Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20350112
11 (U) Mission Use Cases
(S) This section characterizes a few common system use cases, and discusses the
appropriate Mission configuration based on those use cases.
11.1 (S) Tradeoffs Related to Flytrap Covertness
(S) In most use cases there is a tradeoff between the amount and timeliness of Target
information and Flytrap covertness. For example, the “Copy” Action reveals a Target’s
network traffic stream, but it also means the Flytrap is streaming a copy of that data to
the CherryTree, which impacts Flytrap covertness. By the same token, Target Monitoring
can give a near-realtime indication of Target network activity, from which one might infer
whether or not the Target is located in the proximity of the Flytrap. But the shorter the
Target Monitor Interval, the more monitoring traffic the Flytrap generates, which again
impacts Flytrap covertness.
(S) Any Flytrap feature/Action that generates network traffic or causes unexpected user-visible
behavior could raise the suspicions of a vigilant network administrator or Target user. The
following is a list of features/Actions that could cause suspicion, with some remarks on
mitigating Flytrap detection:

Copy All – because all network traffic is copied, the Flytrap throughput will halve. Also, a
person using a network sniffer on the WAN side of the Flytrap may detect a copy of the
data (copy data is not scrambled/encrypted). A Copy All timeout can be configured to
mitigate detection.

Copy VoIP (Global) – because all VoIP traffic is copied, the Flytrap throughput may be
reduced significantly. Also, a person using a network sniffer on the WAN side of the
Flytrap may detect a copy of the data (copy data is not scrambled/encrypted). A Copy
timeout can be configured to mitigate detection.

Copy – if a Copy Action is assigned to a Target, only that Target’s traffic is copied,
which mitigates detection. Also, a Copy timeout can be configured.

Disabling of GZIP Encoding – if a Mission is configured to strip gzip encoding, any user
visiting a site that uses GZIP encoding may notice a slower download of data from that
site (because the data will not be gzip-compressed). This would be more noticeable on a
Flytrap with a slower WAN connection. GZIP stripping can be disabled in a Mission, but
fewer target emails would then be detected, because some webmail services (Yahoo, for
example) currently use gzip-encoded pages.

VPN Proxy All – a network sniffer could reveal a VPN tunnel that might be suspicious. A
VPN Proxy All timeout can be configured to mitigate detection. VPN Proxy can be
susceptible to network latencies and may slow down the Flytrap’s processing/throughput,
which may be noticeable to a network user.

VPN Proxy – a network sniffer could reveal a VPN tunnel that might be suspicious. If a
VPN Proxy Action is assigned to a Target, only that Target’s traffic is proxied, which
mitigates detection. Furthermore, a VPN Proxy timeout can be configured per-Target to
mitigate detection. VPN Proxy can be susceptible to network latencies and may slow
down the Flytrap’s processing/throughput, which may be noticeable to the Target (i.e., non-
Target users would not be noticeably affected).
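The list above names two side effects that an observer on the WAN side could notice: an unencrypted copy of client traffic leaving toward one extra destination, and gzip encoding disappearing from responses of sites that normally compress. The following is an added example written from the network defender's side and is not code from the manual or from the CherryBlossom project; the flow records, HTTP header summaries, the 5% volume tolerance and the "known to gzip" baseline set are all constructed assumptions for illustration.

```python
"""Defender-side heuristics for two observable side effects named in this
section: a mirrored copy of LAN traffic leaving on the WAN side, and gzip
encoding being stripped from HTTP replies. Added example with constructed
sample data; not part of the original manual."""

from collections import defaultdict

# Constructed flow records: (side, src, dst, bytes). "lan" flows are client
# sessions seen on the LAN side of the router; "wan" flows are what leaves
# the WAN interface. A full-traffic copy would appear as one extra WAN flow
# to a destination no client talked to, with a volume tracking all LAN traffic.
SAMPLE_FLOWS = [
    ("lan", "10.0.0.5", "93.184.216.34", 120_000),
    ("lan", "10.0.0.7", "142.250.80.46", 80_000),
    ("wan", "203.0.113.10", "93.184.216.34", 120_000),
    ("wan", "203.0.113.10", "142.250.80.46", 80_000),
    ("wan", "203.0.113.10", "198.51.100.9", 199_000),  # constructed near-duplicate volume
]


def find_copy_stream(flows, tolerance=0.05):
    """Return WAN destinations that no LAN client contacted but which received
    roughly the same byte volume as all LAN sessions combined.
    tolerance is the fractional slack allowed on the volume match (assumed value)."""
    lan_total = sum(b for side, _, _, b in flows if side == "lan")
    lan_dsts = {d for side, _, d, _ in flows if side == "lan"}
    wan_by_dst = defaultdict(int)
    for side, _, dst, nbytes in flows:
        if side == "wan" and dst not in lan_dsts:
            wan_by_dst[dst] += nbytes
    suspects = [dst for dst, total in wan_by_dst.items()
                if lan_total and abs(total - lan_total) <= tolerance * lan_total]
    return sorted(suspects)


# Constructed HTTP transaction summaries as seen by the client: request headers
# the client sent and response headers it received (header names lower-cased).
SAMPLE_HTTP = [
    {"host": "mail.example", "req": {"accept-encoding": "gzip, deflate"},
     "resp": {"content-encoding": "gzip"}},
    {"host": "webmail.example", "req": {"accept-encoding": "gzip, deflate"},
     "resp": {"content-type": "text/html"}},        # asked for gzip, got plain
    {"host": "static.example", "req": {}, "resp": {}},  # client never asked for gzip
]


def find_stripped_gzip(transactions, baseline):
    """Flag hosts in `baseline` (hosts previously observed answering with
    content-encoding: gzip) where the client asked for gzip but the reply
    carried no content-encoding at all. A middlebox that removes gzip from
    the request or response produces exactly this pattern."""
    hits = []
    for t in transactions:
        asked = "gzip" in t["req"].get("accept-encoding", "")
        got = t["resp"].get("content-encoding", "")
        if asked and not got and t["host"] in baseline:
            hits.append(t["host"])
    return hits


if __name__ == "__main__":
    print("possible copy stream to:", find_copy_stream(SAMPLE_FLOWS))
    print("gzip stripped for:",
          find_stripped_gzip(SAMPLE_HTTP, {"mail.example", "webmail.example"}))
```

Both checks are deliberately coarse: the copy-stream heuristic only fires when the extra WAN flow mirrors the whole LAN volume, which is the Copy All case the text describes, and the per-Target Copy variant would need per-client volume comparison instead. The gzip check depends on a baseline of hosts that are known to compress, since a site that never gzips is not evidence of anything.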