Analytics Affecting Europe and Africa
Region: Europe, Middle East (Israel), and Africa
ECC
The overall classification of this briefing is:
TOP SECRET//COMINT//REL USA, FVEYS//20291
Outline
• (U) Background
• (U) Problem Definition & Challenge
• (U) Our AOR: Europe-Africa
• (U) Examples for Europe-Africa
• (U) Enrichment and Data Flow
• (U) Real-time, batch, XKEYSCORE
• (U) Conclusions
UNCLASSIFIED//FOR OFFICIAL USE ONLY
(U) Terrorists Transit via Europe
• (U) Communication
  • Transit Points
• (U) Partners
  • Second Party
  • Third Party
• (U) Relationships
  • EUCOM
  • AFRICOM
  • CENTCOM
NCEUR Support to EUCOM
(U) Challenge: Integrating Tactical & National Collection
• (C//FVEY) Collection with HF/VHF/UHF
  - Digital packets
  - Analog comms
  - Noise issues, lack of experience with these types of signals
• (C//FVEY) Tactical versus National (Strategic) Collection
  - RTRG
  - DISTILLERY
CONFIDENTIAL//REL USA, FVEYS
(U) Analytics for Targets in Europe
• (C//FVEY) OPSEC Savvy Targets
  * "...most terrorists stop thru Europe"
• (TS//FVEY) Use advanced techniques
  * Steganography
  * Forensics or Analytics on front end
  * Encryption
  * Takes time and has "black hole" issue
• (TS//SI//FVEY) Reliance on "special" collection
  * GCHQ and FAA
  * Problems processing w/r to TS
TOP SECRET//SI//REL USA, FVEYS
(U) Analytics for Identity Intelligence
(U) Human Trafficking
(C//FVEY) Operations from Jordan to Syria in both directions; Sahel
Metadata for geolocation; content for confirmation
(U) Weapons Smuggling
(C//FVEY) From Libya to Sahel
Metadata for geolocation; content for confirmation
(U) Drug Smuggling
(C//FVEY) Sahel and financing of terrorism; Balkans into Europe
Metadata for geolocation; content for confirmation
(U) Biometrics & Elections
(C//FVEY) Used in Africa
Need collection assets
CONFIDENTIAL//REL USA, FVEYS
(U) Enrichment Sources
(U) Air Breather, HF & UHF/VHF
(C//FVEY) Big Pipe & FORNSAT QRC Package
(U) Military SIGINT Services
(U//FOUO) Forensics
(U) Third Party Sources
(C//FVEY) Second Party
• GCHQ is critical for mission
3rd Party Partner Sharing
CONFIDENTIAL//REL USA, FVEYS
(U) Enrichment: SIGDEV & GCHQ QFDs
Pie chart: Account Allocations by TOPI, March 2012. Slide taken from ECC archives.
(S//FVEY) 54% of current ECC DNI tasking based on QFD data
(S//FVEY) QFDs provide better access to metadata for European & North African targets than any other access at ECC due to poor passive collection
(C//FVEY) Flexibility provided by the use of TDIs and the first stage query allows for better target discovery and development
SECRET//REL USA, FVEYS
(U) Data Flow Integration is Constant Headache
Diagram labels: Access; Signal Acquisition (RF or Optical); Signal Receiver/Conditioning: Downconverter, Amplification, Distribution; (RF) Amplification, Distribution; Signal Demodulation (RF); Transport; Data Mgmt; Events; Exploitation; Signal Demultiplexing; Transport Metadata Capture; Channel Processing; Target Selection; Voice/Fax/Data Processing and Recording
Whose job? S1, S3, T?
SECRET//REL USA, FVEYS
(U) "Real Time" Analytics
(U) Nascent Analytics with unclear definition of "real time"
• How fast is alerting?
(C//FVEY) DISTILLERY
• Pulled from GHOSTMACHINE stack
(U) NIAGARAFILES
• File based
• Starting to gain experience
(C//FVEY) RTRG
• Tools not integrated into ECC
• Data Sets are sparse
• Tactically oriented
• Unregulated alerts can quickly spam user
(C//FVEY) ECC Current Effort:
• Focused on NTOC and Distributed Denial of Service attack alerting
• Uses DISTILLERY
CONFIDENTIAL//REL USA, FVEYS
(U) Batch: MapReduce Analytics
(U) Batch oriented versus streaming
• Run every 15 min to once a day or so
• Not streaming
(U) Good Data Storage
• Good access outward to MDR-1, MDR-2
• Days to years of storage
• Promotion (?)
(U) Complex Analytics like "Pattern of Life"
• Reasonable amount of processing cycles at the front end collection system (not yet tested)
(U) Session can be quite long and still captured (not yet tested)
(U) UUID's (identifying sessions) are workable
(U) No experience yet sharing with second and third party partners
(U) Unknown level of entry training required
UNCLASSIFIED//FOR OFFICIAL USE ONLY
(U) Xkeyscore Fingerprints
(C//FVEY) Streaming
• Data available one hour later?
• Most do pulls up to yesterday
(U) Good Data Storage
• RAW content: 3 days to a couple of weeks
• Metadata: 90+ days
(U) Complex Analytics like "Pattern of Life"
• Reasonable amount of processing cycles at the front end collection system
(U) Session can be quite long and still captured
(U) UUID's are workable
(U) Good for sharing with second and third party
(U) Relatively low level of entry training required
CONFIDENTIAL//REL USA, FVEYS
(U) Key Take Aways
• (U//FOUO) Discovery in Africa is based on "we do not know what we do not see"
  - Unknown Unknown from uri: https://wiki.nsa.ic.gov/wiki/NTOC-E_discovery_tradecraft
• (U) Europe has Opsec savvy CT targets
• (U) Analytics involve partners
  -- 3rd Party in future
• (U) Limited Resources: Processing Power & BW
UNCLASSIFIED//FOR OFFICIAL USE ONLY
NSA/CSS Europe & Africa
QUESTIONS?
UNCLASSIFIED//FOR OFFICIAL USE ONLY