Fortian Summer Internship 2026


Casey Wilfling | Summer Intern | 8 June 2026

Introduction

Throughout February and March 2026, I had the opportunity to participate in Fortian's Summer Internship Program within the Managed Security Services (MSS) team. This experience allowed me to apply my Bachelor of Cyber Security studies in a real-world environment, while taking practical steps toward my career goal of becoming a SOC Analyst.

During the program, I was entrusted with two key projects that aligned closely with my previous experience and technical interests.

  1. Ransomware Attack Analysis & Detection Engineering
    I produced a detailed technical report analysing a ransomware attack, mapping the adversary's activities to the Cyber Kill Chain and identifying the exploited vulnerabilities. From there, I proposed targeted security controls to mitigate the observed vulnerabilities. I also needed to develop a custom detection rule in Microsoft Sentinel to proactively alert on behaviours consistent with the attack techniques observed.
  2. Automated IoC Extraction & Threat Intelligence Distribution
    The second project involved designing and building a system capable of extracting Indicators of Compromise (IoCs) from security incidents observed in Sentinel. I then had to ingest this data into OpenCTI for aggregation and validation, and then distribute this enriched threat intelligence across Fortian's customers' Azure tenants. The goal was to create a streamlined process that ensures consistent, up-to-date intelligence sharing across a multi-tenant environment.

Ransomware Attack Analysis & Detection Engineering

The ransomware case study I analysed was based on an incident report published by The DFIR Report, titled "Hide Your RDP: Password Spray Leads to RansomHub Deployment."

This real-world investigation provided a detailed breakdown of how a simple initial access vector escalated into a full domain-wide ransomware deployment.

Quick summary of the attack:

Following my technical analysis of the attack, I developed a custom Microsoft Sentinel detection rule to address one of the key weaknesses observed during the intrusion.

Microsoft Sentinel KQL detection rule for identifying repeated outbound SSH connections over port 443

The goal of this detection rule is to identify repeated outbound connections to the same external IP address — behaviour that can indicate data exfiltration. Rather than casting a wide net and generating excessive noise, the rule focuses specifically on SSH traffic over port 443, because threat actors often use SSH tunnelling to encrypt their traffic while disguising it within legitimate ports and services.
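The same detection logic, re-implemented here in Python over constructed sample connection events as an added illustration (this is not the Sentinel KQL rule from the screenshot, and the threshold, one-hour window and event field names are assumptions, not values from the production rule):

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample connection events (not real traffic), loosely modelled on
# the fields a CommonSecurityLog-style firewall source would provide.
SAMPLE_EVENTS = [
    {"time": "2026-03-02T01:00:00+00:00", "src": "ws-042", "dst_ip": "203.0.113.5", "dst_port": 443, "app": "SSH"},
    {"time": "2026-03-02T01:02:10+00:00", "src": "ws-042", "dst_ip": "203.0.113.5", "dst_port": 443, "app": "SSH"},
    {"time": "2026-03-02T01:04:30+00:00", "src": "ws-042", "dst_ip": "203.0.113.5", "dst_port": 443, "app": "SSH"},
    {"time": "2026-03-02T01:05:00+00:00", "src": "ws-042", "dst_ip": "203.0.113.5", "dst_port": 443, "app": "SSH"},
    {"time": "2026-03-02T01:05:00+00:00", "src": "ws-042", "dst_ip": "203.0.113.5", "dst_port": 443, "app": "HTTPS"},
    {"time": "2026-03-02T01:06:00+00:00", "src": "ws-017", "dst_ip": "10.0.0.8", "dst_port": 443, "app": "SSH"},
    {"time": "2026-03-02T01:06:00+00:00", "src": "ws-017", "dst_ip": "198.51.100.9", "dst_port": 443, "app": "SSH"},
    {"time": "2026-03-02T03:30:00+00:00", "src": "ws-017", "dst_ip": "198.51.100.9", "dst_port": 443, "app": "SSH"},
]

# Destinations inside these ranges are internal and never count as exfiltration targets.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect_ssh_over_443(events, threshold=3, window_hours=1.0):
    """Return [(src, dst_ip, count)] for every source/destination pair with at least
    `threshold` SSH connections over port 443 to one external IP inside the window.
    The threshold and window here are assumed values, not those of the production rule."""
    window = timedelta(hours=window_hours)
    per_pair = defaultdict(list)
    for e in events:
        if e["dst_port"] != 443 or e["app"].upper() != "SSH" or not is_external(e["dst_ip"]):
            continue
        per_pair[(e["src"], e["dst_ip"])].append(datetime.fromisoformat(e["time"]))
    hits = []
    for (src, dst), times in per_pair.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)  # most connections seen inside one window
        if best >= threshold:
            hits.append((src, dst, best))
    return hits
```

Only the workstation that made four SSH-over-443 connections to one external address within a few minutes is reported; the internal destination and the two connections spread hours apart are not.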

Automated IoC Extraction & Threat Intelligence Distribution

When I began this project, my experience with Azure was limited. I had worked with cloud platforms before, but I hadn't yet built an end-to-end workflow using multiple Azure services working together.

That meant the first phase of the project was dedicated to learning more about Azure's capabilities. I needed to understand how Azure resources — such as Storage Accounts, Blob containers, Logic Apps, and Azure Functions — operate individually and how they integrate to form an automated workflow.

Beyond just understanding the services themselves, I also needed to develop a solid grasp of Azure's identity and access model. Managed identities, service principals, and role-based access control (RBAC) were critical components of the design, ensuring that each resource had the appropriate permissions for the scope of resources it needed to access.

Once I had a clear understanding of these components, I mapped out the full architecture and workflow in a diagram as shown below. Creating this visual blueprint allowed me to plan the build process logically and guarantee that each step of the workflow aligned with the project's requirements.

Architecture diagram showing the automated IoC extraction and threat intelligence distribution workflow

The success of this project ultimately depended on one key factor: how effectively the Logic Apps could extract Indicators of Compromise (IoCs) from a Sentinel incident.

Very early in development, I identified a technical limitation. Microsoft Sentinel can export incident data, but the output is in raw JSON. While this is useful, it doesn't meet the requirements of OpenCTI. OpenCTI expects threat intelligence to be ingested in STIX 2.1 format, which is also JSON-based, but follows a very specific schema and object structure.

This meant there was a gap in the workflow.

Sentinel does not provide a native mechanism to convert its incident output directly into STIX 2.1. Rather than trying to force a workaround inside the Logic App itself, I decided early on that the cleanest and most scalable approach would be to develop a custom conversion application.

To achieve this, I built Python scripts using the stix2 library. This allowed me to construct properly formatted STIX objects and bundles from the raw Sentinel entity data. Through this process, I was able to extract artefacts across multiple entity types including file hashes, DNS records, IP addresses, and URLs, and convert them into compliant STIX 2.1 output ready for ingestion into OpenCTI.

With the data transformation layer working as intended, I could then move forward with building the Logic App that would automate the end-to-end workflow by extracting potentially malicious artefacts from an incident, converting them into the required format, and preparing them for threat intelligence aggregation within OpenCTI.

Logic App step 1: extracting entities from Sentinel incident

Logic App step 2: composing structured JSON object

Logic App step 3: triggering STIX conversion function

With the conversion layer complete, I was able to design the full automated workflow. The logic behind the system follows a structured sequence:

  1. When an incident in Microsoft Sentinel is classified as a True Positive, it automatically triggers the Logic App.
  2. All entity types contained in the incident are extracted and composed into a structured JSON object.
  3. This structured output is stored as a JSON blob in Azure Storage, creating an object ready for transformation.
  4. The Logic App sends an HTTP request to the custom Python conversion function which transforms the raw JSON into a properly formatted STIX 2.1 bundle.
  5. The converted STIX file is saved alongside the original JSON blob in Azure, and a notification email is generated to inform the IoC reviewer that new intelligence has been created.
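An added example of the conversion layer described above and invoked in step 4 of this workflow. It is not the intern's code: unlike the project, it builds the STIX 2.1 indicator and bundle objects with the standard library only rather than the stix2 package, so it runs without extra dependencies. The input shape (a list of entities in Sentinel's `kind`/`properties` layout) and all sample values are assumptions.

```python
import ipaddress
import uuid
from datetime import datetime, timezone

# Assumed input shape for the JSON the Logic App composes: a list of entities in
# Sentinel's kind/properties layout. All values are constructed sample data.
SAMPLE_ENTITIES = [
    {"kind": "FileHash", "properties": {"algorithm": "SHA256", "hashValue": "a" * 64}},
    {"kind": "Ip", "properties": {"address": "203.0.113.5"}},
    {"kind": "DnsResolution", "properties": {"domainName": "evil.example"}},
    {"kind": "Url", "properties": {"url": "http://evil.example/it's"}},
    {"kind": "Account", "properties": {"accountName": "jdoe"}},  # not an IoC type here: skipped
]
HASH_NAMES = {"MD5": "MD5", "SHA1": "SHA-1", "SHA256": "SHA-256"}  # Sentinel name -> STIX hash key

def _lit(value):
    """Quote a value as a STIX pattern string literal; backslash and ' are escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def entity_to_pattern(entity):
    """Map one Sentinel entity to a STIX 2.1 comparison expression, or None if unsupported."""
    kind, props = entity.get("kind"), entity.get("properties", {})
    if kind == "FileHash":
        algo = HASH_NAMES.get(props["algorithm"].upper())
        return f"[file:hashes.'{algo}' = {_lit(props['hashValue'])}]" if algo else None
    if kind == "Ip":  # pick the observable type by address family
        obj = "ipv6-addr" if ipaddress.ip_address(props["address"]).version == 6 else "ipv4-addr"
        return f"[{obj}:value = {_lit(props['address'])}]"
    if kind == "DnsResolution":
        return f"[domain-name:value = {_lit(props['domainName'])}]"
    if kind == "Url":
        return f"[url:value = {_lit(props['url'])}]"
    return None

def build_bundle(entities, incident_id, now=None):
    """Return a STIX 2.1 bundle (dict) with one Indicator object per supported entity."""
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for ent in entities:
        pattern = entity_to_pattern(ent)
        if pattern is None:
            continue  # unsupported kinds are dropped rather than emitting invalid STIX
        objects.append({"type": "indicator", "spec_version": "2.1",
                        "id": f"indicator--{uuid.uuid4()}",
                        "created": ts, "modified": ts, "valid_from": ts,
                        "name": f"Sentinel incident {incident_id}: {ent['kind']}",
                        "pattern": pattern, "pattern_type": "stix"})
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}
```

`json.dumps(build_bundle(SAMPLE_ENTITIES, "INC-0001"), indent=2)` gives the file that would be written to Blob storage in step 5; the four supported entities become four Indicator objects and the Account entity is skipped.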

The screenshot below shows the notification email containing the initial raw JSON export from Sentinel, followed by its converted STIX 2.1 counterpart:

Email notification showing raw JSON Sentinel export alongside converted STIX 2.1 bundle

At this stage, I considered the front-end automation component of the project complete.

However, OpenCTI itself was not yet ready to be deployed within the Fortian production environment. Rather than pausing the project there, I decided to take it one step further and develop a Proof of Concept to demonstrate how the full integration would operate once OpenCTI becomes available.

In this Proof of Concept, I outlined:

This ensured the solution was not just a one-way pipeline, but part of a continuous intelligence lifecycle.

To complete the proposal, I also demonstrated how Azure Lighthouse could be leveraged to securely access customer tenants. This would enable Fortian to distribute updated threat intelligence across multiple environments from a centralised management plane — ensuring consistency, scalability, and operational efficiency.

Conclusion

Participating in this internship has significantly advanced my development as a cybersecurity professional. The projects I was given allowed me to fully explore my problem-solving and solution-design capabilities, while boosting my confidence in tackling new tasks and my resilience in overcoming issues when implementing my chosen solution. The project design skills and first-hand SOC experience that I gained during my time with Fortian are things I will take with me through the rest of my career.

It needs to be mentioned that the team was fantastic to work with. Every team member I approached for advice was welcoming and very forthcoming in sharing their knowledge with me. I recommend anyone who is interested in applying to do so; if you've got the drive, you'll be impressed by what you will achieve.
