TASC Cybersecurity Operations Center Protects Digital Assets in Record Time


Ensuring security operations while transitioning to a new IT infrastructure is a big enough job on its own. Add a verifiable threat to that equation and many companies would not survive. That’s just where TASC found itself in early 2011. As the company designed its own enterprise systems, it also opened a brand new Cybersecurity Operations Center (CSOC) within 90 days while fighting off a hacktivist collective wreaking havoc on governments and countries around the globe.


This cyber threat intelligence and analytical function is rare in commercial cyber operations. More important still, TASC’s aptitude in this area resulted in zero business disruption of the TASC infrastructure and business applications. The capability and achievements of the TASC CSOC provide a reference for customers seeking cybersecurity support.

The Challenge

Drivers in establishing a cybersecurity capability are regulatory requirements, customer requirements and immediate threats. In the case of TASC, most cybersecurity requirements flow from our intelligence, defense and other government customers. The requirements range from government regulations and directives to contractual obligations to meet special requirements to protect specific programs. Many of these requirements are then translated into technical operational capabilities.

From a cybersecurity professional’s perspective—and beyond regulatory requirements—a company’s intellectual property and customer information are core to its business. Moreover, a company’s reputation and ultimate success rely heavily on how well it protects its IT infrastructure and digital assets. A working system is necessary to maintain constant, consistent service delivery to its customers and to ensure employee productivity. And in the world of federal contractors, where there are heightened security requirements, a functioning, protected IT infrastructure is even more critical.

The Situation

In late 2009, TASC separated from Northrop Grumman Corporation, of which it had been a division for eight years. From planning to “go live,” TASC had less than 12 months to stand up a completely new enterprise IT function from scratch: infrastructure, application and cybersecurity services. In 2010, TASC began designing the CSOC as a “purpose-built” cybersecurity capability to protect TASC digital assets. Within 90 days, the Center was operational.

Today, the Center supports more than 5,000 employees and contractors and four enterprise data centers. The newly established CSOC provides a range of capabilities in security monitoring, incident handling, threat and vulnerability management, forensics and reverse engineering and cyber threat intelligence.

A Tested Solution

Prior to reaching its full operational capability, TASC was targeted by a hacktivist collective. The threat group is associated with international hacktivism: undertaking Internet protests, disrupting or disabling foreign government websites, and launching successful denial-of-service attacks on large businesses. In February 2011, the threat group targeted and completely brought down a defense contractor company; many companies in the defense contractor community were at a high level of concern and vigilance.

Although it had been operating for less than 45 days, the CSOC correlated suspicious events as warnings that TASC was now actively targeted. Nontechnical indicators encompassed “spear phishing” by unconfirmed threat actors or the threat actor group “spokesman.” Technical indicators included increased activity at TASC’s network border. The CSOC identified several instances of probing and reconnaissance from external addresses. This real threat possessed both the history and capability to critically—if not completely—disrupt TASC business operations.

Averting the Threat

The TASC CSOC, along with other corporate services, coordinated strategies to focus on the imminent threat. Using technical and nontechnical defenses, the team brought together their collective experience, interim procedures and equipment into a coordinated strategy.

  • Establish a crisis management team to address specific events, author a crisis management policy manual and establish a business continuity strategy and implementation plan.
  • Hold briefings and awareness sessions to help limit targeted employees’ exposure from the Internet, with special attention paid to social networking site risks.
  • Conduct executive briefings to summarize the threat environment and actions underway. The meetings eventually tapered off and were cancelled as threat conditions decreased to normal levels.
  • Coordinate with federal law enforcement and assist in their efforts.
  • Employ an outsourcing firm to audit logs to provide the security team a level of visibility that extended cyber situation awareness.
  • Observe non-signature-based attacks that firewalls and intrusion detection cannot detect through vendor-provided signatures.
  • Correlate discrete behavior-based tools with the log data for intrusion detection by using unique deep packet inspection and analysis tools to augment knowledge and traditional logs and to monitor advanced attempts to gain network access.
  • Restrict the enterprise points of presence to the Internet as needed.
  • Review and require security patching at the client and server platforms. Deploy a patch management and compliance solution with the infrastructure service provider.
  • Require an enterprise password change to strengthen the identification and authentication controls at the host, application and services.
  • Develop a tiered external communications response to potential scenarios surrounding data breach. A series of external communications was developed in the event of an attack, an Internet outage and data breach.
  • Provide identity theft insurance or protection as an offering to those whose identity could be affected during an attack.

Prior to the security incident, a Defense Security Service agent commented that the CSOC was “getting it” in terms of combating national threats, and that TASC’s capability is notably advanced within the defense industry. This knowledge was put to the test.

No successful infiltration occurred, despite numerous attempts. The flexibility, agility and creativity of the CSOC resulted in a 24x7 defense and zero business disruption. After the incident, the FBI Special Agent in charge of the investigation remarked that TASC had a deep understanding of the threat and remarkable capability, and was “clearly on top of their game.”
