SB50: Case study

The brief

A team of 67 analysts from Norwich University, the oldest private military college in the U.S., was tasked with using open source intelligence to assist security operations for Super Bowl 50 by the Santa Clara Police Department. Having previously partnered with Silobreaker for education and training purposes in their classes, Norwich knew that that the service’s suite of data collection and analysis tools were ideally suited to the task.

Norwich's team in the SB50 security centre.

Members of the Norwich intelligence team at work in the SB50 security centre.

Through Silobreaker, Norwich University’s analysts worked to identify and monitor threats before and during SB50. The team collected and analysed open source intelligence related to personnel for both teams, ranging from players and executives to VIP guests, as well as monitoring information related to physical venues and assets, local criminal activity, protests and other instabilities in the San Francisco Bay Area.

The operation

In the days leading up to the Super Bowl, Norwich University sent a core team of 5 representatives to an undisclosed location within the San Francisco Bay Area, where they joined the Super Bowl’s on-site security operation. Here, the team would work with a collection of public and private security experts under the command of both local and Federal law enforcement.

Logged into Silobreaker and supporting the operation were a further 30 intelligence analysts and additional support personnel, situated over 3000 miles to the east on Norwich University’s campus in Vermont.

“We were heavily integrated into the information technology systems being operated by Levi’s Stadium, and, by extension, were connected to the NFL’s CISO,” – said Phil Susmann, Norwich University Vice President for Strategic Partners.

Members of Norwich University's on-site security team at Levi Stadium | Image source: Norwich University.

Members of Norwich University’s on-site security team at Levi’s Stadium | Image source: Norwich University

Silobreaker Tools

Watch Lists

Our support team worked closely with Norwich University to create the customised lists needed to monitor and cross-reference everything from geographic locations and names to instabilities and leaked credentials. By filtering through lists containing hundreds of entities, Norwich’s SB50 team were able to make single-click queries and cross-reference them across all of Silobreaker’s tools. Norwich University’s Global Thread Observatory allowed the data to be shared amongst the whole 67-strong team across different time zones. These lists and other Silobreaker queries formed the foundation of Norwich’s open source intelligence gathering and analysis throughout the operation. 

Norwich's analysts worked with a wide range of custom Silobreaker watch lists for SB50.

Norwich’s analysts worked with a wide range of custom Silobreaker watch lists for SB50.

“One day we’ve got this set of information and then we want to change or add something. The Silobreaker team were really awesome with being able to develop the things that we needed as we went along.” – Emily Fernald, Norwich University SB50 Remote Operation Lead.

“When we had custom lists that needed to be created and there was a lot of fine tuning to be done in the background that would’ve been beyond the average user, Silobreaker were fabulous in creating some really difficult to set up custom lists for us.” – Phil Sussman, Norwich University Vice President for Strategic Partners.

Social Media

Silobreaker’s ability to collect and aggregate data in multiple languages from news, blogs, feeds, alerts and social media was essential to the operation. In particular, the cross-referencing of key terms and customised watch lists with multiple Twitter widgets was one of Norwich’s key tactics.  

Using Silobreaker, Norwich's SB50 analyst team were able to monitor multiple social media sources at any one time.

Using Silobreaker, Norwich’s SB50 analyst team were able to monitor multiple social media sources at the same time.

“There were players and team staff staying at hotels near the convention centre. We asked Silobreaker to create lists that would help us specifically monitor for anything coming up in social media relating to these hotels and their surrounding geographic areas. These are not easy to filter for in social media and Silobreaker’s team came up with filters that were really helpful.”– Matt Bovee, Norwich University Assoc. Dir. for CS/CSIA.

“Silobreaker works in real-time, is highly flexible and really adaptable. If we needed somebody monitoring nothing but Twitter feeds, they were able to drop a couple of tools and multiple Twitter widgets on a single dashboard, then drill down on that information. Setting that up took a matter of minutes.

You’re often going to want to look at more than one feed. You can then drop in 2 or 3 or 4 modules for Twitter so that people could actually look at slices of that information all on the same page. That was really really helpful.” – Matt Bovee, Norwich University Assoc. Dir. for CS/CSIA.

Heat

Assisted by Silobreaker’s Heat tool, Norwich University’s team were the first to uncover several security threats that could be sent up the chain of command. The Heat index measures mentions by volume and rate of emergence against a moving average, meaning that unusual activity shows up quickly. The second a relevant cyber or non-cyber threat appeared on any blog, microblog, feed or website, it was on Norwich’s radar. Once the team knew of a threat, they were able to quickly drill down to establish the necessary details and submit reports.

SF Bay Area instabilities Heat tool

A snapshot of the Silobreaker Heat tool used to monitor instabilities around the San Francisco Bay Area before and during SB50.

“Everybody on my team was very happy being able to use Silobreaker. It was way more than a search engine used in an attempt to find out stuff. Silobreaker helped guide us and its heat indexes really helped to determine what actually mattered.” – Emily Fernald, Norwich University SB50 Remote Operation Lead.

“Even when there wasn’t a lot of activity, being able to tell that there wasn’t much going on was extremely valuable. Silobreaker’s Heat tool was perfect for this.” –  Matt Bovee, Norwich University Assoc. Dir. for CS/CSIA.

Outcomes & results

Norwich’s team used Silobreaker as an early warning tool as well as to investigate potential threats. As one of the few organisations involved that made use of open source intelligence, Norwich played a substantial role in the overall operation at SB50.

Uber protest pamphlet.

A leaflet to aid the organisation of an Uber strike to disrupt SB50.

Below are just 3 examples of occasions in which Silobreaker proved its value:

Uber Drivers’ Protest

Thousands of Uber drivers, disgruntled over recent fare deductions, were planning a major protest during Super Bowl Sunday in San Francisco. Though Santa Clara Police knew about the protest and had identified it as a threat, they lacked essential details.

Using Silobreaker, Norwich’s analysts scanned social media networks and were quickly able to pick up key pieces of intelligence, including videos uploaded by the protest’s leader and a host of relevant Tweets. After processing this data the team was able to inform law enforcement exactly where and when the protest was most likely to take place.

Pitch Invasion Prank

While Uber drivers were planning events to occur outside Levi’s’s stadium, another individual was planning something inside it. After receiving a tip off from Santa Clara Police, Norwich’s analysts both on-site in California and back in Vermont were able to identify the individual in question. In a matter of minutes, his details, including a profile photo and Twitter account, had been located and sent on to the police and stadium security.

Youtube screenshot of the arrest.

After using Silobreaker to identify the suspect, police apprehend him moments before he’d planned to invade the Levi’s Stadium pitch.

This information, discovered through Silobreaker, enabled Police in the stadium to apprehend the individual moments before they had planned to run onto the pitch. Had the prank been successful, the costs to the NFL are estimated to have been around $167,000 for each second that the individual was on the pitch.

‘Crazy Water Guy’

By cross referencing terms in Silobreaker, Norwich’s team identified an individual they immediately deemed a person of interest. Due to the danger they might have posed, the threats that the individual had made were sent straight up the chain of command.

Immediately after passing on the threat actor’s details, Norwich’s analysts began to uncover more information through Silobreaker. By looking at this individual’s history, it was determined that he had continually displayed similar behaviour since 2013 and it was not unusual for him to make such drastic threats. By harvesting and analyzing this information through Silobreaker, the team was able to quickly communicate an update through the chain of command. The individual’s threat level was decreased and security was able to shift resources elsewhere.

“When the extent of his threats was understood, it was immediately sent up the chain. Then we took the time to dig back in. Within 10 minutes [of Silobreaker operation] we were able to turn around a report on this guy and include all the reasons why we didn’t think he was a threat.” – Eric Tomlin, Norwich University SB50 Intelligence Team Lead.


More comments from the Norwich University SB50 team.

wcax_tv_superbowl_cybersecurity_norwichWatch a TV interview with students from Norwich University’s SB50 on-site team.

“For an event like the Super Bowl open source intelligence is essential. Silobreaker is one of the best tools I’ve seen for that purpose.” – Audrey Wyman, Norwich University SB50 On-Site Operations Lead.

“Silobreaker enabled us to successfully plan for and monitor both cyber and non-cyber threats during this highly complex, national security event. We were able to keep an eye on relevant activity specifically within the Bay area and around Levi’s’s Stadium. The intelligence generated was then fed to law enforcement, ensuring that the Super Bowl was a safe and successful event.” – Phil Susmann, Norwich University Vice President for Strategic Partners.

“Silobreaker’s degree of customisation, real-time data monitoring, and the flexibility to shift to different points of focus and follow numerous information streams, was fantastic. Once you’ve identified something that needs to be looked at specifically, it’s easy to do so.” –  Matt Bovee, Norwich University Assoc. Dir. for CS/CSIA.

 


 

About Norwich UniversityImage source: Norwich UniversityImage source: Norwich University
Norwich University is a diversified academic institution that educates traditional-age students and adults in a Corps of Cadets and as civilians. Norwich offers a broad selection of traditional and distance-learning programs culminating in Baccalaureate and Graduate Degrees. Norwich University was founded in 1819 by Captain Alden Partridge of the U.S. Army and is the oldest private military college in the United States of America. Norwich is one of our nation’s six senior military colleges and the birthplace of the Reserve Officers’ Training Corps (ROTC). 
www.norwich.edu