Title: Cyber Integration “The art of the possible”

Release Date: 2014-02-07

Document Date: 2012-01-01

Description: This GCHQ presentation, given to the 2012 SigDev Conference by representatives of the Joint Threat Research and Intelligence Group (JTRIG) and Cyber Defence Operations (CDO), describes how JTRIG attempts to “deny, disrupt, degrade and deceive” its targets. Speaker notes are included: see the NBC News article Snowden Docs: British Spies Used Sex and ‘Dirty […]

Document: NBC NEWS INVESTIGATIONS

investigations.nbcnews.com

The Snowden Files: British Spies Used Sex and 'Dirty Tricks'
Slideshow No. 1

GCHQ, the British signals intelligence agency, prepared the
following slides for a top-secret spy conference in 2012, describing
cyber operations. The slides focus on the efforts of a unit, the Joint
Intelligence Threat Research Group, or JTRIG. According to the
documents, JTRIG conducts "honey traps," sends adversaries
computer viruses, deletes their online presence, and employs
several other tactics. Documents previously published by NBC
News showed JTRIG engaged in cyber attacks on the hacktivist
collective known as Anonymous.

The slides were leaked by former NSA contractor Edward Snowden
and obtained exclusively by NBC News. NBC News is publishing
the documents with minimal redactions to protect individuals. The
presenter's notes for the slideshow are included.

CDO
Cyber Defence Operations

Cyber Integration
“The art of the possible”

JTRIG / GCHQ
CDO / GCHQ

Joint Threat Research Intelligence Group, a GCHQ unit focused on cyber forensics, espionage and covert operations

JTRIG - Core Functions

JTRIG has the following core functions:

• Covert Internet Investigations

• Forensic Investigation and Analysis

• Active Covert Internet Operations, (including online Humint and Effects)

• Covert Technical Operations

• Provision of Unattributable Internet Access

• Development of new capability

Explanation of the “base-line” for JTRIG-related work and make-up:

The structure of JTRIG:

- Ops / Technical (Cap Dev) / JBOS.

Mention the “Online Covert Action Accreditation” Programme.

- Commenced September 2011.

- Initially for JTRIG staff.

- A small number of ISD analysts now being accepted on courses.

Main skills covered:

- Information & Influence Operations.

- Online Humint.

- Disruption & CNA.

- Briefing to be provided by


Development of new capability:

- Capabilities being developed to access data from various internet services

- How these data sources may help to mitigate the loss that passive access could
suffer to encryption etc

- How to look further at integrating /fusing these data sources into our analytic stores
and workflows

EFFECTS: Definition

"Using online techniques to make something
happen in the real or cyber world"

Two broad categories:

- Information Ops (influence or disruption)

- Technical disruption

Known in GCHQ as Online Covert Action
The 4 D's: Deny / Disrupt / Degrade / Deceive

Key statement is the initial one.

Explain the categories more.

The one thing to remember for JTRIG is the 4 “D’s”.

Stop Someone From …

Bombard their phone with text messages
Bombard their phone with calls
Delete their online presence

Block up their fax machine

SMO examples from Afghanistan.

- Significantly disrupting Taleban Operations.

- Sending targets a text message every 10 seconds or so.

- Calling targets consistently on a regular basis.

Ability to delete a target’s online presence. Very annoying!!

Older type of Effects, but faxes are still used in some areas.

Discredit a target

Set up a honey-trap

Change their photos on social networking sites

Write a blog purporting to be one of their victims

Email/text their colleagues, neighbours, friends etc

Honey-trap; a great option. Very successful when it works.

- Get someone to go somewhere on the internet, or a physical location to be
met by a “friendly face”.

- JTRIG has the ability to “shape” the environment on occasions.

Photo change; you have been warned, “JTRIG is about!!”

Can take “paranoia” to a whole new level.

Blog writing:

- Has worked on a number of different Ops.

- One example is on a Serious Crime Op.

- Other examples on Iran work.

Email/text:

- Infiltration work.

- Helps JTRIG acquire credibility with online groups etc.

- Helps with bringing SIGINT/Effects together.

Discredit

Leak confidential information to companies / the
press via blogs etc

Post negative information on appropriate forums
Stop deals / ruin business relationships

Info Ops style work:

- Use of Open Source info and/or releasable Sigint items.

- Attempts to inform the public, where necessary (government protected
environment)

- First stages of disruption and/or discrediting companies / organisations

- Stop /divert the flow of funding. Introduce panic etc.

Get another … believe a 'secret'

• Place 'secret' information on a compromised
computer

• Send 'secret' information across a network visible
to Sigint

• Provide 'secret' information through an online
agent



Work alongside CNE:

- Use of various masquerade type techniques.

- Placement of potential “damning” information, where appropriate.

Visible networks:

- Shape the environment, so that Sigint can provide BDA for Operations.

- Use of releasable information (support from SIAs etc).

Online agent:

- Use of online aliases to good effect.

- Visibly shaping the online environment.

Stop someone’s computer from working

Send them a virus:

• AMBASSADORS RECEPTION - encrypt itself, delete
all emails, encrypt all files, make screen shake, no
more log on

Conduct a Denial of Service attack on their computer



Virus sending:

- Use of various JTRIG tools, including AMBASSADORS RECEPTION.

- Has been used in a variety of different areas, very effective.


Active Collection

Use of active techniques to collect intelligence required
to map out:

- Who does what?

- What institutions etc are being used?

- What companies?

- Who sets up the websites?

- How do they communicate between ministries
and / or each other?

- How do they communicate to investors?

- How do they store information?

Some basic questions, that are normally associated with scoping potential
Active Ops.

In essence Intelligence Analysts use SIGINT to answer the “pattern of life”
question.

But... do they know the “online - pattern of life” for their target set??

Do the analysts know not just what their target is doing, but what it is
thinking??

Impact of Effects

How do we measure the impact of "effects"?

"Blitz" style approach:

- Creating as much disruption as possible within a
short period of time

More subtle approach:

- Effects use less likely to be detected, therefore

- More sustainable over a longer period of time

Two main ways to measure the impact of “Effects” Operations.


Pros:

• Provide an opportunity for JTRIG analysts to be
more actively involved with ISD counterparts

• Enable further upskilling (e.g. C2C etc)

• Provide JTRIG analysts with the opportunity to
identify CNA-type options a lot earlier in Operations

• Provides ISD analysts a greater baseline and
understanding of JTRIG work

• An opportunity for analysts to learn new ACNO
skills (e.g. On-line HUMINT etc)


Cons:

Current lack of JTRIG IT infrastructure on the general
floor-plate

Lack of wider resource investment

Lack of overall training and support resources

Integration process will be resource intensive for CDO
