analytics affectin europg e and africa€¦ · europe metadata for geolocation; content for...

Analytics Affecting Europe and Africa

Region: Europe, Middle East (Israel), and Africa :

ECC

The overall classification of this briefing is:

TOP SECRET//COMINT//REL USA, FVEYS//20291

Outline

• (U) Background • (U) Problem Definition & Challenge • (U)OurAOR: Europe-Africa • (U) Examples forEurope-Africa • (U) Enrichment and Data Flow • (U) Real-time, batch, XKEYSCORE • (U) Conclusions

33 UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Terrorists Transit via Europe

• (U) Communication • Transit Points

• (U) Partners • Second Party • Third Party

• (U) Relationships • EUCOM • AFRICOM • CENTCOM

«aui.oui,' ^^àìSl , fffOSRJiclt 0«»J tVMstal XT . . rV" "

srtTEWen - L ü b e c k AWîHTefrristvaven * •Harr . Burg

Brenoer

B r e m e n B E R L I N „ o l

Hannover^ •*• •f / lagcJet)urg

Leipzig Duisburg

/ . E s s e n •Düsse ldor f ' K a s s e l • C o l o g n e D r e s d e n • B o n n

. W i e s b a d e n . .Frankfur t

V M a n n h e i m a r b r ü c k e n 'Nürnberg

• KänSrunG

F R A N C E M u n j c h

, i-T^rtr.

hIMi tfV'H

n<Ar>( r

rrXi-*

NCEUR Support to EUCOM

UKKA1C

f 'S

V j

(U) Challenge: Integrating Tactical & National Collection

• (C//FVEY) Collection with HF/ VHF/UHF - Digital packets - Analog comms - Noise issues, lack of experience with

these types of signals • (C//FVEY) Tactical versus National

(Strategic) Collection - RTRG - DISTILLERY

37 CONFIDENTIAL//REL USA, FVEYS

(U) Analytics for Targets iri Europe • (C//FVEY) OPSEC Savvy Targets

* .most terrorists stop thru Europe" • (TS//FVEY) Use advanced

techniques * Steganography

* Forensics or Analytics on front end

* Encryption * Takes time and has "black hole" issue

• (TS//SI//FVEY) Reliance on "special" collection * GCHQ and FAA * Problems processing w/r to TS

TOP SECRET//SI//REL USA, FVEYS

(U) Analytics for Identity Intelligence

(U) Human Trafficking

(C//FVEY) Operations from Jordan to Syria in both directions; Sahel

Metadata for geolocation; content for confirmation

(U) Weapons Smuggling

(C//FVEY) From Libya to Sahel


(U) Drug Smuggling

(C//FVEY) Sahel and financing of terrorism; Balkans into Europe


(U) Biometrics & Elections

(C//FVEY) Used in Africa

Need collection assets


(U) Enrichment Sources

(U) Air Breather, HF & UHF/VHF (C//FVEY) Big Pipe & FORNSAT QRCPackage

(U) Military SIGINT Services (U//FOUO) Forensics (U) Third Party Sources (C//FVEY) Second Party • GCHQ is critical for mission

3rd Party Partner Sharing

CONFIDENTIAL//REL USA, FVEYS

(U) Enrichment: SIGDEV & GCHQ QFDs

Account Allocations by TOPI

FGS.

5 %

FHS

2%.

V 2 2

1%.

V 2 3

1%

FTS

8%

O t h e r

12%

S2A S2B S2C S 2 D 4%̂ 0%_io/o 3% S2E

5? F 6% fc. 2%

SSG

1% F22

1 7 % F6

9 %

March 2012

Slide taken from ECC archives. /

S2I

22%

(S//FVEY) 54% of current ECC DNI tasking based on QFD data (S//FVEY) QFDs provide better access to metadata for European & North African targets than any other access at ECC due to poor passive collection ( C//FVEY) Flexibility provided by the use of TDIs and the first stage query allows for better target discovery and development

SECRET//REL USA, FVEYS

(U) Data Flow Integration is Constant Headache Access

Signal Signal Receiver/ Acquisition (RF Conditioning: Downconverter

or Optical) Amplification, Distribution

(RF) Amplification, Distribution

Signal Demodulation

(RF)

Transport

Data Mgmt

Events

Exploitation

Signal Demultiplexing

• g T r a n s p o r t e tada ta Capture

Channel Processing

Target Selection

Voice/Fax/Data Processing and

Recording

Whose job? S1, S3, T? 46

SECRET//REL USA, FVEYS

(U) "Real Time" Analytics (U) Nascent Analytics with unclear definition of "real

time" • How fast is alerting?

(C//FVEY) DISTILLERY • Pulled from GHOSTMACHINE stack

(U) NIAGARAFILES • File based • Starting to gain experience

(C//FVEY) RTRG • Tools not integrated into ECC • Data Sets are sparse • Tactically oriented • Unregulated alerts can quickly spam user

(C//FVEY) ECC Current Effort: • Focused on NTOC and Distributed Denial of

Service attack alerting • Uses DISTITT ERY


(U) Batch: MapReduce Analytics (U) Batch oriented versus streaming

• Run every 15 min to once a day or so • Not streaming

(U) Good Data Storage • Good access outward to MDR-1, MDR-2 • Days to years of storage • Promotion (?)

(U) Complex Analytics like "Pattern of Life" • Reasonable amount of processing cycles at the

front end collection system (not yet tested) (U) Session can be quite long and still captured (not yet

tested) (U) UUID's (identifying sessions) are workable (U) No experience yet sharing with second and third

party partners (U) Unknown level of entry training required

M e n w i th Will W WHI7BANG

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Xkeyscore Fingerprints

(C//FVEY) Streaming • Data available one hour later? • Most do pulls up to yesterday

(U) Good Data Storage • RAW content: 3 days to a couple of weeks • Metadata: 90+ days

(U) Complex Analytics like "Pattern of Life" • Reasonable amount of processing cycles at the

front end collection system (U) Session can be quite long and still captured (U) UUID's are workable (U) Good for sharing with second and third party (U) Relatively low level of entry training required


(U) Key Take Aways

• (U//FOUO) Discovery in Africa is based on "we do not know what we do not see" - Unknown Unknown from uri: https://wiki.nsa.ic.gov/

wiki/NTOC-E_discovery_tradecraft • (U) Europe has Opsec savvy CT targets • (U) Analytics involve partners

-- 3rd Party in future • (U) Limited Resources: Processing Power & BW


https://wiki.nsa.ic.gov/

NSA/CSS Europe & Africa

mim?

QUESTIONS?


analytics affectin europg e and africa€¦ · europe metadata for geolocation; content for...

Documents