OSINT Fusion Project
Jul. 1 2015 — 9:51 a.m.

TOP SECRET//COMINT//REL TO USA, FVEY
OSINT FUSION PROJECT
Lockheed Martin Intelligence

Traditional OSINT
- Traditional OSINT is mostly from mainstream news, compiled summaries, and information put out by vendors.
- Good for situational awareness
- Some excellent analysis on attacks and exploits
- Information can be days or weeks old
- Doesn't normally contain strong selectors

Research Objectives
- To compile OSINT information that enables CNO operations analysis
- Emerging threats
- Situational awareness
- Identification of the following:
  - Victims
  - Adversaries
  - Capabilities
  - Infrastructure

Research Objectives
- To identify strong selectors and unique strings from OSINT that can be used within SIGINT:
  - To build XKEYSCORE fingerprints to identify an adversary's capabilities being used within SIGINT collection
  - To identify and task adversaries and their infrastructure within SIGINT
  - To identify victims for 4th Party Collection opportunities

Hacker Forums
- A clever way to collect OSINT information from hacker forums: RSS feeds
  - Automated collection of new and historical posts
  - Allows quicker analysis of posts
  - Leaves no tracks on the forum, unlike AIRGAP
  - If enabled, can also get feeds from closed (login required) forums
  - Enables the analyst to prioritize other sites without RSS feeds for other access operations
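As an added illustration of the RSS approach described above (this is example code written for this page, not tooling from the original deck or from Lockheed Martin), the script below polls a forum feed, keeps only posts whose GUID has not been seen before, and pulls candidate strong selectors (IPv4 addresses, MD5 hashes, domain names) out of each new post. The feed XML, forum name, GUIDs and indicators are constructed placeholders; a real deployment would replace the inline string with an HTTP fetch of the forum's feed URL.

```python
"""Added example: collect new posts from a hacker-forum RSS feed and extract
candidate selectors. The feed below is constructed for this example; the forum,
GUIDs, hash, addresses and domains in it are invented placeholders."""
import re
import xml.etree.ElementTree as ET
from html import unescape

# Constructed sample feed (two items), standing in for an HTTP fetch of the real feed.
SAMPLE_FEED = """<rss version="2.0"><channel><title>example-forum</title>
<item><title>new loader build</title><guid>post-1001</guid>
<pubDate>Mon, 18 May 2009 10:00:00 GMT</pubDate>
<description>&lt;p&gt;md5 d41d8cd98f00b204e9800998ecf8427e, panel at
update.example-c2.test (198.51.100.7)&lt;/p&gt;</description></item>
<item><title>re: new loader build</title><guid>post-1002</guid>
<pubDate>Mon, 18 May 2009 11:30:00 GMT</pubDate>
<description>works on 203.0.113.9 too</description></item>
</channel></rss>"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
# Deliberately narrow TLD list so the regex does not fire on arbitrary dotted words.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:test|example|com|net|org|ru|info)\b", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def parse_feed(xml_text):
    """Return a list of {guid, title, published, text} dicts from RSS 2.0 XML."""
    root = ET.fromstring(xml_text)
    posts = []
    for item in root.iter("item"):
        desc = item.findtext("description") or ""
        # Descriptions carry escaped HTML; unescape, then strip the tags.
        text = TAG_RE.sub(" ", unescape(desc))
        posts.append({
            "guid": item.findtext("guid"),
            "title": item.findtext("title") or "",
            "published": item.findtext("pubDate") or "",
            "text": text,
        })
    return posts


def extract_selectors(text):
    """Candidate selectors in one post: IPv4s, MD5s and domains, deduplicated and sorted."""
    ips = set(IPV4_RE.findall(text))
    md5s = {m.lower() for m in MD5_RE.findall(text)}
    domains = {d.lower() for d in DOMAIN_RE.findall(text)}
    return {"ipv4": sorted(ips), "md5": sorted(md5s), "domain": sorted(domains)}


def collect_new(xml_text, seen_guids):
    """Process only posts whose GUID is not in seen_guids (updated in place).
    Returns the new posts, each annotated with its extracted selectors."""
    new_posts = []
    for post in parse_feed(xml_text):
        if post["guid"] in seen_guids:
            continue
        seen_guids.add(post["guid"])
        post["selectors"] = extract_selectors(post["title"] + " " + post["text"])
        new_posts.append(post)
    return new_posts


if __name__ == "__main__":
    seen = set()
    for p in collect_new(SAMPLE_FEED, seen):
        print(p["guid"], p["published"], p["selectors"])
    # A second poll of the same feed yields nothing new.
    print("second poll:", collect_new(SAMPLE_FEED, seen))
```

The GUID set is what makes repeated polling cheap: persisting it between runs gives the "new and historical posts" collection the slide describes without re-analysing old threads. Selectors extracted this way are only candidates; they still need the analyst's review before being treated as strong selectors.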

Hacker Forums
- Allows for the identification of:
  - Adversaries
    - Those who are building capabilities
    - Those who are selling capabilities
    - Those who are using the capabilities
    - Those who are selling information (Cyber Crime)
  - Capabilities
    - Profiling and understanding of emerging tactics, techniques, and procedures used by our adversaries
    - Identification of locations where capabilities can be obtained

Hacker Forums
[Screenshot: hacker forum posts. One advertises an exploit pack release ("Slayer ... Final") with a list of browser versions and claimed exploitation percentages per version; another describes a "zip of death" (zip bomb) archive, a small archive whose extracted contents are more than the receiving system can handle, and its use against anti-virus software. The post text is largely illegible in this copy.]

Hacker Forums
[Screenshot: excerpt of a malware analysis report posted on a hacker forum: the hostname requested from a host database, a registered attempt to establish a connection with a remote host (remote host and port), and a note of potentially malicious outbound traffic. The details are illegible in this copy.]

Hacker Forums
[Screenshot: hacker forum post giving tips on gaining operator control of an IRC bot channel.]

Malicious Emails
- Leverage OSINT to identify the infrastructure and source of top virus email senders by IP address
  - Based on Cisco IronPort's view of 25-30% of the world's email
  - Identifies infrastructure used by adversaries to deliver capability
  - Allows SIGINT profiling of activity on the IP

Malicious Emails
[Screenshot: "virus by IP, last day" table of the top virus-sending IP addresses, with a count and the owning network for each (telecom carriers, hosting and Internet service providers). The individual addresses and counts are not legible in this copy.]

Malicious Connections
- An effort to identify the latest emerging threats that are not yet detected by anti-virus or signatures
  - Malicious binary MD5 (track capability)
  - The adversaries' infrastructure that exploited systems connect to after being compromised
  - Traffic generated by compromised systems, to build XKEYSCORE fingerprints

Malicious Connections
[Screenshot: excerpt of an "MHS CND Connections Report" dated 18 MAY 2009. It states that the listed "call home" IPs/domains should be considered [malicious] and connectivity to them investigated, and that systems initiating a connection with them should be treated as compromised. For one sample it gives: Filesize: 108,032 bytes; Category: trojan horse or bot that may represent risk for the compromised system and/or network; the hostname requested from a host database (bf.burimehe.net); a registered attempt to establish a connection with that remote host on a port that is illegible in this copy; and a new connection established with a remote IRC server, with the generated outbound IRC login traffic (PASS and USER lines) shown.]

Malicious Connections
- NTOC Signatures for Sensors: BLUESASH, TUTELAGE (TURBULENCE Defensive), CROSSBONES
- NSA TAO, GCHQ CNE: Counter CNE Ops
- MHS, NDIST: 4th Party Collection
- JCMA: Cyber Customer focused CND
- GOVCERT UK: UK Government CND

Malicious Connections
The following statistics show the number of NTOC DNS
Alerts that were an exact match for a malicious connection reported in
the Malicious Connections Report.
[Table: NTOC DNS alert statistics per day from late April 2009 to 14 May 2009, with columns Date, Total DNS Alerts, Exact Malicious Connections Report Match, and Percentage. Only the date column and a single value (59) are legible in this copy.]
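The statistic on this slide is an exact-match count: a DNS alert counts only if the queried name is exactly a name listed in the Malicious Connections Report. The script below is an added example written for this page (not NTOC tooling and not from the original deck) that computes the same three columns, Total DNS Alerts, exact matches and percentage, per day. The alert line format ("date client-ip queried-name"), the alert lines and the report domains are all constructed; no real sensor format is assumed.

```python
"""Added example: per-day exact-match statistics of DNS alerts against a
Malicious Connections Report indicator list. All data below is constructed."""
from collections import defaultdict

# Constructed indicator list: "call home" domains from a fictional report.
REPORT_DOMAINS = {"bf.example-c2.test", "update.example-c2.test"}

# Constructed DNS alert lines in an assumed "<date> <client ip> <queried name>" layout.
DNS_ALERTS = """\
2009-05-13 10.0.0.5 bf.example-c2.test
2009-05-13 10.0.0.9 www.example-news.test
2009-05-13 10.0.0.5 BF.EXAMPLE-C2.TEST.
2009-05-14 10.0.0.7 update.example-c2.test
2009-05-14 10.0.0.8 cdn.example-c2.test
2009-05-14 10.0.0.7 mail.example-news.test
"""


def normalize(name):
    """Exact match means exact after canonicalisation: lower-case, no trailing dot.
    Subdomains of a reported domain (cdn.example-c2.test) are deliberately NOT matches."""
    return name.lower().rstrip(".")


def parse_alert(line):
    day, client, name = line.split()
    return day, client, normalize(name)


def daily_match_stats(alert_text, report_domains):
    """Return {ISO date: (total_alerts, exact_matches, percentage)}, newest day first."""
    indicators = {normalize(x) for x in report_domains}
    totals = defaultdict(int)
    matches = defaultdict(int)
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        day, _client, name = parse_alert(line)
        totals[day] += 1
        if name in indicators:
            matches[day] += 1
    stats = {}
    for day in sorted(totals, reverse=True):  # ISO dates sort chronologically as strings
        pct = round(100.0 * matches[day] / totals[day], 1)
        stats[day] = (totals[day], matches[day], pct)
    return stats


if __name__ == "__main__":
    print("Date        Total  Exact    Pct")
    for day, (total, exact, pct) in daily_match_stats(DNS_ALERTS, REPORT_DOMAINS).items():
        print(f"{day}  {total:5d}  {exact:5d}  {pct:5.1f}")
```

The canonicalisation step matters for the "exact" claim: a resolver may log names with a trailing dot or mixed case, and without normalising them a true exact match would be under-counted, while a looser suffix match would over-count by pulling in every subdomain of a reported name.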

Malicious Connections
- Government email addresses passed to exploit server: 17 email accounts
  - Discovered using an MHS-developed XKEYSCORE fingerprint that was written to identify a malicious connection while searching for MENA 4th Party Collection opportunities.

ShadowServer Data
- Sinkhole HTTP Drone Report - All the IP addresses that joined the sinkhole server that did not join via a referral URL. Since the sinkhole server is only accessed through previously malicious domain names, only infected systems are in the report.
  (Victims / Infrastructure / Command Strings)

ShadowServer Data
- Sandbox URL Report - These are URLs that were accessed by malware.
  (Binary MD5 Hashes / Infrastructure / HTTP Command Strings)
- Botnet Drone Report - All the IP addresses that were seen joining a known Botnet Command and Control Server.
  (Victims / Infrastructure)
- 25 US Government (Federal, State, Local) systems communicating with botnets between 5-7 June 2009
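The "25 US Government systems" finding is the kind of result a defender gets by intersecting a Botnet Drone Report with the netblocks they are responsible for. The script below is an added example written for this page (not ShadowServer's or the deck's tooling): it reads a drone report in a ShadowServer-like CSV layout, flags rows whose victim IP falls inside a watched netblock, and collapses repeated sightings into first seen, last seen and a hit count. The column layout, the report rows, the netblocks and their labels are constructed placeholders; they are not ShadowServer's real schema or any real government address space.

```python
"""Added example: intersect a botnet drone report with watched netblocks.
Report layout, rows and netblocks are constructed for this example."""
import csv
import io
import ipaddress

# Constructed: netblocks of the organisations we watch, with a label each.
WATCHED_NETBLOCKS = {
    "192.0.2.0/24": "Federal agency A",
    "198.51.100.0/25": "State network B",
    "203.0.113.64/26": "City network C",
}

# Constructed drone report in an assumed ShadowServer-like CSV layout.
DRONE_REPORT = """\
timestamp,ip,asn,infection,cc_ip,cc_port,cc_dns
2009-06-05 04:12:01,192.0.2.17,64500,conficker,203.0.113.200,6667,irc.example-c2.test
2009-06-05 09:40:33,198.51.100.200,64501,zeus,203.0.113.201,80,
2009-06-06 13:05:10,198.51.100.44,64501,zeus,203.0.113.201,80,
2009-06-06 22:19:57,203.0.113.70,64502,conficker,203.0.113.200,6667,irc.example-c2.test
2009-06-07 01:00:00,192.0.2.17,64500,conficker,203.0.113.200,6667,irc.example-c2.test
2009-06-07 06:30:12,10.20.30.40,64503,waledac,203.0.113.202,443,
"""


def load_networks(netblocks):
    """Parse CIDR strings once so each row lookup is a cheap containment test."""
    return [(ipaddress.ip_network(cidr), label) for cidr, label in netblocks.items()]


def owner_of(ip_str, networks):
    """Label of the first watched netblock containing ip_str, else None."""
    ip = ipaddress.ip_address(ip_str)
    for net, label in networks:
        if ip in net:
            return label
    return None


def flag_watched_victims(report_csv, netblocks):
    """One record per distinct (victim ip, infection) pair inside a watched netblock,
    with first/last seen, hit count and the C2 it talked to; sorted by owner then ip."""
    networks = load_networks(netblocks)
    found = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        label = owner_of(row["ip"], networks)
        if label is None:
            continue  # not our problem to notify, but still someone's victim
        key = (row["ip"], row["infection"])
        rec = found.setdefault(key, {
            "ip": row["ip"], "owner": label, "infection": row["infection"],
            "c2": f'{row["cc_ip"]}:{row["cc_port"]}',
            "first_seen": row["timestamp"], "last_seen": row["timestamp"], "hits": 0,
        })
        rec["hits"] += 1
        rec["first_seen"] = min(rec["first_seen"], row["timestamp"])
        rec["last_seen"] = max(rec["last_seen"], row["timestamp"])
    return sorted(found.values(), key=lambda r: (r["owner"], r["ip"]))


if __name__ == "__main__":
    for r in flag_watched_victims(DRONE_REPORT, WATCHED_NETBLOCKS):
        print(f'{r["owner"]:18} {r["ip"]:16} {r["infection"]:10} -> {r["c2"]} '
              f'x{r["hits"]} ({r["first_seen"]} .. {r["last_seen"]})')
```

Note that 198.51.100.200 is not flagged even though it shares a /24 with a watched block: the watched prefix is a /25, so containment is decided by the exact prefix, not by the first three octets. Repeated sightings of the same host (192.0.2.17 on two days) collapse to one record with a hit count, which is the view an incident responder needs.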

ShadowServer Data
- Botnet URL Report - Any URL that was seen in a botnet channel is reported. The URL could be an update, a complaint, or information related to the criminals. Everything is included in case there is something of value in the URL.
  (Infrastructure / Capabilities / HTTP Command Strings)
- DDoS Report - Any attack is reported, whether the country is the target or the source of the attack.
  (Victims / Infrastructure / Capabilities)

State Sponsored
- Example 1 (FBI CN Intrusion Set)
  - Identified MALWARE report for known domain.
  - Found another binary which was an exact match that revealed a previously unassociated domain for this intrusion set, 9 months before the first known activity of this intrusion set.
  - Infrastructure / Registration Timeline / MD5 hash

State Sponsored
- Example 2 (JTF-GNO CN Intrusion Set)
  - 6 different reports noted the use of a specific Chinese-developed standalone web server software package.
  - Identified 3 new binaries in OSINT malware research that also used this exact software package.
  - 3 new domains (infrastructure, registration timeline, MD5 hashes)

State Sponsored
- Example 3 (NSA CN Intrusion Set)
  - Identified 2 binaries in OSINT that matched those called out in a report, with their associated malware analysis and MD5 hashes.
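All three State Sponsored examples rest on the same pivot: an MD5 from an OSINT malware report exactly matches a hash already attributed to an intrusion set, and the domains that sample contacted are then candidate infrastructure for the set, with the registration timeline placing them relative to the set's first known activity. The script below is an added example written for this page (not the deck's or any agency's tooling) that carries that pivot through. The intrusion-set record, the OSINT reports, the hashes, domains and whois creation dates are all constructed placeholders, and the "months before first activity" figure is this example's own way of expressing the timeline, not a field from the original reports.

```python
"""Added example: pivot from an intrusion set's known MD5s to new infrastructure
found in OSINT malware reports. Every value below is constructed."""
from datetime import date

# Constructed intrusion-set knowledge (the "known" side of the pivot).
INTRUSION_SET = {
    "name": "EXAMPLE-SET",
    "md5s": {"0123456789abcdef0123456789abcdef"},
    "domains": {"known.example-c2.test"},
    "first_activity": date(2009, 3, 1),
}

# Constructed OSINT reports: sample hash and the domains the sample contacted.
OSINT_REPORTS = [
    {"source": "sandbox-a", "md5": "0123456789ABCDEF0123456789ABCDEF",
     "domains": ["known.example-c2.test", "early.example-c2.test"]},
    {"source": "sandbox-b", "md5": "ffffffffffffffffffffffffffffffff",
     "domains": ["unrelated.example.test"]},
    {"source": "blog-c", "md5": "0123456789abcdef0123456789abcdef",
     "domains": ["later.example-c2.test"]},
]

# Constructed whois creation dates for the registration timeline.
DOMAIN_REGISTERED = {
    "known.example-c2.test": date(2009, 2, 10),
    "early.example-c2.test": date(2008, 6, 1),
    "later.example-c2.test": date(2009, 9, 15),
}


def months_between(earlier, later):
    """Whole calendar months from earlier to later (negative if earlier is after later)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def pivot_on_hash(reports, intrusion_set, registered):
    """Return {new domain: {sources, registered, months_before_first_activity}}
    for every report whose MD5 exactly matches a known hash of the set.
    Hashes are compared case-insensitively; a report with an unknown hash
    contributes nothing, however suspicious its domains look."""
    known_md5 = {h.lower() for h in intrusion_set["md5s"]}
    known_domains = {d.lower() for d in intrusion_set["domains"]}
    new = {}
    for rep in reports:
        if rep["md5"].lower() not in known_md5:
            continue
        for dom in rep["domains"]:
            dom = dom.lower()
            if dom in known_domains:
                continue  # already attributed; nothing new learned
            reg = registered.get(dom)
            entry = new.setdefault(dom, {
                "sources": [], "registered": reg,
                "months_before_first_activity":
                    months_between(reg, intrusion_set["first_activity"]) if reg else None,
            })
            entry["sources"].append(rep["source"])
    return new


if __name__ == "__main__":
    for dom, info in pivot_on_hash(OSINT_REPORTS, INTRUSION_SET, DOMAIN_REGISTERED).items():
        print(dom, info)
```

A domain registered well before the set's first known activity (here 9 months, as in Example 1) is a lead worth chasing in historical collection; a negative figure means the domain post-dates the known activity and is more likely current infrastructure. Either way the link is only as strong as the hash match, which is why the pivot refuses to associate domains from reports whose hash is not already known.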

Collaboration

Questions?