The Booz Allen Dark Labs’ Threat Hunt team discovered a unique form of adware lurking on networks that evades all traditional forms of cyber defense. The adware is a previously known threat that is commonly used to inject advertisements into a user’s browser and covertly collect information about the user’s browsing activity. This adware employs advanced techniques commonly seen in Nation-State-level APTs to evade detection, maintain persistence, and connect to Command and Control (C2) servers to initiate a stage 2 attack.
Adware is often ignored during security operations because it is generally considered unsophisticated, is prevalent, and has a low perceived threat level. This adware, which we are calling Advanced Persistent Adware (APA), is unique because it leverages advanced techniques, typically only seen in attacks attributed to Nation-State-level Advanced Persistent Threats (APTs), to evade detection, maintain persistence, and connect to a Command and Control (C2) server to facilitate the second stage of the attack. This APA is similar to adware detected by Carbon Black’s Endpoint Detection and Response (EDR) platform. Both examples demonstrate the growing need for advanced detection as the playing field continues to evolve in favor of these threats.
Leveraging built-in Windows tools, such as Scheduled Tasks (taskeng.exe) or wscript.exe, the APA decrypts and executes its payload in memory rather than on disk, which further helps it avoid anti-virus detection. The first function of the APA is to look for two files in its parent directory. If both files exist, the APA sends an HTTP POST request to a C2 server. All communications to and from the C2 server are encrypted to avoid network-based detection by the SIEM or IDS platform. When an HTTP 200 response is received from the C2 server, the APA initiates stage two, which involves extracting the contents of the C2's response, decrypting the extracted code, and executing the code in memory. The full functionality and impact of stage two are still being analyzed, but from the details we have uncovered, we can say that the additional code retrieved from the C2 server is advanced and, given its ability to execute arbitrary code, could be used as an implant for exfiltrating data and receiving further tasking outside of its adware capabilities.
We discovered the APA by leveraging the Dark Labs Threat Hunt (TH) platform, using hypothesis-driven, behavior-based analytics. The platform's rules are generalizations based on predictions about how a threat actor or their weapon will act within a network and the behaviors a threat hunter would expect to see in the data. We developed methods to elevate EDR functionality in networks, allowing us to query all endpoints and correlate their responses at scale. Through this process, events related to this APA were automatically identified as potentially malicious by a rule designed to look for wscript execution in atypical or suspicious directories. These events were stacked and presented to our threat hunt team for further investigation. Our hunters then pivoted to our analytics platform, which conducts automated dynamic malware analysis and determined that the payload was, in fact, malicious.
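As an added illustration of the kind of hunt rule described above (not Dark Labs' own analytic), the following Python flags script-host launches from atypical directories in process-creation telemetry and enriches the lead when the parent is the Scheduled Tasks host named earlier. The event fields, the directory baseline and the sample events are constructed assumptions.

```python
import re

# Script hosts the rule watches, and the launcher the write-up names as the APA's persistence vehicle.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCHEDULER_PARENTS = {"taskeng.exe", "schtasks.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Assumed baseline: user-writable locations a script host rarely runs from legitimately; tune per environment.
SUSPICIOUS_DIRS = [r"\\AppData\\(Local|Roaming)\\", r"\\Temp\\",
                   r"\\ProgramData\\", r"\\Users\\Public\\", r"\\Downloads\\"]

def split_cmdline(cmdline):
    """Tokenize a Windows command line, honoring double-quoted paths."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def script_argument(cmdline):
    """Return the script file handed to the host, or None if there is none."""
    return next((t for t in split_cmdline(cmdline)[1:] if t.lower().endswith(SCRIPT_EXT)), None)

def in_suspicious_dir(path):
    return any(re.search(p, path, re.IGNORECASE) for p in SUSPICIOUS_DIRS)

def evaluate(event):
    """Reasons a process-creation event matches the hypothesis ([] if none)."""
    if event["image"].rsplit("\\", 1)[-1].lower() not in SCRIPT_HOSTS:
        return []
    reasons = []
    script = script_argument(event["cmdline"])
    if script and in_suspicious_dir(script):
        reasons.append("script in user-writable directory: " + script)
    if in_suspicious_dir(event.get("cwd", "")):   # catches relative script paths
        reasons.append("working directory is user-writable: " + event["cwd"])
    if not reasons:   # location drives the lead; the parent only enriches it
        return []
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in SCHEDULER_PARENTS:
        reasons.append("launched by Scheduled Task host " + parent)
    return reasons

def hunt(events):
    """Stack matching events into leads of (event id, reasons) for analyst review."""
    return [(e["id"], r) for e in events if (r := evaluate(e))]

# Constructed sample EDR process events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\System32\taskeng.exe",
     "cmdline": r'wscript.exe //B "C:\Users\alice\AppData\Local\Temp\upd\run.vbs"', "cwd": r"C:\Windows\System32"},
    {"id": 2, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\setup.vbs"', "cwd": r"C:\Program Files\Vendor"},
    {"id": 3, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\System32\taskeng.exe",
     "cmdline": r"wscript.exe run.js", "cwd": r"C:\ProgramData\Cache"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields leads for events 1 and 3 only; the vendor script under Program Files produces no lead.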
While the existence of the APA within a network is not necessarily nefarious, it provides the opportunity for malicious use, either by the adware creator, a client of theirs, or through future hijacking (for example, through a breach of the adware provider's network). Elimination, and future prevention through behavior-based analytics, is advised.
As seen with this APA, cyber adversaries are skilled at defeating reactive, IOC-based defenses by constantly developing and evolving malicious tools, techniques, and procedures (TTPs), allowing them to gain access and cause harm to an organization. In contrast to traditional network defenses, our ATH offering involves creating new datasets rich with endpoint data, allowing us to hunt for activity that SIEMs, IDSs, and anti-virus products may miss. Our proactive approach relies on sophisticated tools and tradecraft, such as automation, threat intelligence, threat analytics, and machine intelligence, to gather and analyze large volumes of data for malicious activity. These tools can identify and mitigate threats at machine speed using customized delivery models.
At Booz Allen, we have spent the last decade refining our tradecraft and assembling teams of analysts who can think like adversaries and know how to identify warning signs. Our analysts specialize in global malware hunt operations, anti-malware research, development of APT countermeasures, and use measurable processes to strengthen network defenses and identify adversary activity. By regularly evaluating their networks for threat activity, organizations can detect attacks in progress and mitigate these risks before it’s too late.