Post on 02-Jun-2020
UNCLASSIFIED
TRACT: Threat Rating and Assessment Collaboration Tool
Robert Hollinger and Doran Smestad Advised by: George Heineman (WPI), Philip Marquardt (MIT/LL)
Worcester Polytechnic Institute Major Qualifying Project Presentation
October 16th, 2013
Group 51: Cyber Systems and Operations
This work is sponsored by the Assistant Secretary of Defense for Research & Engineering under Air Force Contract #FA8721-05-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United States Government.
TRACT - 2 RH, DS – 10/16/13 UNCLASSIFIED
Network Analyst
• Identify cyber vulnerabilities and threats
  – Threat: the possibility of a malicious attempt to damage or disrupt a computer network or system
• Take necessary steps to protect their network against such threats
• Sources of Information
  – Intrusion Detection System (IDS)
  – Intrusion Prevention System (IPS)
  – Server Logs
  – Online Sources
• Analyst Tools
  – Tools exist to process many of these sources (e.g. Splunk)
  – However, no tool exists to process the noisy online source data
Problem Area - Sources
Sources of Information: Security Updates, Blogs, Reported Vulnerabilities
Example sources shown on the slide:
Bruce Schneier
ZDNet
Microsoft
Apple
MITRE
Rapid7
Mandiant
McAfee
BAE
Intel
Symantec
Comodo
Verisign
Tenable
Sophos
RSA
Goal: Determine which threats apply to us
Background
LLAN
– Lincoln Research Network Operation Center (LRNOC)
  • Holds Lincoln Laboratory Network Data
  • Research Environment to Build Better Cyber Tools
  • Isolated Network
– Lincoln Laboratory Cyber Situational Awareness (LLCySA) Platform
  • Framework to query data from the LRNOC
Problem Statement
(Diagram: Sources → Analyst → Threats; the analyst asks “Is there a threat?”. Numbered callouts on the diagram:)
1,2 – Analysts receive large amounts of data from online sources.
3,4 – Analysts review source data for possible threats.
5,6 – Analysts can query LLCySA to determine relevance.
Analysts are required to manually review, search, sort, and organize data.

TRACT: Threat Rating and Assessment Collaboration Tool
(Diagram: Sources → TRACT → Analysts → Threats; the analysts ask “Is there a threat?”. Numbered callouts on the diagram:)
1,2 – Analysts search data held by TRACT
3,4 – Analysts query LLCySA to determine relevance
TRACT allows Analysts to collectively process more data with less noise.
Information Retrieval
Information Retrieval: Location of relevant documents from a corpus of information
Regular Expression: Sequence of characters describing a text pattern
Examples:
– (Firefox)
– (Firefox)|(Chrome)
– (Firefox).{0,5}(4)
– ([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})
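The retrieval-plus-refinement idea of this slide, as an added example that is not TRACT's own code: the slide's four regular expressions are run over a constructed set of ingested posts, and a second step drops hits that analysts have rated irrelevant. The post corpus and the shape of the rating data are assumptions; the slides do not show TRACT's schema.

```python
import re

# Constructed sample posts standing in for ingested RSS/Twitter items (not real data).
POSTS = [
    {"id": 1, "source": "rss", "text": "Firefox 4.0.1 fixes a critical use-after-free bug"},
    {"id": 2, "source": "twitter", "text": "Chrome update rolls out to stable channel"},
    {"id": 3, "source": "rss", "text": "Scanner seen from 203.0.113.45 probing port 22"},
    {"id": 4, "source": "rss", "text": "Weekend sale on laptops, nothing security related"},
    {"id": 5, "source": "twitter", "text": "Patch now: Firefox and Chrome both affected"},
]

# The slide's example patterns. {0,5} allows up to five characters between
# "Firefox" and a "4", so "Firefox 4.0.1" matches but "Firefox and Chrome" does not.
PATTERNS = {
    "firefox": r"(Firefox)",
    "browser": r"(Firefox)|(Chrome)",
    "firefox4": r"(Firefox).{0,5}(4)",
    "ipv4": r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})",
}


def search(posts, pattern):
    """Return (post id, matched text) for every post the pattern hits."""
    rx = re.compile(pattern)
    hits = []
    for post in posts:
        m = rx.search(post["text"])
        if m:
            hits.append((post["id"], m.group(0)))
    return hits


def refine(hits, ratings):
    """Drop hits that analysts have rated irrelevant.

    ratings maps post id -> {analyst name: True (relevant) / False (not)};
    this assumed shape stands in for TRACT's refinement data. A post rated by
    several analysts is kept only if all of them agree it is relevant; unrated
    posts are kept so nothing is hidden before anyone has looked at it.
    """
    kept = []
    for post_id, matched in hits:
        votes = ratings.get(post_id, {})
        if votes and not all(votes.values()):
            continue
        kept.append((post_id, matched))
    return kept
```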
Design Considerations (LLAN)
– Transfer of Information
– Permanent Storage of Information
– User Interface communication with the database
– Collaboration between Analysts
User Interface - Welcome (screenshot)
User Interface - Search (screenshots)
User Interface - Refine (screenshots)
User Interface - LLCySA (screenshots)
[Chart: “Use of Firefox in Lincoln Laboratory”; x-axis: Browser Version (Firefox 5.0, 4.0, 3.6, 3.0); y-axis: Percent of Users, 0 to 40. Example Purposes Only, Not Actual Data.]
User Interface - Dashboard (screenshots)
Evaluation
Analysts
– Dedicated display to show our Dashboard in the LRNOC
– Ingestion of user refinement data into the LLCySA platform
– Received positive reaction from Analysts and they plan to use it in their work
Conclusion
– Identified a gap in the analyst toolset
– Developed system to assist analysts in the process of gaining relevant threat information from online sources
– Reviewed system with analysts
Future Work
Full Graphing of Refinements
Advanced Information Retrieval
Full integration with LRNOC
Acknowledgements
Philip Marquardt, MIT/LL Advisor, LRNOC Lead
George Heineman, WPI Advisor
David O’Gwynn, LLCySA Technical Staff
Kathleen Haas, MQP Coordinator
Ted Clancy, WPI Project Site Lead
Backup Slides
System Flow of Information (diagram)
Sources (Twitter, RSS, Atom) → Ingester → SQLite → DB Transfer (LRNOC) → MySQL → Application
Application steps: User Login → User Queries → Display Posts → Refine Query