After our Fortune 80 client was impacted by the NotPetya ransomware, our firm prepared several recommendations to improve their cyber defense posture. Our recommendation was to build a CyberFusion Center (CFC), which is Booz Allen Hamilton’s proprietary approach to establishing cohesive cybersecurity functions. As part of the resiliency effort, my responsibility was to co-lead the design and operation of the Threat Defense Operations (TDO) cybersecurity function. TDO is responsible for proactively and reactively looking for patterns of malicious activity within the environment, analyzing gaps in the visibility provided by existing security controls, and engineering solutions to close the gaps that are found.
Roles and Responsibilities:
- TDO Design – TDO was a new function for the client. Design work required identifying the cybersecurity tools already in the environment and ensuring they were tuned and configured to support threat hunting. For example, Splunk, used as the SIEM, needed additional indexers and additional storage to extend its data retention limits.
- Threat Hunting – Threat hunting required proactively and reactively looking for patterns of malicious activity within the environment. This process involves reviewing log sources such as web proxy logs, Windows authentication logs and AV logs to identify events that indicate malicious activity.
- Splunk Content Development – The client’s SIEM was Splunk, and it contained minimal dashboards for cybersecurity use cases. Content development required creating custom searches and dashboards for continuous monitoring of, and alerting on, malicious activity. For example, excessive attempts to reach an IP address blocked at the firewall, which may indicate C2 activity.
- Security Control Gap Analysis – As threats are identified in the organization, how far each threat can be investigated is limited by the security controls in the environment. Gaps in visibility were documented, and business cases were created for onboarding additional tools and/or tuning existing security tools to enhance TDO capabilities.
- Fusion with Other Cybersecurity Functions – The TDO function accepts input from both the Cyber Threat Intelligence (CTI) and Incident Response (IR) teams to enhance threat hunting efforts. As threat intelligence arrives from CTI, TDO runs broad hunts on the Indicators of Compromise (IOCs) provided to confirm that the associated malware campaigns are not active in the local environment. As the IR team handled and contained malware outbreaks, the TDO team performed additional hunting on the impacted endpoint(s) to ensure that all IOCs were captured and that no malicious activity beyond what the IR team observed went undetected.
- SME for IR Team Members – As the IR team identified malware events, incidents beyond their scope were escalated to the TDO team for advanced handling.
- Python Scripting for Hunting Automation – Python scripting was used to automate IOC hunting. As IOCs arrived from the CTI team (domains, IPs, email addresses, etc.), hunts were initially performed manually to confirm that no related malicious activity was present in the environment. To automate this process, I created a Python script that parses lists of IOCs and connects to the Splunk API to launch the relevant searches. This automation cut down on manual IOC hunting and allowed the TDO team to focus on other areas such as content development and improving detection logic within the existing security controls.
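The "excessive attempts to reach a blocked IP" use case from the Splunk Content Development item above, modelled as detection logic run over a handful of constructed firewall deny events. This is an added example, not the client's Splunk content: the key=value log format, the index and field names in the SPL string, the 15-minute window and the threshold of five hits are all assumptions chosen for illustration.

```python
"""Beaconing-style detection: one internal host repeatedly hitting one blocked destination."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall deny/allow events (assumed key=value format).
# One host (10.1.5.23) retries the same blocked destination every ~30 seconds,
# which is the pattern the alert is meant to surface; the other host is noise.
SAMPLE_FIREWALL_LOGS = """\
2024-05-01T10:00:01Z action=blocked src=10.1.5.23 dst=203.0.113.7 dport=443
2024-05-01T10:00:31Z action=blocked src=10.1.5.23 dst=203.0.113.7 dport=443
2024-05-01T10:01:02Z action=blocked src=10.1.5.23 dst=203.0.113.7 dport=443
2024-05-01T10:01:33Z action=blocked src=10.1.5.23 dst=203.0.113.7 dport=443
2024-05-01T10:02:04Z action=blocked src=10.1.5.23 dst=203.0.113.7 dport=443
2024-05-01T10:02:35Z action=blocked src=10.1.5.23 dst=203.0.113.7 dport=443
2024-05-01T10:03:00Z action=allowed src=10.1.5.23 dst=198.51.100.9 dport=443
2024-05-01T10:05:00Z action=blocked src=10.1.7.44 dst=203.0.113.7 dport=80
2024-05-01T11:30:00Z action=blocked src=10.1.7.44 dst=192.0.2.10 dport=8080
"""

# The same logic as a scheduled Splunk search (assumed index/field names) that
# can back a dashboard panel and an alert; the Python below mirrors it.
SPL_EQUIVALENT = (
    "search index=firewall action=blocked earliest=-15m "
    "| stats count min(_time) as first_seen max(_time) as last_seen by src dst "
    "| where count >= 5"
)


def parse_event(line):
    """Turn one key=value log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"_time": ts}
    for kv in parts[1:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def find_beaconing_candidates(log_text, threshold=5, window_seconds=900):
    """Return sorted (src, dst, count) tuples for every src/dst pair whose blocked
    attempts reach `threshold` inside any sliding window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    blocked = defaultdict(list)
    for e in events:
        if e.get("action") == "blocked" and "src" in e and "dst" in e:
            blocked[(e["src"], e["dst"])].append(e["_time"])
    hits = []
    for (src, dst), times in blocked.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((src, dst, best))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, count in find_beaconing_candidates(SAMPLE_FIREWALL_LOGS):
        print(f"ALERT {src} -> {dst}: {count} blocked attempts inside the window")
```

The sliding window matters: a host that hits a blocked address five times spread over a day is a different signal from one that does so in two minutes, and the threshold should be tuned against the environment's baseline before the search is promoted to an alert.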
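The IOC hunting automation described in the last item above, as an added example rather than the script the author built: it parses a CTI-style indicator list (including defanged and duplicate entries), groups the indicators by type, builds one batched Splunk search per type and submits each job through Splunk's REST search endpoint. The index and field names in `HUNT_TEMPLATES`, the 30-day lookback, bearer-token authentication and the sample feed are all assumptions; the HTTP call is injected so the flow can be exercised without a live Splunk instance.

```python
# IOC list -> typed groups -> batched SPL searches -> Splunk search jobs.
import ipaddress
import json
import re
import urllib.parse
import urllib.request

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# Constructed sample of a CTI hand-off; none of these are real indicators.
SAMPLE_IOCS = """\
# constructed feed for illustration
203.0.113.45
hxxp://bad-updates[.]example/payload.bin
evil.example
bad-updates.example    # duplicate once defanging is undone
phish@mail.example
not an indicator
"""


def classify_ioc(value):
    """Return 'ip', 'email', 'domain' or 'unknown' for one indicator string."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)          # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if EMAIL_RE.match(v):
        return "email"
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


def parse_ioc_list(text):
    """Group indicators by type. '#' starts a comment, defanged forms are
    normalised, URLs are reduced to their host and duplicates are dropped."""
    groups = {"ip": [], "email": [], "domain": [], "unknown": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        line = line.replace("[.]", ".").replace("hxxp", "http")
        line = re.sub(r"^https?://", "", line).split("/")[0]
        kind = classify_ioc(line)
        if kind != "unknown":
            line = line.lower()
        if line not in groups[kind]:
            groups[kind].append(line)
    return groups


# Assumed index and field names; each search starts with 'search' because
# the REST endpoint expects a complete search string.
HUNT_TEMPLATES = {
    "ip": "search index=proxy OR index=firewall (src_ip IN ({v}) OR dest_ip IN ({v})) "
          "earliest=-30d | stats count by index src_ip dest_ip",
    "domain": "search index=proxy OR index=dns (url IN ({v}) OR query IN ({v})) "
              "earliest=-30d | stats count by index src_ip url query",
    "email": "search index=mail (sender IN ({v}) OR recipient IN ({v})) "
             "earliest=-30d | stats count by sender recipient subject",
}


def spl_quote(value):
    """Quote one value for SPL, escaping backslashes and double quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_hunts(groups, batch_size=50):
    """Return (kind, spl) pairs. Large feeds are split into batches so no single
    search carries thousands of IN() terms; domains are wildcarded to match inside URLs."""
    hunts = []
    for kind, template in HUNT_TEMPLATES.items():
        values = groups.get(kind, [])
        for i in range(0, len(values), batch_size):
            batch = values[i:i + batch_size]
            if kind == "domain":
                batch = ["*" + d + "*" for d in batch]
            hunts.append((kind, template.format(v=", ".join(spl_quote(b) for b in batch))))
    return hunts


def launch_search(spl, post):
    """Submit one search job and return its SID. `post(path, form) -> bytes` is
    injected so this can run offline against a fake transport."""
    body = post("/services/search/jobs", {"search": spl, "output_mode": "json"})
    return json.loads(body)["sid"]


def splunk_poster(base_url, token):
    """Build a poster for a real deployment using a Splunk authentication token (assumed)."""
    def post(path, form):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     data=urllib.parse.urlencode(form).encode(), method="POST")
        req.add_header("Authorization", "Bearer " + token)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read()
    return post
```

Returning the job SIDs rather than results keeps the launcher simple: a follow-up step polls `/services/search/jobs/<sid>/results` once each job completes, and the `unknown` bucket is reported back so malformed feed entries are not silently dropped from the hunt.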