Documents

OSINT Fusion Project

Jul. 1 2015 — 1:51p.m.

/24
1/24

TOP SECRETHCOMINTHREL TO USA, OSINT FUSION PROJECT Lockheed Martin Intelligence TOP SECRETHGOMINTHHEL

TOP SECRETHCOMINTHREL TO USA, Traditional OSINT q. frag? a - Traditional OSINT is mostly from main stream news, compiled summaries, and information put out by venders. Good for situational awareness Some excellent analysis on attacks and exploits Information can be days or weeks old Doesn?t normally contain strong selectors TOP SECRETHCOMINTHREL TO USA, F?il'E?t?r

TOP SECRETHCOMINTHREL TO USA, Research Objectives I q. I I To compile OSINT information that enables CNO operations analysis Emerging threats Situational awareness Identification of the following: - Victims - Capabilities - Adversaries - Infrastructure TOP SECRETHCOMINTHREL TO USA, F?ll'E?t?r

TOP SECRETHCOMINTHREL TO USA, .: Research Objectives To identify strong selectors and unique strings from OSINT that can be used within SIGINT: To build XKEYSCORE Fingerprints to identify the an adversaries capabilities being used within SIGINT Collection To identify and task adversaries and their infrastructure within SIGINT To identify victims for Party Collection Opportunities TOP SECRETHCOMINTHREL TO USA, F?il'E?t?r

TOP To USA, a Hacker Forums - A clever way to collect OSINT information from Hacker Forums RSS Feeds - Automated collection of new and historical posts - Allows quicker analysis of posts - Leaves no tracks on the forum unlike AIRGAP - If enabled, can also get feeds from closed (login required) forums. - Enables analyst to prioritize other sites without RSS feeds for other access operations TOP SECRETHCOMINTHREL TO USA, F?lr'E?t?r

TOP SECRETHCOMINTHREL TO USA, 3. .. -- as ital?a Hacker Forums - Allows for the identification of: Adversaries - Those who are building capabilities - Those who are selling capabilities - Those who are using the capabilities - Those who are selling information (Cyber Crime) Capabilities - Profiling and understanding of emerging tactics, techniques, and procedures used by our adversaries - Identification of locations where capabilities can be obtained TOP SECRETHCOMINTHHEL TO USA, FVEY

TOP SECRETHCOMINTHREL TO USA, mm.? un?t; Hacker Forums BalchEnergy title-3 Bet by nuclear stealth mechanisms fiudertr suppert muititargeting and - if the purpese fer the attack indicates the demain name is created by a greup cf flaws tc attack: each lP-address attached tp this dcmain [rezeluing repeated euery15 minutes} Slayer??l 5'3 HEAT '1 -2 Final lay slayer?'i Heel.Ir Guy's, lhE ?rst Final Htliid. After sear-rte hard wars: i fit-red tilts: ea little Bugs and added Heyiegging Function Better GUI FlagEysten-it Senate-miner Ea. Slay-erul? Huwrs?- - Lemma an - EH firBundles esptcit [yes Expieit System} by Saint Weleeme ferumehan! i. - Sell splpiteti ligament. Create ?1 ZIP ?rfIDE?th Test mist, iframe traffic: ?i'euur brewser tersicn prehiva Percent P??t?d it}? X.l:i.l1.0 trite-net 5U - ?ll-T5931: hie-?rial Emu? 5-1 ?t z_ip hetnh, alse human as a Zip at Death, is a malieietts archive ?le designed te crash er t'iternet Esplarer 5.5 - Ell-90% t'itE?I'ia?t 5J3 - 35-59% hte'net TD Jill-15% render useless the er system readng it. it is alien used by _?fil?lls writers te disable anti'rirus sp llware__ set that a mere traditienal 1rirus sent a?ensatds eeuld get inte mimic [-mlmr an system undetected. nip hemp is usually a small file {up te a ?ew hundred ltilehjrtes} tel? Gpera ail?9.25 30% ease Ur transpert and in areid suspieien. I-lewerer, when the tile is tatpaelted its eentents {Jeers 13?1 5% are mere than the system can handleffeu can make yeur awn zip heath tn yeur 10.0 - B-1D?te lriends er just put pf euriesity (er wilderness] te experiment with it. Make sure yea den't IeFus - 15-20% .Z'trchi-i - Eli-t 3st ?Itjl?li: t'u'rlrr't'l a detenate it an TOP SECRETHOOMINTHHEL TO USA,

TOP SECRETHCOMINTHREL To use, FVEY w, . Hacker Forums 'an The Fella-wing Heet Heme wee requested frern a hnet ?etabaee: 1? There wee registered attempt te establish calm? re?ection deteiis . [m {server [whats here! in Emu "It: etiem niekesin?lmad Hum r. mete Heet F'ert - Fri. DRSEH . CUM EIEJ 333 euthanqu traffic [petentieily malicious} I11 Attentien! There was new em I - .egemitme ?ee?e 55Eel-and Analysis :1 TOP SEGHETHCOMINTHFEEL To'use, We?

TOP SECRETHCOMINTHREL TO USA, it? 4* 3.5a- Hacker Forums You need tn he nperatnr tn net the tnnic. Default ia taper the hat; but if they have changed it, attach it with year hate and make sure that yen are the ti rat tn jain! If yen happen to get intn a channel with a tan cf hate: and the an iant there? change year nick tn a hate name, at similar, and wait. The}t ahculd type like .lngin thate 1ahen you dc the same! haha. type Jegin {password} then npdate httpeh?anawi TOP SECRETHCOMINTHHEL TO USA, FVEY

TOP SECRETHCOMINTHREL TO USA, a: Malicious Emails - Leverage OSINT to identify the infrastructure and source of top virus email senders by IP address Based on CISCO Iron Port view of 25-30% of the worlds email Identifies infrastructure used by adversaries to deliver capability Allows SIGINT profiling of activity on the IP TOP SECRETHCOMINTHREL TO USA, F?ll'E?t?r

TOP SECRETHCOMINTHREL To USA. FVEY . Malicious Emails l?E virus by ip last day l? HEY . change I 1. ENS issue; :1 0.2111923 Csmmunisstisns 217.57.123.22; 11.14959 49:1.541i3tandby 113::- range 2111311115151 Aditama - i- --rss?s. {Nation-a1 IntEsEE-sF-iaisri_-. 59.71.203.33?? 111m? 0.01513'333113 259.337 1131' Tsur Eggs-131. 14 CID 55.191.129J _l imam-Iii ?54.35?3 H?Dptissm 125.139.311.124: I i (1.0115515?i "135-999 92.518.118.11? [1.111115415; HIE-EBB Psun?Hsst Internet Services Hem-s.- 195.311.9.15 i aim-11131149 12.2101 Interns: CHTD. Cs. . Ltd. 194.223.41.114 I if Tsls-ssm a.s. swans-:15 -s.34us4 ?srss 11-34 arr-94 mamas-net mssas-sr FIT-11314335 sh-?idEI-UEE-sg-?sl-hg i [1.11115111113?1 951.1?df?avidsv Hist PI spa-rs TOP SEGHETHCOMINTHFEEL Friar

TOP SECRETHCOMINTHREL To usa, q. Malicious Connections - An effort to identify the latest emerging threats that are not yet detected by anti- virus or signatures Malicious Binary MD5 (track capability) The adversaries infrastructure that exploited systems connect to after being compromised Traffic generated by compromised systems to build XKEYSCORE fingerprints TOP SECRETHCOMINTHREL TO USA, F?il'E?t?r

TOP SECRETHCOMINTHREL To USA, FVEY Malicious Connections MI-ISCND Connections Report 18 LMAY 2009 The fellewing ?call heme" IPefDemaine eheuld he eeneidere? and eenneetivity te them eheuld he investigated- Hyatema initiating a eenneetien with IPeIDemaine eheuld be treated as eem remieed until '9 Mme-wed- Fc-c: File Filesize: 108,032 bytes Eategery: trejan heree er bet that may represent riek her the eempremieed systEm andfer i 5 me twee-k; :11! i lit The fellewihg Heet'mame wee requeeted frem a best ?atabaee: - bf.burimehe.net There wee Legietered attempt te eetahlieh een?ectien with the rennet-F: heat- The eenneetieze ?etaile are: Remete Heet Pert Number hf.hurimehe.net e244 where was a new cenneetien established with a remete THC Server? The generate? eutbeund IRE traffie ie ptevided beme: PASS hf HIDE USER TOP SECRETHCOMINTHHEL TO USA, FVEY

TOP SECRETHCOMINTHREL TO USA, I q. I I Malicious Connections - NTOC Signatures for Sensors BLUESASH TUTELAGE (TURBULENCE Defensive) CROSSBONES NSA TAO GCHQ CNE Counter CNE Ops IVIHS NDIST 4th Party Collection JCMA Cyber Customer focused CND GOVCERT UK UK Government CND TOP SECRETHCOMINTHREL TO USA, F?il'E?t?r

TOP SECRETHCOMINTHREL TO USA, Malicious Connections The following statistics show the number of NTOC DNS Alerts that were an exact match for a malicious connection reported in the Malicious Connections Report. Date 51114109 51113109 51"1 2?09 511 1109 5110109 51103109 51031109 5107109 51'06l?09 5104109 51031109 5101109 41130109 41125009 Total DNS Alerts Exact MCFI Match TOP SECRETHCOMINTHREL TO USA, F?il'E?t?r Percentage 59

.7 It Malicious Connections - Government Email addresses passed to exploit server 17 email accounts Discovered using an MHS developed XKEYSCORE Fingerprint that was written to identify a malicious connection while searching for MENA 4"h Party Collection opportunities. TOP SECRETHCOMINTHREL TO USA, F?il'E?t?r TOP SECRETHGOMINTHREL To USA, Fva

TOP SECRETHCOMINTHREL TO USA, ShadowServer Data 1 q. I I - Sinkhole HTTP Drone Report - All the IP addresses that joined the sinkhole server that did not join via a referral URL. Since the Sinkhole server is only accessed through previously malicious domain names only infected systems are in the report. Victims I Infrastructure I Command Strings TOP SECRETHCOMINTHREL TO USA, FVEY

TOP SECRETHCOMINTHREL TO USA, q. ShadowServer Data - Sandbox URL Report - These are UFth that were access by malware. Binary MD5 Hashes Infrastructure HTTP Command Strings - Botnet Drone Report - All the IP addresses that were seen joining a known Botnet Command and Control Server. Victims Infrastructure - 25 US Government (Federal State Local) systems communicating with botnets between 5?7 June 2009 TOP SECRETHCOMINTHREL TO USA, FVEY

TOP SECRETHCOMINTHREL TO USA, ShadowServer Data q. I I - Botnet URL Report - Any URL that was seen in a botnet channel is reported. The URL could be an update, complaint, or information related to the criminals. Everything is included in case there is something of value in the URL. Infrastructure Capabilities HTTP Command Strings - DDOS Report - Any attack is reported whether the country is the target or the source of the attack. Victims I Infrastructure I Capabilities TOP SECRETHCOMINTHREL TO USA, F?sl'E?t?r

State Sponsored I q. I I Example 1 (FBI CN Intrusion Set) Identified MALWARE report for known domain. Found another binary which was an exact match that revealed a previously unassociated domain to this intrusion set 9 months before first known activity of this intrusion set. - Infrastructure/ Registration Timeline MD5 hash TOP SECRETHCOMINTHREL TO USA, F?ll'E?t?r TOP SECRETHCOMINTHREL TO USA, Hm}-

TOP SECRETHCOMINTHREL TO USA, q. 7 State Sponsored - Example 2 (JTF-GNO CN Intrusion Set) 6 different reports noted the use of a specific Chinese developed standalone web server software package. Identified 3 new binaries in OSINT malware research that also used this exact software package. - 3 new domains (infrastructure registration time line MD5 Hashes) TOP SECRETHCOMINTHREL TO USA, F?ll'E?t?r

TOP SECRETHCOMINTHREL TO USA, Hm}- State Sponsored I q. I I - Example 3 (NSA CN Intrusion Set) Identified 2 binaries in OSINT that matched those called out in a report with their associated malware analysis and MD5 hashes. TOP SECRETHCOMINTHREL TO USA, F?ll'E?t?r

TOP SECRETHCOMINTHREL TO USA, Collaboration TOP SECRETHCOMINTHREL TO USA, FVEY

TOP SECRETHCOMINTHREL TO USA, FVEY Questions? TOP SECRETHCOMINTHHEL TO USA, FVEY

Fetching more

Filters SVG