2024-0325 Cyberspace Operations Threat Hunting Support (NS) - TUE 14 Jan
Mons, Wallonia, Belgium
EMW, Inc.
Deadline Date: Tuesday 14 January 2025
Requirement: Cyberspace Operations Threat Hunting Support
Location: Mons, BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: 2025 BASE: 03 MAR 2025 to 23 DEC 2025, with the possibility to exercise following options:
• 2026 option: 5 JAN 2026 to 23 DEC 2026
• 2027 option: 4 JAN 2027 to 23 DEC 2027
• 2028 option: 3 JAN 2028 to 22 DEC 2028
Required Security Clearance: NATO SECRET
1. BACKGROUND
The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
2. INTRODUCTION
The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects of around 219 MEUR per year, in order to uplift and enhance critical cyber security services.
The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB).
Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM). In order to execute this work, the NCI Agency requires support with the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience.
3. PURPOSE
The NCSC is responsible for defending NATO networks on a 24/7 basis and for proactively looking for signs of malicious activity by performing threat hunting. The threat hunting activities encompass searches of existing security log sources driven by threat intelligence hypotheses, anomaly detection and, more generally, compromise assessment.
4. OBJECTIVES
This Statement of Work (SoW) outlines the services to be provided by the Supplier to NCSC for providing support to Cyber Operations Threat Hunting.
5. DELIVERABLES
The contractor shall deliver the following functions:
D1. Based on threat intelligence reports, create or modify corresponding threat hunting hypotheses and queries in tool-specific languages such as Splunk Search Processing Language (SPL), Kusto Query Language (KQL), Yara, Sigma or Fidelis Endpoint rules to look for traces of malicious activities in existing logs and systems.
D1 Outcome: New or updated Confluence page(s) containing the extracted hypothesis and a link to the original report analysed
D1 Acceptance Criteria: A threat hunting hypothesis is to be understood as defined in the TaHiTI Threat Hunting methodology and should contain:
1. An abstract of what malicious activity is carried out
2. Required data sources and data analysis techniques to detect such activity
3. The MITRE ATT&CK techniques used by the threat actors
4. The queries in the different formats for each relevant tool
The format will follow the NCSC template defined in Confluence.
The page(s) shall be created within 48 hours of the reception of the report.
D2. Define the list of systems in scope for a threat hunting campaign based on input such as technology targeted, responsible entity, network area and classification. As sources for this list, the contractor will use and correlate the following resources:
• Internal database of systems and entities in the NCSC Wiki
• NCIA CMDB
• External CMDBs made available by the NCIA customers
If the information cannot be found in any database, the IT administrators or other relevant stakeholders must be contacted.
D2 Outcome: An Excel sheet containing the systems in scope for the given threat hunt together with their characteristics
D2 Acceptance Criteria: It needs to contain the details of each system (IP, name, network zone, operating system, function, entity responsible).
The format is an Excel table.
The Excel sheet should be delivered at most 2 weeks after the initial assignment.
D3. Participate in Threat Hunting campaigns by running adequate queries on systems in scope and follow up to confirm or refute findings by correlating computer forensic artefacts using available EDR or telemetry from the endpoints.
D3 Outcome: Results report of a task assigned in the context of a threat hunting campaign.
D3 Acceptance Criteria: The report includes whether the hypothesis could be verified or not for each system in scope and whether malicious activity was spotted.
The format should follow the Word template for Threat Hunting reports provided by NCSC.
The report should be delivered 3 days after the end of the campaign at the latest.
D4. Produce briefings in Microsoft PowerPoint or Word format to describe the Threat Hunting campaign, methodology, findings and recommendations.
D4 Outcome: Report and/or briefing for threat hunting customers
D4 Acceptance Criteria: The briefing contains details about the campaign, scope, queries run, hypotheses and findings.
The format follows the templates provided by NCSC in either Microsoft PowerPoint or Microsoft Word.
The briefing should be delivered 2 days after the request for such briefing and after the completion of the campaign.
D5. Use and configure security tools such as Azure Sentinel, Microsoft Defender for Endpoint, Fidelis Endpoint, Sysmon and THOR APT scanner to collect the required logs to spot malicious activities.
D5 Outcome: Documentation about the configuration change.
D5 Acceptance Criteria: The change of configuration has been documented in the knowledge base (Confluence). When the tool is using configuration as code, the appropriate documented pull request in the Git repository must also be raised.
The format should follow the template already in use by NCSC.
The change should be documented at least 24 hours before the change is expected to take place.
D6. Brainstorm during weekly meetings with the rest of the Cyber Threat Investigation Team on how to improve visibility in order to catch the ongoing cyber threat activities described in intelligence reports.
D6 Outcome: Participation in the meetings
D6 Acceptance Criteria: Participation is reported and tracked in the meeting minutes which need to be prepared before the meeting and updated during the meeting (Confluence).
Weekly participation is expected.
D7. Perform supporting activities around Threat Hunting campaigns such as informing relevant stakeholders, liaising with intelligence sources and preparing administrative documents to allow the execution of the campaign (change requests, authorized service interruption).
D7 Outcome: List of documents produced and emails sent to support the execution of a Threat Hunting campaign.
D7 Acceptance Criteria: The list contains the title of documents or subject of emails, the stakeholders informed and the link to issues in Jira (TASK #).
The format expected is an Excel document with the following columns: Title/Subject, Stakeholders, Link to Issue.
This deliverable is expected at the latest 24 hours after the start of the campaign.
Rejection Criteria
• The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors.
• A rejected deliverable must be corrected and resubmitted within 1 (one) business day.
Further details:
• Each deliverable will be assessed by a supervisor or team member on a scale from 1 to 5 based on the criteria defined above. This score is used for the monthly KPI; an overall score below 80% incurs a financial penalty.
Further, the contractor must conduct the following reviews:
• A bi-weekly ‘touch point’ with the NCSC Threat Hunting Service Delivery Manager, or any other NCSC personnel designated by NCSC.
Structure and formatting of the deliverables
In addition to their specific acceptance criteria, each deliverable shall meet the following requirements:
• Language: the product shall be written in English, meeting the NATO STANAG 6001 Level 3 “Professional Proficiency”.
• Intended Audience: the product shall be intended for Cyber Security Professionals, Senior Military personnel and decision makers in the field of Cyber Security and Cyberspace Operations.
• Accuracy: the product shall accurately reflect what was done.
• Clarity and Conciseness: Information shall be presented clearly and concisely, avoiding unnecessary jargon or complex language.
• Objectivity: the content shall be impartial and objective, presenting information without bias or personal interpretation.
• Structure: the product shall follow a logical structure, such as the template when one is available.
• Timeliness: the product shall be prepared and distributed promptly after the assignment, ensuring that information is fresh and actionable.
• Formatting: Consistent formatting shall be used throughout the document, including font style, size, headings, and spacing, as further directed by the Information and Knowledge Management Steering Group.
• Confidentiality: Information processed by analysing threat intelligence reports or acquired during threat hunting campaigns shall be handled in accordance with the NATO policy on Information Management.
6. COORDINATION AND REPORTING
R1. A monthly performance report (see Annex A) will be provided at the end of the month, in the NCSC tool and using the NCSC-provided template. The report shall contain the number of each deliverable provided during the month.
The report will be prefilled by the service provider and includes, as supporting documentation, the list of deliverables produced during that month, including references to the NCSC tools containing the information.
The report will be completed by NCSC to include the overall score received for the deliverables in that month. It is computed as follows: the sum of the scores for each deliverable (from 1 to 5) divided by the number of deliverables and converted to a percentage.
7. DELIVERABLES MILESTONES AND PAYMENT SCHEDULE
Term and Timeline
Period of performance of this SOW will commence on 03 MAR 2025 and continue for a maximum of 40 weeks until 23 DEC 2025.
The payments shall be dependent upon successful acceptance of the Monthly Performance Report (R1) (Annex A), including the EBA Receipt number.
Invoices shall be accompanied by the Monthly Performance Report (R1) (Annex A) signed by the Contractor and the project authority.
Payment is done at the end of each month following the approval of the R1.
7.1 2025 Base: Period of Performance From 03 Mar 2025 To 23 Dec 2025 (~40 weeks)
Payment will be done as per the milestones below:
Item R1: Deliverables D1-D7
Deliverable Due Date: Last day of each month
Payment Schedule: At the end of each month linked to the successful delivery of D1-D7 as tracked in R1
Note: For any given month, the payment amount will be calculated pro-rata, based on the number of weeks during which services have been delivered
Penalty scheme:
>= 80% satisfaction on deliverables - Penalty 0%
60 – 79% satisfaction on deliverables - Penalty 25%
40 – 59% satisfaction on deliverables - Penalty 50%
< 40% satisfaction on deliverables - Penalty 75%
Method of Surveillance: The overall satisfaction for the month is reported on the R1 (Annex A)
7.2 2026, 2027, 2028 Options: ~50 weeks
Item R1: Deliverables D1-D7
Deliverable Due Date: Last day of each month
Payment Schedule: At the end of each month linked to the successful delivery of D1-D7 as tracked in R1
Note: For any given month, the payment amount will be calculated pro-rata, based on the number of weeks during which services have been delivered
Penalty scheme:
>= 80% satisfaction on deliverables - Penalty 0%
60 – 79% satisfaction on deliverables - Penalty 25%
40 – 59% satisfaction on deliverables - Penalty 50%
< 40% satisfaction on deliverables - Penalty 75%
Method of Surveillance: The overall satisfaction for the month is reported on the R1 (Annex A)
8. SKILLS
[See Requirements]
Further Details:
The contractor shall be dressed suitably for meetings with high ranked officials. No religious sign shall be worn during such meeting.
Each provider of this service must pass an assessment to demonstrate proficiency before being approved to provide the service. The assessment will then be followed by a one week on-site familiarisation period with key NCSC personnel and tools to be introduced to the environment.
NCSC reserves the right to perform a technical evaluation of the candidate(s) designated by the supplier in the form of technical challenges that will test the skills required of the candidate(s). Should the candidate(s) fail the test, the supplier would need to propose other candidate(s).
The provider shall minimize the rotation of resources performing the contract to the absolute minimum to ensure continuity of service and to maintain the on-boarding overhead on NCSC side at a reasonable level.
The first 5 working days of a new resource (starting at the date the SHAPE ID was obtained) are considered familiarisation and handover/takeover period for which no payment will be made as no deliverable can reasonably be expected during that time.
After approval of the resource, the provider must communicate the starting date and all onboarding documents to the NCSC point of contact at least 3 weeks prior to the starting date.
It is the responsibility of the provider to inform each resource of, and make sure each resource can comply with, the requirements to obtain a SHAPE ID on their starting day. This includes, among others, the clearance (RFV) and the mandatory registration in a Belgian commune. The list of documents required can be consulted here: https://www.shape2day.com/arrivingleaving/inprocessing/are-you-a-national-civilian-component/contractorconsultant
9. WORK EXECUTION
The services will be mainly executed on premises at SHAPE, Mons, Belgium.
Occasionally, remote working will be allowed at the discretion of NCSC when it does not negatively impact the delivery.
NCIA IT equipment will be provided (NCSC NROP laptop and/or NCIA NRAIS laptop) + access to NCSC NSOP workstation.
Results of the work will be provided as stated in paragraph 6 – Coordination and Reporting.
10. TRAVEL
Daily presence at SHAPE, Mons, Belgium is expected in order to deliver according to the performance goals. A maximum of 2 trips per month to other locations in Belgium (NATO HQ in Brussels, NCIA offices in Braine-l’Alleud) for meetings may be requested. No overnight stay is required.
All travel costs associated with the delivery of the service are included in the quoted price. No additional cost for travel (including accommodation, per diem, travel expenses, etc.) will be claimed separately. All travel arrangements are the responsibility of the contractor.
11. SECURITY AND NON-DISCLOSURE AGREEMENT
Any resource providing services under this SOW must be in possession of a security clearance NATO SECRET or above. The signature of a Non-Disclosure Agreement between any Service Provider’s individuals contributing to this task and NCIA will be required prior to execution.
Requirements
8. SKILLS
Services under the current SOW are to be delivered by ONE resource that must meet the following experience, qualities and qualifications:
- Experience in threat hunting and threat hunting methodologies
- Experience in writing Splunk queries using SPL
- Experience in analysing Sysmon events
- Good knowledge of networking protocols
- Experience in analysing Windows forensics artefacts such as Windows Event logs, UAL, MFT…
- Knowledge of Python and/or Powershell is an asset
- Knowledge of Fidelis EDR is an asset
- Knowledge of THOR, Asgard analysis cockpit is an asset
- Language proficiency in English meeting or exceeding the NATO STANAG 6001 Level 3 “Professional Proficiency”.