Intrusion Analysis – GCHQ
June 22, 2015
SECRET STRAP1
Intrusion Analysis / eAC
The IA team conducts all-source analysis both of emerging and current electronic attack types. It forms part of the Joint Electronic Attack Cell (other elements are EITT, JTRIG and the EA Threat Team). SIGINT targeting by the IA team falls under EITT oversight (see Seth's email of [date illegible]). The IA team is responsible for the management and release of eA signatures.
PoCs: [redacted] (Team Leader)
Main Customers: SS, GCHQ, SIS, Hlle, 2nd Parties.
Sources: where does the material come from?
- SIGINT
- HARUSPEX (though most first-line analysis is done by the Incident Response Team)
- MessageLabs data managed via the network
- Tasking of CNE
- Open Source
'Target' location
HARUSPEX sensors monitor attacks against UK systems based on known attack signatures. These signatures typically reflect attack vectors, infrastructure or entity identifiers associated with attacks. While the signatures reflect our knowledge of FIS activities, traffic may be collected if the attacker is using UK infrastructure.
SIGINT is used to detect attack activity associated with FIS or Foreign Governments. Selectors include IP addresses, web domains and email addresses. In general these are not associated with the UK, but where UK infrastructure is involved, appropriate SIGINT processes are followed.
Report Types: How are results reported?
Reports are issued as standard EPRs via PROSPERO.
Report Distribution Mechanism
PROSPERO
Legal Authorities
Authorisation varies depending on the source of the information:
Any CNE will be authorised under ISA and (where necessary) either with a warrant issued under s5 or under [section illegible], depending on where the target is located.
Use of the SIGINT system is under the direction of EITT; all normal Ops rules apply and intercept will have been acquired under Part [illegible] of RIPA.
Any HARUSPEX information has been lawfully acquired under the LBPR, as for the Response Team.
Local Policy statements/documentation
- The signature release policy ([reference illegible] of 26 June 200?)
1 of 2
- [redacted]'s email of [date illegible]: [redacted] is accountable for eA use of the SIGINT system.
- [redacted] of EITT is working with OPPLEG on eA-specific authorisations for CNE (to allow the targeting of UK-based victims).
- [redacted]'s description of the Signature Spreadsheet.
Auditing arrangements
The IA team has a fairly small number of selectors in CORINTH. Team members are prompted to check the validity of their selectors. Formal audits are conducted under the auspices of EITT. HRA checking is enforced by the SIGINT system, in that selectors will age off if not re-validated. Use of the SIGINT system for eA is covered by 2 MIRANDA numbers, corresponding to the separate JIC requirements for current and emerging electronic threats.
The team maintains a local spreadsheet of about 1500 eA signatures with associated information on nationality, release, likely false positive rate etc. The Signature Release Policy mentioned above controls the deployment of these signatures on HARUSPEX and their release to external agencies.
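The mechanism the document sketches in the 'Target' location and Auditing sections (signatures keyed on IP, domain or email identifiers; a spreadsheet recording nationality, release and likely false-positive rate; a release policy that gates both sensor deployment and sharing with external agencies; and selectors that age off unless re-validated) is shown below as an added Python example. It is not GCHQ code and does not describe HARUSPEX, CORINTH or the real signature spreadsheet: the record layout, the three release tiers, the 90-day age-off window, the false-positive ceiling, the event field names and every sample signature and event are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed illustration only: the schema, policy tiers, thresholds and
# sample data below are assumptions, not any agency's actual signature store.


@dataclass(frozen=True)
class Signature:
    sig_id: str
    kind: str          # "ip", "domain" or "email": the selector types the page lists
    value: str
    nationality: str   # attributed origin, as the spreadsheet records it
    release: str       # widest audience allowed: "internal", "partners" or "public"
    fp_rate: float     # estimated false-positive rate, 0.0 to 1.0
    validated: date    # date an analyst last re-validated the selector


RELEASE_TIERS = {"internal": 0, "partners": 1, "public": 2}   # assumed tiers
AGE_OFF = timedelta(days=90)        # assumed re-validation window
MAX_FP_FOR_SENSOR = 0.05            # assumed ceiling for deploying on a sensor

# Which event fields each selector kind is compared against (assumed layout)
FIELDS_FOR_KIND = {
    "ip": ("src_ip", "dst_ip"),
    "domain": ("host",),
    "email": ("sender", "recipient"),
}


def is_live(sig: Signature, today: date) -> bool:
    """Age-off rule: a selector not re-validated within the window is dropped."""
    return today - sig.validated <= AGE_OFF


def deployable(sig: Signature, today: date) -> bool:
    """A signature reaches the sensor only if it is live and not too noisy."""
    return is_live(sig, today) and sig.fp_rate <= MAX_FP_FOR_SENSOR


def releasable(sig: Signature, today: date, audience: str) -> bool:
    """Release policy: deployable, and the audience sits within the signature's tier."""
    return deployable(sig, today) and RELEASE_TIERS[sig.release] >= RELEASE_TIERS[audience]


def needs_revalidation(sigs, today: date):
    """Audit helper: ids of selectors that have aged off, for the owning analyst to review."""
    return sorted(s.sig_id for s in sigs if not is_live(s, today))


def match_events(sigs, events, today: date):
    """Run the deployable signatures over structured events; return (sig_id, event index) hits."""
    active = [s for s in sigs if deployable(s, today)]
    hits = []
    for idx, event in enumerate(events):
        for sig in active:
            for field in FIELDS_FOR_KIND[sig.kind]:
                if event.get(field, "").lower() == sig.value.lower():
                    hits.append((sig.sig_id, idx))
                    break   # one hit per signature per event
    return hits


TODAY = date(2015, 6, 22)   # fixed reference date so the run is deterministic

# Constructed signatures: S1 is fresh and quiet, S2 has aged off, S3 is too noisy to deploy
SAMPLE_SIGNATURES = [
    Signature("S1", "ip", "203.0.113.7", "unattributed", "partners", 0.01, date(2015, 5, 30)),
    Signature("S2", "domain", "c2.example.net", "unattributed", "public", 0.00, date(2014, 12, 1)),
    Signature("S3", "email", "ops@example.org", "unattributed", "internal", 0.20, date(2015, 6, 1)),
]

# Constructed events in the assumed field layout (documentation-range addresses)
SAMPLE_EVENTS = [
    {"src_ip": "203.0.113.7", "dst_ip": "198.51.100.20", "host": "intranet.example.gov.uk"},
    {"src_ip": "198.51.100.9", "host": "c2.example.net"},
    {"sender": "ops@example.org", "recipient": "user@example.gov.uk"},
    {"src_ip": "192.0.2.1", "host": "update.example.com"},
]


def run_sample():
    """Apply the sample signatures to the sample events and list what needs re-validation."""
    return {
        "hits": match_events(SAMPLE_SIGNATURES, SAMPLE_EVENTS, TODAY),
        "stale": needs_revalidation(SAMPLE_SIGNATURES, TODAY),
    }


if __name__ == "__main__":
    print(run_sample())
```

Only S1 fires: S2 would have matched event 1 but has aged off and is excluded before matching, mirroring the page's point that an un-revalidated selector stops being used, and S3 stays off the sensor because its estimated false-positive rate exceeds the deployment ceiling. The same signature can be released to the "partners" tier but not to "public", which is the separation between sensor deployment and external release that the Signature Release Policy governs.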
Number of reporters and their skill levels
There are [number redacted] reporters in the IA team, of whom 2 are trained to Skill Level 3 and 2 to Skill Level 2.
Other available legal/policy training
Operational Legalities Briefing.
Status:
Updated [date illegible] with input from [redacted] and [redacted].
2 of 2