GHOSTMACHINE: Identifier Lead Triage with ECHOBASE
Apr. 30, 2014
TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
Identifier Lead Triage with ECHOBASE
XXXXXXXXX
XXXXXXXXX
JUN 2012
NSA - S2I51
NSA - T1442

The Problem
SIGINT is very good at 2 things:
1. Establishing lists of potential leads (50-10k+)
2. Manual analysis to vet individual targets
[Figure: potential leads (50-10k+) → ???? → manual analysis; the middle step is the gap the deck addresses]

A common model for identifier lead lists, today:
[Figure: Input → Phase 2: seed list provided to SIGDEV → Phase 3: normalize and expand selectors → Phase 4: foreignness and compliance check → Tradecraft. Shown alongside the phases: bulk enrichment of ‘SIGINT business knowledge’; SIGINT queries on selector activity and behavior attributes; ????; manual analysis]

Triage Today
After initial enrichment checks, the analyst is often left with too many identifiers of “possible interest”
(Percentages are conceptual)

Bulk Lead Triage via Behavior Analytics
• Hundreds or thousands of selectors to go through high level vetting very quickly
• Better triage prioritization allows for highly adjustable thresholds to be set for follow-on analysis
• Compliance can be inserted at both the “batch result” and “query” level
• Potentially utilize multiple clouds & cross-enterprise analytics
[Pie chart, conceptual percentages: Definite Interest (Pri 1) 5%; High Interest (Pri 2) 15%; Medium Interest (Pri 3) 35%; Low Interest (Pri 4) 25%; No Further Analysis Needed 20%]

TOP SECRET//COMINT//REL TO USA, CAN, AUS, GBR, NZL
Identifier ‘SIGINT Business’ Enrichment
Bulk gathering, via Identifier Scoreboard (phase 2/phase 3)
• Targeting
• Authorities
• Reporting
• Targets
• Knowledge
• Foreignness
• Compliance
…not a raw SIGINT query

‘Yes/No’ Identifier Behavior
Bulk triage, via SIGINT Analytics Mode (start of phase 4)
Core set of ‘yes/no’ behavioral questions about a set of identifier leads
…against raw SIGINT!

SIGINT Analytics Mode
[Screenshot captions:]
Triage by aggregate behaviors
One column per ‘yes/no’ question
Quickly zero in on worthy leads

SIGINT Analytics Mode – Detailed View
[Screenshot only]

SIGINT Analytics Mode – Detailed View
[Screenshot captions:]
Go view target knowledge
Go view content
Add new knowledge
External links to guide next steps in analysis

ECHOBASE Analytics Architecture
Initial set of analytic questions
• Most running within GHOSTMACHINE framework
• Limited contributors
• GHOSTMACHINE Analytic Engine provides
  • QFD hosting of analytic results
  • RESTful query interface
Future analytics
• multiple organizations/frameworks
[Architecture diagram: Targeting (OCTAVE; UTT daily feeds) → targeted identifiers → seeds / selector list → seeded analytics running in the GM Analytic Engine → QFDs. Other analytics (T12 CDP analytic, further analytics, non-GM analytic, future analytics) deliver bulk feeds of analytic results into the QFDs. A “Query QFDs Svc” takes user DN, justification, leads & which QFDs (“domains”); it logs queries and checks user authorizations (WAVELEGAL, CASport; FGS marked “?”). A direct service query to a future analytic service is also shown.]

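The two compliance points the deck names, a “query”-level gate (user DN, justification, requested leads and domains, authorization check, query logging) and a “batch result”-level filter, as an added Python example. This is not ECHOBASE or GHOSTMACHINE code: the authorization table, result rows, compliance flags and user DNs are constructed stand-ins for the external services the diagram references (CASport, WAVELEGAL, FGS), whose interfaces the deck does not describe.

```python
"""Query gate for an analytics result store: query-level authorization with a
required justification, an audit record for every query, and a batch-result
level compliance filter.

Added example, not ECHOBASE or GHOSTMACHINE code.  The authorization table,
result rows, compliance flags and user DNs below are constructed stand-ins.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed authorization table: user DN -> set of QFD "domains" the user
# may query.  Stand-in for an external authorization service.
AUTHORIZED_DOMAINS = {
    "CN=analyst.one,OU=example": {"domain-a", "domain-b"},
    "CN=analyst.two,OU=example": {"domain-a"},
}

# Constructed analytic result rows, one per (domain, lead).  q1/q2 are the
# 'yes/no' answer columns; 'compliant' stands in for the per-row
# foreignness/compliance check applied to a batch result.
RESULTS = [
    {"domain": "domain-a", "lead": "lead-001", "q1": True,  "q2": False, "compliant": True},
    {"domain": "domain-a", "lead": "lead-002", "q1": True,  "q2": True,  "compliant": False},
    {"domain": "domain-b", "lead": "lead-001", "q1": False, "q2": True,  "compliant": True},
    {"domain": "domain-b", "lead": "lead-003", "q1": True,  "q2": True,  "compliant": True},
]


@dataclass
class QueryRequest:
    user_dn: str
    justification: str
    leads: frozenset
    domains: frozenset


@dataclass
class AuditRecord:
    timestamp: str
    user_dn: str
    justification: str
    leads: tuple
    domains: tuple
    decision: str        # "allowed" or "denied: <reason>"
    rows_returned: int


@dataclass
class QueryResult:
    allowed: bool
    reason: Optional[str]
    rows: list


def authorize(req: QueryRequest, table=AUTHORIZED_DOMAINS) -> Optional[str]:
    """Query-level check.  Returns None when the query may proceed, otherwise
    the reason for denial.  Every requested domain must be authorized."""
    if not req.justification.strip():
        return "missing justification"
    allowed = table.get(req.user_dn)
    if not allowed:
        return "unknown user"
    unauthorized = sorted(req.domains - allowed)
    if unauthorized:
        return "unauthorized domains: " + ", ".join(unauthorized)
    return None


def filter_batch(rows: list, req: QueryRequest) -> list:
    """Batch-result-level check: keep only rows for the requested domains and
    leads that passed the per-row compliance check."""
    return [
        r for r in rows
        if r["domain"] in req.domains and r["lead"] in req.leads and r["compliant"]
    ]


def query(req: QueryRequest, rows=RESULTS, table=AUTHORIZED_DOMAINS,
          log: Optional[list] = None) -> QueryResult:
    """Run the query through both gates and record an audit entry whether the
    query was allowed or denied (denials are worth logging too)."""
    reason = authorize(req, table)
    out = [] if reason else filter_batch(rows, req)
    if log is not None:
        log.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_dn=req.user_dn,
            justification=req.justification,
            leads=tuple(sorted(req.leads)),
            domains=tuple(sorted(req.domains)),
            decision="allowed" if reason is None else "denied: " + reason,
            rows_returned=len(out),
        ))
    return QueryResult(allowed=reason is None, reason=reason, rows=out)


if __name__ == "__main__":
    audit = []
    req = QueryRequest("CN=analyst.one,OU=example", "lead triage, ticket T-1 (constructed)",
                       frozenset({"lead-001", "lead-002"}), frozenset({"domain-a", "domain-b"}))
    res = query(req, log=audit)
    print(res.allowed, [(r["domain"], r["lead"]) for r in res.rows])
    print(audit[-1].decision, audit[-1].rows_returned)
```

The design point is that the audit record is written before the result is returned and regardless of the decision, and that a request naming any domain outside the user's authorization is refused as a whole rather than silently trimmed; the batch-level filter then removes individual rows that failed the per-row compliance check even when the query itself was authorized.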
2012 Olympics Sharing
[Diagram, NSA side as in the architecture slide: Targeting (OCTAVE; UTT daily feeds) → targeted identifiers → seeds / selector list → seeded analytics in the GM Analytic Engine → QFDs; T12 CDP analytic, other analytics and non-GM analytic deliver bulk feeds of analytic results; Query QFDs Svc takes user DN, justification, leads & which QFDs (“domains”), logs queries and checks user authorizations (WAVELEGAL, FGS, CASport). GCHQ side: releasable targeted identifiers, seeded analytics, Job Tracker, Lineup query details; GCHQ architecture details omitted.]

2012 Olympics Support
• NSA SID Leads Evaluation Cell
• Triage of Olympics-based leads through the event
• Leverage both NSA and GCHQ-produced analytics
• Greater SID-wide usage following the Olympic period

Contact/Information
- Briefers:
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX
  - XXXXXXXXXXXXXXXXXXXXXXXXXXXX
- ECHOBASE Alias:
  - XXXXXXXXXXXXXXXXXXXXX
- NSA WikiInfo page:
  - XXXXXXXXXXXXXXXXXXXXXXX