Elegant Chaos: collect it all, exploit it all (plus notes)
Sep. 6 2016 — 4:53 a.m.

Small team = faster development
Specialities:
: project vision, keeping on track with partner sharing and end-to-end automation goals
: project vision, MySQL support, analytic perspective
: project organization, Whizbang/Cloudbase development, developer's perspective
: code support for new data flows, MySQL, Whizbang development
Other contributors:
Cloud Support Team
1

Sniff it all: Maximize receiving capabilities within our viewing arc
Know it all: Survey enough to keep our finger on the pulse of the whole environment
Collect it all: Maximize how many signals we can bring in the door simultaneously
Process it all: Find the data in the signal
Exploit it all: Find the intelligence in the signal
Partner it all: Collaborate on techniques and share data with partners
2

We have about 9100 signals in our view
In 2008, we were only processing maybe 100-140 of these
Director's edict to "collect it all"
ASPHALT -> software modems processing low bit rate signals added a 300-signal capability
STORMFORCE modems -> combination of hardware and software control increased capacity from 4 signals to 40
TORUS antenna -> 12 receivers (feeds) in place of 1
Now we are at ~500, moving quickly towards 1,000
Over the next year, we anticipate collecting 3,000 signals simultaneously
When a resource becomes available, which signal do you place on collection?
3

Sniff it all: TORUS adds 12 new feeds to existing 20-some
Know it all: DARKQUEST COMSAT development automates survey to capture all signals, at MHS, in a 2-week span.
Collect it all: Increased modem capacity with software (APLUS) & STORMFORCE modems.
Process it all: Scale XKS, consider Deep Dive XKS, use MVR techniques such as map/reduce and Cloudbase capabilities
Exploit it all: Query focused datasets - Analysis of data at scale means automate, automate, automate. This is the motivation for ELEGANTCHAOS. Optimize automation to include: automate scoring of links based on current analytical priorities, and feeding the prioritized list back to survey tools including DARKQUEST and modems. Secondary goals: transparent process; flexible scoring.
Partner it all: Collaborate on techniques and share data with partners. Cloud solution = TINT; XKS scaling = JCE. First partner: GCHQ/Bude.
4

SECRETHREL TU USA. AUS. CAN. GER.
ELEGANTCHAOS Goals
- Goal: perform basic, time-sensitive analysis on all of MHS collection
- Goal: create a prioritized list of signals (case notations) in our viewing arc
- Goal: use this list to automatically drive collection as collection capabilities increase
- Offshoot goal: create a product that and collection managers can use to see into the system

ELEGANTCHAOS Cloud
The MHS Cloud provides an excellent platform for this project:
- data ingest, normalization, tagging
- access to SIGINT data from various processors, from sustained mission survey
- access to a huge body of enrichment data
- processing, storage, and web-hosting (considering decoupling these)

TARMAC provides target activity, network space,
XKS provides target activity, network space, technologies
POPQUIZ provides malicious discovery across sessions using heuristic-type approaches.
Flexibility in terms of
QFDs: derived from XKS, SLR, Popquiz, etc.
- Target activity
- Technology
- Geo-location
Questions: can combine QFDs
- VPNs involving Ivory Coast?
- Paired links carrying VOIP or VPN?
- Malicious Activity on networks used by targets?
Experiment by doing
Will challenge current tasking methods, hopefully make them easier ;-)
7

This is a simplified view of the ELEGANTCHAOS machinery. Note: a key
component that is not shown is the feedback loop into collection.
1) SIGINT and enrichment data enters the system by being copied to the
Cloud servers. This may take the form of a MAILORDER flow, a wget
grab, or a database file transfer from another system.
2) Data is processed. Some data is processed through the SIGDEV Cloud
Stack, which formally validates/normalizes/tags the data. All SIGINT data
goes through this process, as well as some of the enrichment data. The
remaining enrichment data usually requires some minimal processing or
reformatting.
3) The results of step 2, whether pulled from the SIGDEV Cloud Stack via the
WhizBang map/reduce API, or copied from an external source, are stored
in Question Focused Datasets (QFDs). Some QFDs serve multiple analytic
interests, and some analytic interests require an intersection of QFDs to
evaluate.
4) ELEGANTCHAOS MySQL code pulls analytical questions from a database,
queries the QFDs to find case notations satisfying each question, and
writes scores to another database. These scoring databases at the heart
of EC populate the GUI.
8

Data Sources (May 2011)
SIGINT Feeds
- XKEYSCORE
- DTUfLive
- ASDF (Turmoil LIVE)
- SLR (TARMAC) JSLR
- POPQUIZ (Turmoil DEV) JWCE
- IXKS
Enrichment Feeds
- IPGeoTrap
- TRAVELLINGWAVE Scores (event counts over a 12-hour period)
- BILBOBADGER Daily Summaries (total events: 335553.931)
- Target Network Service list, CNO Target list
- DRINKYBIRD monitoring info
- GLOBETROTTER OH Geo
- MASTERSHAKE Geo
- Quantumable Case Notation list

Analytic Questions (May 2011)
Target
- Dictionary hits
- Target Networks (TNS, PLUS Reports, CRNs, etc.)
Technology
- VPNs
- Twitter, Facebook, VOIP
- CNO behavior
Location
- IP-based
- MAC-based
- Geo-based
Surge Countries
- Libya, Egypt, Afghanistan, Syria, Yemen, Ivory Coast, etc.
Miscellany
- Modem Capacity
- Paired Links
- Quantumable
Don't forget combinations (paired links with VPNs, VPNs with target IP networks)

Questions Scoring
- Each question is represented by a SQL query applied to one or more QFDs
- QFDs are case notation-based repositories of signal information
  - e.g., IPs and registries for all case notations
  - e.g., category hits for all case notations
  - e.g., GLOBETROTTER geos for all case notations
- All questions are asked once per day across all case notations
- Points are assigned to each question based on current analytic priorities
- Points for any particular question are "active" for a window of time (e.g., 1 day, 7 days, 30 days)
- The sum of "active" points for a case notation, across all questions, forms the score
11
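A worked version of the scoring loop described in step 4 of the machinery slide and in the Questions Scoring slide above, written here as an added example and not ELEGANTCHAOS code: the QFDs are stand-in SQLite tables keyed by case notation, each question is a SQL query with a point value and an active window, a daily pass records which case notations satisfy each question, and a case notation's score is the sum of the points of hits whose window is still open. The question names, table layouts, point values and windows are constructed, and the example assumes that a question satisfied on successive days awards its points each day (the slide does not say whether repeats stack).

```python
import sqlite3
from datetime import date, timedelta

# question id -> (SQL over the QFD tables, points per daily hit, days those points stay active); all constructed
QUESTIONS = {
    "vpn":        ("SELECT case_notation FROM technology WHERE protocol = 'VPN'", 5, 7),
    "paired":     ("SELECT case_notation FROM technology WHERE paired = 1", 3, 30),
    "target_hit": ("SELECT case_notation FROM category_hits WHERE category = 'target'", 10, 1),
}

def build_qfds():
    """In-memory stand-in for the QFDs, keyed by case notation (rows are constructed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE technology(case_notation TEXT, protocol TEXT, paired INTEGER);
        CREATE TABLE category_hits(case_notation TEXT, category TEXT);
        CREATE TABLE hits(case_notation TEXT, question TEXT, run_date TEXT);""")
    db.executemany("INSERT INTO technology VALUES (?, ?, ?)", [("CN1", "VPN", 1), ("CN2", "VOIP", 1)])
    db.executemany("INSERT INTO category_hits VALUES (?, ?)", [("CN2", "target")])
    return db

def run_questions(db, run_date):
    """Daily pass: ask every question once and record which case notations satisfy it."""
    for qid, (sql, _pts, _win) in QUESTIONS.items():
        rows = [(cn, qid, run_date.isoformat()) for (cn,) in db.execute(sql)]
        db.executemany("INSERT INTO hits VALUES (?, ?, ?)", rows)

def score(db, case_notation, as_of):
    """Sum the points of this case notation's hits whose window is still open on as_of."""
    total = 0
    for qid, (_sql, pts, win) in QUESTIONS.items():
        cutoff = (as_of - timedelta(days=win)).isoformat()  # ISO dates compare correctly as strings
        (n,) = db.execute("SELECT COUNT(*) FROM hits WHERE case_notation = ? "
                          "AND question = ? AND run_date > ?", (case_notation, qid, cutoff)).fetchone()
        total += n * pts
    return total

def prioritized_list(db, as_of):
    """Case notations ranked by score, highest first (ties broken by name)."""
    cns = [r[0] for r in db.execute("SELECT DISTINCT case_notation FROM hits")]
    return sorted(cns, key=lambda cn: (-score(db, cn, as_of), cn))

def demo():
    db = build_qfds()
    day0 = date(2011, 5, 1)
    run_questions(db, day0)
    run_questions(db, day0 + timedelta(days=1))
    return (score(db, "CN2", day0 + timedelta(days=1)),     # 10 (target) + 2*3 (paired) = 16
            score(db, "CN2", day0 + timedelta(days=2)),     # target_hit expired (1-day window): 6
            prioritized_list(db, day0 + timedelta(days=2)))  # CN1 (vpn 10 + paired 6) ahead of CN2
```

Shortening a window or changing a point value in QUESTIONS re-ranks the list on the next call to prioritized_list without touching the stored hits, which is the "turn the dials" behaviour the later slides describe.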

Interfaces
Different interfaces for different customers
- ELEGANTCHAOS GUI
  - made for to examine scores and the impact of the different questions
  - eventually, control over the algorithms may reside here
- REST interface
  - made for programmatic query, precursor to auto tasking
- DRINKYBIRD GUI
  - made for collection personnel to determine if resources are available, easy to VIEW what's on cover
12

Continual assessment of bearers helps to determine when a bearer becomes less interesting; it would then be possible to remove it from sustained collection.
13

14

Important to remember, this is our attempt to best utilize increasing capacity. Sits between sustained/CRN collection and continual survey.
Provides ability to turn the dials on "hot topic" of the day.
Can adjust the length of time an event remains interesting and affects prioritization.
Some Questions will always be run. TT hit, confirmed target activity, , etc.
Maintains history, so progress can be tracked. Are there more target hits, , paired VOIP signals, etc.
15

EC GUI: Question View
[Screenshot of the ELEGANTCHAOS GUI question view; only the slide title is legible.]

Focus Areas: Custom Views?
[Screenshot of custom GUI views (focus on target, focus on signal, focus on technology) and a table of country focus areas with dates; the table contents are not legible.]
17

Interface to ASPHALT is easy with the developers on site!! – CSV file with required case notations FTP'd
Interface kludge into DRINKYBIRD – In-House network and tasking management GUI
18

DRINKYBIRD
[Screenshot of the DRINKYBIRD Tasking Priority View; the visible columns include EC Priority and On Cover.]
19

Libya Surge
PROBLEM
Which of the 1000s of signals surveyed have Libyan / Egyptian / Afghan networks on the VSAT side?
SOLUTION
- Pre-run analytics determine "significance"
- Quick identification of 25 / 11 / 10 candidate signals
- Combine other analytics: target hits, pairing, etc.
- (Repeat for next country)
20

•Correlated IRC Botnet Activity to ASR Intrusion set (IRGC-QF Ramazan
Corps Headquarters.)
•Discovered New Victims in Iraq and Iran
•Multiple targets associated with S2E tasked selectors
•Discovered New Infrastructure
•Engaged TAO for Vulnerability Assessment Evaluation
•Discovered potential C2, update and exfiltration nodes
•Evaluating 4th Party Collection Opportunities
•Tipped: SSG, S2E, NTOC-G, TAO CCNE, documented in CROSSBONES.
•No specific fingerprints highlight this as ASR activity
•Develop new “Infrastructure Agnostic” ASR fingerprints
•Use AES keys for decrypt and potential 4th party collection opportunity
21

Ongoing Work
- New data feeds (FOGHORN, MATCHMAKER, ROADBED)
- More fields from XKS (HTTP language, NetStrings)
- XKS from MOONPENNY
- Fine tuning of GUI for Link Characterization
- NetStrings study
- Better use of Cloud resources (Link Direction)
- Detailed study of scoring methodology (math hire)
- Close the auto-tasking loop (RSE)
- Increase awareness and partnership with similar efforts
- Training
22

Questions?
Is the enterprise considering SLR generation?
23