Michael Farry, Charles River Analytics, mfarry@cra.com PRIMARY
Robert Stark, Charles River Analytics, bstark@cra.com
Arthur Wollocko, Charles River Analytics, awollocko@cra.com
Michael Borys, Charles River Analytics, mborys@cra.com
Student Team: NO
Video:
Answers to Mini-Challenge 1 Questions:
MC 1.1 Create a visualization of the health and policy status of the entire Bank of Money enterprise as of 2 pm BMT (BankWorld Mean Time) on February 2. What areas of concern do you observe?
To monitor system health, the CIO of Bank of Money (BOM) needs to understand the policy compliance of computers on the network and to find unusual computer activities. Policy compliance matters because computers that do not adhere to BOM policies on software updates and security patches are more vulnerable to attack, while unusual computer activities may be signs that an attack is currently taking place. The CIO opens his geospatial display at 2 PM BMT, which shows the current policy compliance level of each region: red indicates a significant presence of poor compliance, yellow indicates lower levels of poor compliance, and green indicates satisfactory compliance. To find out more, the CIO clicks on region 9 and sees that, while the vast majority of its computers comply with BOM's security policy, thousands suffer from moderate policy deviations, at least a hundred suffer from severe policy deviations, and five suffer from critical policy deviations, a major security threat (see Figure 1).
Figure 1: Regions 3, 4, 5, 7, 9, and 36 are red, indicating they may be policy compliance areas of concern
The CIO can also view individual computer clusters around the world, where the size of each cluster is based on the number of computers it represents. If the CIO highlights the clusters that have invalid login attempts, he notices that every cluster in region 9 does, because their markers turn from green to blue. He zooms out and sees that repeated invalid login attempts are common throughout the eastern region of Bank World. To find computers that may have a virus or suspicious files, which may be the cause of the invalid login attempts in eastern Bank World, the CIO highlights the clusters that contain a computer with policy status 5. He finds one in the northwest of Bank World, in region 36 (see Figure 2).
Figure 2: The critical policy deviation is in region 36, far away from the invalid login attempts
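The regional traffic-light roll-up and the status-5 search described above, as an added example that is not part of the submission or its tool. The record layout, the meaning of status codes other than 5, and the red/yellow thresholds are assumptions; the snapshot is constructed.

```python
from collections import Counter, defaultdict

# Assumed meaning of the numeric policy status. The write-up only names
# moderate, severe and critical deviations and "5 = virus or suspicious files".
STATUS_LABEL = {1: "healthy", 2: "moderate", 3: "severe", 4: "critical", 5: "virus/suspicious"}

# Constructed sample snapshot at one point in time:
# (region, machine_id, policy_status, had_invalid_login_attempt)
SNAPSHOT = [
    (9, "m1", 1, True), (9, "m2", 2, True), (9, "m3", 3, True), (9, "m4", 4, False),
    (36, "m5", 1, False), (36, "m6", 5, False),
    (12, "m7", 1, False), (12, "m8", 1, False), (12, "m9", 1, False),
    (12, "m10", 1, False), (12, "m11", 2, False),
    (20, "m12", 1, False), (20, "m13", 1, False),
]


def summarize(snapshot):
    """Per-region count of each policy status plus machines with invalid logins."""
    by_region = defaultdict(lambda: {"status": Counter(), "invalid_login": 0, "total": 0})
    for region, _mid, status, invalid in snapshot:
        r = by_region[region]
        r["status"][status] += 1
        r["total"] += 1
        if invalid:
            r["invalid_login"] += 1
    return dict(by_region)


def region_color(summary, poor_share_red=0.25):
    """Traffic-light rule with assumed thresholds: red if any machine is critical
    or suspected infected, or if at least poor_share_red of the region deviates
    from policy; yellow if any machine deviates at all; green otherwise."""
    poor = sum(c for s, c in summary["status"].items() if s >= 2)
    if summary["status"][4] or summary["status"][5] or poor / summary["total"] >= poor_share_red:
        return "red"
    return "yellow" if poor else "green"


def find_status(snapshot, wanted):
    """Machines whose policy status equals `wanted`, e.g. 5 for suspected infection."""
    return [(region, mid) for region, mid, status, _ in snapshot if status == wanted]


def regions_with_invalid_logins(summary):
    """Regions (sorted) where at least one machine saw invalid login attempts."""
    return sorted(r for r, s in summary.items() if s["invalid_login"])
```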
MC 1.2 Use your visualization tools to look at how the network’s status changes over time. Highlight up to five potential anomalies in the network and provide a visualization of each. When did each anomaly begin and end? What might be an explanation of each anomaly?
Did not attempt.