The Tale of Two Sources
Feb. 22, 2017
NDIST
Derived From: 1-52
Dated: 20070108
Declassify On
Rugby World Cup 2011.
For the first time, we are all in it.
Last winners: South Africa (they beat England).
Starts 10th September in New Zealand.
A Guide to Rugby.
This is a rugby ball. Note it looks a bit like American Football.
The Kit.
Protection is allowed.
Weaponry isn't!
It's a game for all
Business isn't usual!
Unlike our agencies, the NZ'ers aren't small.
And the Australians are successful 50% of the time!
And the Chinese are not a threat.
The Goal
Modus Operandi
Tracking/Discovery
Maturity
Threat Tracking
The Asymmetry
Attacker Kill-Chain: Recon, Weaponised, Delivery, Exploitation, Installation, Command Control, Actions on Objectives.
Attackers have to get everything right.
Victims only have to get it wrong once.
May 2010
At the turn of the new Financial Year we
had:
Signature
HITCH
Sigint Story (Mid)
Started at 13 109 Bearers; presently at 180 x109 Bearers.
From 1000 Signatures to 2500 Signatures.
Challenges ahead
- Good collection, poor analytics.
- Focused on tracking.
- No status visualisation for end2end System.
What about the Sigint Collection?
What is the state of collection?
Signature
TOP TO USA, AUS, CAN, GBR, NZL
FRACTAL JOKER - Benefits
- Wide Vision Sigint (TM, PPF, Blackhole, and XKS statistics) and IA Sources (GORDIAN KNOT and SPAY).
- Simple to use: everything in it is a statistic!
- First of its kind: simplifying PTC-world and enabling understanding.
Discovery Prototypes
Near Space Uplift.
(diagram labels: Signature, GORDIAN KNOT, BUTTERFLY, SPAY)
Gordian Knot
More
- Full Take, GSI Logs, Local Input Sensors, and SPAY.
Faster
- Improvements to Snort.
- Database improvements for Analysis.
Safer
- Better Visualisation, Links to XKS.
Better
- Accredited. Linked to FRACTAL JOKER.
SPAY Far Mid
- After OP WAFTER.
- Local 'Near' sensors to be deployed.
- Locations at UNCLASSIFIED.
IA XKS Far Mid
- GORDIAN KNOT SPAY into XKS.
- Different Legal Framework.
- Standard Search Plugins.
Gateways
- Open Source Crimson
- Crimson GCNET
- GCNET Crimson
- Open Source (SHORTFALL)
Knowledge Base Hunt
Challenge of finding a Cyber TKB.
What are we after?
- What is out there?
- Can we do it quickly?
Some basic requirements existed:
- Do I know where it came from?
- Can I represent it? And then analyse it?
Knowledge Base Hunt
TCP conducted a review of 14 different systems that might work. We visited 5 and tested offsite. We did the same test against BroadOak too.
We learnt that there is no such thing as a TKB on the market (inside and outside). We then decided to try something new.
So WHO are Palantir?
Palantir comes from the team that made PayPal and was supported by In-Q-Tel (CIA Financial Wing).
Palantir was built through iterative collaboration between Palantir computer scientists and from various intelligence agencies over the course of nearly three years, through pilots facilitated by In-Q-Tel.
Palantir allows humans to quickly explore data from many sources in conceptual ways.
Normal Analyst Workflow
This is our usual model. Access gets us Data. We do Analytics on that Data. Target Knowledge is the result. Each is done in its own tool, not brought together.
Why is Palantir different?
This is the Palantir Model.
Data can come from anywhere, be asked whatever the analyst wants, and it will enrich from the sum of the Target Knowledge in Palantir itself.
MUGSHOT Integration
(diagram labels: FOXTRAIL enrichment)
Palantir - Benefits.
- Faster Analytics: Eorime team can find ORBs faster, just by ingesting files.
- Target Knowledge Storage: Fanner have already run OP DEVICE on it. The sharing of 'knowledge' got results.
- Easy Development: Already 3 helpers not steered by NDIST.
- GLOBAL TAPIR.
Comments from Eve?
Where does it sit?
Signature
The Goal.
End to End tracing.
From Warrant to Signature; Signature to Events/Content; to End Product or
But also do the reverse! From Vulnerability to Malware, from Malware to Actor, from Actor to Modus Operandi.
Status
Unexpected Benefits
- Nexus Peering: we can link our Palantir to the BSD version, or maybe Special Forces?
- Interacts with anything! DISTILLERY, Hadoop, Google Earth (incl. DSLive!).
- Security Model is core to the system.
- Exploit system, enabling Prototypes!
- Legal Audit/Training/CapDev is easier.
- You can even use it on an iPhone or laptop.
Potential Downsides
- Looks Expensive! Well, not really. That depends on your Data size, not users. Development Servers are free. Live isn't as expensive as expected.
- Is it scalable? Well, seems to work for us, have much bigger implementations.
- What can't it do? Well, it isn't perfect! However we ask, Palantir answer.
What is next?
- Standard Targeting/Testing system: Evolved Targeting.
- Far: Cloud Analytics.
- Discovery: Behavioural Analysis.
- Active Defence options.
- Mid: Data Acquisition (Open Source?).
- Near: More SPAY deployments.
- Optimising of GK: More advanced heuristics.