
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL

Identifier Lead Triage with ECHOBASE

XXXXXXXXX XXXXXXXXX JUN 2012



NSA - S2I51 NSA - T1442


The Problem
SIGINT is very good at 2 things:
1. Establishing lists of potential leads (50-10k+)
2. Manual analysis to vet individual targets

Potential leads 50-10k+ ????


Manual analysis


Tradecraft
A common model for identifier lead lists, today:
Phase 2 Phase 3

Seed List Provided to SIGDEV

Normalize and Expand Selectors

Foreignness and Compliance Check

Phase 4

Input

SIGINT Queries on Selector activity and behavior attributes

????
Bulk enrichment of SIGINT business knowledge

Manual analysis

Triage Today
After initial enrichment checks, the analyst is often left with too many identifiers of possible interest

Percentages are conceptual



Bulk Lead Triage via Behavior Analytics


- Hundreds or thousands of selectors to go through high level vetting very quickly
- Better triage prioritization allows for highly adjustable thresholds to be set for follow-on analysis
- Compliance can be inserted at both the batch result and query level
- Potentially utilize multiple clouds & cross-enterprise analytics

- No Further Analysis Needed 20%
- Definite Interest (Pri. 1) 5%
- High Interest (Pri 2) 15%
- Medium Interest (Pri 3) 35%
- Low Interest (Pri 4) 25%


Identifier SIGINT Business Enrichment


Bulk gathering, via Identifier Scoreboard
Targeting Authorities Reporting Targets Knowledge Foreignness Compliance not a raw SIGINT query
(phase 2/phase 3)


Yes/No Identifier Behavior


Bulk triage, via SIGINT Analytics Mode
Core set of yes/no behavioral questions about a set of identifier leads
(start of phase 4)

against raw SIGINT!


SIGINT Analytics Mode


Triage by aggregate behaviors

One column per yes/no question

Quickly zero in on worthy leads



SIGINT Analytics Mode Detailed View


SIGINT Analytics Mode Detailed View

Go view target knowledge

Go view content

Add new knowledge

External links to guide next steps in analysis



ECHOBASE Analytics Architecture


Initial set of analytic questions
- Most running within GHOSTMACHINE framework
- Limited contributors
- GHOSTMACHINE Analytic Engine provides QFD hosting of analytic results
- RESTful query interface

Future analytics
- multiple organizations/frameworks

[Architecture diagram. Labels: Daily Feeds; UTT; Targeting; OCTAVE; Targeted identifiers; Selector List; Seeds; Seeded Analytic; Analytic; Future Analytic; GHOSTMACHINE; GM Analytic Engine; QFD; Bulk feeds of analytics results; Bulk feed of analytic results; Non-GM Analytic; T12 CDP; Query QFDs Svc; User DN, justification, leads & which QFDs (domains); Log queries; WAVELEGAL; FGS; CASport; Check user authorizations; Direct service query; Future analytic service; "?"]


2012 Olympics Sharing


[Architecture diagram. Labels: GCHQ; (GCHQ architecture details omitted); NSA; Job Tracker; Lineup query details; Releasable targeted identifiers; Targeted identifiers; Daily Feeds; UTT; Targeting; OCTAVE; Selector List; Seeds; Seeded Analytic; Analytic; GHOSTMACHINE; GM Analytic Engine; QFD; Bulk feeds of analytics results; Bulk feed of analytic results; Non-GM Analytic; T12 CDP; Query QFDs Svc; User DN, justification, leads & which QFDs (domains); Log queries; WAVELEGAL; FGS; CASport; Check user authorizations]


2012 Olympics Support


NSA SID Leads Evaluation Cell
- Triage of Olympics-based leads through the event
- Leverage both NSA and GCHQ-produced analytics

Greater SID-wide usage following the Olympic period


Contact/Information
- Briefers:
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX
- ECHOBASE Alias:
  - XXXXXXXXXXXXXXXXXXXXX
- NSA WikiInfo page:
  - XXXXXXXXXXXXXXXXXXXXXXX