IronNet Blog

Meet the CyOC: Billy Trobbiani

Written by IronNet | Apr 22, 2020 5:49:58 PM

Cybersecurity is largely a technical field, with battles every day being waged on a field of networks and algorithms. But humans are the real heroes here at IronNet. We wanted to shine the spotlight on one group in particular: the expert analysts and hunters in our Cyber Operations Center (CyOC). These are the men and women who work on the front lines investigating cyber anomalies, advising IronNet customers every day, and driving many of the innovations behind IronNet’s technologies.

Meet Billy Trobbiani, IronNet Hunt Operations Specialist:


What’s your background and education?

I spent thirteen years (minus two weeks) working for the Department of Defense in a variety of roles ranging from a contracting specialist to leading operations against state-sponsored intrusion sets as an exploitation analyst. Before that, I attended James Madison University for undergrad and Johns Hopkins University for grad school. 

Prior to all of my civilian service training and education at a research university, I also worked at an arcade. I've come a long way from turning dollars into tokens for Tekken Tag and Marvel vs Capcom. Fun fact: the claw machine is rigged against players. If you don't believe me, look up various repair manuals on how they operate. That is why you can't get that tie-dye Minion plush toy.

What skills help you most in your current role?

Gap analysis is one. I often have to measure the distance between discoveries within IronDefense and the risk threshold of the customer. Large enterprises have to prioritize security risks that are a clear and present danger over hairline fractures in their infrastructure—network misconfigurations or user activity. Something that is a potential risk does not preclude a real security incident. But it still pays dividends in the long run to address these vulnerabilities and reduce the attack surface.

Influence is another useful skill. When you are surrounded by, and involved with, technical people, your knowledge will likely be commonplace. You may have expert power, which speaks to certain personalities in this field. However, if you develop referent power (through trust and admiration) it will speak to many more personalities. One of IronNet’s values is to “be the most trusted, respected and loved cybersecurity company in the world.”

When did you figure out you wanted to work in cybersecurity? What motivated you?

I can’t say for certain when I decided to commit my professional career to information security, but there’s a lot to be said about my motivation.

Finding the delta between how something is meant to work and how it can be changed to work differently is a memorable motivator. For me, that started with overwriting or freezing memory addresses in video games to get unlimited lives with a Game Genie. Then you get older and learn how buffer overflows can make an application connect back to your computer and grant you command-line access. Technology can be very complex, and it’s always interesting to see what the original designers did very well or how they left themselves open to an exciting new vulnerability.

Taking bad people to task is another motivator for me. Malicious actors often believe that they can act with impunity because they are above the boundaries set by law, policy, and morality. These individuals will inevitably cause undue stress and harm to well-intentioned processes and people and get away with it. If I have the chance to disrupt the activity of someone who operates maliciously, I’ll take it.

What is your specific role in the CyOC?

IronNet’s CyOC (short for Cyber Operations Center) is composed of three teams: hunt operations, SOC operations, and threat intelligence. I am assigned to the hunt operations team, specifically for our energy and government customers.

Each customer has a primary hunter, an alternate hunter, and support hunters (2-3 people with access). The workload is spread out so that no single hunter is burdened while maintaining consistent overwatch for each customer environment.

What’s your job like? Is there a typical day or is each day different? Can you give us a basic idea of what you do and the kind of projects you work on?

My day is composed of 60% expected activities and 40% surprises.

On any given day, I will access our customers’ environments where I am a primary hunter. I’ll do a spot check on alerts in IronVue that are rated over 900 to see what can be triaged in seconds based on what I know about the network infrastructure and activity I have seen before. I run the activity to ground, determine if it is anomalous or simply benign behavior, and report the results to the customer where applicable. Often, customers will indicate what anomalous activity or activities warrant their immediate attention. It is important to get a sense of what they're looking for so that you can deliver it consistently.

The surprise 40% are special requests that I get from customers or IronNet employees. Sometimes we will receive a request for information (RFI) from our customers asking for insight into activity taking place in their network. We are also tapped to perform sensor visibility testing (also known as dye tests) for various deployments. We also work with the Red Team for Cyber Threat Emulations (CTEs), where the Red Team emulates malware activity in a customer deployment and our job is to find alerts associated with the activity in IronDefense.


Fire Truck, a 1978 Atari racing game.


What do you enjoy doing in your spare time?

Outside of the house, my wife and I like to see what dining options are available in the great state of Maryland. Fine dining to bar food, whatever we can catalog and later invite friends and family to enjoy. We’ve also been getting into escape rooms, both physical and virtual.

I am also an amateur video game historian; I use the term amateur because I don’t really commit to documenting any findings. I have this unusual fascination with the period of electronic entertainment from the late ’70s to the early 2000s that has evolved into the billion-dollar industry it is today. From the engineering challenges of chasing the beam on the Atari 2600 to what game design features were left on the cutting room floor, I absorb all of it. It mostly ends up getting shared to an audience of zero people.

What’s your biggest challenge?

My biggest challenge is with the internet.

No, really.

The internet is a construct that has far outdistanced any and all noble intent as imagined by its progenitors or even their successors. A big part of my job when working with an NTA solution like IronDefense is investigating anomalous behavior. However, there is a lot of benign network behavior that bears the mark of a malicious actor's TTPs in action.

Take advertising operations, for example. Advertising is a $1.2T industry, and getting those promotions to consumers is a high-value proposition. Said consumers despise ads, and invest a meaningful amount of energy finding solutions to avoid seeing ads (DNS sinkholes, ad-blocking plug-ins, etc.). So some advertising operations entities employ heavily obfuscated JavaScript hosted on a VPS to get around ad-blocking. That might look similar to someone attempting to deploy a cryptominer within a network. So I could end up reviewing an alert for activity that is not coercing a user's CPU cycles to mine bitcoin. Instead, all of my time was spent finding one weird trick for personal health from someone (and apparently doctors hate them!).

What’s your favorite new technology or app?

Probably my sous-vide cooking appliance. With a plastic bag and a pot of water, I can make sirloin steak taste as tender as filet mignon. The downside is that it takes a lot longer to cook your food (e.g., two hours for steak, one hour for chicken breast). But you can let the protein cook while getting your vegetables and starch ready for the main event.

It’s also dead simple to use for those who are hesitant to grill or roast their own food.


Sous-vide cooking at Billy's house.