(The article is available as a PDF for download here)
This is a short introduction to (network) communication interception tactics, techniques and procedures (TTPs), though I have paid less attention to the “Tactics” part this time. This should be more of a matter-than-mind article. I have cut some details away to keep the big picture in focus.
This article was on my mind (somehow) already in 200x, when I started to “play” with the technologies available for such needs. My first touch with such systems, to some extent, was in 1996, when I spliced (welded) fiber cables for the first time. I thought it might be a good idea to show the crowd the technicalities of the so-called “mass surveillance” and “wire tapping” so famously advertised by others, and to put it out without too much passion.
The article should give a basic understanding of how network-based interception works, what the modern technical capabilities of such a system are, and how this kind of system may be organized in terms of its technical architecture and operational model. To avoid discussion around “surveillance, spying” or anything else of the kind, I tell you this: such systems can easily be used for good or for equally bad. It is not the system’s fault that it performs its duties.
I describe a few details with one example of how a modern, massive-scale network communications interception system (may) work, how it taps into the network and how the data flows from collection towards analysis. In addition, I describe some technicalities of the data processing.
I do not explain in detail how each and every piece of data can be used in intel analysis. I also leave some questions open about the challenges and capabilities of such a system, for further study and analysis by whoever considers them important.
I take no responsibility whatsoever for the contents, for the results of you being the next snooper of the night after reading this article, for names, places or acronyms, or for anything that could harm kids, dogs and nature, the Sochi Olympics and/or people’s ability to sleep. However, if you feel confronted by the article – by all means. If you need the diagrams, I reserve all rights – ask me for permission, or at least name the source.
WHAT IS “NETWORK COMMUNICATIONS INTERCEPTION”?
Network interception, sometimes awfully described as “snooping, eavesdropping, cyber espionage” among other mildly misleading names, is a suite of capabilities combined to achieve signals intelligence collection, storage and analysis within computer networks.
The reason for such a platform originates from the need to support the intelligence apparatus in its role within signals intelligence, or #SIGINT. All the other functions it may have are secondary. Some people may remember a system called #ECHELON? Well, it’s “about” the same thing: where Echelon was used to intercept mostly analog signals over the air (OTA), these kinds of systems make the same possible with digital carriers on computer networks. Different organizations and nation-states perform their activities quite differently, so leaving the tactics part out is more than reasonable in this context.
Making it short: the modern intel apparatus consists of capabilities for gathering (collection), processing/exploitation (and storage of data), analysis and dissemination of data from a variety of sources, under the direction and requirements given BY the decision makers FOR the decision makers.
With such network interception capabilities, the system feeds the intel apparatus with #SIGINT or #COMINT (between people, or groups) data.
We are in any case talking about a system able to collect information at more than 640 Gbit/s; that exceeds the traffic of several million broadband subscribers.
What can you do with a platform such as described?
Simply put: non-intrusive, passive #SIGINT/#COMINT gathering (collection) of very high-speed (volumetric) data. It’s not a single “equipment” as one might think; it is more like a system with separate interoperable functions. There are, however, a few “issues” with handling such a capability, which I explain later in this article. If someone is interested in the acronyms used, check Wikipedia or some other approximately trustworthy source.
What can you NOT do with a platform such as described?
Directly, nothing offensive. This example platform with the interception suite in place is meant for passive intel gathering. It is not active in the sense that it does not interfere with or manipulate the network flow tapped in the fibre splitting box. With a relatively small adjustment and some extra elements, the system could be used as a very powerful cyber weapon: it could create very high-volume traffic, DDoS, as well as manipulate the information the passive interception part captures. After all, intelligence analysis is separated from the actionable items it produces 🙂
Indirectly, plenty. After all, it is an intelligence collection system being used by intel analysis. Some of the analysis may be rather heavily automated; some of it may require a huge amount of artisan work. I’ll go through how this analysis works in later chapters.
Here’s a piece of a backbone network with some fiber cabling, simplified. The Ethernet switch represents a network service provider or exchange.
CONCEPT OF OPERATIONS (CONOPS)
The system collects signals intelligence information from fiber optics (OR in some cases other forms of network cabling, such as CAT 6 Ethernet cabling) with very high-speed network equipment. Depending on the manufacturer and the structure of the system, some call the equipment a “DPI”, as in Deep Packet Inspection system; some call it a Network Monitoring Switch (NMS), and so on. The main point is that there is a logical separation – and sometimes one forced by technicalities – between data collection and data storage, and ALWAYS a separation of the analysis of the data.
For all parts of the system, a few important non-functional requirements include: no single point(s) of failure, non-disruptive upgrades, speed and low TCO (hard to achieve though…), dynamic rules and some sort of interoperability with auxiliary systems through an API or other means.
For reference: if you look at how the Swedish #FRA has established such a collection system, there is not too much difference from what is shown here..
In our example system, data collection is made possible by “tapping” into the fiber optical cable and passively feeding the NMS. The NMS has purpose-specific #FPGA chips able to process “INCOMING”, i.e. ingress/egress, data with a given policy and rule set.
Based on the policy and rule set, the data may be “cleaned” before further processing. In some cases it may handle IP packet de-duplication, trimming and stripping functions.
The second stage of collection item processing is typically pushing packets through some rule set. One can think of this rule set as very similar to firewall rules, with the exception that these rules define how the collected data should be delivered onward and to which locations. This is a particularly important feature, as it allows designating data to separate, high-speed data stores for further use.
One can think of the system (as an example) stripping SMTP (e-mail) data to its primes: the big chunk of metadata (src ip, dst ip, time, header info etc.) goes to the SMTP-designated data store, whilst the content of the data goes to another data store. There may be a regulatory requirement for such behavior, or it may purely speed up the analysis work in later phases.
In some cases this rule set is manipulated with dynamic or computer-induced rules. These rules may be set in action to find the “needle in the haystack”, i.e. to gather information for the needs of a specific intelligence program. In this case there is the chance to dynamically set a filtering rule in action expressing, for example, the need to “intercept all collection sites proto http using (known selector) @mikk0j using src ip: Russia with dst ip: Sweden include data plain encrypted”, and with this the collection system pushes the data towards the designated intel program data store over high-speed SAN network links.
Example: if you take collaboration between callers, one can find a set of patterns on each layer with distinguishable characteristics. Each (or some) of the characteristics are tied to the callers on those layers, so that it is possible to create a CORRELATION. With that information one can create ‘faint signal’/anomaly detection on behavior that does NOT follow the norm or is related to others.
The data store (or storage system) can easily be misunderstood here. It is not a single network (SMB, NFS) share used to store the snatched data. It is more like a very, very fast, compartmented memory bank with the ability to replicate needed data to different locations and secondary storages, such as interception-program-specific data stores, OR distributed for reasons of intel analysis processing, data security/contingency or purely physical constraints.
The data collection engine described earlier integrates with the data stores through a purpose-selected 10G/Fibre Channel/iSCSI interface.
One example of such a system is built on top of SAS MLC flash memory. It has a built-in mechanism for creating different compartments for different data, use and replication. Beyond that, it reduces data size by deduplicating it inside the system.
You have the data: what to do with it? Typically the data is used in purpose-specific data stores to get answers to certain sets of questions, like: who is contacting this and that person, what information do they share, what is their next move, and so on. Another part relates to cyber espionage and intelligence efforts set up by foreign entities. Then typical questions include: do we have network traffic that resembles something we know might harm our systems and may contain data identifying the perpetrators? Is there a data leak? And so on…
The questions depend heavily on the outcome that needs the answer. However, sometimes only the big data collected gives a hint of the answers. Then asking the data directly is not an option, and more elegant methods are needed.
Typical methods for the intel data analysis include, but are not limited to:
* In many cases the data needs to be normalized to some form before it can be analyzed efficiently. That is due to the differences in collected data structures. Either this is done already in preprocessing with the collection environment tools OR, as a last resort, it is done single-handedly by the intel analyst – who typically knows certain aspects of the targets.
* Correlation of events, people, technical addresses and other selectors used as keys for searching for the correct answers. Correlating, for example, e-mail addresses with the SMTP MTA used may be one such operation.
* Aggregation of such data. Asking questions such as: this selector has done this and that with another party involved in some form of illegal activity. Building the bigger picture.
As there are more than a few vendors providing very capable technology for such needs, it is more the characteristics of the system that matter. Common features of such a system are:
* Scalability and parallelism.
* Packet de-duplication, trimming and stripping.
* Data normalization, categorization
* Storing the data.
* Correlated analysis, views.
* Session & flow replay
* Encrypted data recognition.
* Data adjoining
and so on..
SETUP & CONFIGURATION (EXAMPLE)
1. Fiber (optical) splitter
It’s exactly what it says it is: a passive device called a fiber optic splitter, aka beam splitter, used in the method called “fiber tapping”.
The information is transmitted through fiber optical cables. As the data travels as laser light, the splitter splits the beam of light in two. This apparatus has secondary optics attached to the original ones; what it does is feed fiber optical lines installed in the fiber trunks, carrying traffic towards the interception system.
In theory very simple; in practice a lot depends on the quality of the splitter box. Detecting such a tap is very difficult, although some success has been achieved with quantum cryptography, especially QKD/BB84.
2. Network monitoring switch (NTO/DPI) – interception suite
A very high-performance “software switch” capable of directing the traffic intercepted with the fibre splitter to the specified target location. Whether the target is an application or a storage system, it can perform pre-adjusted or dynamic (automated, programmed) selection of L2-4 raw traffic towards designated targets. This allows tuning the data capture in efficient ways and resolving destinations for the intercepted data as well. Maybe not all the data is as important or relevant as other data (headers, metadata etc.); maybe some of the data is needed urgently in analysis and needs a separate destination for analysis, and so on.
Some of the data can be discarded, and for some data it is quite mandatory to perform deduplication and other cleaning operations as well.
This is one of the features that “normal” switches are not able to perform, which makes these capabilities important in large content delivery networks. It is called an “interception suite” because it typically comprises multiple different applications, including analysis tools and management application(s), APIs and so on. It’s more than a tool 🙂
3. Raw data & storage
In our example here, there is a very high-performance raw data storage (like KAMINARIO :=) able to handle such a high amount of data without I/O issues.
Strictly speaking, the data can be anything obtainable through the fiber tap that is supported by the “data collection” establishment(s). As some of the traffic can be other than Ethernet-framed (like ATM), there are several different interface modules for different needs, able to run in parallel.
4. Data visibility
The data collected is defined by the rules and adjusted by the visibility. Typically interception allows visibility to (in our example here):
- Layer 2-4
- MAC source/destination addresses
- VLAN and Ethertypes
- IP protocol and DSCP/TOS
- GTP and MPLS
- Source/destination IP (IPv4/6)
- UDP, TCP ports
Anyone who has ever played with such a great tool as Wireshark understands the theory quite well.
Data normalization is done either already within the collection function OR by a separate dispatcher, often called a big data gatherer/worker instance (server), using the raw data storage.
In some cases normalization is not done at all; pure raw data can be meaningful. In some cases (a particular analysis task, for example) it is very strictly defined what kind of normalization is available and how much trust there is in a certain “field”, like time. It is important to make a distinction between structured and unstructured data. Both can be used equally in intelligence analysis, but typically for different reasons. In intelligence analysis the unstructured raw data is typically used to find anomalies hardly visible in structured, tightly normalized views.
5. Interception (program) specific data stores
While the main data store keeps the data mostly pure and allows views of normalized data, the interception-specific data stores are meant to gather data ONLY for the needs of a specific discipline. This can be a specific project, mission or task. One must understand that these kinds of specific data stores can be enabled and deployed within a second of the need arising and, after use, dismantled. Data can be pre-arranged and aggregated during the intel analysis process.
Here the vast use of automation kicks in: per the definitions (selectors) used by the intel analyst, the ongoing gathering can be adjusted to use the collection system OR the dispatcher (worker instance) to “divert” the meaningful data to the specific store used only by certain programs.
6. Intel analysis
This section could use a whole article of its own. To take the most obvious approach: intel analysis is the processing of intelligence data in a closed, repeating loop to produce intel products (such as actionable items). In this context of “network interception”, it functions as in any other #SIGINT capability one can imagine.
The focus, however, is mainly on the information collected through the networked channels. This information may contain a huge amount of nonsense: auxiliary information without any relevance to the task (needs) behind it. This network communications interception process, as one type of intelligence analysis, is attached to other types of intelligence gathering products to make distinct decisions.
Yes; it’s cryptanalysis..
What about encrypted data? What to do with it? One of the good things about “normally” (I say normally, as there are a few other ways to hide encrypted data..) encrypted data transmitted over Ethernet is that its structure is somewhat known. That makes it easier to analyze. However, as there are hundreds of proprietary implementations of encryption, it needs special attention.
Encrypted data, among other more sensitive “collection items”, is typically handled with separate systems, even though the collection mechanism is the same for all data.
Two options: either use dispatch search tools on the raw data (slower) to identify suitable data within the defined context, OR use a predefined/dynamically adjusted rule set to divert such data to a program-specific data store. The encrypted data is then processed with a mechanism called cryptanalysis. It is a similar kind of mechanism to the one with which the intercepted data was originally dissected (identification of the crypto used, and so on).
It’s all about the big picture anyway; the combined view is below. To put it in a real-life scenario, the interception points vary and there is more than one location for them.
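To make the L2-4 visibility fields, the firewall-like delivery rules and the structural recognition of encrypted (TLS) data concrete, here is an added Python example; it is not from the original article and not any vendor’s product code. The frame builder, the rule set, the data store names and the addresses are constructed for the example, and a TLS record header is treated as a hint of encryption only.

```python
import hashlib
import ipaddress
import struct

ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100


def parse_l2_l4(frame: bytes) -> dict:
    """Extract the L2-4 visibility fields from one raw Ethernet frame (IPv4 only here)."""
    f = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":")}
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETHERTYPE_VLAN:  # 802.1Q tag: TCI, then the inner Ethertype
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        f["vlan"], off = tci & 0x0FFF, 18
    f["ethertype"] = ethertype
    if ethertype != ETHERTYPE_IPV4:
        return f
    tos, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BHHHBBH4s4s", frame[off + 1:off + 20])
    f.update(dscp=tos >> 2, ttl=ttl, proto=proto, src=str(ipaddress.IPv4Address(src)),
             dst=str(ipaddress.IPv4Address(dst)))
    # De-dup key: the IP packet with TTL and checksum zeroed, so one packet seen at two taps hashes alike.
    ip_pkt = bytearray(frame[off:off + total_len])
    ip_pkt[8], ip_pkt[10:12] = 0, b"\x00\x00"
    f["dedup_key"] = hashlib.sha256(ip_pkt).hexdigest()
    l4 = off + (frame[off] & 0x0F) * 4  # IHL gives the start of the transport header
    if proto in (6, 17):  # TCP and UDP share the port layout
        f["sport"], f["dport"] = struct.unpack("!HH", frame[l4:l4 + 4])
        payload = frame[l4 + ((frame[l4 + 12] >> 4) * 4 if proto == 6 else 8):off + total_len]
        # "Encrypted data recognition" by structure: TLS record = type 0x14-0x17, version 0x03 0x0X (a hint only)
        f["encrypted"] = (len(payload) >= 5 and 0x14 <= payload[0] <= 0x17
                          and payload[1] == 3 and payload[2] <= 4)
    return f


def _match(fields: dict, key: str, want) -> bool:
    if key.endswith("_net"):  # "src_net"/"dst_net" are CIDR matches on src/dst
        addr = fields.get(key[:3])
        return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(want)
    return fields.get(key) == want


def dispatch(fields: dict, rules: list) -> str:
    """First match wins, firewall style; the rule names the designated data store."""
    for rule in rules:
        if all(_match(fields, k, v) for k, v in rule.items() if k != "dest"):
            return rule["dest"]
    return "drop"


def build_frame(src_ip: str, dst_ip: str, dport: int, payload: bytes, ttl=64, vlan=None) -> bytes:
    """Constructed test traffic: Ethernet [+ 802.1Q] + IPv4 + TCP, checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return bytes([0x02] * 6) + bytes([0x0A] * 6) + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


# Constructed rule set: SMTP to its own store, encrypted traffic between two selector networks
# (documentation prefixes) to a program store, everything else to the raw store.
RULES = [
    {"proto": 6, "dport": 25, "dest": "smtp-store"},
    {"encrypted": True, "src_net": "198.51.100.0/24", "dst_net": "203.0.113.0/24", "dest": "program-store"},
    {"dest": "raw-store"},
]


def classify(frames: list, rules: list = RULES) -> list:
    """Parse, de-duplicate by IP content, then dispatch each frame to a store."""
    seen, out = set(), []
    for f in map(parse_l2_l4, frames):
        dup = f.get("dedup_key") in seen
        seen.add(f.get("dedup_key"))
        out.append("duplicate" if dup else dispatch(f, rules))
    return out
```

Feeding the same packet captured at two taps (different TTL, one VLAN-tagged) yields one "duplicate", which is the de-duplication the article mentions for the NMS stage.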
DEPLOYMENT & OPERATIONAL CONSIDERATIONS
See – it’s like any other computer system used by a number of people with critical demands. To name a few issues or things to consider when running such a system, I decided to select a few – maybe not the most obvious ones.
1. Physical apparatus: installation, maintenance, secrecy/stealth of the operation. Tapping into fiber optics sounds technically easy to accomplish but needs detailed planning. Not only during deployment, but during continuous operations as well.
* How to make the tapping as stealthy as possible?
* Is ISP/carrier co-operation available?
* Size, physical and electrical requirements: these systems are still big in size, whilst not running with tubes any more.
* Fiber splitting and co-location: maybe just split the photons and handle the collection elsewhere? Is that a suitable solution?
* Maintenance: what if one of the boxes fails OR a backhoe cuts the cables; how should this be handled?
* All the changes: change management etc.
2. Data transfer. Typically the collection part of such system(s) and potential auxiliary buffering storage sit right next to the collection point. This may cause issues for transmitting the collected data securely to the location where the data is stored and the actual intelligence analysis may take place. Analysis may be, and most often is, highly distributed, but the shared “big data” typically resides within one, or potentially two (secondary), locations.
3. Security of the intel capabilities (apparatus). This is one of the most problematic ones. Giving an adversary a hint of how such a system is structured dramatically lowers, or renders incapable, the operational security (#OPSEC) of the system and the function it serves.
Now if this is the key component of one’s “distributed sonar net” delivering important information on adversary movements, and it gets compromised, the rest of the intel apparatus may be in harm’s way or unusable as well. OR, even worse, the products of the intel gathering function may turn against the very potential they should deliver.
WHAT DATA SHOULD BE COLLECTED and WHERE?
Without making any political statement, I have to believe that the “network interception” and “cyber espionage protection” themes are probably among the most difficult themes for intelligence communities and governments making decisions about their future capabilities.
1. As described before, data collection is very problematic. If you make a very restrictive filtering set, collecting only “metadata” with a very strict scope, you may easily render your beautiful engine useless. Being able to change to more relaxed rules and filtering sets is important, but it does not help if a potential adversary has already deployed their payloads on the networks behind the collection capability.
2. Collecting everything from the beginning would be one way to go, but someone may be interested in the privacy thingies.
3. If not collecting everything, where does the decision-making point reside that justifies the specific rules in action?
4. You ask a detailed question of the data, and the data gives a detailed answer. Do not expect to find “faint signatures or signals” with an exact question.
5. Network communications interception is context driven (as all intel work is). It’s more about the quality of data than the quantity. But here’s a catch..
6. ..that is anomalies: situations in single or correlated data which differ from one’s normal profile. To make such a distinction on the data, you need a lot of data. Even such data which at first glimpse does not look important.
7. The nation or other “entity” behind the interception capability may be “digitally occupied”, with such a variety of channels in use that it goes way beyond network tapping capabilities. How do you catch a computerized swarming attack using a variety of EM features for command and control? It is definitely difficult.
8. Distributed collection vs. distributed analysis, and vice versa. It depends on what you are looking to achieve and what the technical and analysis possibilities are. Having one tap at one internet junction (like FICIX, say) does not get one anywhere. Analysis, however, is something that can be (and most likely is being) distributed.
However, to be able to maneuver efficiently with such data and produce the intel products in demand, the system should most likely be multi-staged, and unfortunately that creates some unneeded management overhead AND harmful vastness (which typically decreases speed) for the system.
9. Who is doing it? Where is the responsibility/accountability line? Is collection a “regulatory compliance” kind of thing that ISPs and others must do, and those who need intel data just obtain it?
10. This example illustrated only a few potential ways to collect data. Think about the end-to-end service architecture from the channel and hand-held devices towards cloud data stores: plenty of places to collect the information, beginning from the handheld IP stack.