Written by: Katherine MacGilvray May 22, 2018 UAH students Justin Cole, Iain Deason, Kris Khemphavanh, and Kyle O’Rear (l-r), led by associate professor of information systems Dr. Ravi Patnayakuni, placed in the top 10 at the 2018 National Cyber Analyst Challenge and Conference. Michael Mercier | UAH A team of four students from The University of Alabama in Huntsville (UAH) were among 10 finalists selected to participate in the third annual National Cyber Analyst Challenge and Conference (NCAC) this past spring: Justin Cole, Iain Deason, and Kyle O’Rear, master’s candidates in an interdisciplinary cybersecurity program offered by the Colleges of Business, Science, and Engineering; and undergraduate information systems major Kris Khemphavanh. The competition, which encourages the development of strategic skills involving analysis, threat identification, and mitigation planning, is a joint initiative by Leidos, NBCUniversal, Vanguard, Pfizer, and the Institute for Business and Information Technology at Temple University. Cole says the team was drawn together "like bees to honey" after receiving an email about the competition from Dr. Ravi Patnayakuni, an associate professor of information systems. Each saw it as an opportunity to showcase the skills they had developed, get valuable hands-on experience, and learn from their fellow teammates. In December, the four students submitted their resumes and a statement of interest that highlighted their cybersecurity backgrounds. They were then selected from the pool of applicants by Dr. Patnayakuni, who has served as the UAH team’s faculty advisor since the challenge’s inception in 2015. "Then," says Cole, "we had to wait." The team members would not receive their case analysis, the first phase of the three-phase competition, until February. "We had to wait for the NCAC to develop the real-world materials we would be analyzing and we had no idea what that was going to entail." Thanks to their cybersecurity expertise, the UAH team was able identify the source of a hypothetical network breach using tools and methodologies like MITRE ATT&CK and Cyber Kill Chain®. NCAC It was nerve-racking, but the team wasn’t idle. They reached out Kell Rozman, a UAH graduate who had led his team to the finals of the 2015 NCAC competition in Washington, D.C. While there wasn’t anything they could study beforehand without knowing case specifics, Rozman did offer some pointers. "He gave us some ideas on approaches, tools to use, and some frameworks to look at when it came to putting together the presentation we would submit for phase one," Cole recalls. On Feb. 1, the team received their challenge. The invented case revolved around an individual, concerned about a potential breach in their company’s network, who submitted a ticket to the IT help desk that said network traffic was moving slowly. "And that was all the information we got," says Deason. "That synopsis and, I think the technical term is, a ‘boatload’ of files." That "boatload" consisted of about 210 GB worth of data, including system images, memory dumps, and network traffic updates. With teams across the country simultaneously trying to access the data, the system froze and the UAH team was unable to get the necessary materials until three days after the challenge started. With only two weeks to examine the data, that loss of time was critical. "Thankfully, the NCAC extended the deadline because of the delay," Deason says. With their dataset finally in hand, the team hit the ground running, taking a divide-and-conquer approach. "We had four computers to look at that were basically images of four separate workstations, and there are four of us, so we each took one," explains Cole. "That worked out well." Now, they had to figure out what went wrong. "The case presented a real challenge because none of us had a forensics background," explains O’Rear, who served as the team lead. "So we had to learn many different tools and methodologies, like MITRE ATT&CK and Cyber Kill Chain®, in very little time." As a result, adds Deason, "a lot of it came down to learning as you go – just sitting down with the problem at hand and trying to figure it out." Working around the clock – and course schedules and jobs – the team was able to attribute the network slowdown to the intrusion of a malicious actor who was exfiltrating data and maintaining a connection to the company’s network. They compiled the results of their investigations into a case analysis template supplied by the challenge organizers. "The deliverable for the first phase of the competition was a PowerPoint presentation that explained our findings, the tools we used, where and how we found evidence of the intrusion, and the team’s proposed solutions," explains O’Rear. A panel of judges consisting of cybersecurity industry experts critiqued their findings and rated them on presentation, incident analysis/content, and technical skills. The UAH team received an exemplary score in all three categories and was awarded $10,000 by the NCAC for qualifying. They then moved on to the next two phases of the competition: an advanced-training workshop, during which they were mentored by cybersecurity professionals, and the final competition, which took place April 12-13 in Philadelphia. While they didn’t end up winning the latter two, the team members are quick to offer encouragement and advice to other UAH students who may be interested in competing in future challenges. "Don’t let the time commitment intimidate you," says Cole. "You aren’t going to get that kind of experience anywhere else." Khemphavanah seconds this, and as the team’s only undergraduate, offers his "rookie" perspective. "You just have to put in your part and keep up," he says. "No problem is too big." Learn More UAH Center for Cybersecurity Research and Education UAH Graduate School Contact Information Systems 256.824.6680 mgt.mkt.is@uah.edu