Drexel 2012 signal analysis using low cost tools - masint v3

Signal Interception and Analysis utilizing low cost SIGINT tools (MASINT)

Agenda

The Challenge

Current Threat Landscape

Emerging Threats

What is MASINT/(TSCM)

Low Cost MASINT

Practical Applications

What’s next

Q&A

Manager Security Operations - Philadelphia Federal Reserve

Board Member & Officer for Philadelphia InfraGard Chapter

SANS Institute Instructor / Advisory Board / Content provider

2010 Gold Medal Recipient – Excellence in Government Service

Author / Writer / Presenter

Consultant – FBI, DCIS, DHS, USSS, MITRE

Numerous Certs - CISSP, GCIA, GCIH, GCFA, OSCP

I can sum things up for you in a word…..

Who am I

The Challenge

Business Plans

Corporate Strategy

Physical Security (Personnel)

Wireless Networks

Financial Assets

Mobile Devices

Financial Data

Trade Secrets

Employee Information

Customer Information

Reputation & Credibility

Networks

Workstations

The Current Threat Landscape

The information security industry is in the late stages of a complete paradigm shift.

Motives are shifting – Site defacements are a thing of the past

Compromises are more frequently driven by financial and/or political agenda

Hackers for hire are becoming more prevalent

0 day exploits and “Targeted” exploits earn real money

Current Threat Landscape

Exploit developers are selling to the highest bidder

Purchasers can take advantage of various developers' exploits to develop unique and difficult-to-detect attacks

Exploits against varying types of technology and hardware

Nation states are becoming more brazen in their attacks

Corporate and Industrial espionage increasing rapidly

Scope and vector of attacks are shifting to more blended attack methodologies (hardware & software)

Real world examples and frameworks are being built

Teensy, FunCube, KillerBee, Bus Pirate, GoodFet, etc.

Attackers are more frequently using a blend of physical, embedded electronics and systems attacks to compromise their targets - Stuxnet is a perfect example

We continue to see a proliferation of wireless technologies: Zigbee (802.15.4), Bluetooth (802.15.1), RF link devices, etc.

Medical, industrial, corporate, etc.

Current Threat Landscape

Traditional wireless attacks – Decreasing

Other types of wireless attacks – Increasing (FAST)

Embedded devices – Everything has a computer in it!

Embedded devices control the physical world

Unique wireless solutions are becoming more common

Emerging Threats Cont…..

What is MASINT ?

Measurement & Signature Intelligence

Collection of unintended emissions or byproducts of devices

All devices generate unique unintended trans. artifacts

Discrete intelligence gathering process

DoD - Officially adopted as an intelligence discipline in the 80s

Often aggregated with other intelligence sources

(ELINT, SIGINT, HUMINT, ETC.)

MASINT – (Tactical and Strategic Sensors)

Electro / Electronic

Nuclear / Explosives

Geospatial / Materials

Radio Frequency / Electromagnetic fields*

MASINT - Primer

The cost and complexity of utilizing MASINT functionality in the corporate environment are diminishing

Could be used by competitors for reverse engineering of products in certain industries

Could be used for corporate espionage and intelligence gathering by competing companies

There is a general lack of understanding of the risks associated with MASINT capabilities

Information Security Professionals are typically not trained or skilled in this area of Information Security

Other considerations

MASINT is being used today to support Law Enforcement

Legalities of the use of MASINT capabilities haven’t been challenged

MASINT – What’s the concern

Traditional communications are frequently encrypted

Can’t easily be decrypted in real time

MASINT focuses on the information about a signal, not its contents

Derive data from metadata & characteristics

Gather Actionable Intelligence

How does it work

Lots of passive Intelligence to be had!

Frequency, Origin and strength – (SOI)

Unique hardware / radio frequency signature

Characteristics of the signal

Track movements and habits via RDF

Other useful intelligence

Hardware capabilities / Transmission range / Frequencies

Identify patterns & Weakness

Naturally occurring / Very difficult to spoof*

RF MASINT – What does it do? Cont…

Detection mechanism against emerging wireless (RF) attacks

Identify spurious transmissions

Identify and isolate jamming activity

Add MASINT components to pen testing capabilities

Uniquely identify equipment by its RF signature

Tracking of RF emitting devices

Develop Technical Surveillance & Counter Measures Capabilities

Testing of reverse engineering counter measures

Perform reverse engineering of parts

MASINT – Practical Applications

Spectrum Analyzer

(SDR) Search Receiver &

Antenna System

Signal Collection Analysis & Signature

Generation

Signature Analysis, Tracking, Intel

RF MASINT – Lets Build It!

Spectrum Analyzers – Lots of Choices but…..

Generally very expensive! ($10K-$60K)

Typically not designed to provide MASINT or TSCM functionality

Limited frequency range

Difficult to get data out of in raw form

Restrictive antenna capabilities

Some “friendly” models exist (SpecTran, Anritsu, TekTronix, etc.)

Device of choice – Signal Hound (USB-SA44B)

Software defined / USB connected / easily interfaced

Decoding Capabilities (FM,WFM, NFM, CW, SSB, Video, FSK, ASK, etc.)

API available / scripting friendly

Low cost $300 - $400 used

1Hz to 4.4GHz / fast sweep times*

Good Sensitivity / built-in Preamp / Attenuators*

Calibration capabilities

Let’s build it!!! – Equipment

Signature structure

Signature taken at a set frequency (446 MHz, 220 MHz, 146 MHz, 900 MHz)

RF Signature recorded over (3) secs with a Span of 10 kHz

Unique Signature created using Amplitude (Max & Min) per Hz

Approx. Distance 10ft – no faraday enclosure used

Let’s build it!!! – Spectral collection

Frequency (MHz)   Amplitude Min (mW)   Amplitude Max (mW)
445.994986        1.51E-09             1.51E-09
445.995015        1.53E-09             1.53E-09
445.995045        1.17E-09             1.17E-09
445.995075        7.27E-10             7.27E-10
445.995104        4.87E-10             4.87E-10
445.995134        1.91E-10             1.91E-10
445.995164        1.66E-10             1.66E-10
445.995193        2.63E-10             2.63E-10
445.995223        4.61E-10             4.61E-10
445.995253        5.80E-10             5.80E-10
445.995282        3.29E-10             3.29E-10
445.995312        1.12E-10             1.12E-10
445.995342        6.12E-10             6.12E-10

Motorola XTS3000 model3

Finding unique RF characteristics

All electronic devices will generate unique “Artifacts” in near-field

Filtering Ambient noise with 10 dB attenuation

Measuring mW at the SRD antennas

Collecting Amplitude Max/Mins

RF span 10 kHz

3+ sec measurement

340 Points of Interest

0.e-14 sensitivity

.CSV file output

User defined Max Amplitude

Let’s build it!!! – SOI Signature Collection

Signal of Interest (SOI)

Ambient Noise Floor (ANF)

Attenuation to reduce ANF

Unique Artifacts / (POIs)

Signature Creation Scripts – Python & .NET

Signature Generator & Signature Compare

Let’s build it!!! – SOI Signature Creation

Signature Comparing

No two signatures will come back 100% the same

Script provides a configurable tolerance

Tolerance does not sway results significantly because of the ranges

Negative hits increase as you move away from center

Let’s build it!!! – SOI Signature Compare
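
The min/max-per-frequency signature structure from the spectral collection slide and the tolerance-based compare described here, as an added Python example (not the presenter's Signature Generator or Signature Compare script). The sweep values are constructed, and the dB tolerance, the 0.75 acceptance score and all function names are assumptions.

```python
import csv, io, math

# Constructed sweeps (not measurements from the talk) in the slide's CSV layout.
HEADER = "Frequency (MHz),Amplitude Min(mW),Amplitude Max(mW)\n"
SIGNATURE_CSV = HEADER + """446.000000,1.45e-09,1.60e-09
446.000030,1.10e-09,1.25e-09
446.000060,4.60e-10,5.00e-10
446.000090,1.80e-10,2.10e-10
446.000120,5.80e-10,6.30e-10
"""
SAME_RADIO_CSV = HEADER + """446.000000,1.40e-09,1.65e-09
446.000030,1.12e-09,1.22e-09
446.000060,4.50e-10,5.20e-10
446.000090,1.00e-10,2.00e-10
446.000120,6.00e-10,6.20e-10
"""
OTHER_RADIO_CSV = HEADER + """446.000000,3.00e-10,3.50e-10
446.000030,9.00e-10,2.00e-09
446.000060,4.70e-10,4.90e-10
446.000090,8.00e-10,9.00e-10
"""  # the 446.000120 bin is absent on purpose

def dbm(mw, floor_mw=1e-15):
    """mW -> dBm; non-positive readings are clamped to an assumed floor."""
    return 10 * math.log10(max(mw, floor_mw))

def load_sweep(text):
    """Parse sweep CSV text into {frequency_hz: (min_dbm, max_dbm)}."""
    rows = csv.reader(io.StringIO(text))
    next(rows)  # skip the header row
    return {round(float(r[0]) * 1e6): (dbm(float(r[1])), dbm(float(r[2])))
            for r in rows if r}

def compare(signature, capture, tolerance_db=1.0):
    """Count bins whose captured min/max stay inside the signature's
    min/max envelope widened by tolerance_db. Returns (hits, misses, score)."""
    hits = 0
    for freq, (sig_lo, sig_hi) in signature.items():
        lo, hi = capture.get(freq, (-math.inf, math.inf))  # missing bin = miss
        if sig_lo - tolerance_db <= lo and hi <= sig_hi + tolerance_db:
            hits += 1
    misses = len(signature) - hits
    return hits, misses, hits / max(len(signature), 1)

def same_emitter(signature, capture, tolerance_db=1.0, min_score=0.75):
    """Decision step: accept when enough bins agree, never demand 100%."""
    return compare(signature, capture, tolerance_db)[2] >= min_score
```

With these constructed sweeps the second capture of the same radio scores 4 of 5 bins at any tolerance between 0.5 and 2 dB, while the other radio scores 1 of 5, so the decision rests on the share of agreeing bins and not on an exact match.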

Let’s build it!!! – Signature Compare Contin…

Lots of things can throw off your Signals of Interest (SOI)

Changing antennas, RF noise, physical structures, atmospheric, etc.

Spread spectrum signals can be missed in a simple full spectrum sweep

Lower output devices require a closer (near field) range

Some devices have too low of an output in standby mode to detect cleanly

Antennas are extremely important

RDF – requires both attenuators and directional antennas (Yagi)

96” Discone and a collection of whip antennas worked well (YMMV)

Sweep speeds become really important when looking at TSCM

20 secs is very fast for low cost units. OSCAR devices are probably better

Caveats…..

Lots more work to be done….

Develop database of manufacturer signatures

Develop traditional TSCM capabilities

Automatic Discrete Signal Searching

Threat Detection Algorithm (TDA)

VLF – digital recorders / other recording devices

Spread Spectrum and infrared detection

Infrared (between 850nm & 1070nm) Optical

MASINT / TSCM portal

Antenna Array

Triangulation / Ranging capabilities

Programmatic Attenuation

Multiple Device Configuration / Triangulation

What’s Next?

Information security is going through a paradigm shift

Blended hardware and software attacks are an emerging threat

Risks associated with Insider threats and espionage are driving the adoption of MASINT and TSCM capabilities

RF MASINT / TSCM capabilities can be developed using relatively low cost SDR equipment and code

Both offensive and defensive capabilities exist

Traditional Information Security and TSCM industries are overlapping and merging

Broader training is required for Information Security management and staff to mitigate emerging threats

To Summarize…..

Contact information: Brad Bowers

THANK YOU!!!