LISP (Lawful Intercept Support Platform)
As the “virtual space” spirals ever larger, the Cyber world exists as a place for all to utilize. History has proven that the areas most prone to “lawlessness” are those that become most exploited by the criminal element. Cyber Space carries this “new world” stigma: from its creation, the task of mitigating criminal or malicious activity has lagged, not only in appropriate governance but also in the tools to enforce and monitor such activities.
To date, the methodologies for collection, mediation, delivery and analysis of Cyber Space (internet) session data (historically call data) or Intercept Related Information (IRI) often require a good deal of technical understanding. Everis has, based on a spiral technology developed with the Air Force, recently introduced the LISP product, which allows less skilled operators to perform initial verification and sorting while allowing more sophisticated analysts to then deal with the critical evidentiary items or items of interest.
Classic lawful intercept of a voice call typically consists of the destination of the voice call (e.g., the called party’s telephone number), the source of the call (the caller’s phone number), the time of the call, its duration, its content, etc. Call content is the stream of data carrying the call. To effect this intercept, the network operator communicates with the law enforcement agency (LEA) and coordinates the target, schedule and handover interface. Whether for criminal investigation or national interest surveillance, this was the basis for the forensics database. The Public Switched Telephone Network (PSTN) existed as a well-defined, well-governed communication network and afforded a reliable and uniform database that was relatively easy to “analyze” (anyone can listen to voice communication with little training). Seemingly this approach and architecture should still suffice, except that the PSTN is now an IP-based service channel that traverses not one switched network but many, at very high speeds, over autonomously switched networks.
Though the method for gathering intelligence may be the same, the role of the technical intelligence analyst is more complex. The information being analyzed is rarely unambiguous — there are many ways a criminal or target may practice deception (tunneling, false-sourcing, manipulation of traffic or routes, etc.). The information is rarely complete – the Cyber medium again allows the criminal or target many ways to deny information to the analyst (log destruction, encryption, etc.).
The pace of change in network service, attacks, and defense is spiraling, and may lead to misleading assumptions by the analyst. That is all the more reason to structure intercept tools that support multiple levels of analyst skill. Doing so simplifies the methodology of technical analysis and accelerates the scoping and phrasing of analytical results.
Having a more effective way to coordinate the review and sorting of the relevant cyber intelligence information from a capture is one piece of the puzzle. The other is the notion of fusing event or target information in both timeline and detail. This is ever truer for national defense, as economic viability, national infrastructure and kinetic weapon systems rely on Cyber communication channels that can be affected at the speed of light. The difficulty lies in the fact that some of the information does not match well with classic intelligence assumptions (like nation-state focus: physical geography really isn’t that relevant to modern global networks). Determining identity, intent, and capability is a big part of the work of the fusion analyst in cyber, and a seamless hand-off from the technical analyst, though not a holistic picture, still has value as validated target events of interest.
The Everis LISP platform does not reside on the analyst’s PC. As part of the flexibility to afford seamless hand-off of alarm, trigger, filter or analyst-selected data, LISP resides on a controlled-access host that multiple users reach securely through their PC browsers. LISP further feeds ArcSight and other SNMP- or MIB-based SIM applications. As an intelligence tool, it provides the solution for unifying the intercept database, target information and fusion set that solidify a Cyber team. In its basic set, LISP addresses LEA needs for simplifying analysis and digital evidence. In a fully integrated Cyber intelligence platform, it addresses the needs of the US intelligence agencies, and it is currently selected for beta deployment with the Secret Service.