection sensors - (not currently active) 3 USA.

TSHSIHREL TD LISA, Til?E Igc?xftI: (U) The Whole is Greater than the Sum of the Parts

TSHSIHFEEL TD USA. (U) Data Relationships Router Configuration Files Router Traceroutes Advertl?emem? Geolocatl on Autonomous u: an dress stem DU main SIGADICASN MAC Address NetblocI-t Names E11. Ex: Yellow links denotes direct relationships between data types. For example, we know which AS contains a router because we can relate a router to IP Addresses, IP Addresses to IP Pre?xes, then IP Pre?xes to an AS. TD USA,

if] EL Announcements Potential Satellite Hops Graph simplified for presentation purpose Stulo AS: Molti-hometl EL Single hometl TD LISA, F'IurlE?l?r

TD (U) and Registries Tl'l Fit:th Teleleem A. Etris It I I. n. I. urn Unet Hell-er li'Jr'JL?i . E55 Tl'ne?r Aul'molnol? Erstem ?l I. Ujlilrrl?liL?mrl'j I 5? TM Net, intern-st ieren iuuljorl Curl-mall} Jr? I ilnii'rh'i 1m. a. a. INTEL-ASH I?ntol Teleoom LEUELE Level 3 mmlcotlons Singapore Plovider Petisi'an Teleoom lelted State I?titute a I. I .- of leclnoloqies and or FREE-NET-F. I'RlInet Graph simplified for presentation purpose LISA, Pu'E?r'

TD USA. (U) Internet ?flow? to a ?Network? Tit?5*: no Graph simplified for on purpose They?re color-coded by country. Big deal. TD USA,

EL TD LJ (U) With 1?4 as; 1' Correlation of IP Address with AS EL 1' 5 Country 1T4 rus?: . . . a? - Hops . I --.. - .. 171T4 rust; Addresses (private IP address spaceNetwork Bottlenecks Graph sln1 plIfI ed for presentation purpose TO USA,

HF: EL TD Pu" E"r' LISA, a all Graph simplified for presentation purppse

TSHSIHHEL TD USA, (U) IP Geolocation Data Til?E Ii?v?F

TSHSIHHEL TD USA, J?il?E (U) Seeing in the Water

EL TD Fin-?E? 1 writRed Links: Red Ccre ches: SIGINT Ccllecticn access pcints between SIGINT 333355 PDintS Within A5 :rc. FH?xbjri-H Psi-net zed serge: ntng'L i . '21 I +5.3 .- as u: rum-e 1:5 as 3 ?a .. 1.5- 33 - .x a hat"; . -. a JF fir-I-FI Fl. ?Ema TI: In t-Ii'rlrl tic-1 it: if: in [His Funk.? IE em? LI L: In? cs. 41mm x" Eer'u' ce iredder 2 ?1 inn! !i '1 - JP sewice crevicer ic [Jens-e a [teasing acts-scra? 1 . Ltd- [Arth _h LENS L'Li?ri'dl .L'iirt-LiliIEc: ?ags {hen Ln 'T'erslta?l?b?l nejrm+__ Red Hinged che: ches within A5 are SIGINT Referenced Graph BimP'i?E?d Presentati?n PUFPDSE TD USA, F'ifE?r?

TD USA. Traceroute overlaid with SIGINT and other Router Configuration DE Fmgerpr'ms Router lti'endor:t3istNode Referenced in SIGINT Shields: IP Addresses Undersoore AS: ?Operational? AS TD USA, F?Iul'E?f'

TD USA. Known Devices Scurces: DISCOROUTE rcuter ccnfiguraticn repcsitcry) Display infrastructure, as ccnfigured in rcuter ccnfiguraticn files - Where rcuter accessed from (pcssible - sewers configured for rcuter DNS, Radius, TACACS) TO USA,

TD USA. FUET (SHSIHREL) Known Devices Sources: DISCOROUTE (NAG router configuration repository54'. . I . I: Routerdata in tables I I Fmiir F: Fir rho; r11 Finn? - I EDT: i'n'ILIr f-tFtE Ht'tT - I TD USA,

.- Ir - ?alr 39.254.60- LEE-SIN 1 TD USA. EDP Router Report: P?fil??l FDIC Cisco Discovery Protocol (CDP) ELF Involz bwitching Protocol ?5 Hounzry ..-1. 1:31 mm? 5?6 ?ourcez ED LEL ?32310 I TD USA,

TD USA. (UIIFOUO) 302.11 WiFi Data Display and correlation of 802.11 wireless networks and clients Sources 1* account required) J. TD USA,

TD USA. F'v?E?r' (U) Communities Individual IP addresses related by a common attribute - TOR router Servers (DNS, NTP, SNMP, TACACS, RADIUS) - Hide IP NG Proxy Servers - BYZANTINE HADES Infrastructure hostinnfected hosts - Sources: (Varies) Currently TOR router advertisements TD USA,

EL TD LJ E- II- H-u .?al?dl'allnam - - If] EFFICA. LEE Grandad: 11?191'2010 Modi?ed: 13:1.21 ERR #1511] . I IE.- Evl? ;Iii - . I . at] F. 3?1] 'J-H?ol 3?51?: ?3311geese-I; gig-3;; I 333312; I LEEDEIEI I LEE-ISM I $332935 313327: AEI E-II A I H: Film I ll'.l I :uu. ?31'1" .l I h? 2-39? cm 7343 3.3.11- ?3 CW 73' I533 ?In. 51' I II IE EW 51": ?in. I 13:1:- Fin-'7- IZITICA. LEE I: Ll'l' TSHSIHREL TD USA, F?qu'E?fr

TSHSIHFEEL TD USA. F'v'E?t' (UIIFOUO) TREASUREMAP Workspace - (UIIFOUO) Toolbar: Offers access to a variety of commonly used func?ons - (UIIFOUO) Search Pane: Input search parameters (UIIFOUO) Advanced Search Options: Preferences for searches (UIIFOUO) Release my search to PG: Requesting traceroutes for target IP addresses - (UIIFOUO) Other Searches: Includes Router, DNS, Batch IPIMAC and JOLLYROGER Legend: Contains all of the icons and decorations as seen in an active graph - (UIIFOUO) Send Feedback: Provides a vvay to communicate questions, comments or problems to the TREASUREMAP team. w_ TEJJEWHEL TD USA,

TSJISIHREL TD USA, F'u'E?r' (UIIFOUO) TREASUREMAP Search Items IP Address Routers (UIIFOUO) DNS (FQN) MAC address 1? 802.11 BSSID 1? 802.11 SSID IP Prefix 1? Range (CIDR Notation) Registry Netblock SIGAD andr?or Case Notation (UIIFOUO) Country! IP Country Code (UIIFOUO) Autonomous System (AS) Number 10. (UIIFOUO) Free Text .

TD USA. ?It E-:t e: ?11 .1 111:1 IE- Nude.- detail u-us I I: Traceruute routing infrastructure Links I II Jr?er a mu Iii-lit 143% mummy Summary I Information "mm, mm. 21:11:: Tar-Jet ?at-2H: Tar-:b.3151 I.I- II- II IT IT TI: JEA. TD USA,

Hui?. 53]] Elli-L?ilw-I. an. _Gu I - Emu: gm name gunman-Jana Ems. male tumm- - arr-mm Fr'hl Inlj I I qurInirm-urlj' I I'il'll'l PET. lql'llri an I1 II I'h: HpimhhlrI? imIlThI 'Ilnll'l'la-I: uni-:l 13mer :11" il'nln-Illr .TI rIIllinI: 'I'ilh lh' Inn. 'Iln. I Tm'ul? Irhh ?Jill-II 1M wnlinul ILL- l'll?ll. uni] :wu: apt-n Mumvm will: Iu 11ml?. L?usmuamu'mm IJHH: l-?JJm-?Ji' .1. ma: :5 1] hme. In: .111:- n: 111-9 g; CI: .L'i min-{Jug 112-74.- rem .111. I . 5:51 r. :t'uthcu. a: . - urtlu.r_.._ wall L: Lela?2c}. Iii-1.15. alme Lani-Lilla: mm'?n?l?un mil Lam-?- M?m Hm m?m? urI. NEH. Inn and nil: - Small text-d ueries Dunduul. mammw W's? Hun in?ammat- DDW I- 621:. 341.:3. '12! . . . . - Min-55.1.! Emmi.? tum! 5.33133: all? I .iti Hana. ?ll?llrm 13.3.. 1rd ate I 1955:]- C1 I I F: D?n'rIrnunT?nl E?j? I I mE-?fl I T-t'rlifjr i-t'rlifj: nrhnal van-m pr-i-?H I wring Til-If v?'lr'rk ninth r'f?w'i "It: . In" I 31.1. In: In I: ll ll E-IHI Ilia-wk Hz: m: Hz: urn-(Lam. -.I- 'u I: Lid. Lin'I-Trw Flt-u 'rh rmr'.? - 'trr. hm" 55?? II he]; (client: .L'd Lita-hr. 5-H: net: ml Iri?u? I 1: Ed (2-H: In?: -. . j. I, - Ll'L'rr- I T: l'uPrr .- Brim-r: Jul ~rn'm3"un'" - Ff? - bur-J.- hz- uni-e TO USA,

TSHSIHHEL TD USA, 4 "i . (UIIFOUO) TREASUREMAP Contact Infomm Government Lead - Customer Support Team - Email: DL

Fetching more

Filters SVG