Cybercontrol. How can Palantir catch snowdens?
Together with Edison, we continue to investigate the capabilities of the Palantir system.
The Palantir system allows you to catch "snowduns" before they become world heroes, but were simply spies with whom anything could happen to anice ax .
Despite the fact that the leadership of Palantir fights for freedom and logs every single action in the system, such systems pose a great danger to future snowmen. Forewarned is forearmed.
')
Consider the case when, thanks to the Palantir platform, a special investigation was carried out to calculate the unreliable embassy employee who was merging information from a third party.
The investigation analyzed network traffic, information of routers, data of contact cards and badges of employees, events, data of social networks, data of video surveillance. Due to the static, temporary analysis, geodata analysis and visual analysis, the “mole” was revealed.
Thirtieth to destroy.
(For assistance in preparing the article, special thanks to Alexey Vorsin, Russian expert on the Palantir system)
0:00 This video uses data from the logs of using access cards, IP logs and a list of staff identification numbers.
0:07 On the Palantir platform, we can combine and combine all this data into one investigation to identify a suspicious exchange of information and link it with a possible suspect.
0:20 First we import the data.
0:25 The Palantir Import Wizard (Palantir Import Wizard) allows the user to partition data by building a structure dynamically, depending on the source.
0:30 The Import Wizard automatically imports data, creates objects and assigns properties to them, binds objects according to specified conditions, and removes the resulting duplicates identified based on customizable constraints.
0:43 We will start our investigation with all the events related to the access cards to the secret area (classified space - the territory or information is not fully understood) and displayed on the graph.
0:49 Each of these events contains access time and access termination time, but we also see several unfinished events when someone jumped behind a colleague (piggybacking, one of the meanings is to go on someone's back) while using the themes of his card.
0:57 We see an interesting pattern: Three times a week, a Thirty employee gets access to a secret area.
1:03 Using office 30 employee neighbors as a starting point, we’ll track down possible episodes of unauthorized use of computers by examining data transfer events related to accessing secret data.
1:13 Partially coincident events indicate unauthorized access to data, due to computers outside the secret area.
1:21 Our search revealed unauthorized data transfer to IP address 100.59.151.133.
1:30 pm “Search around” (Palantir tool) applied to a suspicious IP showed 18 data transfer cases to 12 different embassy computers.
1:37 We auto-order (autoarrange, apparently also a tool) graph, and colored objects by type, for greater clarity.
1:43 On the histogram, we see that all these 18 cases use port 8080 and the entire amount of data transferred came from the organization.
1:50 At the timewheel helper, we see that the data was transmitted for four weeks, every Tuesday and Wednesday, and one transmission per day at the beginning, up to three per day at the end.
2:01 We added authorized users and their office neighbors to the graph using “search around”.
2:07 Now, by selecting these employees individually, we will find all related events related to accessing or transferring information, and then, over the timeline, we will track when data transfer to a suspicious IP has been authorized.
2:21 We see an unauthorized transfer, while employee 40 had access to a secret area.
2:29 By repeating this procedure for the rest of the workers, we found 14 cases in which the relevant employee had access to the secret area during the data transfer, 13 cases in which they were probably not in the office, and 6 when they were seen far from their workplace.
2:43 Only employee 30 was present at the time that employee computer 31 was transmitting data, which suggests that the thirtieth saw the suspect or was himself.
2:51 To confirm suspicion about Thirtieth, we can conduct an additional test by creating several time filters that correspond to the time of suspicious data transfer. Using these filters, we investigate possible intersections with the time when the suspect had access to a secret area.
3:09 The suspect should have access to the computer all eighteen times when data was transferred.
3:11 On the graph, all events related to access to the secret area. We can add our filters to see all intersecting events.
3:22 “Searching around” gave us all the employees associated with the events that we might perceive as suspects.
3:29 Finally, the filter among the embassy staff gives us two potential suspects, one of them, of course, the Thirtieth.
3:39 Our workflow confirmed suspicions: Thirtieth - a malicious insider. Time analysis of IP logs and access logs, not only gave us the opportunity to identify unauthorized use of computers, but also to link this with a specific individual.
0:00 Analysis of social networks and spatial analysis - written on the screen.
We received intelligence data suggesting that the employee of the embassy, ​​driven by malicious intent, uses social networks for contacts with the criminal organization and data transfer.
0:10 Our data: a list of 6000 users of some kind (Flickr? Or a made-up Flitter network?) Social networks and a list of links between their accounts.
[0:15 The Palantir Import Wizard (Palantir Import Wizard) allows the user to lay out data, building a structure dynamically, depending on the source.
0:23 The Import Wizard automatically imports data, creates objects and assigns properties to them, binds objects according to specified conditions, and removes the duplicates detected based on customizable constraints.] This entire piece is repeated in the first video.
0:41 There is information that our suspect has more than 40 contacts in Flickr. We can conduct a quick search on 6000 accounts to select all containing 42 to 48 contacts.
1:01 We also know that this embassy employee is associated with three accomplices, each of whom has from 30 to 40 contacts.
1:09 Using search around, we find these characters and add them to the graph.
1:16 This search around has identified 5 accounts that have three contacts that match the description.
1:28 After highlighting one of these accounts, we will explore his social network.
1:34 Let's start with Lafouge and return all of his potential accomplices using the saved search around search.
1:44 Now we’ll find out if they are communicating with the leader through a common intermediary, or whether everyone has an intermediary. To do this, we will find all users who are associated with accomplices, and who have no more than six contacts, since intelligence has reported that the intermediary has only one or two contacts, except for accomplices.
2:06 We see an obvious common mediator, right in the center of the graph. Nevertheless, in order to make sure that there is only one intermediary in this network, we will look for contacts among the contacts with a potential leader among the contacts of the accomplices.
2:23 The leader has hundreds of contacts, many of them are international. The search revealed that in our case, a common intermediary is used to bring all contacts together, to a leader named Cornell.
2:36 I think we found our network. Of course, the result is still raw, as we have to confirm that the leader is not directly connected with the embassy employee or accomplices.
2:47 Our search shows that this potential leader is connected with an accomplice; this information allows us to remove Lafouge from the list of suspects.
2:55 Now let's apply the same logic to the remaining four suspects.
3:02 In the end, we received 3 networks that almost completely coincided with the description given by intelligence.
3:09 One of these networks is built around Shafter, details of his network can be seen through spatial analysis. For such an analysis, we added to the Palantir the coordinates of the city indicated in the profile by users of the social network.
3:23 Geodata does not completely coincide with the intelligence provided.
3:30 am Both the embassy employee and his accomplices live in Prunow, the mediator in Kenwich, and the leader in Kuvnich. The only possible explanation for this is that for some reason the accomplices must be within the reach of the embassy staff.
3:45 The mediator may not be physically connected to the network, for better security, and the leader can live close to the border to control the transfer of data outside Florence.
3:57 The location of the leader may also indicate that the criminal organization has connections in the neighboring state Trium.
Analysis of surveillance records.
0:00 We have ten hours of recordings from surveillance cameras that capture the meeting of our suspects.
0:09 Dates and times of entries: Wednesday, January 24, from 10:00 to 15:00 and Saturday, January 26, from 8:00 to 13:00.
0:18 We also know that the camcorder is located within walking distance from the embassy.
0:24 For our investigation, we imported video metadata as additional events in Palantir, and each is associated with a ten-minute excerpt.
0:36 Based on our suspicion of Thirtieth, we will look for passages corresponding to the time when he was outside the embassy.
0:45 To do this, we will create temporary filters for the time when the Thirtieth was to leave the embassy.
0:55 We found four such events on Wednesday, and unfortunately none on Saturday, since Thirtieth was not at the embassy that day.
1:10 Watching the video, we can create events related to every suspicious moment that we find.
1:18 Earlier, we’ve already watched the video for Wednesday and found nothing interesting.
1:23 Saturday video, however, contains an interesting point: two meet and exchange portfolios.
1:31 We created the corresponding “meeting” event, which includes a description, a screenshot, and other metadata.
1:48 Here we see a complete record of the event: time, duration, comments, related media files.
1:55 By creating this event, we integrate it into the investigation.
2:00 If we confirm that one of the participants of the meeting is the Thirtieth, we will be able to link him and the meeting.
2:17 Finally, we can publish this new data, making it available to other Palantir users.
2:26 With Palantir’s advanced analysis capabilities, we were able to link disparate data sources and conducted time, statistical, social, spatial analysis, and interdependence analysis in one unified analytic environment.
2:40 Our investigation on the Palantir platform not only quickly revealed the use of embassy computers for information retrieval, but also the employee responsible for this, and also made it possible to draw up a map of his social connections.
More about Palantir:
The Palantir system allows you to catch "snowduns" before they become world heroes, but were simply spies with whom anything could happen to an
Despite the fact that the leadership of Palantir fights for freedom and logs every single action in the system, such systems pose a great danger to future snowmen. Forewarned is forearmed.
')
Consider the case when, thanks to the Palantir platform, a special investigation was carried out to calculate the unreliable embassy employee who was merging information from a third party.
The investigation analyzed network traffic, information of routers, data of contact cards and badges of employees, events, data of social networks, data of video surveillance. Due to the static, temporary analysis, geodata analysis and visual analysis, the “mole” was revealed.
Thirtieth to destroy.
(For assistance in preparing the article, special thanks to Alexey Vorsin, Russian expert on the Palantir system)
Part 1
0:00 This video uses data from the logs of using access cards, IP logs and a list of staff identification numbers.
0:07 On the Palantir platform, we can combine and combine all this data into one investigation to identify a suspicious exchange of information and link it with a possible suspect.
0:20 First we import the data.
0:25 The Palantir Import Wizard (Palantir Import Wizard) allows the user to partition data by building a structure dynamically, depending on the source.
0:30 The Import Wizard automatically imports data, creates objects and assigns properties to them, binds objects according to specified conditions, and removes the resulting duplicates identified based on customizable constraints.
0:43 We will start our investigation with all the events related to the access cards to the secret area (classified space - the territory or information is not fully understood) and displayed on the graph.
0:49 Each of these events contains access time and access termination time, but we also see several unfinished events when someone jumped behind a colleague (piggybacking, one of the meanings is to go on someone's back) while using the themes of his card.
0:57 We see an interesting pattern: Three times a week, a Thirty employee gets access to a secret area.
1:03 Using office 30 employee neighbors as a starting point, we’ll track down possible episodes of unauthorized use of computers by examining data transfer events related to accessing secret data.
1:13 Partially coincident events indicate unauthorized access to data, due to computers outside the secret area.
1:21 Our search revealed unauthorized data transfer to IP address 100.59.151.133.
1:30 pm “Search around” (Palantir tool) applied to a suspicious IP showed 18 data transfer cases to 12 different embassy computers.
1:37 We auto-order (autoarrange, apparently also a tool) graph, and colored objects by type, for greater clarity.
1:43 On the histogram, we see that all these 18 cases use port 8080 and the entire amount of data transferred came from the organization.
1:50 At the timewheel helper, we see that the data was transmitted for four weeks, every Tuesday and Wednesday, and one transmission per day at the beginning, up to three per day at the end.
2:01 We added authorized users and their office neighbors to the graph using “search around”.
2:07 Now, by selecting these employees individually, we will find all related events related to accessing or transferring information, and then, over the timeline, we will track when data transfer to a suspicious IP has been authorized.
2:21 We see an unauthorized transfer, while employee 40 had access to a secret area.
2:29 By repeating this procedure for the rest of the workers, we found 14 cases in which the relevant employee had access to the secret area during the data transfer, 13 cases in which they were probably not in the office, and 6 when they were seen far from their workplace.
2:43 Only employee 30 was present at the time that employee computer 31 was transmitting data, which suggests that the thirtieth saw the suspect or was himself.
2:51 To confirm suspicion about Thirtieth, we can conduct an additional test by creating several time filters that correspond to the time of suspicious data transfer. Using these filters, we investigate possible intersections with the time when the suspect had access to a secret area.
3:09 The suspect should have access to the computer all eighteen times when data was transferred.
3:11 On the graph, all events related to access to the secret area. We can add our filters to see all intersecting events.
3:22 “Searching around” gave us all the employees associated with the events that we might perceive as suspects.
3:29 Finally, the filter among the embassy staff gives us two potential suspects, one of them, of course, the Thirtieth.
3:39 Our workflow confirmed suspicions: Thirtieth - a malicious insider. Time analysis of IP logs and access logs, not only gave us the opportunity to identify unauthorized use of computers, but also to link this with a specific individual.
Part 2
0:00 Analysis of social networks and spatial analysis - written on the screen.
We received intelligence data suggesting that the employee of the embassy, ​​driven by malicious intent, uses social networks for contacts with the criminal organization and data transfer.
0:10 Our data: a list of 6000 users of some kind (Flickr? Or a made-up Flitter network?) Social networks and a list of links between their accounts.
[0:15 The Palantir Import Wizard (Palantir Import Wizard) allows the user to lay out data, building a structure dynamically, depending on the source.
0:23 The Import Wizard automatically imports data, creates objects and assigns properties to them, binds objects according to specified conditions, and removes the duplicates detected based on customizable constraints.] This entire piece is repeated in the first video.
0:41 There is information that our suspect has more than 40 contacts in Flickr. We can conduct a quick search on 6000 accounts to select all containing 42 to 48 contacts.
1:01 We also know that this embassy employee is associated with three accomplices, each of whom has from 30 to 40 contacts.
1:09 Using search around, we find these characters and add them to the graph.
1:16 This search around has identified 5 accounts that have three contacts that match the description.
1:28 After highlighting one of these accounts, we will explore his social network.
1:34 Let's start with Lafouge and return all of his potential accomplices using the saved search around search.
1:44 Now we’ll find out if they are communicating with the leader through a common intermediary, or whether everyone has an intermediary. To do this, we will find all users who are associated with accomplices, and who have no more than six contacts, since intelligence has reported that the intermediary has only one or two contacts, except for accomplices.
2:06 We see an obvious common mediator, right in the center of the graph. Nevertheless, in order to make sure that there is only one intermediary in this network, we will look for contacts among the contacts with a potential leader among the contacts of the accomplices.
2:23 The leader has hundreds of contacts, many of them are international. The search revealed that in our case, a common intermediary is used to bring all contacts together, to a leader named Cornell.
2:36 I think we found our network. Of course, the result is still raw, as we have to confirm that the leader is not directly connected with the embassy employee or accomplices.
2:47 Our search shows that this potential leader is connected with an accomplice; this information allows us to remove Lafouge from the list of suspects.
2:55 Now let's apply the same logic to the remaining four suspects.
3:02 In the end, we received 3 networks that almost completely coincided with the description given by intelligence.
3:09 One of these networks is built around Shafter, details of his network can be seen through spatial analysis. For such an analysis, we added to the Palantir the coordinates of the city indicated in the profile by users of the social network.
3:23 Geodata does not completely coincide with the intelligence provided.
3:30 am Both the embassy employee and his accomplices live in Prunow, the mediator in Kenwich, and the leader in Kuvnich. The only possible explanation for this is that for some reason the accomplices must be within the reach of the embassy staff.
3:45 The mediator may not be physically connected to the network, for better security, and the leader can live close to the border to control the transfer of data outside Florence.
3:57 The location of the leader may also indicate that the criminal organization has connections in the neighboring state Trium.
Part 3
Analysis of surveillance records.
0:00 We have ten hours of recordings from surveillance cameras that capture the meeting of our suspects.
0:09 Dates and times of entries: Wednesday, January 24, from 10:00 to 15:00 and Saturday, January 26, from 8:00 to 13:00.
0:18 We also know that the camcorder is located within walking distance from the embassy.
0:24 For our investigation, we imported video metadata as additional events in Palantir, and each is associated with a ten-minute excerpt.
0:36 Based on our suspicion of Thirtieth, we will look for passages corresponding to the time when he was outside the embassy.
0:45 To do this, we will create temporary filters for the time when the Thirtieth was to leave the embassy.
0:55 We found four such events on Wednesday, and unfortunately none on Saturday, since Thirtieth was not at the embassy that day.
1:10 Watching the video, we can create events related to every suspicious moment that we find.
1:18 Earlier, we’ve already watched the video for Wednesday and found nothing interesting.
1:23 Saturday video, however, contains an interesting point: two meet and exchange portfolios.
1:31 We created the corresponding “meeting” event, which includes a description, a screenshot, and other metadata.
1:48 Here we see a complete record of the event: time, duration, comments, related media files.
1:55 By creating this event, we integrate it into the investigation.
2:00 If we confirm that one of the participants of the meeting is the Thirtieth, we will be able to link him and the meeting.
2:17 Finally, we can publish this new data, making it available to other Palantir users.
2:26 With Palantir’s advanced analysis capabilities, we were able to link disparate data sources and conducted time, statistical, social, spatial analysis, and interdependence analysis in one unified analytic environment.
2:40 Our investigation on the Palantir platform not only quickly revealed the use of embassy computers for information retrieval, but also the employee responsible for this, and also made it possible to draw up a map of his social connections.
More about Palantir:
Source: https://habr.com/ru/post/281112/
All Articles