nsa sigdev: identifier lead triage with echobase
TRANSCRIPT
![Page 1: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/1.jpg)
Identifier Lead Triage with ECHOBASE
XXXXXXXXX XXXXXXXXX, NSA - S2I51
XXXXXXXXX XXXXXXXXX, NSA - T1442
JUN 2012
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
![Page 2: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/2.jpg)
The Problem
SIGINT is very good at 2 things:
1. Establishing lists of potential leads (50-10k+)
2. Manual analysis to vet individual targets
[Diagram: Potential leads (50-10k+) → ???? → Manual analysis]
![Page 3: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/3.jpg)
Tradecraft
A common model for identifier lead lists, today:
Input: Seed List Provided to SIGDEV
Phase 2: Normalize and Expand Selectors
Phase 3: Foreignness and Compliance Check
Phase 4: SIGINT Queries on Selector activity and behavior attributes
[Diagram: Bulk enrichment of ‘SIGINT business knowledge’ → ???? → Manual analysis]
![Page 4: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/4.jpg)
Triage Today
After initial enrichment checks, the analyst is often left with too many identifiers of “possible interest”
[Chart: percentages are conceptual]
![Page 5: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/5.jpg)
Bulk Lead Triage via Behavior Analytics
• Hundreds or thousands of selectors to go through high level vetting very quickly
• Better triage prioritization allows for highly adjustable thresholds to be set for follow-on analysis
• Compliance can be inserted at both the “batch result” and “query” level
• Potentially utilize multiple clouds & cross-enterprise analytics
[Pie chart:]
• Definite Interest (Pri 1): 5%
• High Interest (Pri 2): 15%
• Medium Interest (Pri 3): 35%
• Low Interest (Pri 4): 25%
• No Further Analysis Needed: 20%
![Page 6: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/6.jpg)
Identifier ‘SIGINT Business’ Enrichment
Bulk gathering, via Identifier Scoreboard (phase 2/phase 3)
• Targeting
• Authorities
• Reporting
• Targets
• Knowledge
• Foreignness
• Compliance
…not a raw SIGINT query
![Page 7: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/7.jpg)
‘Yes/No’ Identifier Behavior
Bulk triage, via SIGINT Analytics Mode (start of phase 4)
Core set of ‘yes/no’ behavioral questions about a set of identifier leads
…against raw SIGINT!
![Page 8: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/8.jpg)
SIGINT Analytics Mode
[Screenshot callouts:]
• One column per ‘yes/no’ question
• Triage by aggregate behaviors
• Quickly zero in on worthy leads
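The slides describe the triage flow only at the whiteboard level: normalize and expand selectors (phase 2), gate them on a foreignness/compliance check (phase 3), answer a core set of yes/no behavioral questions per identifier against the data (phase 4), then bucket leads by aggregate behavior with adjustable thresholds. The script below is an added example and not ECHOBASE or GHOSTMACHINE code; it shows the shape of such a pipeline in a few dozen lines. Every selector, activity record, question name, weight, threshold and compliance rule in it is constructed for illustration (the UK-number and "domestic domain" rules stand in for whatever the real foreignness check does), and the three yes/no questions are hypothetical, not analytics the slides name.

```python
"""Added example (not from the ECHOBASE slides): a toy version of the
lead-triage pipeline the slides outline. Phase 2 normalizes and dedupes
selectors, phase 3 applies a compliance gate per query, phase 4 answers a
few hypothetical yes/no behavioral questions per identifier and buckets
leads by aggregate score with adjustable thresholds. All selectors,
activity records, question names, weights and rules below are constructed."""
import re

# ---- constructed reference data (hypothetical, not real analytics) ----
KNOWN_TARGETS = {"carol@mail.test"}          # identifiers already of interest
AREAS_OF_INTEREST = {"region-1"}
DOMESTIC_DOMAINS = {"home.example"}          # stand-in for the foreignness check
DOMESTIC_PHONE_PREFIX = "+1"

# one weight per hypothetical yes/no question (one column each in the results)
QUESTIONS = {"active_last_30d": 1, "in_contact_with_known_target": 3,
             "seen_in_area_of_interest": 2}

# adjustable thresholds: (minimum score, priority label), highest first
THRESHOLDS = [(5, "Pri 1 Definite"), (3, "Pri 2 High"),
              (2, "Pri 3 Medium"), (1, "Pri 4 Low")]


def normalize_selector(raw):
    """Phase 2: canonical (kind, value) so duplicate leads collapse.
    Assumes 11-digit numbers starting with 0 are UK national format."""
    s = raw.strip()
    if "@" in s:
        local, _, domain = s.rpartition("@")
        return ("email", f"{local.lower()}@{domain.lower()}")
    digits = re.sub(r"\D", "", s)
    if not digits:
        return None
    if len(digits) == 11 and digits.startswith("0"):
        digits = "44" + digits[1:]          # constructed UK rule, see docstring
    return ("phone", "+" + digits)


def compliance_gate(kind, value):
    """Phase 3 (query level): may this selector be run against raw data?
    Returns None if allowed, otherwise the reason it is excluded."""
    if kind == "email" and value.rsplit("@", 1)[1] in DOMESTIC_DOMAINS:
        return "domestic domain"
    if kind == "phone" and value.startswith(DOMESTIC_PHONE_PREFIX):
        return "domestic country code"
    return None


def answer_questions(value, activity):
    """Phase 4: one bool per hypothetical question for one identifier."""
    a = activity.get(value, {})
    return {
        "active_last_30d": a.get("days_since_last_seen", 10**6) <= 30,
        "in_contact_with_known_target": bool(set(a.get("contacts", ())) & KNOWN_TARGETS),
        "seen_in_area_of_interest": bool(set(a.get("regions", ())) & AREAS_OF_INTEREST),
    }


def prioritize(score, thresholds=THRESHOLDS):
    """Map an aggregate score onto a priority bucket; thresholds are tunable."""
    for floor, label in thresholds:
        if score >= floor:
            return label
    return "No further analysis"


def triage(seeds, activity, thresholds=THRESHOLDS):
    """Run the whole pipeline; returns ranked rows plus the excluded leads."""
    approved, dropped = {}, []
    for raw in seeds:
        sel = normalize_selector(raw)
        if sel is None:
            dropped.append((raw, "unparseable"))
            continue
        reason = compliance_gate(*sel)
        if reason:
            dropped.append((raw, reason))
        else:
            approved.setdefault(sel, []).append(raw)   # dedupe, keep provenance
    rows = []
    for (kind, value), raws in approved.items():
        answers = answer_questions(value, activity)
        score = sum(QUESTIONS[q] for q, yes in answers.items() if yes)
        rows.append({"selector": value, "kind": kind, "sources": raws,
                     "answers": answers, "score": score,
                     "priority": prioritize(score, thresholds)})
    # batch-result level compliance: re-check so nothing excluded can reappear
    rows = [r for r in rows if compliance_gate(r["kind"], r["selector"]) is None]
    rows.sort(key=lambda r: r["score"], reverse=True)
    return {"ranked": rows, "dropped": dropped}


# ---- constructed seed list and per-identifier activity summaries ----
SEED_LEADS = ["  Alice.Example@MAIL.test ", "alice.example@mail.test",
              "+44 20 7946 0000", "020 7946 0000", "bob@mail.test",
              "dave@home.example", "+1 202 555 0100"]
ACTIVITY = {
    "alice.example@mail.test": {"days_since_last_seen": 5,
                                "contacts": ["carol@mail.test"], "regions": ["region-1"]},
    "+442079460000": {"days_since_last_seen": 12, "regions": ["region-1"]},
    "bob@mail.test": {"days_since_last_seen": 400},
}

if __name__ == "__main__":
    result = triage(SEED_LEADS, ACTIVITY)
    for r in result["ranked"]:
        flags = "".join("Y" if r["answers"][q] else "." for q in QUESTIONS)
        print(f"{r['priority']:<20} score={r['score']} [{flags}] {r['selector']}")
    for raw, why in result["dropped"]:
        print(f"excluded ({why}): {raw!r}")
```

Two design points carry over to any real triage system of this kind: the compliance gate runs before any selector touches raw data (query level) and again over the finished batch (batch-result level), so a selector that slipped through by a code path the first gate did not cover is still stripped from what the analyst sees; and the priority split comes from a threshold table rather than from the question logic, so the 5/15/35/25/20 style proportions can be retuned without touching the analytics.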
![Page 9: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/9.jpg)
SIGINT Analytics Mode – Detailed View
![Page 10: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/10.jpg)
SIGINT Analytics Mode – Detailed View
External links to guide next steps in analysis:
• Go view content
• Go view target knowledge
• Add new knowledge
![Page 11: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/11.jpg)
ECHOBASE Analytics Architecture
[Architecture diagram. Components shown:]
• Targeting: OCTAVE, UTT, WAVELEGAL; daily feeds of targeted identifiers (selector list) into the analytic engine
• CASport: check user authorizations, log queries
• GM Analytic Engine (GHOSTMACHINE): QFDs, Analytic Query Svc, seeded analytics, bulk feeds of analytics results
• Query inputs: seeds; user DN, justification, leads & which QFDs (“domains”)
• T12CDP: Non-GM Analytic FGS, bulk feed of analytic results
• Future analytics: direct service query (?)
Initial set of analytic questions
• Most running within GHOSTMACHINE framework
• Limited contributors
• GHOSTMACHINE Analytic Engine provides
  • QFD hosting of analytic results
  • RESTful query interface
Future analytics
• multiple organizations/frameworks
![Page 12: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/12.jpg)
2012 Olympics Sharing
[Architecture diagram: the ECHOBASE architecture (Targeting: OCTAVE, UTT, WAVELEGAL with daily feeds of targeted identifiers; CASport checking user authorizations and logging queries; GM Analytic Engine with QFDs, Analytic Query Svc and seeded analytics; T12CDP Non-GM Analytic FGS bulk feed of analytic results) with a GCHQ side added. Elements shown on the GCHQ/NSA boundary: releasable targeted identifiers; Lineup query details; user DN, justification, leads & which QFDs (“domains”); Job Tracker; seeded analytics. GCHQ architecture details omitted.]
![Page 13: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/13.jpg)
2012 Olympics Support
• NSA SID Leads Evaluation Cell
• Triage of Olympics-based leads through the event
• Leverage both NSA and GCHQ-produced analytics
• Greater SID-wide usage following the Olympic period
![Page 14: NSA SIGDEV: Identifier Lead Triage with ECHOBASE](https://reader030.vdocuments.mx/reader030/viewer/2022033107/577ccde61a28ab9e788cdc73/html5/thumbnails/14.jpg)
Contact/Information
- Briefers:
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX
- ECHOBASE Alias:
  - XXXXXXXXXXXXXXXXXXXXX
- NSA WikiInfo page:
  - XXXXXXXXXXXXXXXXXXXXXXX