TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL

Identifier Lead Triage with ECHOBASE

XXXXXXXXX XXXXXXXXX JUN 2012

NSA - S2I51 NSA - T1442

The Problem
SIGINT is very good at 2 things:
1. Establishing lists of potential leads (50-10k+)
2. Manual analysis to vet individual targets

(Figure: potential leads 50-10k+ → ???? → manual analysis)

Tradecraft
A common model for identifier lead lists, today:
(Figure: input: seed list provided to SIGDEV → phase 2: normalize and expand selectors → phase 3: foreignness and compliance check → phase 4: SIGINT queries on selector activity and behavior attributes → ???? → manual analysis. Bulk enrichment of ‘SIGINT business knowledge’ spans phases 2 and 3.)

Triage Today
After initial enrichment checks, the analyst is often left with too many identifiers of “possible interest”

(Figure: pie chart of identifiers after enrichment; percentages are conceptual)

Bulk Lead Triage via Behavior Analytics
• Hundreds or thousands of selectors to go through high-level vetting very quickly
• Better triage prioritization allows for highly adjustable thresholds to be set for follow-on analysis
• Compliance can be inserted at both the “batch result” and “query” level
• Potentially utilize multiple clouds & cross-enterprise analytics

(Figure: conceptual triage outcome. Definite Interest (Pri 1) 5%, High Interest (Pri 2) 15%, Medium Interest (Pri 3) 35%, Low Interest (Pri 4) 25%, No Further Analysis Needed 20%)

Identifier ‘SIGINT Business’ Enrichment
Bulk gathering, via Identifier Scoreboard (phase 2/phase 3)
• Targeting
• Authorities
• Reporting
• Targets Knowledge
• Foreignness
• Compliance
• …not a raw SIGINT query

‘Yes/No’ Identifier Behavior
Bulk triage, via SIGINT Analytics Mode (start of phase 4)
Core set of ‘yes/no’ behavioral questions about a set of identifier leads

…against raw SIGINT!

SIGINT Analytics Mode
(Screenshot: SIGINT Analytics Mode table. Triage by aggregate behaviors; one column per ‘yes/no’ question; quickly zero in on worthy leads)
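
The analytics-mode table described above, one column per ‘yes/no’ question, is what the earlier slide's "highly adjustable thresholds" and "batch result" compliance check operate on. The Python below is an added example, not code from the ECHOBASE deck or from NSA: it scores each lead by its count of ‘yes’ answers, buckets it into the deck's Pri 1 to Pri 4 / no-further-analysis tiers by adjustable thresholds, and drops leads that failed the earlier compliance check from the batch result. The question names, thresholds, lead identifiers and answers are constructed assumptions.

```python
"""Added example, not part of the ECHOBASE deck: bulk triage of a batch of
identifier leads from a table of 'yes/no' behavioural answers, with adjustable
priority thresholds and a compliance filter applied to the batch result.
Every identifier, question and answer below is constructed sample data, and the
question names are assumptions, not ECHOBASE's."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping, Tuple

# Hypothetical 'yes/no' questions: one column each in the analytics-mode table.
QUESTIONS: Tuple[str, ...] = (
    "active_recently",
    "contacts_known_target",
    "uses_listed_device",
    "new_identifier",
)

# Constructed sample batch: one row per lead. 'compliant' carries the result of
# the earlier foreignness/compliance check; the other columns are the answers.
SAMPLE_BATCH: Dict[str, Dict[str, bool]] = {
    "lead-0001": {"compliant": True, "active_recently": True, "contacts_known_target": True, "uses_listed_device": True, "new_identifier": True},
    "lead-0002": {"compliant": True, "active_recently": True, "contacts_known_target": True, "uses_listed_device": True, "new_identifier": False},
    "lead-0003": {"compliant": True, "active_recently": True, "contacts_known_target": True, "uses_listed_device": False, "new_identifier": False},
    "lead-0004": {"compliant": True, "active_recently": True, "contacts_known_target": False, "uses_listed_device": False, "new_identifier": False},
    "lead-0005": {"compliant": True, "active_recently": False, "contacts_known_target": False, "uses_listed_device": False, "new_identifier": False},
    "lead-0006": {"compliant": False, "active_recently": True, "contacts_known_target": True, "uses_listed_device": True, "new_identifier": True},
    "lead-0007": {"compliant": True, "active_recently": True},  # analytic run incomplete
}

NO_FURTHER = "No Further Analysis Needed"
TIER_ORDER = ("Pri 1", "Pri 2", "Pri 3", "Pri 4", NO_FURTHER)


@dataclass(frozen=True)
class Thresholds:
    """Minimum number of 'yes' answers for each priority tier. These are the
    adjustable knobs; anything below pri4 needs no further analysis."""
    pri1: int = 4
    pri2: int = 3
    pri3: int = 2
    pri4: int = 1

    def __post_init__(self) -> None:
        # Tiers must be strictly descending and pri4 >= 1, so a lead with no
        # 'yes' answers can never be prioritised.
        if not (self.pri1 > self.pri2 > self.pri3 > self.pri4 >= 1):
            raise ValueError("thresholds must satisfy pri1 > pri2 > pri3 > pri4 >= 1")

    def tier(self, yes_count: int) -> str:
        for name, minimum in (("Pri 1", self.pri1), ("Pri 2", self.pri2),
                              ("Pri 3", self.pri3), ("Pri 4", self.pri4)):
            if yes_count >= minimum:
                return name
        return NO_FURTHER


def yes_count(row: Mapping[str, bool], questions: Iterable[str] = QUESTIONS) -> int:
    """Count 'yes' answers. A missing answer counts as 'no', so an incomplete
    analytic run can lower a lead's tier but never raise it."""
    return sum(1 for q in questions if row.get(q) is True)


def triage_batch(batch: Mapping[str, Mapping[str, bool]],
                 thresholds: Thresholds = Thresholds(),
                 questions: Iterable[str] = QUESTIONS) -> Tuple[Dict[str, str], List[str]]:
    """Assign every compliant lead a tier; leads that failed the compliance
    check are dropped from the result (batch-result level) and reported separately."""
    tiers: Dict[str, str] = {}
    excluded: List[str] = []
    for lead, row in batch.items():
        if row.get("compliant") is not True:
            excluded.append(lead)
            continue
        tiers[lead] = thresholds.tier(yes_count(row, questions))
    return tiers, excluded


def summarize(tiers: Mapping[str, str]) -> Dict[str, int]:
    """Lead count per tier, in the deck's order, for sanity-checking thresholds."""
    counts = {name: 0 for name in TIER_ORDER}
    for tier in tiers.values():
        counts[tier] += 1
    return counts


if __name__ == "__main__":
    tiers, excluded = triage_batch(SAMPLE_BATCH)
    for lead, tier in sorted(tiers.items()):
        print(f"{lead}: {tier}")
    print("excluded (failed compliance):", excluded)
    print("per tier:", summarize(tiers))
```

Two design choices matter for a triage of this kind: a missing answer is treated as ‘no’, so a partial analytic run can only push a lead down the list, and the compliance column is checked before any scoring, so a non-compliant lead never appears in the ranked output at all. Raising `pri1` above the number of questions (as in `Thresholds(pri1=5, pri2=3, pri3=2, pri4=1)`) empties the top tier, which is the quickest way to see how sensitive the result is to the thresholds.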

SIGINT Analytics Mode – Detailed View

(Screenshot: detailed view with external links to guide next steps in analysis: go view target knowledge, go view content, add new knowledge)

ECHOBASE Analytics Architecture
Initial set of analytic questions
• Most running within GHOSTMACHINE framework
• Limited contributors
• GHOSTMACHINE Analytic Engine provides
  • QFD hosting of analytic results
  • RESTful query interface
(Architecture diagram: daily feeds of targeted identifiers from the UTT and OCTAVE targeting systems form the selector list / seeds; seeded analytics and other analytics run in the GHOSTMACHINE (GM) Analytic Engine and bulk-feed their results into QFDs, as do non-GM analytics; future analytics and future analytic services attach by bulk feed or direct service query. An analyst query carries the user DN, justification, leads and which QFDs (“domains”) are requested and is logged; the T12 CDP Query QFDs Svc serves it, with user authorizations checked via WAVELEGAL, FGS and CASport.)

Future analytics
• multiple organizations/frameworks
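
The query path in the architecture above (user DN, justification, leads and which QFDs, logged and checked against user authorizations) is the "query level" compliance point the triage slide mentions. The Python below is an added example, not ECHOBASE code: a small gateway that denies a query missing a justification or touching a domain the user is not authorized for, writes an audit record for every query whether allowed or denied, and only then reads the requested QFDs. The gateway class, the authorization table, the DNs and the QFD contents are constructed assumptions standing in for the WAVELEGAL / FGS / CASport checks on the slide.

```python
"""Added example, not part of the ECHOBASE deck: a query-level compliance gate
of the kind the architecture slide places between the analyst and the QFDs.
Each query carries the user DN, a justification, the leads and the QFD
'domains' requested; the gate checks the user's per-domain authorizations,
logs every query whether allowed or denied, and fails closed. The DNs,
authorizations, domain names and QFD contents are constructed sample data,
and the class and function names are assumptions, not ECHOBASE's."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the user-authorization checks (WAVELEGAL / FGS /
# CASport on the slide): which QFD domains each user DN may query.
AUTHORIZATIONS: Dict[str, Set[str]] = {
    "CN=analyst.one,OU=S2I51": {"contact-activity", "device-attributes"},
    "CN=analyst.two,OU=T1442": {"contact-activity"},
}

# Constructed QFD contents: per domain, the 'yes/no' analytic answer per lead.
QFD_RESULTS: Dict[str, Dict[str, bool]] = {
    "contact-activity": {"lead-0001": True, "lead-0002": False},
    "device-attributes": {"lead-0001": True, "lead-0002": True},
}


@dataclass(frozen=True)
class Query:
    """What the slide says a query carries: user DN, justification, leads, domains."""
    user_dn: str
    justification: str
    leads: Tuple[str, ...]
    domains: Tuple[str, ...]


@dataclass
class QueryGateway:
    authorizations: Dict[str, Set[str]]
    qfds: Dict[str, Dict[str, bool]]
    audit_log: List[Dict[str, object]] = field(default_factory=list)

    def check(self, query: Query) -> Tuple[str, str]:
        """Decide 'allowed' or 'denied' with a reason. Any failed condition
        denies the whole query rather than returning partial results."""
        if not query.justification.strip():
            return "denied", "missing justification"
        if not query.leads or not query.domains:
            return "denied", "no leads or no domains requested"
        unknown = [d for d in query.domains if d not in self.qfds]
        if unknown:
            return "denied", "unknown domain: " + ", ".join(unknown)
        allowed = self.authorizations.get(query.user_dn, set())
        missing = [d for d in query.domains if d not in allowed]
        if missing:
            return "denied", "not authorized for: " + ", ".join(missing)
        return "allowed", ""

    def run(self, query: Query) -> Dict[str, Dict[str, Optional[bool]]]:
        """Log the query first, then answer it only if every check passed.
        Returns {domain: {lead: answer}}; a lead absent from a QFD gets None."""
        decision, reason = self.check(query)
        self.audit_log.append({
            "user_dn": query.user_dn,
            "justification": query.justification,
            "leads": query.leads,
            "domains": query.domains,
            "decision": decision,
            "reason": reason,
        })
        if decision != "allowed":
            return {}
        return {
            domain: {lead: self.qfds[domain].get(lead) for lead in query.leads}
            for domain in query.domains
        }


if __name__ == "__main__":
    gateway = QueryGateway(AUTHORIZATIONS, QFD_RESULTS)
    print(gateway.run(Query("CN=analyst.one,OU=S2I51", "lead vetting, constructed ticket EX-1",
                            ("lead-0001", "lead-0002"), ("contact-activity", "device-attributes"))))
    print(gateway.run(Query("CN=analyst.two,OU=T1442", "lead vetting",
                            ("lead-0001",), ("device-attributes",))))
    for entry in gateway.audit_log:
        print(entry["decision"], entry["reason"], entry["user_dn"])
```

The audit record is written before the authorization decision is acted on, so a denied query leaves the same trace as an allowed one, and a query that mixes an authorized and an unauthorized domain is refused outright rather than silently trimmed to the authorized part; both properties are what a compliance reviewer needs when reconstructing who asked what about which leads.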

2012 Olympics Sharing
(Architecture diagram, 2012 Olympics sharing: on the GCHQ side (GCHQ architecture details omitted), seeded analytics and a Job Tracker produce releasable targeted identifiers, with lineup query details exchanged with NSA. The NSA side is the ECHOBASE architecture from the previous slide: UTT and OCTAVE targeting feeds into the selector list / seeds, the GHOSTMACHINE GM Analytic Engine and QFDs bulk-fed by seeded, non-GM and other analytics, the T12 CDP Query QFDs Svc, logged queries carrying user DN, justification, leads and which QFDs (“domains”), and user-authorization checks via WAVELEGAL, FGS and CASport.)

2012 Olympics Support
• NSA SID Leads Evaluation Cell
  • Triage of Olympics-based leads through the event
  • Leverage both NSA and GCHQ-produced analytics
• Greater SID-wide usage following the Olympic period

Contact/Information
- Briefers:
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX
- ECHOBASE Alias:
  - XXXXXXXXXXXXXXXXXXXXX
- NSA WikiInfo page:
  - XXXXXXXXXXXXXXXXXXXXXXX