Elegant Chaos: collect it all, exploit it all (plus notes)

Small team = faster development Specialities: : project vision, keeping on track with partner sharing and end-toend automation goals : project vision, MySQL support, analytic perspective : project organization, Whizbang/Cloudbase development, developers perspective : code support for new data flows, MySQL, Whizbang development Other contributors: Cloud Support Team 1

Sniff it all: Maximize receiving capabilities within our viewing arc Know it all: Survey enough to keep our finger on the pulse of the whole environment Collect it all: Maximize how many signals we can bring in the door simultaneously Process it all: Find the data in the signal Exploit it all: Find the intelligence in the signal Partner it all: Collaborate on techniques and share data with partners 2

We have about 9100 signals in our view In 2008, we were only processing maybe 100-140 of these Director’s edict to “collect it all” ASPHALT -> software modems processing low bit rate signals added a 300signal capability STORMFORCE modems -> combination of hardware and software control increase capacity from 4 signals to 40 TORUS antenna -> 12 receivers (feeds) in place of 1 Now we are at ~500, moving quickly towards 1,000 Over the next year, we anticipate collecting 3,000 signals simultaneously When a resource comes available, which signal do you place on collection??? 3

Sniff it all: TORUS adds 12 new feeds to existing 20-some Know it all: DARKQUEST COMSAT development automates survey to capture all signals, at MHS, in a 2-week span. Collect it all: Increased modem capacity with software (APLUS) & STORMFORCE modems. Process it all: Scale XKS, consider Deep Dive XKS, use MVR techniques such as map/reduce and Cloudbase capabilities Exploit it all: Query focused datasets - Analysis of data at scale means automate, automate, automate. This is the motivation for ELEGANTCHAOS. Optimize automation to include: automate scoring of links based on current analytical priorities, and feeding prioritized list back to survey tools including DARKQUEST and modems. Secondary goals: transparent process; flexible scoring. Partner it all: Collaborate on techniques and share data with partners. Cloud solution = TINT; XKS scaling = JCE. First partner: GCHQ/Bude. 4

SECRETHREL TU USA. AUS. CAN. GER. ELEGANTCHAOS Goals Goal: perform basic, time-sensitive analysis on all of MHS collection Goal: create a prioritized list of signals (case notations) in our viewing arc . Goal: use this list to automatically drive collection as collection capabilities increase Offshoot goal: create a product that and collection managers can use to see into the system TO USA. ALIS. CHN. GER. DE

SECRETHREL TU USA. AUB. CAN. GER. ELEGANTCHAOS Cloud The MHS Cloud provides an excellent platform for this project: data ingest, normalization, tagging access to SIGINT data from various processors, from sustained mission survey access to a huge body of enrichment data processing, storage, and web-hosting - considering decoupling these TO USA. ALIS. CHN. GER. Ell!-

TARMAC provides target activity, network space, XKS provides target activity, network space, technologies POPQUIZ provides malicious discovery across sessions using heuristic-type approaches. Flexibility in terms of QFD’s: derived from XKS, SLR, Popquiz, etc. Target activity Technology Geo-location Questions: can combine QFDs VPNs involving Ivory Coast? Paired links carrying VOIP or VPN? Malicious Activity on networks used by targets? Experiment by doing Will challenge current tasking methods, hopefully make them easier ;-) 7

This is a simplified view of the ELEGANTCHAOS machinery. Note: a key component that is not shown is the feedback loop into collection. 1) SIGINT and enrichment data enters the system by being copied to the Cloud servers. This may take the form of a MAILORDER flow, a wget grab, or a database file transfer from another system. 2) Data is processed. Some data is processed through the SIGDEV Cloud Stack, which formally validates/normalizes/tags the data. All SIGINT data goes through this process, as well as some of the enrichment data. The remaining enrichment data usually requires some minimal processing or reformatting. 3) The results of step 2, whether pulled from the SIGDEV Cloud Stack via the WhizBang map/reduce API, or copied from an external source, are stored in Question Focused Datasets (QFDs). Some QFDs serve multiple analytic interests, and some analytic interests require an intersection of QFDs to evaluate. 4) ELEGANTCHAOS MySql code pulls analytical questions from a database, queries the QFDs to find case notations satisfying each question, and writes scores to another database. These scoring databases at the heart of EC populate the GUI. 8

SECRETHREL TU USJH. AUS. CAN. GER. NZUEZOGZDIDB Data Sources (May 2011) SIGINT Feeds . XKEYSCORE DTUfLive - ASDF (Turmoil LIVE) SLR (TARMAC) JSLR POPQUIZ (Turmoil DEV) JWCE IXKS - Enrichment Feeds . lPGeoTrap TRAVELLINGWAVE Scores Event counts over a 12?hour period. BILBOBADGER Daily Summaries Total events: 335553.931 - Target Network Service list CNO Target list DRINKYBIRD monitoring info GLOBETROTTER OH Geo - MASTERSHAKE Geo Quantumable Case Notation list TO USA. ALIS. GER. DE

Analytic Questions (May 2011) SECRETHREL TU USA. AUS. CAN. GER. Target - Dictionary hits - Target Networks TNS, . PLUS Reports, CRNs. etc. Technology - VPNs - Twitter, Facebook, Vol - CNO behavior Loca?on - lP-based - MAC-based . Geo-based Surge Countries Libya, Egypt, Afghanistan, Syriar Yemen Ivory Coast, etc. Miscellany - Modem Capacity - Paired Links - Quantumable TO USA. AUS. CAN. GER. Don?t forget combinations (paired links with VPNs, VPNs with target IP networks)

SECRETHREL TU USA. AUS. CAN. GER. NZUEZOSZDIDB Questions Scoring - Each question is represented by a SQL query applied to one or more QFDs QFDs are case notation-based repositories of signal information - eg, IPs and registries for all case notations eg, category hits for all case notations eg, GLOBETROTTER geos for all case notations - All questions are asked once per day across all case notations - Points are assigned to each question based on current analytic priorities - Points for any particular question are ?active? for a window of time (eg, 1 day, 7 days, 30 days) - The sum of ?active? points fora case notation, across all uestions forms the score USA. ALIS. NEH-QUEEN DB 11

SECRETHREL TU USA. AUB. CAN. GER. Interfaces Different interfaces for different customers - ELEGANTCHAOS GUI made for to examine scores and the impact of the different questions - eventually, control over the algorithms may reside here - REST interface made for programmatic query, precursor to auto tasking - DRINKYBIRD GUI made for collection personnel to determine if resources are available, easy to VIEW what's on cover TO USA. ALIS. CHN. GER. Ell!- 12

Continual assessment of bearers helps to determine when a bearer becomes less interesting, then it’d be possible to remove it from sustained collection. 13

bin all-sauna: mi pun-n .ummu .H-l wan- w- Iii-u. Btu-9" Humqucm-umnuva :hu- Em um? an: M2: Ann-an ants-nu? urn-cl Mr I- in? bu? .wu Elli-lulu? wwdf?la SECRETHRELTD USA. MM, GER, 14

Important to remember, this is our attempt to best utilize increasing capacity. Sits between sustained/CRN collection and continual survey. Provides ability to turn the dials on “hot topic” of the day. Can adjust the length of time an event remains interesting and affects prioritization. Some Questions will always be run. TT hit, confirmed target activity, , etc. Maintains history, so progress can be tracked. Are there more target hits, , paired VOIP signals, etc. 15

sedurmm usn', M~cm.u. uzumom EC. GUI: Question View . . on rub-Im? twm-n-Idw-d-IM WIF- Bh-? 13-" inn?H Emma? a a I v- Ml u-l-lSECRETHRELTD USA. nus. CAM. GER, MZURMIMDG

USA. ALB, CAN, GER. NZLNIDHDMI Focus Areas: Custom Views? I 50.0mm 3 largel all-e- U1 1 lechnacqy I USA. Allin. CAN. GER. Iccus on Ialgel rrmwi had my [-ii an 933?? dulcnaw hl] tnus on signal primates. loam-1 raver 2t: tcus on alpha-an .1 11:01am mu} pl? tcus 1 21110119 KIM-0133 mm- EL-DIE Migh1 curllrihuled la-II uhya mm IOIIJ Mum-1?3 51115-8? E- Eggpl Km 3011435? 2?3 Jnrdan 10m: 311143117 35m EFUI 3311-1133?- 337'; #933? 301' E- thanslan 35541 9] 3110-12-25 ?bra ICU 3311-01-01 2d Timer mm IOII 3011-03-1? I Zalar 3111-03428 1E Ba?wn 5103 31111-03133 3H 'rWr? Ia? EH 15 Orr-an 3111-03-03 2: Aqeua IEIJ ICU BIN-0305 331-43429 2' Mn'nxc 1CD ICU 3311 03W Jrfa Facebna El 31114338 29 LIIJII thal 0 INHIGII 3? ICF 'i jun-03.39 9 Cum nul BII JJIDJZIHZG 3111M 17

Interface to ASPHALT is easy with the developers on site !! – CSV file with required case notations FTP’d Interface kludge into DRINKYBIRD – In-House network and tasking management GUI 18

SECRETHREL TU USJI. AUS. CAN. GER. DRINKYBIRD [Inn-1e Ink-nu my Sun-H lies-:41 lime-w Ema: Prawn-cw Poe-u IMH- Em PM: 125?.? 1995? 1'0? 57' VPH MW mu 12563033 VER :?dtl PI091:er FIGF ?07 u- ?:me run- H31 macro: 45:15:: 0.5.9 3700 ?x 5-9 1258-5495 UEP NW UVEIB JIM Survey Gas en Casen DRINKYBIRD Tasking Priority View EC Prioriv 0n Cover? T300 no TO USA. AUS. CAN. GER. DB 19

TU USA. AUS. CAN. GER. NZLHEOE 20105 Libya Surge PROBLEM Which of the 1000?s of signals surveyed have Libyan Egyptian [Afghan networks on the VSAT-side? SOLUTION - Pre-run analytics determine ?significance? - Quick identification of 25 11 I 10 candidate signals - Combine other analytics: target hits, pairing, etc. - (Repeat for next country) TO USA. ALIS. CHN. GER. Ell!- 2O

•Correlated IRC Botnet Activity to ASR Intrusion set (IRGC-QF Ramazan Corps Headquarters.) •Discovered New Victims in Iraq and Iran •Multiple targets associated with S2E tasked selectors •Discovered New Infrastructure •Engaged TAO for Vulnerability Assessment Evaluation •Discovered potential C2, update and exfiltration nodes •Evaluating 4th Party Collection Opportunities •Tipped: SSG, S2E, NTOC-G, TAO CCNE, documented in CROSSBONES. •No specific fingerprints highlight this as ASR activity •Develop new “Infrastructure Agnostic” ASR fingerprints •Use AES keys for decrypt and potential 4th party collection opportunity 21

SECRETHREL TU USA. AUB. CAN. GER. Ongoing Work New data feeds (FOGHORN, MATCHMAKER, ROADBED) More fields from XKS (HTTP language, NetStrings) - XKS from MOONPENNY - Fine tuning of GUI for Link Characterization NetStrings study Better use of Cloud resources {Link Direction} - Detailed study of scoring methodology (math hire) . Close the auto-tasking loop (RSE) - Increase awareness and partnership with similar efforts - Training TO USA. ALIS. CHN. GER. Ell!- 22

SECIETIMETO LISA, ma. DAN. GER. Questions? Is the enterprise considering SLR generation? 23