nsa sigdev: identifier lead triage with echobase
TRANSCRIPT
Identifier Lead Triage Identifier Lead Triage with ECHOBASEwith ECHOBASE
XXXXXXXXX XXXXXXXXX NSA NSA -- S2I51S2I51XXXXXXXXX XXXXXXXXX NSA NSA -- T1442T1442
JUN 2012JUN 2012
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
The Problem
2
Potential leads50-10k+
????
Manual analysis
SIGINT is very good at 2 things:1. Establishing lists of potential leads (50-10k+)2. Manual analysis to vet individual targets
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
Inpu
t Seed List Provided to SIGDEV Ph
ase
2 Normalize and Expand Selectors Ph
ase
3 Foreignness and Compliance Check
Phas
e 4 SIGINT
Queries on Selector activity and behavior attributes
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
Tradecraft
3
A common model for identifier lead lists, today:
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
Bulk enrichment of‘SIGINT business knowledge’ Manual analysis
????
Triage Today
4
After initial enrichment checks, the analyst is often left with too many identifiers of “possible interest”
Percentages are conceptual
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
Bulk Lead Triage via Behavior Analytics
5
• Hundreds or thousands of selectors to go through high level vetting very quickly• Better triage prioritization allows for highly adjustable thresholds to be set for
follow -on analysis• Compliance can be inserted at both the “batch result” and “query” level• Potentially utilize multiple clouds & cross-enterprise analytics
Definite Interest (Pri. 1)
5% High Interest (Pri 2)15%
Medium Interest (Pri 3) 35%
Low Interest (Pri 4)
25%
No Further Analysis Needed
20%
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
Identifier ‘SIGINT Business’ Enrichment
6TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
Bulk gathering, via Identifier Scoreboard
• Targeting• Authorities• Reporting• Targets• Knowledge• Foreignness• Compliance
…not a raw SIGINT query
(phase 2/phase 3)
‘Yes/No’ Identifier Behavior
7TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
Bulk triage, via SIGINT Analytics Mode (start of phase 4)
Core set of ‘yes/no’ behavioral questions about a set of identifier leads
…against raw SIGINT!
SIGINT Analytics Mode
8
One column per ‘yes/no’ question
Triage by aggregate behaviors
Quickly zero in on worthy leadsTOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
SIGINT Analytics Mode – Detailed View
9TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
SIGINT Analytics Mode – Detailed View
10
Go view contentGo view target knowledge
External links to guide next steps in analysisTOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
Add new knowledge
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
ECHOBASE Analytics Architecture
11
Targeting
GM Analytic Engine
Targeted identifiers
Analytic
Query QFDs Svc
Seeds
Analytic
Seeded AnalyticSeeded
Analytic
Bulk feeds of analytics results
OCTAVE
UTT
WAVELEGAL
User DN, justification, leads &which QFDs (“domains”)
Daily Feeds
SelectorList
CASport
Check userauthorizations
Check userauthorizations
Log queries
QFDQFD
QFDQFDQFD QFD
GHOSTMACHINE
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
T12CDP
Non-GM Analytic FGS
Bulk feed of analytic results
Initial set of analytic questions• Most running within GHOSTMACHINE framework
• Limited contributors
• GHOSTMACHINE Analytic Engine provides • QFD hosting of analytic results • RESTful query interface
Future analyticFuture analyticFuture analytic
service
Future analyticFuture analytic
Future analyticDirect servicequery
?
FutureAnalytic
Future analytics• multiple organizations/
frameworks
2012 Olympics Sharing
12
Targeting
GM Analytic Engine
Targeted identifiers
Analytic
Query QFDs Svc
Seeds
Analytic
Seeded AnalyticSeeded
Analytic
Bulk feeds of analytics results
OCTAVE
UTT
WAVELEGAL
User DN, justification, leads &which QFDs (“domains”)
Daily Feeds
SelectorList
CASport
Check userauthorizations
Check userauthorizations
Log queries
QFDQFD
QFDQFDQFD QFD
GHOSTMACHINE
Analytic
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
T12CDP
Non-GM Analytic FGS
Bulk feed of analytic results
Releasable targeted
identifiers
GCHQ
NSA
Lineupquery details
User DN, justification, leads &which QFDs (“domains”)
Job Tracker
(GCHQ architecture details omitted)
Seeded AnalyticSeeded
Analytic
Seeded AnalyticSeeded
Analytic
2012 Olympics Support
13TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
• NSA SID Leads Evaluation Cell• Triage of Olympics-based leads through the event • Leverage both NSA and GCHQ-produced analytics
• Greater SID-wide usage following the Olympic period
Contact/Information
14TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
- Briefers:- XXXXXXXXXXXXXXXXXXXXXXXXXXXX- XXXXXXXXXXXXXXXXXXXXXXXXXXXX
- ECHOBASE Alias:- XXXXXXXXXXXXXXXXXXXXX
- NSA WikiInfo page:- XXXXXXXXXXXXXXXXXXXXXXX