Experience of an InfoSec Intern at Acko India

Utkarsh Rai
Nov 30, 2022


Quick Intro

I have been working as an Information Security Intern with Acko for the past four months. So far, the journey has been enjoyable, with numerous learning opportunities.

My grasp of the SOC process has really expanded, particularly in cloud and endpoint security. All my teammates have helped me improve professionally and personally. I have not been confined to a single task and have been given the freedom to explore and experiment for a better learning experience.

My Position

My main responsibility as an intern in the Information Security department of Acko General Insurance is the Security Operations Center (SOC) process.

SOC analysts are at the vanguard of the cyber security effort, responsible for detecting and responding to cyber attacks in real time.

Timeline

July 2022 — Implemented a CASB solution (Netskope) for monitoring network traffic between server and endpoint

August 2022 — Implemented IP rules in XDR (Trend Micro) and reviewed and researched the associated vulnerabilities

September 2022 — Explored AWS services from a security point of view and carried out daily monitoring of services

October 2022 — Monitored VPC and ELB API actions, started sending logs to Coralogix, and monitored them on a daily basis

November 2022 — Implementing traffic mirroring to detect threats in network traffic and analyse the data through Zeek (this is in progress, as traffic mirroring is resource intensive, both financially and in terms of infrastructure)

Current Project Problem Statement and Approach

The current project is concerned with cloud security. In our environment, we use AWS. Monitoring the API operations performed by various services is critical for an organization’s security because a single misconfiguration could lead to a serious incident.
For example, if a bucket that should be private is left open to the public, it could provide a pivot point for a threat actor to gain an initial foothold in the organization’s network.
The problem statement calls for the investigation and monitoring of services whose misuse or misconfiguration may result in breaches in the cloud environment.

The most difficult aspect of this project is determining the scope of a boundaryless infrastructure, i.e. the cloud environment. I began by thoroughly investigating the services and determining the API actions connected with each service. Virtual Private Cloud (VPC) and Elastic Load Balancing (ELB) were assigned to me. Based on the security risk, I assigned a priority and severity to each API action in these AWS services. After that, alerts would be generated by the AWS Alert centre and routed to Coralogix for central logging and monitoring.
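To make the severity-mapping step concrete, here is an added example (my own illustration, not Acko’s code) of how CloudTrail records for VPC and ELB API actions can be triaged inside a Lambda function. The severity table, the event records and the ARNs are constructed for the example; the field names follow the CloudTrail record format, and the handler’s input shape is an assumption.

```python
"""Severity triage for VPC / ELB API actions recorded in CloudTrail.

Added example, not Acko's code. The severity table and the sample records
are constructed; only the CloudTrail field names (eventSource, eventName,
userIdentity, sourceIPAddress, eventTime) are real.
"""
import json
from typing import Iterable

# Hypothetical severity table: actions that weaken visibility or widen
# exposure score high, read-only "Describe*" calls are informational.
SEVERITY_BY_ACTION = {
    "ec2.amazonaws.com": {
        "DeleteFlowLogs": "critical",
        "AuthorizeSecurityGroupIngress": "high",
        "CreateVpcPeeringConnection": "high",
        "DescribeVpcs": "info",
    },
    "elasticloadbalancing.amazonaws.com": {
        "DeleteLoadBalancer": "high",
        "ModifyListener": "medium",
        "DescribeLoadBalancers": "info",
    },
}
DEFAULT_SEVERITY = "low"
SEVERITY_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def classify(event: dict) -> dict:
    """Turn one CloudTrail record into an alert record with a severity."""
    source = event.get("eventSource", "")
    name = event.get("eventName", "")
    severity = SEVERITY_BY_ACTION.get(source, {}).get(name, DEFAULT_SEVERITY)
    # Unlisted mutating calls still deserve a look: anything that is not a
    # Describe/List/Get call is bumped to medium instead of the default.
    if severity == DEFAULT_SEVERITY and not name.startswith(("Describe", "List", "Get")):
        severity = "medium"
    return {
        "severity": severity,
        "action": f"{source}:{name}",
        "actor": event.get("userIdentity", {}).get("arn", "unknown"),
        "source_ip": event.get("sourceIPAddress", "unknown"),
        "time": event.get("eventTime", ""),
    }


def triage(events: Iterable[dict], min_severity: str = "medium") -> list:
    """Keep alerts at or above min_severity, most severe first (stable order otherwise)."""
    kept = [a for a in (classify(e) for e in events)
            if SEVERITY_ORDER[a["severity"]] >= SEVERITY_ORDER[min_severity]]
    return sorted(kept, key=lambda a: SEVERITY_ORDER[a["severity"]], reverse=True)


# Constructed sample records: no real account IDs, ARNs or addresses.
SAMPLE_EVENTS = [
    {"eventTime": "2022-10-03T09:12:44Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteFlowLogs", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/example-admin"}},
    {"eventTime": "2022-10-03T09:13:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeVpcs", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:user/example-admin"}},
    {"eventTime": "2022-10-03T09:15:30Z", "eventSource": "elasticloadbalancing.amazonaws.com",
     "eventName": "ModifyListener", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:role/example-deploy"}},
    {"eventTime": "2022-10-03T09:20:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:role/example-deploy"}},
    {"eventTime": "2022-10-03T09:21:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "CreateSecurityGroup", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::000000000000:role/example-deploy"}},
]


def lambda_handler(event, context):
    """Lambda entry point. The 'Records' key is an assumed input shape."""
    alerts = triage(event.get("Records", SAMPLE_EVENTS))
    for alert in alerts:
        print(json.dumps(alert))  # stand-in for shipping the alert to Coralogix
    return {"alerts": len(alerts)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run on the constructed records, the DescribeVpcs call is dropped as informational, DeleteFlowLogs (which blinds VPC traffic monitoring) sorts to the top as critical, and the unlisted CreateSecurityGroup call is kept at medium rather than silently ignored.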

Projects at a glance

Currently, I am in charge of tracking, monitoring, and responding to actions across the whole network traffic flow, as well as any configuration and system changes that occur anywhere within the organization’s infrastructure. This is accomplished by establishing safeguards like firewalls, network detection and response (NDR), and endpoint detection and response (EDR) to recognise, evaluate, and report network problems.

I am responsible for managing the corporation’s endpoint and cloud security, together with the other members of my team. We recently implemented a Cloud Access Security Broker, or CASB, to monitor the entire traffic flow for anomalies and malicious behaviour. I have discovered a vulnerability in the AWS Kubernetes authenticator that allows unauthorised users to obtain more access than they are permitted.

I am also working on a project that was assigned to me at the start of the internship: creating intrusion prevention (IP) rules to block certain vulnerabilities with a high CVSS score. We were asked to submit the findings of the study we conducted on the in-scope vulnerabilities, including an explanation of how each issue affects our company’s systems and a proof of concept (POC) to go with it.

I was charged with creating a Lambda function that, when invoked, retrieves indicators of compromise (IOCs) from AlienVault OTX (an open threat exchange global intelligence community) via Trusted Automated eXchange of Indicator Information (TAXII) feeds. In order to improve the effectiveness of our security operations, we will compare any possibly dangerous or unknown activity against the feed that we receive.
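As an added illustration of the matching step (my own example, not the Lambda function described above), the block below takes IOCs in the STIX 2.1 indicator form that a TAXII 2 collection returns, extracts simple single-comparison patterns, and checks constructed proxy, DNS and EDR log lines against them. The TAXII pull itself is replaced by an embedded, constructed bundle so that the code runs offline; FEED_URL is a placeholder, not a real collection endpoint, and every indicator and log value is made up.

```python
"""Match observed activity against STIX 2.1 indicators from a TAXII feed.

Added example, not Acko's code. The live TAXII request is replaced with an
embedded bundle; FEED_URL is only a placeholder for where that request would go.
"""
import re

FEED_URL = "https://TAXII-SERVER-PLACEHOLDER/taxii2/collections/PLACEHOLDER/objects/"

# Constructed STIX 2.1 objects (no real intelligence data). The last two show
# what a simple extractor must cope with: a non-indicator object and a
# compound pattern, both of which are skipped here.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000010",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000011",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000012",
         "pattern_type": "stix", "pattern": "[url:value = 'http://bad.example/payload.bin']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000013",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000020",
         "name": "constructed-sample", "is_family": False},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000014",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.1' OR ipv4-addr:value = '192.0.2.2']"},
    ],
}

# Single comparison: [object-type:property = 'value']
PATTERN_RE = re.compile(r"\[(?P<otype>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']+)'\]")

# Observables pulled out of free-text log lines.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_iocs(bundle: dict) -> dict:
    """Return {stix_object_type: {value: indicator_id}} for simple patterns."""
    iocs = {"ipv4-addr": {}, "domain-name": {}, "url": {}, "file": {}}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if not match:
            continue  # compound patterns (OR/AND/FOLLOWEDBY) need a real STIX pattern parser
        otype = match.group("otype")
        if otype in iocs:
            iocs[otype][match.group("value").lower()] = obj.get("id", "")
    return iocs


def match_line(line: str, iocs: dict) -> list:
    """Return (type, value, indicator_id) for every IOC seen in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in iocs["ipv4-addr"]:
            hits.append(("ipv4-addr", ip, iocs["ipv4-addr"][ip]))
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in iocs["domain-name"]:
            hits.append(("domain-name", dom.lower(), iocs["domain-name"][dom.lower()]))
    for url in URL_RE.findall(line):
        if url.lower() in iocs["url"]:
            hits.append(("url", url.lower(), iocs["url"][url.lower()]))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in iocs["file"]:
            hits.append(("file", digest.lower(), iocs["file"][digest.lower()]))
    return hits


def scan(lines, bundle: dict) -> list:
    """Run every line against the feed; one dict per hit, in line order."""
    iocs = extract_iocs(bundle)
    return [{"line": i, "type": t, "value": v, "indicator": ind}
            for i, line in enumerate(lines) for t, v, ind in match_line(line, iocs)]


# Constructed log lines (RFC 5737 / reserved addresses, made-up hosts and files).
SAMPLE_LOGS = [
    "2022-11-29T10:00:01Z proxy src=10.0.1.15 dst=198.51.100.23 dport=443 action=allow",
    "2022-11-29T10:00:07Z dns client=10.0.1.15 query=bad.example type=A",
    "2022-11-29T10:01:13Z edr host=wks-042 file=report.pdf.exe sha256=" + "0123456789ABCDEF" * 4,
    "2022-11-29T10:02:00Z proxy src=10.0.1.20 dst=203.0.113.9 dport=443 action=allow",
    "2022-11-29T10:03:40Z proxy src=10.0.1.20 url=http://bad.example/payload.bin action=block",
]


def lambda_handler(event, context):
    """Lambda entry point; the 'lines' key is an assumed input shape."""
    hits = scan(event.get("lines", SAMPLE_LOGS), SAMPLE_BUNDLE)
    return {"hits": hits}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, SAMPLE_BUNDLE):
        print(hit)
```

Two design points worth noting: hashes are compared case-insensitively because feeds and EDR products disagree on casing, and the last log line produces two hits (the URL indicator and the domain indicator it contains), so a downstream rule should de-duplicate by line before raising an alert. The compound OR pattern is deliberately skipped rather than half-parsed; a production function would use a proper STIX pattern library instead of the regex shown here.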

Conclusion

I was always treated like a team member, and my opinions and proposals were given the same weight as those of any other team member. Our CISO, Manager, and Team Leader have been tremendously helpful throughout (and the coolest) and have built a welcoming environment that genuinely improves learning in our team.

Over the course of just 4 months, my knowledge in the domain has grown tremendously. The internship’s intended purpose is to understand the entire process and lifecycle of a SOC analyst, as well as the concept of a coordinated act of resistance that protects information, systems, and networks from cyber-attacks.


Utkarsh Rai

TryHackMe [0xC GURU] | Cybersecurity enthusiast | Computer Science Student | Writer, Thinker, Coder