19
Call Signs
When you steal in, the first thing you should do is mark the route, showing allies the exit and how to escape.

After you have slipped into the enemy’s area successfully, give more attention to not accidentally fighting yourselves than to the enemy.

—Yoshimori Hyakushu #26

While shinobi are often portrayed in popular culture as lone actors, many shinobi worked in teams. These teams were particularly adept at discretely relaying information to each other in the field. The Gunpo Jiyoshu manual describes three call signs, or physical markers, that the shinobi developed to communicate with each other without arousing suspicion. Based on what the markers were and where they were placed, call signs helped shinobi identify a target, marked which path they should take at afork in the road, provided directions to an enemy stronghold, or coordinated an attack, among other actions. Though call signs were well known within shinobi circles, participating shinobi agreed to custom variations prior to a mission to ensure that targets or even enemy shinobi could not recognize the call signs in the field. The scrolls suggest using markers that are portable, disposable, quick to deploy and retract, and placed at ground level. Most importantly, the markers had to be visually unique yet unremarkable to the uninitiated.

For example, a shinobi might agree to inform their fellow shinobi of their whereabouts by leaving dyed grains of rice in a predetermined, seemingly innocuous location. One shinobi would leave red rice, another green, and so on, so that when a fellow shinobi saw those few colored grains, they would know their ally had already passed through. The beauty of the system was that, while the shinobi could quickly identify these items, ordinary passersby would not notice a few oddly colored grains of rice. Using similar methods, the shinobi could subtly point a piece of broken bamboo to direct an ally toward a chosen footpath, or they could leave a small piece of paper on the ground to identify a dwelling that would be burned down, lessening the chance that team members would find themselves either victims or suspects of arson.¹

In this chapter, we will explore the ways that call sign techniques could be used in networked environments and why cyber threat actors might use them. We will hypothesize where in the network call signs could be placed and what they might look like. In addition, we will discuss how one could hunt for these call signs in a target network. We will review the challenge of detecting creative call signs and touch on the crux of this challenge: controlling and monitoring your environment for an adversary’s actions. You will get a chance, in the thought exercise, to build up mental models and solutions to deal with the challenge of enemy call signs. You will also be exposed to security controls that may prevent threat actors from using call signs in your environment, as well as limit their capabilities.

Operator Tradecraft

During the Democratic National Committee hack of 2016, the Russian military agency GRU (also known as APT28 or FANCYBEAR) and its allied security agency FSB (APT29 or COZYBEAR) were operating on the same network and systems, but they failed to use call signs to communicate with each other. This oversight resulted in duplication of effort and the creation of observables, anomalies, and other indicators of compromise in the victim’s network, likely contributing to the failure of both operations.² The lack of communication, which probably stemmed from compartmentalization between the two intelligence organizations, gives us a sense of what cyber espionage threat groups could learn from the shinobi.

While the cybersecurity community has not yet observed overlapping threat groups using covert markers, the DNC hack demonstrates the need for such a protocol to exist. It’s reasonable to assume that the GRU and FSB performed an after-action report of their DNC hack tradecraft efforts, and they may already have decided to implement a call sign protocol in future operations where target overlap is a concern. If cyber espionage organizations begin to work regularly in insulated but intersecting formations, they will need a way to communicate various information, including simply their presence on systems and networks and details about their targets, when using normal communication channels is not possible.

If these call signs did exist, what would they look like? Effective cyber call signs would most likely:

Change over time, as shinobi markers did
Be implemented in tools and malwares that cannot be captured and reverse engineered. Humans using keyboards would be needed to identify them.
Exist in a location that the overlapping espionage group would surely find, such as the valuable and unique primary domain controller (DC). Given the presence of file security monitors and the operational reality that DCs do not restart very often, a threat group might place the marker in the DC’s memory to maximize its persistence and minimize its detectability.

It remains unclear what kind of strings or unique hex bytes could function as markers; in what cache, temporary table, or memory location markers could reside; and how another operator could easily discover them. Note, however, that the cybersecurity industry has observed multiple malware families that leave specific files or registry keys as a signal to future copies of the virus that the infection has already successfully spread to a given machine (and thus that they need not attempt to infect it again).³ Though this call sign functionality could not be implemented as easily against dynamic human threat actors, defenders could create files and registry keys that falsely signal infection, prompting malware to move on innocuously.

Detecting the Presence of Call Signs

Many organizations struggle to identify which user deleted a file from a shared network drive, let alone to detect covert call signs hidden inside remote parts of a system. Nonetheless, defenders will increasingly need to be able to defend against threats that communicate with each other, inside the defender’s environment. To have a chance of catching threat actors, defenders will need training, and they will need to implement detection tools and have host visibility.

Implement advanced memory monitoring. Identify high-value systems in your network—systems that you believe a threat actor would target or need to access to move onward to a target. Then, explore the existing capabilities of your organization to monitor and restrict memory changes on these systems. Look at products and services offered by vendors as well. Evaluate the amount of effort and time that would be necessary to investigate the source of such memory changes. Finally, determine whether you could confidently identify whether those changes indicated that the target machines had been compromised.
Train your personnel. Train your security, hunt, and IT teams to consider forensic artifacts in memory as potential indictors of compromise, especially when these are found in high-value targets, rather than dismissing any incongruities they find.

Castle Theory Thought Exercise

Consider the scenario in which you are the ruler of a medieval castle with valuable assets inside. You receive reliable intelligence that teams of shinobi are targeting your castle and that they are using call signs to communicate with each other. Their covert signals include placing discreet markers on the ground, including dyed rice, flour, and broken bamboo.

How would you train your guards to be aware of these techniques—and of techniques you have not yet considered? How could you help them manage the false alerts likely to occur when your own people accidentally drop rice on the ground or when animals and wind disturb the environment? What architectural changes could you make to your castle and the grounds to more easily detect secret markers? What countermeasures would destroy, disrupt, or degrade the ability of these markers to communicate or deceive the shinobi who are sending and receiving the signals?

Recommended Security Controls and Mitigations

Where relevant, recommendations are presented with applicable security controls from the NIST 800-53 standard. Each should be evaluated with the concept of call signs in mind.

Ensure that prior user information is unavailable to current users who obtain access to the same system or resources. [SC-4: Information in Shared Resources]
Identify system communications that could be used for unauthorized information flows. A good example of a potential covert channel comes from control “PE-8: Visitor Access Records.” Paper log books or unrestricted digital devices that visitors use to sign in to facilities could be vulnerable to information markers that signal to compartmentalized espionage actors that other teams have visited the location. [SC-31: Covert Channel Analysis]
Search for indicators of potential attacks and unauthorized system use and deploy monitoring devices to track information transactions of interest. [SI-4: System Monitoring]
Protect system memory from unauthorized changes. [SI-16: Memory Protection]

Debrief

In this chapter, we reviewed the physical markers shinobi teams used to signal to each other inside enemy territory. We learned why these call signs were useful and the characteristics of good call signs according to the scrolls. We then reviewed a cyber espionage operation where a lack of call signs and the resulting uncoordination contributed to revealing threat group activity. We discussed how modern threat groups will likely continue to gain sophistication—a sophistication that may include adopting call sign techniques. We explored what modern digital call signs could look like as well as how we might notice them.

In the following chapter, we will discuss the opposite of shinobi call signs: precautions that shinobi took to leave no trace of their activity inside enemy territory, as the scrolls instructed. Advanced techniques included creating false signals intended to deceive the defender.