Title: Next Generation Events

Release Date: 2015-09-25

Document Date: 2009-03-23

Description: This GCHQ presentation from 23 March 2009 discusses the agency’s plan for “processing Events [metadata] at scale”: see the Intercept article Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities, 25 September 2015.

Document: nge-anyst-exch-redacted-p1-normal.gif:
TOP SECRET STRAP 1

Analysis

Next Generation Events

TOP SECRET STRAP 1

23 March 2009

nge-anyst-exch-redacted-p2-normal.gif:
TOP SECRET STRAP 1



What is NGE?

• Systems like HAUSTORIUM reaching ingest capacity
- But scale and variety both increasing

• 5-Eyes also far-apart on "metadata" requirements, need to get closer together

The Answer?

• NGE: A multi-stage project that tackles a series of the problems, at increasing scale, and with
increasing collaboration

29 September 2009

nge-anyst-exch-redacted-p3-normal.gif:
TOP SECRET STRAP 1

Next Gen Events: High-level Plan

Analysts

[Timeline graphic; stage labels illegible in the source scan]

Full Operational Usage

New technologies (particularly from JCE) incorporated into solution as they are de-risked / proven

We Are Here

29 September 2009

nge-anyst-exch-redacted-p4-normal.gif:
TOP SECRET STRAP 1



NGE: The Last Three Months

• Sharing Enriched Metadata (HARBOUR PILOT)

- Moving towards metadata standards across 5-Eyes

- Invisible to GCHQ analysts

• Internet Profiling (BLAZING SADDLES)

- Taking ICTR ideas on how to process Events at scale, and scale even more

- Required significant effort on End-to-End Sigint process

29 September 2009

nge-anyst-exch-redacted-p5-normal.gif:
TOP SECRET STRAP 1

Plug 1 - Internet Profiling: The BLAZING SADDLES Delivery

• What It Does:

- Takes 8 ICTR QFD’s and scales them for up to 100 x 10G bearers

- Allows the analyst to see large amounts of a targets online activity

- Metadata - MUTANT BROTH, AUTO ASSOC, KARMA POLICE, SOCIAL ANIMAL, INFINITE
MONKEYS, HRMAP

- Content - MEMORY HOLE, MARBLED GECKO

• Why You Care:

- Want to know alternate online accounts?

- Quickly build up a picture of someone's online MO and interests?

- Identify for further exploitation (with other techniques) a targets network/machines?

- Success across IP/X - CP, SIMMER, Mumbai, G20 - and ask around in your IPT!

• How You Get Access:

- Currently instigating corporate process (based on C2C skill level)

- Interim - see your Tech Director or Tech Ex

29 September 2009

nge-anyst-exch-redacted-p6-normal.gif:
TOP SECRET STRAP 1



NGE: The Next Three Months

• ROCK RIDGE

- Continuing QFD roll-out

• SAMUEL PEPYS

• CAFFEINE HIT

- Sharing some QFD’s with (initially) NSA

• Converged Events

- Ensuring we don't perpetuate the C2C/Telephony divide

- Specific QFD’s that enhance our ability to exploit converged

• Evolved MUTANT BROTH

• LAUGHING HYENA

- Exit strategy for SALAMANCA/HAUSTORIUM

• CLOUD Experiments at Bude

- JCE and TINT

• Developing/testing technologies for later in the roadmap

• ICTR (and others!) continue to develop new ideas

29 September 2009

nge-anyst-exch-redacted-p7-normal.gif:
TOP SECRET STRAP 1



NGE: And After That?

• Capability Development Workspace

- Bulk datamining capability

- Use existing sources, and new cloud capabilities

• Large-scale contact chaining

- MOAG - but anyone can create

- Using both GCHQ and NSA datastores

• MO/Profiling based discovery

- Always been the goal for events-led analysis

- Dependent on technological advancements, but looking good

• Events/Content Fusion & Visualisation

- Seamless navigation between Events and Content

- Making sure we continue the MONTE VISTA/LOOKING GLASS ideas

29 September 2009

nge-anyst-exch-redacted-p8-normal.gif:
TOP SECRET STRAP 1

Next Generation Content..?

• Not yet... but thinking and delivery is happening

- TIPC using TDI’s

- Expand XKS use

- Trial new ways of collecting/processing content (TINT)

29 September 2009

nge-anyst-exch-redacted-p9-normal.gif:
TOP SECRET STRAP 1



Plug 2: TIPC Expansion

• What It Does

- Full client IP stream collection triggered by known selector

- Expanded to STM-64 environment as well as STM-1/4

- Now triggered by TDI’s, not just gmail, yahoo and maktoob

• Why You Care

- Unique Intelligence material that can't be strong selected - web visits/searches etc

- Find new protocols used by targets - you, tech trends, T development

- Contextless

- New dictionary - old one completely erased

• How Do You Get Access?

- Talk to your C2C Tech Ex - they are running pre-requisite briefings as there are some
dangers...(full IIB!)

29 September 2009

nge-anyst-exch-redacted-p10-normal.gif:
TOP SECRET STRAP 1

Plug 3: XKS & TINT @Bude Experiments

• What It Will Do:

- Promotion from XKS to IIB

- Integration into LOOKING GLASS

- Connection to Native File Viewer (FUME CUPBOARD)

- Continuing to work on the NSA data access issue

- The TINT @Bude Experiments Attempt To:

• Re-sessionise everything

• Tag traffic, based on

• strong selection, geography, application
• contextual fingerprints

• Extract metadata in bulk

• Retain a 3-day rolling buffer of 'interesting' content

• for retrospective protocol/network analysis
• for refining fingerprints/selectors

• Do this on 20 x 10G's!

• Why You Care:

- Packet processing approach misses stuff

- Strong selection only

- Too much data retained is unused (97% unviewed)

- Promote only the good stuff to long-term storage

- Aim: to automatically promote to long term storage

• When Do You Get Access?

New XKS capabilities will be rolled out to GCHQ KS s when available
TINT PUT in place, but experimental, not operational use only

29 September 2009
