Grondstation van de Nationale SIGINT Organisatie (NSO) in Burum, Frysl‚nI have added five new items to the SIGINT Summaries page. The Summaries include downloadable copies of leaked Communications Security Establishment(CSE) documents, along with summary, publication, and original source information.1 CSE is Canada’s foreign signals intelligence agency and has operated since the Second World War.

Documents were often produced by CSE’s closest partners which, collectively, form the ‘Five Eyes’ intelligence network. This network includes the CSE, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), Australian Signals Directorate (ASD),2 and Government Communications Security Bureau (GCSB)).

All of the documents are available for download from this website. Though I am hosting the documents they were all first published by another party. The new documents and their summaries are listed below. The full list of documents and their summary information is available on the Canadian SIGINT Summaries page.

The new contributions come from documents released by CBC. They cover a range of topics, including extended discussions of the CSE’s domestic and international sensor networks, overviews of challenges facing Information Technology Security (ITS), which is itself responsible for defending government systems and networks, as well as overviews of the cyber threats CSE believed faced the Government of Canada.

CASCADE: Joint Cyber Sensor Architecture

Summary: This document discusses the configuration of CSE’s sensor networks as of 2011, and CSE’s plans for developing the network in the future. The discussion only revolved around passive sensors and their supporting infrastructure. Two sensors systems were identified, PHOTONIC PRISM, for monitoring Government of Canada networks, and EONBLUE, which is a passive SIGINT system that was used to collect ‘full-take’ data, as well as conduct signature and anomaly based detections on network traffic.

EONBLUE systems were deployed in select government networks, and were also used for monitoring Foreign Satellite (FORNSAT) communications; it also may be used for monitoring cellular or radio-based telecommunications traffic. The INDUCTION system, which has similar capacities as EONBLUE, was deployed domestically at gateways between domestic and international network domains. The document also discusses a metadata production and processing program, THIRD-EYE, which operated at select new sites and an unclassified sensor, CRUCIBLE, which was designed to track targets in pre-Sensitive Compartmentalized Information Facilities (SCIF).

CASCADE is the codename for a project focused on standardizing Information Technology Security (ITS) and SIGINT sensors, so that the above-mentioned sensors can be seamlessly integrated and enable a common analyst platform for captured data.

By 2015, CSE hoped to increase its Special Source (SSO) access to include all international gateways accessible from Canada along with a multi-layered sensor network meant to enhance the security of Government of Canada systems. Further, operational capacity was meant to be enhanced, such that SIGINT, ITS, and cryptologic partner sensors interoperated seamlessly. It is unclear what, precisely, these partner sensors may encompass. Authority was also sought for ‘Effects’ operations, as well as the infrastructure, policies, and tradecraft required to conduct such operations.

As a result of these activities, CSE hoped to detect threats before they entered national infrastructure, to identify exfiltration and command and control systems, and transform the network itself into a defensive domain. This final objective would require CSE to be able to change data traffic routes, silently discard packets, and insert payloads into data packets. CSE regarded such expansive ‘defensive’ activities as necessary because gateway or end-node defence was insufficient to protect government systems.

If the sensors were upgraded, then CSE suggested that changes to basic Five Eyes interoperations might follow. Such changes included the following: tipping and queuing might not longer be used for sharing threats to government systems and instead could be exclusively used to enable intelligence collection; and there would be no need to make tasking/targeting requests concerning those common actors who target CSE and other Five Eyes alliance members. The result would be that foreign SIGINT would become a domain for ‘hunting’ and domestic defence would be integrated into the very core of the Internet — domestic and foreign — itself.
Document Published: March 23, 2015
Document Dated: 2011
Document Length: 66 pages
Associated ArticleCommunication Security Establishment's cyberwarfare toolbox revealed
Download DocumentCASCADE: Joint Cyber Sensor Architecture

Cyber Network Defence R&D Activities

Summary: This slide deck provides an overview of the research and development activities that were being undertaken by the Cyber Network Defence (CND) group. The core focus of CND at the time was on PHOTONIC PRISM, a sensor network designed to protect Government of Canada networks and devices from external threats.

CND primarily leveraged the R&D of external partners because its size precluded it from conducting low level research. As examples, it used POPQUIZ from R23 and an email attachment scanner from GCHQ. Projects CND was engaged in at the time include PONYEXPRESS, an email  scanning program, the previously mentioned PHOTONIC PRISM, and dynamic defence enabled by software installed on Consumer Off The Shelf (COTS) hardware.

CND noted that challenges included the length of its research activities, translating classified requirements to an unclassified domain, properly engaging industry and academia, and policy, amongst other challenges.
Document Published: March 23, 2015
Document Dated: 2010
Document Length: 26 pages
Associated ArticleCommunication Security Establishment's cyberwarfare toolbox revealed
Download DocumentCyber Network Defence R&D Activities

CSEC ITS/N2E Cyber Threat Discovery

Summary: This slide deck provides some context about the N2E unit of Information Technology Security (ITS), its existent capabilities, and a series of experiments run during a 2010 workshop held in Canada. The N2E team was established in 2010 and uses full-take data and (at the time) was making headway on putting policies in place to use intercepted private communications and either share, or gain access to shared, data. They stored full packet captures of Government of Canada-destined traffic for days to months, and metadata for months to years.

The core issue facing N2E, or perhaps CSE more broadly, was the volume of data that is acquired, retained, summarized, analyzed, and presented to analysts. The 2010 workshop held in Canada addressed some of these challenges by developing a process to reduce the volume email URL metadata information presented to analysts, which lowered false positive rates compared to URL inspections. The workshop also analyzed how to predict whether email attachments were malicious, which led to reducing data retention by 85% with only a 1-3% loss of ‘interesting’ emails. Participants also investigated how to more effectively detect threat actors who used masquerading Windows Preinstallation Environment (PE) downloads which led to progress in identifying offending kinds of downloads.
Document Published: March 23, 2015
Document Dated: 2010
Document Length: 60 pages
Associated ArticleCommunication Security Establishment's cyberwarfare toolbox revealed
Download DocumentCSEC ITS/N2E Cyber Threat Discovery

CSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach

Summary: This slide deck provides an overview of how SIGINT and government Information Technology Security (ITS) interoperate for ‘defensive’ operations. Analysis of data traffic takes place by Government of Canada sensors, as well as ones tasked by CSIS for warranted full take collection, those located at Canadian/International Internet gateways, those situated within the broader internet, as well as data traffic analyzed on devices CSE has ‘exploited’.

EONBLUE is used for non-Government of Canada network analysis and involves discovering targets, tracking them, as well as producing metadata out of the traffic exposed to EONBLUE. EONBLUE is a deep packet inspection-based system that, when paired with warranted full-take, lets CSE discover network beacons. ITS’s equivalent program is PHOTONIC PRISM.

CSE’s network sensors were processing 125GB/hour of HTTP metadata and relied on 50TB of high-speed storage to conduct analysis towards the front end of the data intake. ITS stored 300TB of full-take data, the equivalent of months of traffic.

In the process of analyzing data from ITS and SIGINT sensors, anomalies and events are detected, which are processed through alerting engines and decision logic servers; the logic information is shared with all Five Eyes partners as a result of the Sydney Resolution. The logic is based, in part, on tipping and cueing information; such information can facilitate warnings or indications of attacks in near real time and enable collaborative defence across all Five Eyes nations.

CSE identified ’dynamic defence’ as involving both localized actions at the network edge by ITS, as well as operating in the core of the global internet to act on, and modify, data traffic, as well as implanting malware on foreign infrastructure to probe, explore, and learn about adversary network space and gather information and tools used by adversaries. These ‘defensive’ operations may be supplemented with influencing technology, such as anti-virus companies’ signatures, developing relationships with supply chains, or political maneuvers. Such activities are segregated in the ‘Cyber Activity Spectrum’ from active operations and deception techniques.

The final slide identifies next steps, which include sychonizing the SIGINT and ITS missions, funding, developing joint sensor and analytics capabilities and more international interoperability and policy co-ordination. It also has, as a consideration, legislative amendments. Specific amendments are not mentioned in the slide.
Document Published: March 23, 2015
Document Dated: 2009 or 2010 (possibly; document not formally dated)
Document Length: 46 pages
Associated ArticleCommunication Security Establishment's cyberwarfare toolbox revealed
Download DocumentCSEC Cyber Threat Capabilities: SIGINT and ITS: an end-to-end approach

Cyber Threat Detection

Summary: This document summarizes how CSE monitors for threats using the EONBLUE system alongside traditional metadata collection systems. These latter systems are deployed at Special Source (SSO) locations, rely on warrant access, and tap into foreign satellite communications. Domestic and SIGINT (international) sensors are used in detecting and mitigating threats, with China (i.e. SEEDSPHERE) used as an example of a recurring threat actor.

OLYMPIA, CSE’s network knowledge engine, is used in analyzing or sorting data stored at high-speed clustered storage at CSE’s collection sites to facilitate DNS Response harvesting and to de-dupe data.

The detection of Fast Flux Botnets, denoted as CROSSBOW, relies on target discovery algorithms deployed at CSE SSO sites; the sensors these algorithms run on may be CRUCIBLE servers that are low-cost, rapidly deployed passive systems that use Top Secret/Special Intelligence targeting signatures in non-Sensitive Compartmentalized Information Facilities (SCIF).
Document Published: March 23, 2015
Document Dated: November 2009
Document Length: 14 pages
Associated ArticleCommunication Security Establishment's cyberwarfare toolbox revealed
Download DocumentCyber Threat Detection

Footnotes


  1.  Formally known as the Communications Security Establishment Canada (CSEC). 
  2.  The ASD was formerly known as the Defence Signals Directorate (DSD).