SB50: The case study
The Brief
A team of 67 analysts from Norwich University, the oldest private military college in the U.S.,
was tasked with using open source intelligence to assist security operations for Super Bowl
50 by the Santa Clara Police Department. Having previously partnered with Silobreaker for
education and training purposes in their classes, Norwich knew that that the service's suite of
data collection and analysis tools were ideally suited to the task.
Members of Norwich University's intelligence team at work in the SB50 security centre | Image source: Norwich University
Through Silobreaker, Norwich University’s analysts worked to identify and monitor threats
before and during SB50. The team collected and analysed open source intelligence related
to personnel for both teams, ranging from players and executives to VIP guests, as well as
monitoring information related to physical venues and assets, local criminal activity, protests
and other instabilities in the San Francisco Bay Area.
The Operation
In the days leading up to the Super Bowl, Norwich University sent a core team of 5
representatives to an undisclosed location within the San Francisco Bay Area, where they
joined the Super Bowl’s on-site security operation. Here, the team would work with a
collection of public and private security experts under the command of both local and
Federal law enforcement.
Logged into Silobreaker and supporting the operation were a further 30 intelligence analysts
and additional support personnel, situated over 3000 miles to the east on Norwich
University’s campus in Vermont.
“We were heavily integrated
into the information
technology systems being
operated by Levi’s Stadium,
and, by extension, were
connected to the NFL’s CISO,”
said Phil Susmann, Norwich
University Vice President for
Strategic Partners.
Members of Norwich University's on-site security team at Levi's Stadium | Image
source: Norwich University
Silobreaker Tools
Watch Lists
Our support team worked closely with Norwich University to create the customised lists
needed to monitor and cross-reference everything from geographic locations and names to
instabilities and leaked credentials. By filtering through lists containing hundreds of entities,
Norwich's SB50 team were able to make single-click queries and cross-reference them across
all of Silobreaker's tools. Norwich University’s Global Thread Observatory allowed the data to
be shared amongst the whole 67-strong team across different time zones. These lists and
other Silobreaker queries formed the foundation of Norwich's open source intelligence
gathering and analysis throughout the operation.
Norwich’s analysts worked with a wide range of custom Silobreaker lists for the SB50 security operation.
“When we had custom lists that
“One day we’ve got this set of
information and then we want to change
or add something. The Silobreaker team
were really awesome with being able to
develop the things we needed as we
went along” - Emily Fernald, Norwich
needed to be created and there was a
lot of fine tuning to be done in the
background that would’ve been
beyond the average user, Silobreaker
were fabulous in creating some really
difficult-to-set-up custom lists for us” -
Norwich University SB50 Remote
Phil Susmann, Norwich University Vice
Operation Lead.
President for Strategic Partners.
Social Media
Silobreaker's ability to collect and aggregate data in multiple languages from news, blogs,
feeds, alerts and social media was essential to the operation. In particular, the cross-referencing
of key terms and customised watch lists with multiple Twitter widgets was one of Norwich's
key tactics.
“There were players and team staff staying at hotels near the convention
centre. We asked Silobreaker to create lists that would help us specifically
monitor for anything coming up in social media relating to these hotels and
their surrounding geographic areas. These are not easy to filter for in social
media and Silobreaker’s team came p with filters that were really helpful” Matt Bovee, Norwich University Assoc. Dir for CS/CISA.
Using Silobreaker, Norwich’s SB50 analyst team were able to monitor multiple social media sources and feeds at once.
“Silobreaker works in real-time, is highly flexible and really adaptable. If we needed
somebody monitoring nothing but Twitter feeds, they were able to drop a couple of tools
and multiple Twitter widgets on a single dashboard, then drill down on that information.
Setting that up took a matter of minutes.
You’re often going to want to look at more than one feed. You can then drop in 2 or 3 or 4
modules for Twitter so that people could actually look at slices of that information al on the
same page. That was really helpful” - Matt Bovee, Norwich University Assoc. Dir for
CS/CISA.
Heat
Assisted by Silobreaker's Heat tool, Norwich University’s team were the first to uncover
several security threats that could be sent up the chain of command. The Heat index
measures mentions by volume and rate of emergence against a moving average, meaning
that unusual activity shows up quickly. The second a relevant cyber or non-cyber threat
appeared on any blog, microblog, feed or website, it was on Norwich's radar. Once the
team knew of a threat, they were able to quickly drill down to establish the necessary details
and submit reports.
A snapshot of the Silobreaker Heat tool used to monitor instabilities around the San Francisco Bay Area before and during SB50.
“Even when there wasn’t a lot of activity, being to tell that there wasn’t much going
on was extremely valuable. Silobreaker’s Heat tool was perfect for this” - Matt Bovee,
Norwich University Assoc. Dir for CS/CISA.
“Everybody on my team was very happy being able to use Silobreaker. It was way
more than a search engine used in an attempt to find out stuff. Silobreaker helped
guide us and its Heat indexes really helped to determine what actually mattered” Emily Fernald, Norwich University SB50 Remote Operation Lead.
Outcomes & results
Norwich’s team used Silobreaker as an early warning tool as well as to investigate potential
threats. As one of the few organisations involved that made use of open source intelligence,
Norwich played a substantial role in the overall operation at SB50.
Below are just 3 examples of occasions in which Silobreaker proved its value:
Uber Drivers’ Protest
Thousands of Uber drivers, disgruntled over recent
fare deductions, were planning a major protest during
Super Bowl Sunday in San Francisco. Though Santa
Clara Police knew about the protest and had identified
it as a threat, they lacked essential details.
Using Silobreaker, Norwich’s analysts scanned social
media networks and were quickly able to pick up key
pieces of intelligence, including videos uploaded by
the protest's leader and a host of relevant Tweets.
After processing this data the team was able to inform
law enforcement exactly where and when the protest
was most likely to take place.
A leaflet to aid the organisation of an Uber strike to
disrupt SB50.
Pitch Invasion Prank
While Uber drivers were planning events to occur outside Levi’s stadium, another individual
was planning something inside it. After receiving a tip off from Santa Clara Police, Norwich’s
analysts both on-site in California and back in Vermont were able to identify the individual in
question. In a matter of minutes, his details, including a profile photo and Twitter account,
had been located and sent on to the police and stadium security.
After using Silobreaker to identify the suspect, police apprehend him moments before his planned invasion of the Levi’s Stadium
pitch.
This information, discovered through Silobreaker, enabled Police in the stadium to
apprehend the individual moments before they had planned to run onto the pitch. Had the
prank been successful, the costs to the NFL are estimated to have been around $167,000 for
each second that the individual was on the pitch.
'Crazy Water Guy'
By cross referencing terms in Silobreaker,
Norwich’s team identified an individual they
immediately deemed a person of interest. Due to
the danger they might have posed, the threats that
the individual had made were sent straight up the
chain of command.
“When the extent of his threats were
understood, they were immediately
sent up the chain. Then we took the
time to dig back in. Within 10 minutes
[of Silobreaker operation] we were able
to turn around a report on this guy and
include all the reasons why we didn’t
Immediately after passing on the threat actor’s
think he was a threat” – Eric Tomlin,
details, Norwich’s analysts began to uncover more
Norwich University SB50 Intelligence
information through Silobreaker. By looking at this
individual's history, it was determined that he had
Team Lead.
continually displayed similar behaviour since 2013
and it was not unusual for him to make such drastic
threats. By harvesting and analysing this information through Silobreaker, the team was able
to quickly communicate an update through the chain of command. The individual’s threat
level was decreased and security was able to shift resources elsewhere.
More comments from Norwich University’s SB50 team:
Member’s of Norwich’s team on a Vermont state television network discussing their role in the SB50 security operation.
“For an event like the Super Bowl, open source intelligence is essential. Silobreaker
is one of the best tools I’ve seen for that purpose” – Audrey Wyman, Norwich
University SB50 On-Site Operations Lead.
___
“Silobreaker’s degree of customisation, real-time data monitoring, and the
flexibility to shift to different points of focus and follow numerous information
streams, was fantastic. Once you’ve identified something that needs to be looked at
specifically, it is easy to do so” – Matt Bovee, Norwich University Assoc. Dir. For
CS/CISA.
___
“Silobreaker enabled us to successfully plan for and monitor both cyber and noncyber threats during this highly complex, national security event. We were able to
keep an eye on relevant activity specifically within the Bay Area and around Levi’s
Stadium. The intelligence generated was then fed to law enforcement, ensuring that
the Super Bowl was a safe and successful event” – Phil Susmann, Norwich University
Vice President for Strategic Partners.