Cyber Situational Awareness

Project Details

Wed 30, Jun 2010
Sat 13, Jul 2013
Northrop Grumman
  • PHP
  • MySQL
  • (X)HTML
  • CSS

What is Cyber Situational Awareness?

Cyber Situational Awareness (CSA) is ordinary situational awareness applied to the cyber domain. Having an accurate understanding of the situation at hand is crucial for making important decisions in real time, and in cyber warfare that knowledge is just as important as it is on a physical battlefield. The idea of CSA is for an analyst or commander to quickly understand the events happening on their network, so that they can make the decisions needed to react correctly.

The Standard Approach

Many existing tools that attempt to provide Cyber Situational Awareness use geolocation data to place IP addresses on a geographical map; however, this is a weak way to present the information, for several reasons:

  1. Geolocation look-ups of IP addresses are not very accurate, and are often off by several miles or more.
  2. Placing an IP address on a map by its physical location communicates no functional or otherwise useful information to the analyst.
  3. The approach is limited to publicly routable IP addresses; for private address space you have to supply your own location data.

There are other significant flaws in restricting oneself to this approach, yet the basic premise of mapping cyber space holds promise.

What We Change

With CSA we provide an improved solution to this problem. By keeping the ease of understanding that comes with maps, but removing the geospatial information and replacing it with more relevant data, we create functional and relevant visualizations of computer networks. Our approach to scalable IP-space visualization organizes the one-dimensional IP space into hierarchical tiers, each represented as a two-dimensional space or map. Using tiling, layers, and zoom/pan, the tool lets analysts navigate this custom-generated map of the network. Such maps can be generated from any network using whatever hierarchy fits the mission at hand, which allows fully realized mappings of private networks.

Scalability is also a prime concern for this application, so, using commercial data, we have run the entire IPv4 space through our mapping algorithm to produce a map of the entire internet, covering just under 4.3 billion (2^32) unique IP addresses. At the other end of the scale, the application must also cleanly display much smaller customer networks, so we have developed algorithms to ensure the visualization looks just as good for a network of a few hundred IPs as for a few billion.
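The page does not spell out how the one-dimensional IP space is folded into tiers, so the following is an added example of one such layout, written for this page and not CSA's own code: each octet of an IPv4 address selects a cell on a 16 x 16 grid nested inside the cell chosen by the previous octet, giving four zoom levels in which a /8 is one tile at zoom 1 and a /32 is one tile at zoom 4. The function names, the nibble-to-row/column convention and the sample address list are all assumptions of the example.

```python
"""Hierarchical tiling of IPv4 space onto a 2D map (added example; assumed layout).

Tier k (zoom level k, 1..4) lays out octet k of the address on a 16 x 16 grid
nested inside the cell selected by octets 1..k-1, so the map at zoom z is a
16**z by 16**z grid of tiles, and a single /32 is exactly one tile at zoom 4.
This layout is an assumption of the example, not CSA's algorithm.
"""
import ipaddress
from collections import Counter

GRID = 16  # an octet's high nibble selects the row, its low nibble the column


def tile_coords(ip, zoom):
    """Return (x, y) of the tile containing `ip` at `zoom` (1..4)."""
    if not 1 <= zoom <= 4:
        raise ValueError("zoom must be 1..4 for IPv4")
    x = y = 0
    # Only the first `zoom` octets matter at this tier; deeper octets are inside the tile.
    for octet in ipaddress.IPv4Address(ip).packed[:zoom]:
        row, col = divmod(octet, GRID)
        x = x * GRID + col
        y = y * GRID + row
    return x, y


def natural_zoom(network):
    """Smallest zoom level at which `network` fits in a single tile (0 for /0)."""
    net = ipaddress.IPv4Network(network, strict=False)
    return (net.prefixlen + 7) // 8


def tile_bbox(network, zoom):
    """Rectangle (xmin, ymin, xmax, ymax) of tiles covering `network` at `zoom`.

    A CIDR block is an aligned, power-of-two run of values in one octet (and
    all values in the octets below it), so in this layout it always covers an
    axis-aligned rectangle; the first and last addresses give the corners.
    """
    net = ipaddress.IPv4Network(network, strict=False)
    xmin, ymin = tile_coords(net.network_address, zoom)
    xmax, ymax = tile_coords(net.broadcast_address, zoom)
    return xmin, ymin, xmax, ymax


def tile_count(network, zoom):
    """Number of tiles a network occupies at `zoom` (1 when zoom <= natural_zoom)."""
    xmin, ymin, xmax, ymax = tile_bbox(network, zoom)
    return (xmax - xmin + 1) * (ymax - ymin + 1)


def density(ips, zoom):
    """Count observed addresses per tile; this is what a heat layer would render
    when a customer network of a few hundred hosts is viewed at a coarse zoom."""
    return Counter(tile_coords(ip, zoom) for ip in ips)


# Constructed sample input: a small internal /24 plus two external addresses.
SAMPLE_IPS = [f"10.1.4.{i}" for i in range(1, 201)] + [
    "10.1.5.7", "198.51.100.9", "203.0.113.42",
]

if __name__ == "__main__":
    print("10.1.4.200 at zoom 4 ->", tile_coords("10.1.4.200", 4))
    print("10.1.4.0/22 at zoom 3 ->", tile_bbox("10.1.4.0/22", 3), tile_count("10.1.4.0/22", 3), "tiles")
    print("whole IPv4 space at zoom 4 ->", tile_count("0.0.0.0/0", 4), "tiles")
    for z in (1, 2, 3, 4):
        print("zoom", z, "->", len(density(SAMPLE_IPS, z)), "occupied tiles")
```

The same address-to-tile function serves both extremes described above: the full IPv4 space is 65536 x 65536 tiles at zoom 4, while the 203 sample hosts collapse to three occupied tiles at zoom 1 and four at zoom 3, which is the aggregation that keeps a small network readable on the same map.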

Early Development

When I joined the CSA team, the project had already been running for a year. During that time much had changed from the original vision, and the new goal was to move to a web-based application instead of the Java thick client it had been written as. One of the first things I did was mandate the use of SVN and spin up a development server for the team to work on, since until then all editing had been done on a single production server copy without any version control. Once a basic sense of order had been established, I set about porting the core of the application. At that point CSA was split between PHP and Java; I refactored all of the Java code into PHP, producing a dramatic speed-up in database search time as well as a consistent codebase.

CSA Matures

Once I had restored base functionality to the application by completing the port, and thereby gained a thorough understanding of the project, I began a second refactoring to move the code base to PHP5 classes. The goal was a more structured code base built on a dynamic model-based system that could be easily extended: the first step in developing a framework. While creating these models I also wrote full unit tests for them, providing a quick way to ensure that no regressions enter the application.

When I joined the team the application had no concept of users or permissions. Using the new models I was able to quickly build a user- and group-based permission system that lets administrators add and remove users from groups, grant groups access to specific maps, and lets users share their custom uploaded files with other members of their group.

To speed up loading of user-uploaded files into the visualization, I created a background process that generates cached versions of every file a user uploads into CSA, allowing near-instant rendering of the points onto a map. CSA also needed to handle dynamic data sources, so I developed a generic feed reader that is easy to extend with additional data formats; currently CSA can obtain, process, and display data on the maps through Network Links (polling of remote files) or through JMS services.

Because the tool is meant to work with many different sources of data and integrate into different projects, I created a full plugin feature set that allows additional functionality to be installed into CSA through RPM packages without modifying the core code base at all. One requirement for the plugin system was a way to issue C2 (Command and Control) messages to other services so that they can take specific actions to defend or attack a particular computer. To accomplish this I built a system that lets the user issue predefined commands to other applications over JMS and then be informed of the results through visual changes to icons and new notifications. These predefined C2 messages, along with the actions and responses they allow, are created and defined in the external plugin, using a basic framework to integrate into the main CSA tool.

Additionally, the application needed to be quick to deploy, so I wrote an installer for the tool using RPMs hosted in a private YUM repository that I set up. This also required several scripts to manage the install, as well as a wizard in the application itself to collect some required information from the user. At the same time I set up a Jenkins build server to manage the packaging of new CSA releases, regenerate the code documentation with NaturalDocs, build a combined and minified version of the JavaScript with Google Closure, and run the unit tests.

Leading Development Forward

As the project matured I moved into the lead engineer position for the team and took on additional responsibilities: managing fellow team members through tasking and mentorship, serving as the point of contact for other teams interested in using CSA's capabilities, and giving demos to potential customers.

CSA has now been successfully integrated into several other projects that Northrop Grumman is developing, and the future seems bright for new contracts.