Identifier Lead Triage with ECHOBASE
XXXXXXXXX NSA - S2I51
XXXXXXXXX NSA - T1442
JUN 2012
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL

The Problem (slide 2)
SIGINT is very good at 2 things:
1. Establishing lists of potential leads (50-10k+)
2. Manual analysis to vet individual targets
[Diagram: Potential leads (50-10k+) -> ???? -> Manual analysis]

Tradecraft (slide 3)
A common model for identifier lead lists, today:
Input: Seed List Provided to SIGDEV
Phase 2: Normalize and Expand Selectors
Phase 3: Foreignness and Compliance Check
Phase 4: SIGINT Queries on Selector activity and behavior attributes
[Diagram labels: Bulk enrichment of ‘SIGINT business knowledge’; ????; Manual analysis]

Triage Today (slide 4)
After initial enrichment checks, the analyst is often left with too many identifiers of “possible interest”
[Chart; percentages are conceptual]

Bulk Lead Triage via Behavior Analytics (slide 5)
• Hundreds or thousands of selectors to go through high level vetting very quickly
• Better triage prioritization allows for highly adjustable thresholds to be set for follow-on analysis
• Compliance can be inserted at both the “batch result” and “query” level
• Potentially utilize multiple clouds & cross-enterprise analytics
[Chart: Definite Interest (Pri. 1) 5%; High Interest (Pri. 2) 15%; Medium Interest (Pri. 3) 35%; Low Interest (Pri. 4) 25%; No Further Analysis Needed 20%]

Identifier ‘SIGINT Business’ Enrichment (slide 6)
Bulk gathering, via Identifier Scoreboard (phase 2/phase 3)
• Targeting
• Authorities
• Reporting
• Targets
• Knowledge
• Foreignness
• Compliance
…not a raw SIGINT query

‘Yes/No’ Identifier Behavior (slide 7)
Bulk triage, via SIGINT Analytics Mode (start of phase 4)
Core set of ‘yes/no’ behavioral questions about a set of identifier leads
…against raw SIGINT!

SIGINT Analytics Mode (slide 8)
[Screenshot callouts:]
One column per ‘yes/no’ question
Triage by aggregate behaviors
Quickly zero in on worthy leads

SIGINT Analytics Mode – Detailed View (slide 9)
[Screenshot only]

SIGINT Analytics Mode – Detailed View (slide 10)
[Screenshot callouts: Go view content; Go view target knowledge; Add new knowledge]
External links to guide next steps in analysis

ECHOBASE Analytics Architecture (slide 11)
[Architecture diagram; component labels as they appear: Targeting; GM Analytic Engine; Targeted identifiers; Analytic Query Svc; QFDs; Seeds; Analytic; Seeded Analytic; Bulk feeds of analytics results; OCTAVE; UTT; WAVELEGAL; User DN, justification, leads & which QFDs (“domains”); Daily Feeds; Selector List; CASport; Check user authorizations; Log queries; QFD (several); GHOSTMACHINE; T12CDP; Non-GM Analytic FGS; Bulk feed of analytic results; Future analytic (several); Future analytic service; Direct service query; ?]
Initial set of analytic questions
• Most running within GHOSTMACHINE framework
• Limited contributors
• GHOSTMACHINE Analytic Engine provides:
  • QFD hosting of analytic results
  • RESTful query interface
Future analytics
• multiple organizations/frameworks

2012 Olympics Sharing (slide 12)
[Architecture diagram repeating the ECHOBASE Analytics Architecture component labels (Targeting; GM Analytic Engine; Targeted identifiers; Analytic Query Svc; QFDs; Seeds; Analytic; Seeded Analytic; Bulk feeds of analytics results; OCTAVE; UTT; WAVELEGAL; User DN, justification, leads & which QFDs (“domains”); Daily Feeds; Selector List; CASport; Check user authorizations; Log queries; QFD (several); GHOSTMACHINE; T12CDP; Non-GM Analytic FGS; Bulk feed of analytic results), with added labels on the sharing side: Releasable targeted identifiers; GCHQ; NSA; Lineup query details; User DN, justification, leads & which QFDs (“domains”); Job Tracker; Seeded Analytic (several); (GCHQ architecture details omitted)]

2012 Olympics Support (slide 13)
• NSA SID Leads Evaluation Cell
  • Triage of Olympics-based leads through the event
  • Leverage both NSA and GCHQ-produced analytics
• Greater SID-wide usage following the Olympic period

Contact/Information (slide 14)
- Briefers:
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX
- ECHOBASE Alias:
  - XXXXXXXXXXXXXXXXXXXXX
- NSA Wiki Info page:
  - XXXXXXXXXXXXXXXXXXXXXXX