Title: ROCKRIDGE

Release Date: 2015-09-03

Description: This undated GCHQ presentation describes some of the Question Focused Databases (QFDs) developed to analyse the massive amount of raw data the agency collects from undersea cables: see the Intercept article Profiled: From Radio to Porn, British Spies Track Web Users’ Online Identities, 25 September 2015.

Document: demystifying-nge-rock-ridge-p1-normal.gif:
demystifying-nge-rock-ridge-p2-normal.gif:

Scope and Aims

Increase maturity and availability of QFDs

Pull through more QFDs based on Ops priority

Deliver QFDs capable of holding 'Convergence' data and wider event types

DIAMOND

Provide a data mining and collaborative QFD development facility (BLACK HOLE - part of ROUGH DIAMOND)

Enable sharing of QFD data with 2nd and 3rd Parties

Interface with visualisation services in FIRE STORM

SECRET STRAP 1

NEXT GENERATION events

demystifying-nge-rock-ridge-p3-normal.gif:
What is a QFD?

Designed to answer single analytic question (e.g. 'where is my target?')

Simple table structure compared to traditional multi-function databases (e.g. HAUSTORIUM)

Pioneered by ICTR, now developed by a community including Next Gen Events, ICTR, SD, GTE,...

Question Focused Database

No specialised database technologies so simpler to develop and maintain

Additional instances can easily be deployed at new locations or to increase capacity

Smaller size and lower complexity means easier and quicker to develop and change

demystifying-nge-rock-ridge-p4-normal.gif:
What does each QFD answer?

What web pages was my target looking at before going to this website?

What websites has my target visited?

Who's been visiting this dodgy websites?

Karma Police

Who is my target interacting with on social networking sites?

GooBzs (QFD Query Federator)

Who's been posting (vBulletin boards) to this forum?

Social Animal

AutoAssoc

Infinite Monkeys

What files have my target been uploading/downloading?

What alternative identifiers can I use to search for my target?

What posting (vBulletin boards) activity has my target been up to?

Marbled Gecko

What is my target doing on-line right now?!

Memory Hole

Who's been looking at this suspicious part of the world?

What part of the world has my target been looking at?

Samuel Pepys

(Coming soon!)

Who's been searching for these suspicious things on-line?

What has my target been searching for on-line?

demystifying-nge-rock-ridge-p5-normal.gif:
Ingest roadmap

MUTANT BROTH, INFINITE MONKEYS, MEMORY HOLE

Eupe

CPC and RPC1

CPC and RPC 1

TPS are working with the NGE Project and SMO Mobile theme to produce internet presence and application usage events from within mobile phone 'tunnels' in internet bearers. These will be trialled before full operational rollout

Jmti pat 3 - Hcmri. Cm**. rrd Ru. Y^oo «rabna* term

xpe\ment Explore

Deployed across CPC and RPC1

Tmdcmi*- Wniow Lm IU. Y^oo

Deployed across CPC and RPC1

'QFD style' events will also be produced for types of event traditionally fed into the older HAUSTORIUM and HARBOUR PILOT databases

demystifying-nge-rock-ridge-p6-normal.gif:
Convergence QFDs

Screenshots from evolved MUTANT BROTH web interface, and an export of its data to Google Earth

This major thread of work will:

- Store events where internet applications are accessed from a mobile device
- Allow analysts to relate mobile device identifiers to internet identifiers such as email addresses
- Enable QFDs to store other more diverse event types, such as telephony events (currently SALAMANCA), and email events (currently HAUSTORIUM / HARBOUR PILOT)
- Interface to LOOKING GLASS visualisation coming soon (in FIRE STORM work package)

demystifying-nge-rock-ridge-p7-normal.gif:
demystifying-nge-rock-ridge-p8-normal.gif:
BLACK HOLE


What is BLACK HOLE?

- A flat file store housing all data from a wide range of feeds (events and content)
- Provides a set of tools for accessing that data.
- Intended to be the source of events (and limited content) for the development of new QFDs and analytics.
- Contains a rolling 6 months retention
- Part of ROUGH DIAMOND

What does it enable?

- New QFDs to be rapidly prototyped, then to be added to the operational QFD suite
- Trialling of new bulk analysis ideas
- New sources of data to be introduced quickly into existing QFDs.
- Users to look for particular patterns and behaviours (target discovery)
- TR, GTAC and GTE access to more data for research purposes, which may not be QFD related.

demystifying-nge-rock-ridge-p9-normal.gif:
User Feedback

'Absolutely FABULOUS well done'
(Iain Lobban, ref SUPERDRAKE reporting)

'It's amazing to see how the pace of delivery in TDB has increased and I have been impressed by your responsiveness to customer needs.'
(Senior User)

'Almost exactly a year ago I set you the challenge of delivering an upscaled massive events capability ... in order to support Internet Operations being conducted by GCHQ. Through your stripy team working on BLAZING SADDLES, BLUESHIFT and SUPPORTING INO you successfully met this challenge and delivered us a significant new capability in July.'
(Deputy Director Cyber Operations)

'It's working flawlessly'
(analyst, ref BLACK HOLE)


'Bloody awesome'
(analyst, ref SUPERDRAKE QFD)
