
UNCLASSIFIED

TRACT: Threat Rating and Assessment Collaboration Tool

Robert Hollinger and Doran Smestad
Advised by: George Heineman (WPI), Philip Marquardt (MIT/LL)

Worcester Polytechnic Institute Major Qualifying Project Presentation
October 16th, 2013
Group 51: Cyber Systems and Operations

This work is sponsored by the Assistant Secretary of Defense for Research & Engineering under Air Force Contract #FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United States Government.


TRACT - 2 RH, DS – 10/16/13 UNCLASSIFED

Network Analyst

•  Identify cyber vulnerabilities and threats
   –  A threat is the possibility of a malicious attempt to damage or disrupt a computer network or system.
•  Take the necessary steps to protect their network against such threats
•  Sources of Information
   –  Intrusion Detection System (IDS)
   –  Intrusion Prevention System (IPS)
   –  Server Logs
   –  Online Sources
•  Analyst Tools
   –  Tools exist to process many of these sources (e.g. Splunk)
   –  However, no tool exists to process the noisy online source data


Problem Area - Sources

Sources of Information: Twitter, Security Updates, Blogs, Reported Vulnerabilities

Example sources shown on the slide: Bruce Schneier, ZDNet, Microsoft, Apple, MITRE, Rapid7, Mandiant, McAfee, BAE, Intel, Symantec, Comodo, Verisign, Tenable, Sophos, RSA


Background

LLAN
–  Lincoln Research Network Operation Center (LRNOC)
   •  Holds Lincoln Laboratory Network Data
   •  Research Environment to Build Better Cyber Tools
   •  Isolated Network
–  Lincoln Laboratory Cyber Situational Awareness (LLCySA) Platform
   •  Framework to query data from the LRNOC

Goal: determine which threats apply to us


Problem Statement

(Diagram, built up over three slides: Sources → Analyst: "Is there a threat?" → Threats, with numbered steps 1–6)

1,2 – Analysts receive large amounts of data from online sources.
3,4 – Analysts review source data for possible threats.
5,6 – Analysts can query LLCySA to determine relevance.

Analysts are required to manually review, search, sort, and organize data.


Threat Rating and Assessment Collaboration Tool

(Diagram, built up over two slides: Sources → TRACT → Analysts: "Is there a threat?" → Threats, with numbered steps 1–4)

1,2 – Analysts search data held by TRACT
3,4 – Analysts query LLCySA to determine relevance

TRACT allows Analysts to collectively process more data with less noise.


Information Retrieval

Information Retrieval: Location of relevant documents from a corpus of information

Regular Expression: Sequence of characters describing a text pattern

Examples:
–  (Firefox)
–  (Firefox)|(Chrome)
–  (Firefox).{0,5}(4)
–  ([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})
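The retrieval step described on this slide, as an added example that is not code from the TRACT project: the slide's four patterns are run over a small constructed corpus of posts, an AND-style refinement narrows the hit set the way an analyst's Refine step would, and a range-checked IPv4 extractor shows why the dotted-quad pattern alone is noisy (it also matches impossible addresses such as 999.1.2.3 and matches inside longer digit runs). The sample posts, post ids and function names are assumptions.

```python
import re

# Constructed sample corpus standing in for ingested posts (not real tweets
# or feed entries); the ids are assumed to come from TRACT's database.
SAMPLE_POSTS = [
    {"id": 1, "source": "twitter", "text": "Firefox 4.0.1 released with security fixes"},
    {"id": 2, "source": "rss", "text": "Chrome stable channel update addresses two high-severity bugs"},
    {"id": 3, "source": "blog", "text": "Scanning traffic observed from 203.0.113.45 against SSH"},
    {"id": 4, "source": "rss", "text": "Firefox 3.6 reaches end of life, upgrade recommended"},
    {"id": 5, "source": "twitter", "text": "Internet Explorer zero-day reported, patch pending"},
    {"id": 6, "source": "blog", "text": "Bogus address 999.1.2.3 in spam headers; also 10.0.0.256 seen"},
]

# The four patterns from the slide. The third uses the comma form {0,5}:
# "{0-5}" is not a quantifier, and Python's re treats it as literal text.
PATTERN_FIREFOX = r"(Firefox)"
PATTERN_FIREFOX_OR_CHROME = r"(Firefox)|(Chrome)"
PATTERN_FIREFOX_NEAR_4 = r"(Firefox).{0,5}(4)"
PATTERN_IPV4 = r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})"


def search(posts, pattern, flags=re.IGNORECASE):
    """Return the ids of posts whose text contains a match for the pattern."""
    rx = re.compile(pattern, flags)
    return [p["id"] for p in posts if rx.search(p["text"])]


def refine(posts, patterns):
    """Analyst refinement: keep only posts that match every pattern (AND)."""
    ids = None
    for pat in patterns:
        hits = set(search(posts, pat))
        ids = hits if ids is None else ids & hits
    return sorted(ids) if ids else []


def valid_ipv4_addresses(text):
    """Extract dotted quads whose four octets are all in 0-255.

    The slide's pattern on its own also matches 999.1.2.3 or 10.0.0.256 and
    can match inside a longer digit run; the lookarounds stop the latter and
    the range check drops the former."""
    rx = re.compile(r"(?<![0-9.])(" + PATTERN_IPV4 + r")(?![0-9.])")
    found = []
    for m in rx.finditer(text):
        if all(0 <= int(octet) <= 255 for octet in m.group(1).split(".")):
            found.append(m.group(1))
    return found


if __name__ == "__main__":
    for name, pat in (("Firefox", PATTERN_FIREFOX),
                      ("Firefox|Chrome", PATTERN_FIREFOX_OR_CHROME),
                      ("Firefox near 4", PATTERN_FIREFOX_NEAR_4),
                      ("IPv4", PATTERN_IPV4)):
        print(f"{name:15s} -> posts {search(SAMPLE_POSTS, pat)}")
    print("refined         ->", refine(SAMPLE_POSTS, [PATTERN_FIREFOX_OR_CHROME, r"security|severity"]))
    for p in SAMPLE_POSTS:
        print(p["id"], valid_ipv4_addresses(p["text"]))
```

Running the slide's third pattern exactly as printed, `(Firefox).{0-5}(4)`, against this corpus returns nothing, because the engine looks for the literal characters `{0-5}`; the comma form is what expresses "up to five characters between Firefox and 4".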


Design Considerations

LLAN
–  Transfer of Information
–  Permanent Storage of Information
–  User Interface communication with the database
–  Collaboration between Analysts


User Interface - Welcome


User Interface - Search


User Interface - Refine


User Interface - LLCySA


Chart: Use of Firefox in Lincoln Laboratory – Percent of Users by Browser Version (Firefox 5.0, Firefox 4.0, Firefox 3.6, Firefox 3.0). Example Purposes Only, Not Actual Data.


User Interface - Dashboard


Evaluation

Analysts

–  Dedicated display to show our Dashboard in the LRNOC

–  Ingestion of user refinement data into the LLCySA platform

–  Received positive reaction from Analysts and they plan to use it in their work


Conclusion

–  Identified a gap in the analyst toolset

–  Developed system to assist analysts in the process of gaining relevant threat information from online sources

–  Reviewed system with analysts


Future Work

Full Graphing of Refinements

Advanced Information Retrieval

Full integration with LRNOC


Acknowledgements

Philip Marquardt, MIT/LL Advisor, LRNOC Lead

George Heineman, WPI Advisor

David O’Gwynn, LLCySA Technical Staff

Kathleen Haas, MQP Coordinator

Ted Clancy, WPI Project Site Lead


Backup Slides


System Flow of Information

Twitter, RSS, Atom → Ingester → SQLite → DB Transfer → MySQL (LRNOC) → Application

Application: User Login → User Queries → Display Posts → Refine Query
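The ingest and transfer side of the flow above, as an added example that is not the project's own code: a minimal Atom ingester stores entries in SQLite keyed on the feed-supplied entry id, so polling the same feed again inserts nothing new, and then exports the rows not yet transferred as JSON lines for the DB transfer into the isolated LRNOC. The feed content, table schema and function names are assumptions; RSS and Twitter handling and the MySQL side are not shown.

```python
import json
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed standing in for a vendor advisory feed
# (not a real feed and not real advisories).
SAMPLE_ATOM = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Example Vendor Security Advisories</title>
  <entry>
    <id>urn:example:advisory:2013-001</id>
    <title>Browser update fixes memory-safety bugs</title>
    <updated>2013-10-01T12:00:00Z</updated>
    <link href="https://vendor.example/advisories/2013-001"/>
    <summary>Users of Firefox 4.0 should update.</summary>
  </entry>
  <entry>
    <id>urn:example:advisory:2013-002</id>
    <title>Scanning from 203.0.113.0/24 reported</title>
    <updated>2013-10-02T08:30:00Z</updated>
    <link href="https://vendor.example/advisories/2013-002"/>
    <summary>Multiple customers report SSH brute-force attempts.</summary>
  </entry>
</feed>
"""

# Assumed schema. The feed-supplied entry id is the primary key, so a repeat
# poll of the same feed is a no-op; transferred=0 marks rows still waiting
# for the DB transfer into the LRNOC.
SCHEMA = """
CREATE TABLE IF NOT EXISTS posts (
    entry_id    TEXT PRIMARY KEY,
    source      TEXT NOT NULL,
    title       TEXT NOT NULL,
    link        TEXT,
    summary     TEXT,
    updated     TEXT,
    ingested    TEXT NOT NULL,
    transferred INTEGER NOT NULL DEFAULT 0
);
"""
COLUMNS = ("entry_id", "source", "title", "link", "summary", "updated")


def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def parse_atom(xml_text, source):
    """Return one dict per <entry>. A feed is untrusted input: for real
    polling parse it with defusedxml, since ElementTree does not limit
    entity expansion."""
    root = ET.fromstring(xml_text)
    entries = []
    for e in root.iter(ATOM + "entry"):
        def text(tag):
            node = e.find(ATOM + tag)
            return (node.text or "").strip() if node is not None else ""
        link = e.find(ATOM + "link")
        entries.append({
            "entry_id": text("id"), "source": source, "title": text("title"),
            "link": link.get("href", "") if link is not None else "",
            "summary": text("summary"), "updated": text("updated"),
        })
    return entries


def ingest(conn, entries):
    """Insert entries with parameterised SQL; return how many were new."""
    now = datetime.now(timezone.utc).isoformat()
    before = conn.total_changes
    for ent in entries:
        if not ent["entry_id"]:
            continue  # without an id the entry cannot be deduplicated
        conn.execute(
            "INSERT OR IGNORE INTO posts (entry_id, source, title, link, "
            "summary, updated, ingested) VALUES (?, ?, ?, ?, ?, ?, ?)",
            tuple(ent[c] for c in COLUMNS) + (now,))
    conn.commit()
    return conn.total_changes - before


def export_for_transfer(conn):
    """Serialise not-yet-transferred rows as JSON lines and mark them sent."""
    rows = conn.execute(
        "SELECT entry_id, source, title, link, summary, updated FROM posts "
        "WHERE transferred = 0 ORDER BY updated").fetchall()
    conn.executemany("UPDATE posts SET transferred = 1 WHERE entry_id = ?",
                     [(r[0],) for r in rows])
    conn.commit()
    return "\n".join(json.dumps(dict(zip(COLUMNS, r))) for r in rows)


def pending_transfer(conn):
    return conn.execute("SELECT COUNT(*) FROM posts WHERE transferred = 0").fetchone()[0]


if __name__ == "__main__":
    store = open_store()
    feed = parse_atom(SAMPLE_ATOM, "vendor-atom")
    print("new on first poll :", ingest(store, feed))
    print("new on second poll:", ingest(store, feed))
    print(export_for_transfer(store))
```

Two choices matter for a tool that sits on the boundary of an isolated network: every query is parameterised, so analyst-controlled or feed-controlled text never reaches the SQL parser as code, and the transfer is a one-way export of plain data rows rather than a database link, which is what lets the MySQL side stay inside the LRNOC.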