1. TeamMongoose
Keertan Kini Zoe Durand Ricardo Rosales Frances Schroeder
INITIAL PROBLEM STATEMENT
Enable the NSA to rapidly
identify disposable
infrastructure used in
cyber-attacks
CURRENT PROBLEM STATEMENT
Democratize threat
intelligence by providing an
automatic “pivoting”
solution
100 Interviews
Team roles: Hipster (BS Symbolic Systems ‘22), Hustler (MBA ‘22), Hound (MBA ‘22), Hacker (MBA + MPP)
Problem Sponsor:
National Security
Agency Cybersecurity
Directorate
2. Over the past 10 weeks, we conducted 100 interviews.
Academic
Commercial
Government
3. We didn’t fully understand the beneficiary or the problem statement...
What is the full mission of the NSA?
What data does the NSA have
access to?
What is the organizational structure
between the NSA and all the other
agencies that it defends?
What is disposable infrastructure?
How is it used by adversaries in an
attack?
Week 1
4. Since we didn’t know what “disposable infrastructure” was… we
decided to start with the data where we could find it!
1. “The NSA does not have access to network data if it is domestic” - from Sponsor
2. “There is a clear reason for which the NSA doesn’t have access to that data - they should just work more effectively with the FBI” - from cyber-crime / cyber-security diplomat
3. “What is missing is the defense agreement to get the data, not the data itself.” - from sponsor & DoD representative
Week 1
5. We realized that the world was much
more complicated than we had originally
thought
Confused mongoose
Week 3
7. The interplay between agencies is even more complicated than we had originally thought!
Diagram of the players: All Agencies in National Security System; DoD Agencies in National Security System; Critical infrastructure, private companies; NSA; Cybersecurity and Infrastructure Security Agency (CISA); FBI; USCYBERCOM; Cloud Providers; Private Incident Response Companies; Malicious Cyber Actor; Disposable Infrastructure (“Already gone!”).
Week 4
8. Mission Model Canvas had a lot of other players involved
KEY PARTNERS
- NSA (analysts and expertise)
- DHS CISA
- Private sector: cloud provider Trust and Security Teams
- FBI Cybercrime Division
- Private network security firms
KEY RESOURCES
- Security Clearance
- IT Security Accreditation
- Examples of concerning malware for categorization and analysis
- Traffic data (labeled instances of disposable infrastructure)
VALUE PROPOSITIONS
One or several of the following:
- Reduce the time required to identify persistent infrastructure used by multiple malware installations
- Identify previously unidentified temporary infrastructure used by a malware installation and share it with Cloud Providers for shutdown
- Reduce the time to serve Data Preservation notices to Cloud Providers to help attribution
KEY ACTIVITIES
- Software Engineering: identify common data for behavioral analysis of specific attacks; create analytics which plug into existing engines
- Organizational: fast path for data sharing
- Security Accreditation
MISSION ACHIEVEMENT/IMPACT FACTORS
Our mission will be successful if we develop a scalable solution to help the NSA identify persistent infrastructure used by multiple malware installations in a timely manner.
DEPLOYMENT
1. Back-end algorithm not running in real time, as proof of concept
2. Back-end algorithm running in real time (streaming)
3. Dashboard updated in real time, deployed to the cloud or on-prem and accessible to NSA/CISA/FBI stakeholders
BUY-IN & SUPPORT
- Need IT approvals from NSA/CISA/FBI for their systems
- Need demand
BENEFICIARIES
Primary: Cyber defenders at the NSA. Secondary: Cyber investigators at the FBI. Tertiary: All entities that the NSA serves and the DoD in general.
MISSION BUDGET/COST
Fixed: software design & engineering; helpdesk/support functions; labelling costs
Variable: subscription API usage for external tools; cloud computation/storage
9. “Attack” can mean different things, and even the lifecycle of an
attack is broad - where could Mongoose help?
Prevention
Incident
response
Attribution
Week 4
10. Big identity crisis for the team!
A picture of a Mongoose team member boiling the ocean, circa Week 4 (cartoon labels: Prevention, Attribution, Incident response, Team Mongoose, NSA, DoD, Critical infra, FBI, Lighthouse of the teaching team, Flocks of beneficiaries)
11. Lightbulb moment!
Disposable
infrastructure isn’t in
and of itself a
problem, is it?
“Attacks” isn’t
specific enough.
You need to
narrow it down to a
specific attack!
“We were originally given a
solution, not a problem.”
Week 4
12. Pivot! Focus on a specific attack type: Data exfiltration.
Week 5 Problem Statement
WHAT: improve the early detection of nation-state data exfiltration cyber-attacks on the NSA corporate network conducted through ephemeral cloud infrastructure, where the initial attack vector is a zero-day or supply chain attack, by quickly identifying the C2 servers owned in full by the attackers
FOR WHO: NSA cyber analysts as early adopter, later DoD agencies.
Week 5
13. To solve the problem of the NSA’s access to domestic data, we decided to focus on the NSA as a corporate network
Week 5
We still have a data problem...
15. At this point, we still weren’t sure that Mongoose could really
bring anything to the table.
Week 6
16. Despite the new problem statement, we hit a new low.
We write an email to the teaching team outlining
our concerns: “Our problem statement is either too
broad, or too technical. People have tried to solve
these problems for years, and it’s unclear what we
might be able to contribute. ‘Redefine
cybersecurity’ is better suited to a PhD in
cybersecurity than to H4D”
Week 6
(Team mood over time: Week 1, Week 2, Week 3, Week 4, Week 5)
“The NSA is a bit of a black box in terms of their processes and their prior attacks. Proxies don’t seem to be working either as no company seems keen to discuss the ways in which they’ve been breached.”
17. We talk to our sponsor and have a breakthrough moment.
What if I already had an
indicator of
compromise… and I
asked you to find similar
things?
18. Major breakthrough: we redefine both the problem statement
and the beneficiary
WHAT: flag infrastructure on the public internet that “correlates” or
“matches” to a known malicious infrastructure (seed)
FOR WHO: NSA Discovery Team in conjunction with JFHQ-DODIN
Network Defenders.
Week 6
20. We define a high-level product!
Mongoose Intelligence will provide analysis automation through
an entity matching API
Malicious IP or domain → Mongoose entity matching API → Similar IP or domain
Week 7
21. We learn that visualization seems to be a compelling product in and of
itself for many beneficiaries
Example graph (JFHQ-DoDIN network): DoD Endpoint 1 and DoD Endpoint 2 connected to IP 1, IP 2, IP 3, IP 4 and to the domains aws.com and XYZ.com. Each connection carries: country, date of first connection, account holder, number of connections, port, protocol. INPUT (known malicious node) → OUTPUT (related nodes).
“Love the visualization! It would be great if you displayed context
and confidence scores.”
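The “pivot” the API diagram describes (seed indicator in, related infrastructure out, with context and a confidence score) can be sketched in a few dozen lines. The following is an added example written for this page, not the team’s code and not any NSA system; the records, the attribute weights and the fan-out cap are assumptions for illustration. It also handles the failure mode the graph above hints at with aws.com: an IP or name server shared by a large cloud provider links the seed to every other tenant, so an attribute carried by many domains is down-weighted rather than treated as evidence of common control.

```python
"""Seed-based infrastructure pivoting with fan-out penalty (illustrative example)."""
from collections import defaultdict

# Constructed, illustrative records (not real observations): each line is one
# domain, the IP it resolved to, that IP's ASN, and the domain's name server.
RECORDS = [
    {"domain": "xyz.example",          "ip": "203.0.113.10", "asn": 64500, "ns": "ns1.bad-dns.example"},
    {"domain": "xyz-cdn.example",      "ip": "203.0.113.10", "asn": 64500, "ns": "ns1.bad-dns.example"},
    {"domain": "login-portal.example", "ip": "203.0.113.11", "asn": 64500, "ns": "ns1.bad-dns.example"},
    {"domain": "xyz-backup.example",   "ip": "198.51.100.5", "asn": 64501, "ns": "ns1.bad-dns.example"},
    # 198.51.100.5 plays the role of a shared cloud front end with many tenants.
    {"domain": "shop-one.example",     "ip": "198.51.100.5", "asn": 64501, "ns": "ns1.bigcloud.example"},
    {"domain": "shop-two.example",     "ip": "198.51.100.5", "asn": 64501, "ns": "ns1.bigcloud.example"},
    {"domain": "blog-three.example",   "ip": "198.51.100.5", "asn": 64501, "ns": "ns1.bigcloud.example"},
    {"domain": "wiki-four.example",    "ip": "198.51.100.5", "asn": 64501, "ns": "ns1.bigcloud.example"},
    {"domain": "unrelated.example",    "ip": "192.0.2.77",   "asn": 64502, "ns": "ns1.other.example"},
]

# Assumed base weights: how strongly sharing the attribute implies common control.
WEIGHTS = {"ip": 0.9, "ns": 0.6, "asn": 0.2}
# An attribute value carried by more than this many domains is treated as shared
# hosting (CDN, cloud front end) and its weight is divided by the fan-out.
FANOUT_CAP = 4


def build_index(records):
    """Index records both ways: (attr, value) -> domains and domain -> attributes."""
    by_attr = defaultdict(set)
    by_domain = defaultdict(set)
    for r in records:
        for attr in WEIGHTS:
            key = (attr, r[attr])
            by_attr[key].add(r["domain"])
            by_domain[r["domain"]].add(key)
    return by_attr, by_domain


def edge_weight(attr, fanout):
    """Confidence contributed by one shared attribute, penalised for high fan-out."""
    w = WEIGHTS[attr]
    return w / fanout if fanout > FANOUT_CAP else w


def pivot(seed, records, max_hops=2):
    """Return {domain: (score, hops, via)} for infrastructure related to the seed.

    seed is a domain present in the records or an IP address. score is the best
    product of edge weights along any path of at most max_hops pivots; via lists
    the (attr, value) pairs on that path so an analyst can see why it matched.
    """
    by_attr, by_domain = build_index(records)
    best = {}
    if seed in by_domain:
        level = {seed: (1.0, 0, [])}
    else:  # seed is an IP: start from every domain that resolved to it
        key = ("ip", seed)
        w = edge_weight("ip", len(by_attr[key]))
        level = {d: (w, 1, [key]) for d in by_attr[key]}
        best.update(level)
    for _ in range(max_hops):
        nxt = {}
        for d, (score, hops, via) in level.items():
            if hops >= max_hops:
                continue
            for key in by_domain[d]:
                w = edge_weight(key[0], len(by_attr[key]))
                for n in by_attr[key]:
                    if n == d or n == seed:
                        continue
                    cand = (score * w, hops + 1, via + [key])
                    if n not in best or cand[0] > best[n][0]:
                        best[n] = cand
                        nxt[n] = cand
        if not nxt:
            break
        level = nxt
    return best


if __name__ == "__main__":
    for dom, (score, hops, via) in sorted(pivot("xyz.example", RECORDS).items(),
                                          key=lambda kv: -kv[1][0]):
        print(f"{dom:24s} score={score:.3f} hops={hops} via={via}")
```

Run stand-alone it ranks xyz-cdn.example first (same IP and same name server as the seed), then login-portal.example and xyz-backup.example (shared name server), and pushes the four tenants that merely share the cloud IP with xyz-backup.example to the bottom with a score around 0.1; unrelated.example never appears. The weights and the cap are the part a real deployment would have to learn from labeled data, which is exactly the “labeled instances of disposable infrastructure” the canvas lists as a key resource.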
22. Why hadn’t the NSA ever built this before?
They might have.
Legal framework? Large siloed organization?
Week 8
23. We start to understand more about the details of the
specific data sources and systems that we would need to
plug into
“Nobody is doing anything with all the log data that is produced by Akamai
on DoD networks.”
“You should plug into Acropolis that is already doing data collection. DMA
is already dumping several terabytes of logs per day. Basically all of the
DoD is feeding in data.” -- Defense Digital Service
Week 9
24. With our MVPs, we got good signal that this is something that is
interesting to the NSA Discovery Team
“There are rules against me saying we would purchase this. But
this is a problem, and it needs to be solved ASAP.” -- NSA CSD TD
Week 9
25. Several types of potential customers
Small/Medium
Enterprises
NSA/JFHQ-DODIN
Telecoms
Week 10
26. We’re still thinking about whether or not we want to
continue on the project after the class.
Week 10
27. Thank you to everyone who made this possible!
Special thanks to:
● Neal Ziring, NSA CSD Technical Director
● Jennifer Quarrie and Jason Chen
● Our defense mentor
● H4D TA Joel Johnson
● The entire H4D teaching team
● Our 100 interviewees
Editor’s notes
Disposable infrastructure - didn’t quite know what it meant, but then decided it sounded interesting and wanted to dive deeper
“If it sounds ambiguous to you, it sounded the same to us as well :)”
5 second slide
First three questions might seem obvious to people working in the govt or agencies, but we’re Stanford students - remind them who we are :)
We don’t know what disposable infrastructure is, but let’s start with the data ! Make the data <> infrastructure link clear in the title. Current title is subtitle. Cartoon of someone looking under rocks :)
The NSA is severely restricted in what they can look at in terms of US person information (including IP addresses)
I can’t tell what this means -> Say: we are thinking of continuing, looking for some advice