My name is Jim Lee and I’m currently entering my fourth year as a computer-science undergraduate at UC San Diego. This past summer, from June 2017 to August 2017, I was hired by the folks at Haight Bey & Associates LLC (HBA) as a “Cybersecurity Technician Intern” to perform various duties related to configuration management and the development of novel tools. I met the president of the company, Aliahu Bey, at the SANS Security West training conference in San Diego, CA. We exchanged contact information by the end of the event and eventually I was offered an exciting opportunity: to become their first cybersecurity intern. What followed was an intriguing experience in which I applied problem-solving, engineering, and analytical techniques to complete projects related to the company’s work in providing cybersecurity services. The rest of this blog post highlights the accomplishments of my internship and how they have helped create a solid foundation for my knowledge of the cybersecurity field.
At a high level, the internship consisted of three different projects:
- Imaging ruggedized laptops with a custom Windows patching solution
- Developing and implementing a novel network monitoring solution targeted at small/mid-sized businesses
- Formally evaluating this network monitoring solution in terms of practicality and economic viability for small/mid-sized businesses
The process of individually imaging laptops was a surprisingly fulfilling experience. The lead cybersecurity engineer, Adam Austin, clarified the different levels of software we would be installing on these machines. This gave me a coherent understanding of how the specific software configurations would uphold the principle of least privilege. Furthermore, I was exposed to the purpose of DISA Security Technical Implementation Guides (STIGs) and why they were critical for our purposes. Although I was not involved in developing the Windows patching solution, I still gained valuable insight into how operating-system hardening is connected to configuration management. Ultimately, completing this project provided great hands-on exposure to configuring the security features of a Windows system.
The remainder of the internship focused on developing LogRhythm NetMon Freemium, an open source network monitoring tool that is readily configurable once installed within an environment. The goal of the development process was relatively straightforward: given a set of formalized network traffic anomalies, how could we use the out-of-the-box capabilities to create custom visualizations and dashboards that display each anomaly? Adam presented a resource from the SANS Institute that neatly outlined the metadata we would need to capture to support specific detection methodologies. This resource listed twelve different network behaviors that could require further attention and analysis by a network analyst; at HBA, we call this type of individual a “Hunter”.
Essentially, we used the SANS resource as a practical guide and ad hoc standard for baselining network traffic. Of the twelve unique anomalies, we implemented visualizations and dashboards for nine using only the development environment of the user interface. We successfully implemented the remaining three anomalies (“Autonomous System Communications”, “Top DNS Domains Queried”, “Newly-Registered/Observed Domains”) by creating Deep Packet Analytic Rules (DPAs) through the built-in Lua scripting engine. To capture this experience of configuring LogRhythm NetMon Freemium, Adam and I wrote a white paper that outlines the lifecycle of the project and includes our evaluation of how this tool could empower the “Hunter” of a small or mid-sized business. This white paper is available for download here. I enjoyed the engineering aspect of this project, especially working with the scripting engine. After finishing an iteration of a specific visualization or dashboard, I would ask myself how I could make what I had just created more intuitive. Ultimately, I wanted to reduce the likelihood of confusion or doubt on the part of the “Hunter”.
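To make the two DNS-based anomalies above concrete, here is the core detection logic (baseline a window of DNS queries, rank the most-queried registered domains, and flag domains first seen after the baseline window) written in Python as an added illustration. It is not the NetMon Lua DPA rule from the internship or the white paper; the query records are constructed, and the last-two-labels domain collapse is a stated simplification.

```python
from collections import Counter
from datetime import datetime

# Constructed DNS query records (timestamp, client IP, queried name); a stand-in
# for the DNS metadata a network monitor would extract, not real NetMon output.
SAMPLE_QUERIES = [
    ("2017-07-10T09:00:01", "10.0.0.5", "www.example.com."),
    ("2017-07-10T09:00:07", "10.0.0.7", "mail.example.com."),
    ("2017-07-10T09:01:12", "10.0.0.5", "cdn.example.net."),
    ("2017-07-10T09:02:40", "10.0.0.9", "WWW.EXAMPLE.COM"),
    ("2017-07-11T10:15:03", "10.0.0.5", "www.example.com."),
    ("2017-07-11T10:16:30", "10.0.0.7", "update.example.org."),
    ("2017-07-11T10:16:45", "10.0.0.7", "api.example.org."),
    ("2017-07-11T10:20:00", "10.0.0.9", "cdn.example.net."),
]

def registered_domain(name):
    """Collapse a queried name to its last two labels, lower-cased, without the
    trailing dot. Simplification: a production rule would consult a public
    suffix list so that e.g. 'co.uk' is not mistaken for a registered domain."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def build_baseline(records, baseline_end):
    """Registered domains observed before baseline_end (the baselining window)."""
    return {registered_domain(q) for ts, _, q in records
            if datetime.fromisoformat(ts) < baseline_end}

def top_domains(records, n=3):
    """'Top DNS Domains Queried': the n most frequently queried registered domains."""
    return Counter(registered_domain(q) for _, _, q in records).most_common(n)

def newly_observed(records, baseline, baseline_end):
    """'Newly-Observed Domains': first sighting of each registered domain absent
    from the baseline, considering only queries after the baselining window."""
    seen = set(baseline)
    hits = []
    for ts, client, q in sorted(records):  # ISO timestamps sort chronologically
        dom = registered_domain(q)
        if datetime.fromisoformat(ts) >= baseline_end and dom not in seen:
            hits.append((ts, client, dom))
            seen.add(dom)  # report each new domain once, at its first sighting
    return hits

if __name__ == "__main__":
    cutoff = datetime(2017, 7, 11)  # everything before this day is baseline
    base = build_baseline(SAMPLE_QUERIES, cutoff)
    print("top domains:", top_domains(SAMPLE_QUERIES))
    for hit in newly_observed(SAMPLE_QUERIES, base, cutoff):
        print("newly observed domain:", hit)
```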
This has been an incredibly productive summer, as I got a taste of how a business like HBA effectively executes configuration and risk management on a budget. I still have much to learn in the cybersecurity field, but this internship served as a launch pad for developing expertise in this industry. I hope to deepen my knowledge by attending more SANS events and meeting more cybersecurity experts. I’m excited to share the accomplishments of this internship with my colleagues at UC San Diego because of the unique qualities of my experience.
Jim Lee – Computer Science Undergraduate @ UC San Diego