I joined the Keppel Cyber Security Centre (KCSC) in Keppel Corporation from May to July 2023, where I had the opportunity to intern with the Cyber Defence team.

KCSC seeks to enable the business to operate safely in cyberspace through the establishment of Secure-by-Design guidelines and standards, as well as to educate staff in Cyber Security best practices. On top of those, Keppel proactively acquires next-generation solutions for Cyber Defence to counter emerging cyber threats, while adopting a risk-based approach that prioritizes critical assets when detecting and responding to potential breaches.

Background

As an intern, I had the opportunity to develop automation scripts to streamline the consolidation of Endpoint and Cyber Operations Reports. In addition, the physical exposure at the Security Operations Centre (SOC) enabled me to shadow experienced SOC analysts in their incident triaging and response process, especially when it comes to the handling of email phishing and Security Information and Event Management (SIEM) related logs. Following this, I proposed a Security Orchestration, Automation and Response (SOAR) playbook to automate the investigation and response process for email phishing incidents ingested into Microsoft Sentinel. On top of that, I was invited to participate in weekly SIEM use case discussions with our Managed Security Services (MSS) vendor, where I gained valuable insights into the organisation's Cyber Security posture.

Learning Progression

I recognized the importance of effective communication and adaptability in navigating various challenges and aligning with the management’s perspective. Regular check-in meetings with my supervisor and documenting weekly updates on Microsoft Teams ensured continuous transparency regarding my progress. As the internship progressed, I shifted my focus from emphasizing the technical details of my work to highlighting the reasoning behind my decisions and how they aligned with my colleagues’ preferences. This required me to understand their perspectives, which prioritized project outcomes and the potential benefits of the automated tools rather than the underlying technical intricacies. Engaging in frequent discussions with my colleagues, I also overcame differences in software requirements and dedicated time to explore possibilities for improvement and finding common ground.

The projects enhanced my skills in API utilization, backend code development and best practices of software engineering. Despite facing limited documentation, I adapted to the circumstances and willingly made modifications as per my supervisor’s requests to meet specific requirements. I now feel confident in leveraging API calls for tasks such as data extraction and manipulation. Furthermore, I learnt to make incremental changes through iterative development and conducted User Acceptance Testing (UAT) with my colleagues at each iteration of the projects. When working on the Endpoint Reports consolidation tool, this collaborative approach identified discrepancies between manual and automated extraction results from the server, leading to continuous improvement of the program. I also developed a thorough understanding of the interplay between code functionality and user requirements, ensuring the final product met the desired outcomes.

In addition, when initially coding the Cyber Operations Reports consolidation in Python, I realized that the code became lengthy and complex, making it difficult for others to understand. This prompted me to start afresh, leveraging the power of Power Query and Microsoft Power BI to simplify the maintenance of the automation tool and improve the code comprehensibility.

Internship Takeaways

The knowledge and experience gained through my assignments have a wide range of applicability across organizations in different industries. The Python-based Process Automation and Microsoft Power BI skills enable me to automate mundane and repetitive tasks in areas where rules-based business processes exist, as well as to gain proficiency in creating visually compelling reports that provide real-time visibility into critical cybersecurity metrics and empower data-driven decision making.

When shadowing the experienced SOC analysts in their triage and response towards email phishing incidents, I got to witness a threatening email demanding the remittance of virtual currency, under the threat of leaking allegedly altered photos. Leveraging our existing Cyber Security policies, such emails were blocked swiftly in the Email Threat Protection (ETP) system, and VirusTotal was used by the team to search for reported history based on image file hashes. Furthermore, I learnt how to analyze the email headers to assess the legitimacy of the IP address and identify other malicious emails associated with the sender.
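The two triage steps described above (reading the Received chain and authentication results from the headers, and hashing the attachment so it can be looked up by file hash) can be scripted with Python's standard library. The example below is added here and is not the author's or Keppel's code; the message, hosts and IP addresses are constructed for illustration (documentation-range addresses, hypothetical domains), and no network lookup is performed: the script only produces the SHA-256 value an analyst would submit to VirusTotal.

```python
import email
import hashlib
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (hypothetical hosts and documentation-range IPs,
# not a real message from the post): an extortion mail with an image attached.
RAW_MESSAGE = b"""Received: from mx.example.org (mx.example.org [203.0.113.10])
    by mail.corp.example (Postfix) with ESMTPS id ABC123
    for <victim@corp.example>; Tue, 13 Jun 2023 09:15:02 +0800
Received: from [198.51.100.77] (unknown [198.51.100.77])
    by mx.example.org (Postfix) with SMTP id DEF456;
    Tue, 13 Jun 2023 09:14:58 +0800
Authentication-Results: mail.corp.example; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail
From: "Security Team" <noreply@attacker.example>
To: victim@corp.example
Subject: Payment required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Send the payment within 24 hours.
--XYZ
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg"
Content-Transfer-Encoding: base64

/9j/2Q==
--XYZ--
"""

# Bracketed IPv4 literal as written by MTAs in Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def received_hops(msg):
    """Received headers oldest-first (each relay prepends its own, so reverse)."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def originating_ip(msg):
    """Bracketed IP in the oldest hop: the host that handed the mail to the first relay we see."""
    hops = received_hops(msg)
    if not hops:
        return None
    m = IP_RE.search(hops[0])
    return m.group(1) if m else None


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            results[method] = verdict
    return results


def attachment_hashes(msg):
    """(filename, sha256) per attachment; the hash is what you would look up in VirusTotal."""
    return [(part.get_filename(), sha256_hex(part.get_payload(decode=True)))
            for part in msg.iter_attachments()]


def triage(raw):
    """Summarise the header evidence an analyst checks first."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    flags = [f"{m}={v}" for m, v in auth.items() if v != "pass"]
    return {
        "sender": parseaddr(str(msg["From"]))[1],
        "originating_ip": originating_ip(msg),
        "hops": len(received_hops(msg)),
        "auth": auth,
        "flags": flags,
        "attachments": attachment_hashes(msg),
    }


if __name__ == "__main__":
    for key, value in triage(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Only the Received header added by your own mail gateway can be trusted; earlier hops are written by the sender's infrastructure and can be forged, which is why the originating IP is treated as a lead to corroborate (reputation, other mail from the same address) rather than proof on its own.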

Employing the principle of feature engineering, I also learnt that threat intelligence involves researching similar scams, alerts and advisories on news forums to identify related incidents and potentially establish a connection to broader categories such as Sextortion. Basic forensic techniques were employed, including image analysis, to extract metadata from the image file. The absence of EXIF information indicated that the image had been digitally edited, despite being legitimately taken using a smartphone or camera. Additionally, error level analysis was performed to identify variations in compression levels within the images, further confirming the presence of edits.
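The metadata check described above can be reproduced without an image library by walking the JPEG marker segments and reading the camera tags from the Exif block's IFD0. The example below is added here and is not the author's or Keppel's code; both sample files are constructed in the script (a camera-style file with Make, Model and DateTime tags, and a JFIF-only file with no Exif block), so it runs offline. Error level analysis is not shown because it needs a JPEG encoder to re-compress the image; this block covers only the Exif side of the triage.

```python
import struct

# Tags in IFD0 that a camera typically writes; absent or overwritten after editing.
EXIF_ASCII_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}


def jpeg_segments(data):
    """Yield (marker, payload) for each marker segment before Start Of Scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # skip fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no more metadata segments
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def has_exif(data):
    """True if an APP1 segment carrying an Exif block is present."""
    return any(m == 0xE1 and p.startswith(b"Exif\x00\x00") for m, p in jpeg_segments(data))


def exif_ascii_tags(data):
    """Read the ASCII tags in EXIF_ASCII_TAGS from IFD0; {} when there is no Exif block."""
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _read_ifd0(payload[6:])
    return {}


def _read_ifd0(tiff):
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header inside Exif block")
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        off = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[off:off + 8])
        if tag in EXIF_ASCII_TAGS and typ == 2:  # type 2 = ASCII
            if n <= 4:  # short values are stored inline in the entry
                raw = tiff[off + 8:off + 8 + n]
            else:       # longer values live at an offset from the TIFF header
                voff = struct.unpack(endian + "I", tiff[off + 8:off + 12])[0]
                raw = tiff[voff:voff + n]
            found[EXIF_ASCII_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def assess_image(data):
    """Triage summary: whether Exif survives and what the camera tags say."""
    if not has_exif(data):
        return {"exif": False, "tags": {}, "note": "no Exif block: metadata stripped or image re-saved by an editor"}
    tags = exif_ascii_tags(data)
    note = "Exif present"
    if "Software" in tags:
        note += "; Software tag set, image passed through " + tags["Software"]
    return {"exif": True, "tags": tags, "note": note}


# ---- constructed sample files (not real evidence) ----
def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _build_tiff(ascii_tags):
    """Minimal little-endian TIFF with one IFD of ASCII entries, for test data only."""
    n = len(ascii_tags)
    data_off = 8 + 2 + 12 * n + 4  # header + count + entries + next-IFD pointer
    entries, blob = b"", b""
    for tag, text in ascii_tags.items():
        value = text.encode() + b"\x00"
        if len(value) <= 4:
            entries += struct.pack("<HHI4s", tag, 2, len(value), value.ljust(4, b"\x00"))
        else:
            entries += struct.pack("<HHII", tag, 2, len(value), data_off + len(blob))
            blob += value
    return b"II*\x00" + struct.pack("<IH", 8, n) + entries + b"\x00\x00\x00\x00" + blob


CAMERA_JPEG = (b"\xff\xd8"
               + _segment(0xE1, b"Exif\x00\x00" + _build_tiff(
                   {0x010F: "Acme", 0x0110: "Phone 12", 0x0132: "2023:06:13 09:10:00"}))
               + b"\xff\xd9")
STRIPPED_JPEG = (b"\xff\xd8"
                 + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
                 + b"\xff\xd9")

if __name__ == "__main__":
    print(assess_image(CAMERA_JPEG))
    print(assess_image(STRIPPED_JPEG))
```

A missing Exif block is one indicator among several: messaging apps and social platforms strip metadata on upload too, so the finding is weighed together with the Software tag, the compression-level analysis and the wider threat-intelligence context rather than read on its own.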

My firsthand experience shadowing SOC analysts and observing their utilization of advanced techniques such as threat intelligence and forensic analysis has enhanced my understanding of incident response capabilities and fortified security measures. This knowledge equips me with the expertise to safeguard sensitive information and maintain the trust of stakeholders. By staying abreast of emerging threats and employing proactive measures to uncover malicious activities, I can contribute to the preservation of organizational integrity and the protection of critical assets.

Outcome

I am grateful towards my supervisor, mentors and other colleagues from the Keppel Cyber Security Centre (KCSC) who guided and worked with me during my internship.

The opportunity to work in the Cyber Defence team has exposed me to the fundamentals of process optimization and digitization, allowed me to further hone my technical competencies in Python, Microsoft Power BI and Power Query, and even let me pick up knowledge of Microsoft Sentinel. Due to the confidentiality of the work, I am not able to reveal more information about how the work was done.

Below is a summary of some work that I did in Keppel Corporation:

  • Developed automation scripts with Python and Microsoft Power BI to streamline the consolidation of Endpoint Security and Cyber Operations Reports

  • Proposed a SOAR playbook to automate the investigation and response process for triaging and responding to reported phishing emails in Microsoft Sentinel