Technically, I introduced Sara near the end of book one, similar to how I introduced the major character of book three near the end of book two. I’m consistent like that. This is Sara’s introduction in the second chapter of Full Spectrum Cyberwar.
SARA Thomas was a serious-minded sixteen-year-old. With two years of high school behind her, her petite 5’1”, 95-pound frame led people to guess she was only headed into 8th grade. She got her share of double takes during night classes for the college level calculus she attended Tuesday and Thursday nights at Austin Community College. Most boys considered her pretty, but she didn’t know that. She wasn’t so dorky as to wear over-sized glasses, her specs were hip wireframes, but she’d yet to start thinking about boys. Sara’s focus was elsewhere.
This was her second month working at Response Software, in their modern office complex off Loop 360, overlooking Lake Austin. She got the job after meeting a Captain Calvert of the U.S. Cyber Command, the previous summer while attending a Black Hat conference in Las Vegas with her father. Captain Calvert, now a major, stayed in touch with her father, and Calvert’s wife K.C., who worked for the cybersecurity forensics firm, offered Sara the job in May.
She expected today to be like all the others. Jen, her team lead and official mentor as the only other female on-site, tended to sit down with her around 10 am on Wednesday mornings to teach her a new software tool. Software that Jen referred to as being part of their forensics toolkit or stack, which implied a set of tools that all work together.
Sara was in her cube before 8 am, reading her email. She had one marked urgent from Justin Peters, whom she understood to be pretty high up in the firm, one of the partners. Sara had never received an email before with the urgent flag set. She read it first.
Jen tells me you’re up to speed on the ELK stack. That’s awesome. I need you to query these 45 days worth of server logs six ways from Sunday and let me know if you find any interesting patterns. If you have time, download this server image too and compare it against the standard image we already have. I need your findings by EoD.
Sara googled “six ways from Sunday.” Oh, he wants an exhaustive search. Fun. Next, Sara googled “EoD.” My end of day or his?
Sara detached the archived file from the email, saved it to her hard drive, then decompressed it to find a trove of over a thousand log files from thirty-three separate servers. She added these logs to the data lake she had been building as part of her internship. That data store was comprised of massive storage in the Amazon cloud offering termed AWS S3 for Amazon Web Services Simple Storage Service.
She began to study the files by scrolling through their file names. It was apparent there were thirty-three different servers, as their hostnames contained unique numbers, each with forty-five logs, and that each log captured data over a twenty-four hour period. Fourteen hundred and eighty-five server logs.
She opened up all the logs at once using her ELK stack to color code each unique data point over the entire forty-five days. Her program determined the normal range of readings based on statistical analysis, and illustrated meaningful deviations from the norm with the colors. Color patterns emerged across most of the data points, for each server, on each day, until the final hour. Maybe that’s normal and the final day’s readings are anomalous because Justin didn’t get a full day?
Sara drilled down into the data points by clicking on them. The logs contained readings that she didn’t understand. She did understand each row of data was timestamped every thirty seconds. And she caught visually, by the color-coded representation, that the readings were entirely identical across each of the thirty-three servers, until the final hour of the last day. Her guess was that the data points flagged by her pattern-matching software should probably be more random, like the final hour readings.
She googled wind farms and stumbled upon some information from the Department of Energy that explained the readings to her. “rev/s” referenced the rotation of the turbine in revolutions per second. “m/s” was a meters per second reading of the wind speed. There were other readings for power output and pitch. Every color-coded reading was identical, until the final hour, as if all thirty-three servers were running the same control program. Sara wasn’t deep enough in her knowledge of this tech to know to what extent these systems were machine controlled, but clearly, windspeed came from nature and would have to be random.
She spent more of her time reading online details of how wind farms operated than reviewing the logs themselves. The ELK stack did all the log analysis for her within a few minutes. The real effort was in understanding the significance of her findings. She also had time to download the server image from a link included in Justin’s email, and run the compare. Sara emailed her findings back to Justin before her 10 am meeting with Jen.