Title: Identifier Lead Triage with ECHOBASE

Release Date: 2014-04-30

Document Date: 2012-06-01

Description: This SIGDEV presentation dated June 2012 describes techniques for filtering very large datasets through the cloud-based GHOSTMACHINE framework. Cooperation between NSA and GCHQ during the 2012 London Olympics – the “Olympic Option” – is used as a case study: see the Intercept article British Spy Chiefs Secretly Begged to Play in NSA’s Data Pools, 30 […]

Document:





TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL








Identifier Lead Triage
with ECHOBASE

NSA - S2I51
NSA - T1442

JUN 2012


The Problem

SIGINT is very good at 2 things:

1. Establishing lists of potential leads (50-10k+)

2. Manual analysis to vet individual targets


Input


Tradecraft

Common model for identifier lead lists, today:

• Seed List Provided to SIGDEV
• Normalize and Expand Selectors
• Foreignness and Compliance Check
• SIGINT Queries on Selector activity and behavior attributes


Triage Today

After initial enrichment checks, the analyst is often
left with too many identifiers of "possible interest"

No Further Definite

Percentages are conceptual


Bulk Lead Triage via Behavior Analytics

Hundreds or thousands of selectors to go through high level vetting very quickly

Better triage prioritization allows for highly adjustable thresholds to be set for follow-on analysis

Compliance can be inserted at both the "batch result" and "query" level

Potentially utilize multiple clouds & cross-enterprise analytics


• Targeting

• Authorities

• Reporting

• Targets

• Knowledge

• Foreignness

• Compliance

...not a raw SIGINT query


'Yes/No' Identifier Behavior

Bulk triage, via SIGINT Analytics Mode

(start of phase 4)

Core set of 'yes/no' behavioral questions about a set of identifier leads

...against raw SIGINT!


SIGINT Analytics Mode

Triage by aggregate behaviors


One column per ‘yes/no’ question

Quickly zero in on worthy leads


SIGINT Analytics Mode - Detailed View


SIGINT Analytics Mode - Detailed View

• Go view target knowledge
• Go view content
• Add new knowledge

External links to guide next steps in analysis


ECHOBASE Analytics Architecture

Initial set of analytic questions

• Most running within GHOSTMACHINE framework
• Limited contributors

GHOSTMACHINE Analytic Engine provides

• QFD hosting of analytic results
• RESTful query interface

Future analytics

• multiple organizations/frameworks

[Architecture diagram; recoverable labels: Daily Feeds, Targeting, OCTAVE, UTT, GHOSTMACHINE, GM Analytic Engine, "User DN, justification, leads & Query", Log queries, WAVELEGAL, Check user authorizations, Direct service query, QFD, Targeted identifiers, Selector List, Bulk feed of analytic results, Seeds, Seeded Analytic, Future Analytic, Future analytic service, T12, CDP, CASport, Non-GM Analytic, FGS]


2012 Olympics Sharing

[Sharing diagram; recoverable labels: Check user authorizations, T12, CDP, CASport, Non-GM Analytic, FGS]


2012 Olympics Support

• NSA SID Leads Evaluation Cell

• Triage of Olympics-based leads through the event

• Leverage both NSA and GCHQ-produced analytics

• Greater SID-wide usage following the Olympic period


Contact/Information

- Briefers:

- ECHOBASE Alias:

- NSA WikiInfo page:
