Elegant Chaos: collect it all, exploit it all
Sep. 6, 2016
SECRET//REL TO USA, AUS, CAN, GBR, NZL//20320108
Project Leads:
Code Support:
For more up-to-date information please visit this URL:
Elegant_Chaos
For recent developments please contact the authors.
Field Site Responsibilities
Sniff it All
Partner it All
Know it All
Exploit it All
Collect it All
Process it All

For Better Or Worse…
Collection access is increasing,
• software modems (ASPHALT/A-PLUS)
• new hardware/software solutions (STORMFORCE modems and DARKQUEST auto-survey)
• new physical capacity (TORUS antennae)
Processing capabilities are increasing,
• JCE, TINT, XKS Deep Dive
But size of analytic workforce is not!
• more resources = more resource management

New Collection Posture
Sniff it All
Partner it All
Know it All
Exploit it All
Collect it All
Process it All
Torus increases physical access
Work with GCHQ, share with Misawa
Automated FORNSAT survey - DARKQUEST
Analysis of data at scale: ELEGANTCHAOS
Increase volume of signals: ASPHALT/A-PLUS
Scale XKS and use MVR techniques

ELEGANTCHAOS Goals
• Goal: perform basic, time-sensitive analysis on all of MHS collection
• Goal: create a prioritized list of signals (case notations) in our viewing arc
• Goal: use this list to automatically drive collection as collection capabilities increase
• Offshoot goal: create a product that analysts and collection managers can use to see into the system

ELEGANTCHAOS + Cloud
The MHS Cloud provides an excellent platform for this project:
– data ingest, normalization, tagging
– access to SIGINT data from various processors, from sustained mission + survey
– access to a huge body of enrichment data
– processing, storage, and web-hosting
• considering decoupling these parts…

ELEGANTCHAOS In Context
[Architecture diagram; image not captured in extraction. Labels recovered from the slide: DARKQUEST, ASPHALT, STORMFORCE, FRONT END RF Collection, Collection Distribution, COLLECTION, WC, XKS, TURMOIL, TARMAC, PPF, METADATA, CLOUD (∑), SLR, ENRICHMENT (Multiple QFDs, Open Source, Target Network Service, IP Geo, System Status).]

EC System Overview
[System diagram; image not captured in extraction. Three numbered stages: 1 Data, 2 EC Code, 3 GUI. Labels recovered from the slide: MHS CLOUD SERVERS, SIGINT, enrichment, QFDs, questions, score log, MySql tables and code.]

Data Sources (May 2011)
SIGINT Feeds
• XKEYSCORE
• ASDF (Turmoil LIVE)
• SLR (TARMAC)
• POPQUIZ (Turmoil DEV)
• WEALTHYCLUSTER2
Enrichment Feeds
• IPGeoTrap
• TRAVELLINGWAVE Scores
• BILBOBADGER Daily Summaries
• Target Network Service list + CNO Target list
• DRINKYBIRD monitoring info
• GLOBETROTTER OH Geo
• MASTERSHAKE Geo
• Quantumable Case Notation list
[Chart; image not captured in extraction. Event counts over a 12-hour period, by feed (TU/Live, TU/Dev, SLR, WC2, XKS). Total events: 335,663,981]

Analytic Questions (May 2011)
Target
• Dictionary hits
• Target Networks
– TNS, TW, CNO
• PLUS Reports, CRNs, etc.
Technology
• VPNs
• Twitter, Facebook, VoIP
• CNO behavior
Location
• IP-based
• MAC-based
• Geo-based
• Surge Countries
– Libya, Egypt, Afghanistan, Syria, Yemen, Ivory Coast, etc.
Miscellany
• Modem Capacity
• Paired Links
• Quantumable

Questions & Scoring
• Each question is represented by a SQL query applied to one or more QFDs
• QFDs are case notation-based repositories of signal information
– e.g., IPs and registries for all case notations
– e.g., category hits for all case notations
– e.g., GLOBETROTTER geos for all case notations
• All questions are asked once per day across all case notations
• Points are assigned to each question based on current analytic priorities
• Points for any particular question are “active” for a window of time (e.g., 1 day, 7 days, 30 days)
• The sum of “active” points for a case notation, across all questions, forms the score
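The scoring rule on this slide, worked through as an added example that is not code from the deck or from the ELEGANTCHAOS project. An in-memory SQLite database stands in for the QFDs, each question is a SQL query over those tables, every daily pass appends the case notations that hit to a score log, and a case notation's score is the sum of the points of every question whose most recent hit still falls inside that question's active window. The table names, question names, SQL, point values, windows and sample rows are all constructed for the example. The deck does not say whether repeated hits inside a window stack, so the code assumes a question counts at most once per case notation while it is active; that assumption is marked in the code.

```python
import sqlite3
from datetime import date, timedelta

# Questions: name -> (SQL over the stand-in QFD tables, points, active window in days).
# Names, SQL, points and windows are constructed; the deck only says questions are
# SQL queries carrying points that stay active for e.g. 1, 7 or 30 days.
QUESTIONS = {
    "ip_in_target_set": (
        "SELECT DISTINCT q.casn FROM qfd_ips q JOIN target_ips t ON q.ip = t.ip",
        50, 7),
    "category_hit_today": (
        "SELECT DISTINCT casn FROM qfd_category_hits WHERE hit_day = :today",
        10, 1),
    "geo_in_surge_country": (
        "SELECT DISTINCT casn FROM qfd_geo WHERE country IN ('LY', 'EG', 'AF')",
        20, 30),
}


def build_db():
    """Create the stand-in QFD tables and the score log in memory."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE qfd_ips (casn TEXT, ip TEXT);
        CREATE TABLE target_ips (ip TEXT);
        CREATE TABLE qfd_category_hits (casn TEXT, hit_day TEXT);
        CREATE TABLE qfd_geo (casn TEXT, country TEXT);
        CREATE TABLE score_log (casn TEXT, question TEXT, hit_day TEXT);
    """)
    return con


def ask_questions(con, today):
    """Ask every question once for `today` and log which case notations hit."""
    for name, (sql, _points, _window) in QUESTIONS.items():
        rows = con.execute(sql, {"today": today.isoformat()}).fetchall()
        con.executemany(
            "INSERT INTO score_log VALUES (?, ?, ?)",
            [(casn, name, today.isoformat()) for (casn,) in rows])
    con.commit()


def score(con, casn, as_of):
    """Sum the points of every question whose latest hit for `casn` is still
    active on `as_of`. Assumption: a question counts once per case notation
    while active, however many times it hit inside the window."""
    total = 0
    for name, (_sql, points, window) in QUESTIONS.items():
        (last,) = con.execute(
            "SELECT MAX(hit_day) FROM score_log "
            "WHERE casn = ? AND question = ? AND hit_day <= ?",
            (casn, name, as_of.isoformat())).fetchone()
        if last is not None and as_of - date.fromisoformat(last) < timedelta(days=window):
            total += points
    return total


def prioritized_list(con, as_of):
    """The prioritized list of case notations: highest score first, then by name."""
    casns = [r[0] for r in con.execute("SELECT DISTINCT casn FROM score_log")]
    return sorted(((c, score(con, c, as_of)) for c in casns),
                  key=lambda cs: (-cs[1], cs[0]))


def run_demo():
    """Load constructed sample rows, run three daily passes, and report scores."""
    con = build_db()
    con.executemany("INSERT INTO qfd_ips VALUES (?, ?)",
                    [("CASN-A", "10.0.0.1"), ("CASN-B", "10.0.0.2")])
    con.execute("INSERT INTO target_ips VALUES (?)", ("10.0.0.1",))
    con.executemany("INSERT INTO qfd_category_hits VALUES (?, ?)",
                    [("CASN-B", "2011-05-01"), ("CASN-A", "2011-05-03")])
    con.executemany("INSERT INTO qfd_geo VALUES (?, ?)",
                    [("CASN-A", "LY"), ("CASN-B", "DE")])
    day0 = date(2011, 5, 1)
    for offset in range(3):
        ask_questions(con, day0 + timedelta(days=offset))
    return {
        "A_may3": score(con, "CASN-A", date(2011, 5, 3)),  # 50 + 10 + 20
        "A_may4": score(con, "CASN-A", date(2011, 5, 4)),  # 1-day category points have expired
        "B_may1": score(con, "CASN-B", date(2011, 5, 1)),
        "B_may3": score(con, "CASN-B", date(2011, 5, 3)),
        "ranked_may3": prioritized_list(con, date(2011, 5, 3)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Because `score` is recomputed from the log rather than stored, changing a question's points or window (the "current analytic priorities" of the slide) re-ranks every case notation on the next read without rewriting history, which is the property a scoring methodology study would want to preserve.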

Interfaces
Different interfaces for different customers
• ELEGANTCHAOS GUI
– made for analysts to examine scores and the impact of the different questions
– eventually, control over the algorithms may reside here
• REST interface
– made for programmatic query, precursor to auto tasking
• DRINKYBIRD GUI
– made for collection personnel to determine if resources are available, easy to view what’s on cover

EC GUI: Case Notation View
[Two screenshot slides; images not captured in extraction.]

EC GUI: Question View
[Two screenshot slides; images not captured in extraction.]

Focus Areas: Custom Views?
[Screenshot slide; image not captured in extraction.]

REST: “Auto-tasking”
• ASPHALT
– Updated list of prioritized casns
• VENUSAFFECT
– Scores in DRINKYBIRD
– Using modem tasking sheet

DRINKYBIRD
[Screenshot slide; image not captured in extraction.]

Libya Surge
PROBLEM
Which of the 1000’s of signals surveyed have Libyan / Egyptian / Afghan networks on the VSAT-side?
SOLUTION
• Pre-run analytics determine “significance”
• Quick identification of 25 ‘LY’ / 11 ‘EG’ / 10 ‘AF’ candidate signals
• Combine other analytics: target hits, pairing, etc.
• (Repeat for next country)

AMULET STELLAR
PROBLEM
Which case notations have traffic on IPs of interest that matches AST fingerprints?
SOLUTION
• Create IP target set; create whitelist and blacklist of XKS fingerprints
• Use Cloud capabilities to bridge between the set of all SIGINT events with matching fingerprints, and the target set
• Add the scoring question to EC
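The three solution steps above, as an added Python example that is not code from the deck or from the project: a target IP set and a whitelist/blacklist of fingerprint names (step 1) are applied to per-event records, the surviving events are bridged to their case notations (step 2), and the result comes back in the shape a scoring question returns, case notations with their counts of matching events (step 3). The event records, IP addresses and fingerprint names are all constructed; the real AST fingerprints are not on the page and nothing here stands in for them.

```python
from collections import Counter

# Constructed per-event records, one per SIGINT event: the case notation the event
# was seen on, the IP involved, and the fingerprint names attached to the event.
# IPs and fingerprint names are invented for this example.
EVENTS = [
    {"casn": "CASN-A", "ip": "10.1.1.5", "fingerprints": {"proto/tls", "app/chat"}},
    {"casn": "CASN-A", "ip": "10.1.1.5", "fingerprints": {"app/chat", "noise/scanner"}},
    {"casn": "CASN-B", "ip": "10.2.2.2", "fingerprints": {"app/chat"}},
    {"casn": "CASN-B", "ip": "10.1.1.9", "fingerprints": {"proto/vpn"}},
    {"casn": "CASN-C", "ip": "10.1.1.9", "fingerprints": {"proto/tls"}},
    {"casn": "CASN-B", "ip": "10.1.1.9", "fingerprints": {"proto/vpn", "app/chat"}},
]

# Step 1: the IP target set and the fingerprint whitelist / blacklist (constructed).
TARGET_IPS = {"10.1.1.5", "10.1.1.9"}
WHITELIST = {"app/chat", "proto/vpn"}   # at least one of these must be present
BLACKLIST = {"noise/scanner"}           # none of these may be present


def fingerprints_match(fps, whitelist, blacklist):
    """True when the event carries a whitelisted fingerprint and no blacklisted one."""
    return bool(fps & whitelist) and not (fps & blacklist)


def bridge(events, target_ips, whitelist, blacklist):
    """Step 2: keep events whose fingerprints match AND whose IP is in the target
    set, then bridge them to their case notations. Returns casn -> matching-event count."""
    hits = Counter()
    for ev in events:
        if ev["ip"] in target_ips and fingerprints_match(ev["fingerprints"], whitelist, blacklist):
            hits[ev["casn"]] += 1
    return dict(hits)


def scoring_question(events, target_ips, whitelist, blacklist):
    """Step 3: the answer a scoring question hands to EC: case notations that hit,
    most matching events first, ties broken by name."""
    hits = bridge(events, target_ips, whitelist, blacklist)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for casn, count in scoring_question(EVENTS, TARGET_IPS, WHITELIST, BLACKLIST):
        print(casn, count)
```

The blacklist is checked after the whitelist on purpose: an event that carries both a wanted and an excluded fingerprint (the second CASN-A record) is dropped, which is the usual reading of "whitelist and blacklist" and the behaviour worth pinning down before a question like this starts contributing points.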

Ongoing Work
• New data feeds (FOGHORN, MATCHMAKER, ROADBED)
• More fields from XKS (HTTP language, NetStrings)
• XKS from MOONPENNY
• Fine tuning of GUI for Link Characterization Analysts
• NetStrings study
• Better use of Cloud resources (Link Direction) (CCDP)
• Detailed study of scoring methodology (math hire)
• Close the auto-tasking loop (RSE)
• Increase awareness and partnership with similar efforts
• Training
Questions?