Intrusion Analysis – GCHQ
Jun. 22 2015 — 10:57a.m.
SEC ET STRAP1 Intrusion AnalysisteAC The IA team conducts all-source analysis both of emerging and current electronic attack types. ltforms part of the Joint Electronic Attack Oell (Other elements are EITT, JTRIG and the EA Threat Team). SIGINT targeting by the IA team falls under EITT oversight (see Seth?s email of Bf?l The IA team is responsible for the management and release of eA signatures. PoCs: (Team Leader) Main Customers: SS, GOHO, SIS, Hlle, :2"d Parties. Sources: where does the material come from? . SIG-INT - HARUSPEX (though most ?rst-line analysis is done by the Incident Response Team) lvlessageLabs data managed via the network - Tasking of ONE - Open Source ?Target? location HARUSPEX sensors monitor attacks against UK systems based on known attack signatures. These signatures typically reflect attack vectors, infrastructure or entity identifiers associated with attacks. While the signatures reflect our knowledge of FIS activities, traf?c may be collected if the attacker is using UK infrastructure. SIGINT is used to detect attack activity associated with FIS or Foreign Governments. Selectors include IP addresses, web domains and email addresses. In general these are not associated with the UK, but where UK infrastructure is involved, appropriate SIG-INT processes are followed. Report Types: How are results reported? reports are issued as standard EPRs via PROSPERO. Report Distribution Mechanism PROS PERO Legal Authorities Authorisation varies depending on the source of the information: Any ONE will be authorised under ISA and (where necessary) either with a warrant issued under s5 or under depending on where the target is located. Use of the SIGINT system is under the direction of EITT all normal Ops rules apply and interceptwill have been acquired under Part of RIPA. Any HARUSPEX information has been lawfully acquired under the LBPR, as for the Response Team. Local Polic statementsr?documentation - he signature release policy (xrze3r3rmow009r000r0 of26 June 200?) ?Iof2 - SEC TRE STRAP 1
SEC ET STRAP1 - email of Sf?th?UT: is accountable for eA use of the SIGINT stem?. of EITT is working with OPPLEG on eA-specific authorisations for ONE . to allow the targeting of UK-based victims). - ?e description of the Signature Spreadsheet. Auditing arrangements The IA team has a fairly small number of selectors in CORINTH. Team members are prompted to check the validity of their selectors. Formal audits are conducted under the auspices of EITT. HRA checking is enforced by the SIGINT system, in that selectors will age off if not re-validated. Use of SIGINT system for eA is covered by 2 MIRANDA numbers, corresponding to the separate JIC requirements for current and emerging electronic threats. The team maintains a local spreadsheet of about 1500 eA signatures with associated information on nationality, release, likely false positive rate etc. The Signature Release Policy mentioned above controls the deployment of these signatures on HARUSPEX and their release to external agencies. Number of reporters and their skill levels There are reporters in the IA team, ofwhom 2 are trained to Skill level 3 and 2 to Skill Level 2. Other available legall?policyr training Operational Legalities Briefing. Status: Updated 23mins with inputfrom - and Zof2 - SEC TRE STRAP 1