Mongoose H4D 2021 Lessons Learned
Tags: business model, business model canvas, mission model, mission model canvas, customer development, hacking for defense, H4D, lean launchpad, lean startup, stanford, startup, steve blank, pete newell, bmnt, entrepreneurship, I-Corps, Security, NSIN, NSA, disposable infrastructure, cyber, Joe Felter, DOD
  1. Team Mongoose: Keertan Kini, Zoe Durand, Ricardo Rosales, Frances Schroeder (BS Symbolic Systems ’22, MBA ’22, MBA ’22, MBA + MPP; team roles: Hipster, Hustler, Hound, Hacker). 100 interviews. Problem Sponsor: National Security Agency, Cybersecurity Directorate.
     INITIAL PROBLEM STATEMENT: Enable the NSA to rapidly identify disposable infrastructure used in cyber-attacks.
     CURRENT PROBLEM STATEMENT: Democratize threat intelligence by providing an automatic “pivoting” solution.
  2. Over the past 10 weeks, we conducted 100 interviews (academic, commercial, government).
  3. Week 1: We didn’t fully understand the beneficiary or the problem statement...
     - What is the full mission of the NSA?
     - What data does the NSA have access to?
     - What is the organizational structure between the NSA and all the other agencies that it defends?
     - What is disposable infrastructure? How is it used by adversaries in an attack?
  4. Week 1: Since we didn’t know what “disposable infrastructure” was… we decided to start with the data where we could find it!
     - “The NSA does not have access to network data if it is domestic” - from Sponsor
     - “There is a clear reason for which the NSA doesn’t have access to that data - they should just work more effectively with the FBI” - from cyber-crime / cyber-security diplomat
     - “What is missing is the defense agreement to get the data, not the data itself.” - from sponsor & DoD representative
  5. We realized that the world was much more complicated than we had originally thought Confused mongoose Week 3
  6. Aha moment! Disposable infrastructure = servers leased through cloud providers Week 3
  7. Week 4: The interplay between agencies is even more complicated than we had originally thought! (Diagram: a malicious cyber actor uses disposable infrastructure from cloud providers, which is “already gone!” by the time defenders look; around it sit the NSA, CISA (Cybersecurity and Infrastructure Security Agency), the FBI, USCYBERCOM, private incident response companies, the cloud providers, DoD agencies in the National Security System, all agencies in the National Security System, and critical infrastructure / private companies.)
  8. The Mission Model Canvas had a lot of other players involved.
     KEY PARTNERS: NSA (analysts and expertise); DHS CISA; private sector; cloud provider Trust and Security Teams; FBI Cybercrime Division; private network security firms.
     KEY ACTIVITIES: Software engineering: identify common data for behavioral analysis of specific attacks; create analytics which plug into existing engines. Organizational: fast path for data sharing; security accreditation.
     KEY RESOURCES: Security clearance; IT security accreditation; examples of concerning malware for categorization and analysis; traffic data (labeled instances of disposable infrastructure).
     VALUE PROPOSITIONS (one or several of the following): reduce the time required to identify persistent infrastructure used by multiple malware installations; identify previously unidentified temporary infrastructure used by a malware installation and share it with cloud providers to shut down; reduce the time to serve data preservation notices to cloud providers to help attribution.
     BUY-IN & SUPPORT: Need IT approvals from NSA/CISA/FBI for their systems; need demand.
     DEPLOYMENT: 1. Back-end algorithm not running in real time as proof of concept. 2. Back-end algorithm running in real time (streaming). 3. Dashboard updated in real time, deployed to the cloud or on-prem and accessible to NSA/CISA/FBI stakeholders.
     BENEFICIARIES: Primary: cyber defenders at the NSA. Secondary: cyber investigators at the FBI. Tertiary: all entities that the NSA serves and the DoD in general.
     MISSION ACHIEVEMENT/IMPACT FACTORS: Our mission will be successful if we develop a scalable solution to help the NSA identify persistent infrastructure used by multiple malware installations in a timely manner.
     MISSION BUDGET/COST: Fixed: software design & engineering; helpdesk/support functions; labelling costs. Variable: subscription API usage for external tools, cloud computation/storage.
  9. Week 4: “Attack” can mean different things, and even the lifecycle of an attack is broad (prevention, incident response, attribution) - where could Mongoose help?
  10. Big identity crisis for the team! (Cartoon: a Mongoose team member boiling the ocean, circa Week 4, torn between prevention, attribution and incident response, with flocks of beneficiaries (NSA, DoD, critical infra, FBI) and the lighthouse of the teaching team.)
  11. Lightbulb moment! Disposable infrastructure isn’t in and of itself a problem, is it? “Attacks” isn’t specific enough. You need to narrow it down to a specific attack! “We were originally given a solution, not a problem.” Week 4
  12. Week 5: Pivot! Focus on a specific attack type: data exfiltration.
     Problem Statement
     WHAT: improve the early detection of nation-state data exfiltration cyber-attacks on the NSA corporate network conducted through ephemeral cloud infrastructure, where the initial attack vector is a zero-day or supply chain attack, by quickly identifying the C2 servers owned in full by the attackers.
     FOR WHOM: NSA cyber analysts as early adopters, later DoD agencies.
  13. To solve the problem of NSA’s access to domestic data, we decide to focus on the NSA as a corporate network Week 5 We still have a data problem...
  14. Intelligence and/or Firewall? Intelligence for signal analysis Firewall to instantly block malicious traffic Week 6
  15. At this point, we still weren’t sure that Mongoose could really bring anything to the table. Week 6
  16. Week 6: Despite the new problem statement, we hit a new low. We write an email to the teaching team outlining our concerns: “Our problem statement is either too broad, or too technical. People have tried to solve these problems for years, and it’s unclear what we might be able to contribute. ‘Redefine cybersecurity’ is better suited to a PhD in cybersecurity than to H4D. The NSA is a bit of a black box in terms of their processes and their prior attacks. Proxies don’t seem to be working either as no company seems keen to discuss the ways in which they’ve been breached.”
  17. We talk to our sponsor and have a breakthrough moment. What if I already had an indicator of compromise… and I asked you to find similar things?
  18. Major breakthrough: we redefine both the problem statement and the beneficiary WHAT: flag infrastructure on the public internet that “correlates” or “matches” to a known malicious infrastructure (seed) FOR WHO: NSA Discovery Team in conjunction with JFHQ-DODIN Network Defenders. Week 6
  19. Team Mongoose is back! Week 7
  20. We define a high-level product! Mongoose Intelligence will provide analysis automation through an entity matching API Mongoose entity matching API Malicious IP or domain Similar IP or Domain Week 7
  21. We learn that visualization seems to be a compelling product in and of itself for many beneficiaries. (Diagram: INPUT is the JFHQ-DoDIN network view - DoD Endpoint 1 and 2 talking to IP 1, IP 2, IP 3, IP 4 and the domains aws.com and XYZ.com; OUTPUT annotates each entity with country, date of first connection, account holder, number of connections, port and protocol.) “Love the visualization! It would be great if you displayed context and confidence scores.”
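As an added illustration of the “pivoting” idea on slides 18, 20 and 21 (example code written for this page, not Team Mongoose’s product): starting from one known-malicious seed indicator, rank other observed IPs or domains by the context attributes they share with it, and return a confidence score alongside the matching context, as the beneficiary quoted above asked for. The attribute weights, the three-day first-seen window and the inventory are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Entity:  # one IP or domain with the context attributes from the slide
    indicator: str
    country: str
    first_seen: date       # date of first connection seen from the network
    account_holder: str    # cloud/hosting account that owns it, per provider
    connections: int       # number of connections observed
    port: int
    protocol: str

# Assumed weights: a shared owning account is far stronger evidence than a common port.
WEIGHTS = {"account_holder": 0.4, "first_seen": 0.25, "port_protocol": 0.2, "country": 0.15}

def shared_context(seed, cand, window_days=3):
    """Return the attributes the candidate shares with the seed indicator."""
    ctx = {}
    if cand.account_holder == seed.account_holder:
        ctx["account_holder"] = cand.account_holder
    if abs((cand.first_seen - seed.first_seen).days) <= window_days:
        ctx["first_seen"] = cand.first_seen.isoformat()
    if (cand.port, cand.protocol) == (seed.port, seed.protocol):
        ctx["port_protocol"] = f"{cand.port}/{cand.protocol}"
    if cand.country == seed.country:
        ctx["country"] = cand.country
    return ctx

def pivot(seed, entities, threshold=0.5):
    """Rank entities correlating with the seed, each with its confidence and context."""
    hits = []
    for e in entities:
        if e.indicator == seed.indicator:  # never report the seed as its own match
            continue
        ctx = shared_context(seed, e)
        score = round(sum(WEIGHTS[k] for k in ctx), 2)
        if score >= threshold:
            hits.append({"indicator": e.indicator, "confidence": score, "context": ctx})
    return sorted(hits, key=lambda h: h["confidence"], reverse=True)

# Constructed sample inventory using documentation address ranges; not real data.
SEED = Entity("203.0.113.10", "NL", date(2021, 5, 3), "acct-7f3", 12, 443, "tcp")
INVENTORY = [
    SEED,
    Entity("203.0.113.27", "NL", date(2021, 5, 4), "acct-7f3", 9, 443, "tcp"),
    Entity("198.51.100.5", "NL", date(2021, 5, 5), "acct-2a1", 40, 443, "tcp"),
    Entity("192.0.2.77", "DE", date(2021, 4, 1), "acct-7f3", 3, 22, "tcp"),
    Entity("cdn.example", "US", date(2020, 1, 10), "cdn-major", 9000, 443, "tcp"),
]
```

The widely shared CDN-style host only matches on 443/tcp and never reaches the threshold, which is the point of weighting common attributes low; an analyst reviewing the hits sees exactly which attributes produced each score.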
  22. Why hadn’t the NSA ever built this before? They might have. Legal framework Large siloed organization? Week 8
  23. We start to understand more about the details of the specific data sources and systems that we would need to plug into “Nobody is doing anything with all the log data that is produced by Akamai on DoD networks.” “You should plug into Acropolis that is already doing data collection. DMA is already dumping several terabytes of logs per day. Basically all of the DoD is feeding in data.” -- Defense Digital Service Week 9
  24. With our MVPs, we got good signal that this is something that is interesting to the NSA Discovery Team “There are rules against me saying we would purchase this. But this is a problem, and it needs to be solved ASAP.” -- NSA CSD TD Week 9
  25. Several types of potential customers Small/Medium Enterprises NSA/JFHQ-DODIN Telecoms Week 10
  26. We’re still thinking about whether or not we want to continue on the project after the class. Week 10
  27. Thank you to everyone who made this possible! Special thanks to:
     ● Neal Ziring, NSA CSD Technical Director
     ● Jennifer Quarrie and Jason Chen
     ● Our defense mentor
     ● H4D TA Joel Johnson
     ● The entire H4D teaching team
     ● Our 100 interviewees
     Team Mongoose (Keertan Kini, Zoe Durand, Ricardo Rosales, Frances Schroeder). Problem Sponsor: National Security Agency, Cybersecurity Directorate.

Editor's Notes

  • Disposable infrastructure - didn’t quite know what it meant, but then decided it sounded interesting and wanted to dive deeper

    “If it sounds ambiguous to you, it sounded the same to us as well :)”
  • 5 second slide
  • First three questions might seem obvious to people working in the govt or agencies, but we’re Stanford students - remind them who we are :)

  • We don’t know what disposable infrastructure is, but let’s start with the data! Make the data <> infrastructure link clear in the title. Current title is subtitle. Cartoon of someone looking under rocks :)
  • The NSA is severely restricted in what they can look at in terms of US person information (including IP addresses)
  • I can’t tell what this means -> Say: we are thinking of continuing, looking for some advice
  • Can we add Rachel?
