Security Engineering-Data Population Proposal



DATA POOL DEVELOPMENT PROGRAM


PROPOSAL
For: SystemTwoSecurity

DATE: 09/07/2024 PLACE: BANGALORE



CONTENTS
EXECUTIVE SUMMARY ...................................................................................................... 3
DOCUMENT OBJECTIVE..................................................................................................... 4
DOCUMENT CONTROL ....................................................................................................... 4
OVERVIEW .......................................................................................................................... 4
Why choose us .................................................................................................................. 5
Meet the change makers ................................................................................................... 5
EXECUTION METHODOLOGY ............................................................................................ 6
Agreement and Scope Finalization .................................................................................... 6
Resource Allocation........................................................................................................... 6
Identification of Log Sources ............................................................................................. 6
Generation of Data ............................................................................................................ 6
Project Completion ............................................................................................................ 6
COMMERCIALS ................................................................................................................... 7
Fee Breakdown ................................................................................................................. 7
Payment Schedule ............................................................................................................ 7
Payment Term ................................................................................................................... 7
TERMS AND CONDITIONS.................................................................................................. 8

EXECUTIVE SUMMARY

BLACKPERL DFIR wants to set up a Data Pool for validating detection rules created from Sigma
rules, which will be converted to Splunk Search Processing Language (SPL). The program will be
conducted by the BlackPerl DFIR team of experienced cyber security professionals who have years
of hands-on experience in the field. In this proposal we focus on the following high-level
objectives:

1. Ingest benign data into Splunk from various feasible sources such as application servers,
operating systems, databases, email servers, web servers, miscellaneous files, non-log
files, etc.

2. Ingest malicious data into Splunk from various feasible sources such as EDR and VM tools.

3. Research popular malware and attack feeds and simulate the IOCs to perform the
attacks on an endpoint, sending the logs to Splunk via various logging channels such as
Sysmon and Windows Event Logs.

4. Leverage open-source attack libraries to frame the attacks, such as APT Simulator, Atomic
Red Team, Infection Monkey, Caldera, etc.

5. Leverage threat intel repositories such as MalwareBazaar, VirusTotal, Intezer, GitHub,
Pastebin, Telegram feeds, etc. to download malware samples and send the logs after
detonating them on machines.

6. Research sending AWS logs to Splunk.

7. Populate a separate index for each type of log being ingested.

8. Record and document the data being populated, with the following specifics:

a. The number of threat actors and their names
b. The number of malware instances and their names
c. TTPs (Tactics, Techniques, and Procedures) coverage
d. Any CTI (Cyber Threat Intelligence) reports detailing an attack or threat actor for
which we have data in Splunk
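The objectives above describe a validation loop: a Sigma rule is converted to SPL, the search is run against the pool of benign and malicious events, and the rule's coverage is documented. The following is an added example, not code from the proposal or from BlackPerl DFIR: a deliberately small Sigma-to-SPL converter (single selection, `contains`/`endswith`/`startswith` modifiers only; a real conversion would use the sigma-cli Splunk backend), the same selection evaluated over a constructed, labelled event pool to count true and false positives, and the ATT&CK technique IDs extracted from the rule's tags for the coverage report. The rule, the events and the field names are all constructed for illustration.

```python
import re

# Constructed Sigma-style rule (hypothetical; not a rule from the proposal).
RULE = {
    "title": "Encoded PowerShell Command Line",
    "logsource": {"product": "windows", "service": "sysmon"},
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {
            "EventID": 1,
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": "-enc",
        },
        "condition": "selection",
    },
}

# Constructed data pool. Each event carries a label so validation can count hits;
# the last benign event is a deliberate false positive (an encoded command that
# a legitimate management script might issue) to show what the pool surfaces.
POOL = [
    {"label": "malicious", "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"label": "malicious", "EventID": 1, "Image": r"C:\Tools\PowerShell.EXE",
     "CommandLine": "PowerShell.EXE -EncodedCommand dwBoAG8A"},
    {"label": "benign", "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"label": "benign", "EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": ""},
    {"label": "benign", "EventID": 1, "Image": r"C:\Program Files\Git\cmd\git.exe", "CommandLine": "git fetch --all"},
    {"label": "benign", "EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc ZwBlAHQA"},
]


def _spl_quote(value):
    """Quote a value for SPL, escaping backslashes and double quotes."""
    s = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{s}"'


def _split_field(key):
    """'Image|endswith' -> ('Image', 'endswith'); 'EventID' -> ('EventID', None)."""
    name, _, modifier = key.partition("|")
    return name, modifier or None


def to_spl(rule, index):
    """Render a single-selection Sigma rule as an SPL search (toy converter)."""
    if rule["detection"]["condition"] != "selection":
        raise ValueError("this toy converter only handles 'condition: selection'")
    terms = [f"index={index}"]
    for key, value in rule["detection"]["selection"].items():
        field, modifier = _split_field(key)
        if modifier == "contains":
            terms.append(f'{field}={_spl_quote("*" + value + "*")}')
        elif modifier == "endswith":
            terms.append(f'{field}={_spl_quote("*" + value)}')
        elif modifier == "startswith":
            terms.append(f'{field}={_spl_quote(value + "*")}')
        elif modifier is None:
            terms.append(f"{field}={_spl_quote(value)}" if isinstance(value, str) else f"{field}={value}")
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
    return " ".join(terms)


def matches(rule, event):
    """Evaluate the same selection against one event, case-insensitively as Sigma/SPL do."""
    for key, value in rule["detection"]["selection"].items():
        field, modifier = _split_field(key)
        actual = event.get(field)
        if actual is None:
            return False
        if modifier is None:
            if isinstance(value, str):
                if str(actual).lower() != value.lower():
                    return False
            elif actual != value:
                return False
            continue
        a, v = str(actual).lower(), str(value).lower()
        if modifier == "contains" and v not in a:
            return False
        if modifier == "endswith" and not a.endswith(v):
            return False
        if modifier == "startswith" and not a.startswith(v):
            return False
    return True


def validate(rule, pool):
    """Count true/false positives and negatives over a labelled pool."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for ev in pool:
        hit = matches(rule, ev)
        bad = ev["label"] == "malicious"
        counts[("tp" if bad else "fp") if hit else ("fn" if bad else "tn")] += 1
    return counts


def attack_coverage(rules):
    """Collect ATT&CK technique IDs from Sigma tags for the coverage section of the report."""
    ids = set()
    for r in rules:
        for tag in r.get("tags", []):
            m = re.fullmatch(r"attack\.(t\d{4}(?:\.\d{3})?)", tag.lower())
            if m:
                ids.add(m.group(1).upper())
    return sorted(ids)


if __name__ == "__main__":
    print(to_spl(RULE, "sysmon"))
    print(validate(RULE, POOL))       # one benign encoded command shows up as a false positive
    print(attack_coverage([RULE]))
```

The point of running the rule over a pool that contains benign encoded commands as well as attack simulations is that the false-positive count becomes visible before the rule is deployed; a rule validated only against malicious samples looks perfect and then pages the SOC on the first legitimate management script.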

DOCUMENT OBJECTIVE
This document has been prepared by BlackPerl DFIR to formalize the proposal for
creating Data Pool for SystemTwoSecurity.

DOCUMENT CONTROL

TYPE OWNER Date (DD/MM/YYYY)

First Version Archan Choudhury 08/07/2024

QA Sayan Kr Dey 08/07/2024

Final Edit Archan Choudhury 09/07/2024

QA Souvik Biswas 09/07/2024

Release Archan Choudhury 09/07/2024

OVERVIEW
We believe in equal learning opportunities, growth and solving security problems around the
world in the InfoSec domain. Our instructors design courses that are easily accessible to everyone
and MOST budget friendly. Our Security Engineers work towards building successful security
products and Research & Development, and provide services for Security Operations, Detection
Engineering, VAPT and more. You can download a handful of resources during each
course for better learning. We are dedicated to bringing more courses so you can have a larger
variety of courses to choose from. Our focus is to provide you the BEST KNOWLEDGE in a cost
effective way!

BLACKPERL DFIR Academy team is much more than just course builders. We aim to facilitate
everyone, so they achieve their learning goals. We want you to become the change makers of
tomorrow so that you can inspire others around you.
More About us:
• Official Website- https://blackperldfir.com/
• LinkedIn- https://www.linkedin.com/company/blackperl/

We have our Service Line Vertical, through which we provide the following services for our clients:
1. Cloud Security Assessment
2. Cloud Security Posture Management
3. Security Operations- MSP Offerings
4. Detection Engineering as Service
5. Security QA as Service
6. Incident Response and Digital Forensics as Service

Why choose us
It’s our attention to the small stuff that makes a big impact. You want results, and we have found
that the best way to deliver them is to train through a live, hands-on, best-in-class curriculum,
which we promise to deliver in each of our workshops and training programs. When we take up any
engagement project for our clients, we work towards building relationships. Our prices are very
fair. We don't believe in just making money; we believe in providing you with the best knowledge
and service, and in helping you grow.

Our significant training and engagement program, which also leads toward the scope of this
document, is creating labs and simulations for our students. This is our flagship model,
developed to teach professionals how to work on a Detection Engineering pipeline and build out
solid detection capability with the ability to do sound Incident Response, Forensics and Threat
Hunting. We have been working closely with global innovation partners in this space.

We make sure you as a learner have enough leads and skills to go into the jungle and hunt for
your own need!

Meet the change makers


• Archan Choudhury: CEO of BlackPerl DFIR, has been working in Security Operations
for more than 10 years now. Has worked in different flavours of industry, from IT, FMCG and
Retail to the Banking sector. Has extensive experience in handling DFIR, Threat Hunting,
Security Engineering, SecOps, Cloud DevSecOps and more.

• Debjani Bandyopadhyay: Co-Founder of BlackPerl DFIR, has worked in the security industry
for more than 8 years, having started her career as a developer. Understands the inclusion of the
SDLC process in Security Operations and its impact on a shift-left strategy.

EXECUTION METHODOLOGY
Agreement and Scope Finalization
• In this phase we will finalize the work agreement and the scope of the project.
• Necessary permissions and documentation (NDA, Contract) will be completed.
• We will also obtain the access required to perform this project.

Resource Allocation
• BlackPerl DFIR will allocate the following resources to complete this project within the timeline:
o Principal Security Engineer: 1
o Lead Security Engineer: 1
o Junior Security Engineer: 2

Identification of Log Sources
• In this phase, BlackPerl DFIR will identify the log sources and the potential threat vectors
and attacker groups against which the simulation will be built.
• After identification, BlackPerl DFIR will deploy the log sources in the Cloud (AWS
infrastructure provided by the Client) and On-Prem (if required, at the BlackPerl DFIR site).
• BlackPerl DFIR will use open-source and custom-made simulators to ingest malicious
data, so this infrastructure will also be built in this phase.

Generation of Data
• In this phase, BlackPerl DFIR will start working towards sending the logs to Splunk, into
the identifiable indexes.
• BlackPerl DFIR will start documenting the work to show what kind of data is being
populated.

Project Completion
• Upon completion of the full set of rules, BlackPerl DFIR will provide a completion
report with all specifications of the data being populated. Project completion can be
identified by the following statistics:
o Approximately 500 MB of data ingested.
o Coverage of the top 5-6 attack groups' data ingested, consisting of
different TTPs.
o Benign data ingested from at least 3 different log sources.
o Malicious data ingested from at least 3 different log sources.
o Coverage of different TTPs from the ATT&CK framework that are relevant or in scope.
o Coverage of the data ingested against the TI reports given by the client.

• Considering the approximate volume of work, the project will take 4 weeks to
complete. The tentative check-in date is 07/08/2024 (7th August 2024).

COMMERCIALS
We are committed to using our resources responsibly to assist you in obtaining maximum benefit
from this initiative. Our commitment to you is total client service for a fee that we believe is fair
and reasonable for the services provided. Our firm’s people and resources will be available to
you, when required, to work in a co-operative and interactive environment with the objective of
providing the maximum benefit to your organization.
We have carefully considered the approach required for the current project, and due to our strong
interest in developing an ongoing relationship with your organization, we have prepared the below
quote.

Fee Breakdown
The following table depicts the fee breakdown by engagement phases.

OFFSITE ENGAGEMENT                                                              USD

Completion of the 1st Phase of Data Ingestion as explained in Project Completion   7000

• The above amounts are net payable to BlackPerl DFIR excluding any taxes, Octroi and transfer
fees.
• There will be a flat 18% IGST rate applicable on the cost.

Payment Schedule
Invoices shall be submitted and payable as follows:
• 50% of the program cost at the time of Contract and Agreement Sign-Off

• 30% of the program cost when the project is 80% complete.

• Final 20% of the program cost at the time of Delivery.

Payment Term
• 5 business days from the date of invoice

TERMS AND CONDITIONS


1. LIMITATION OF PERFORMANCE
BlackPerl DFIR cannot be responsible for extra costs, delays in completion, incorrect
information, or errant conclusions caused by any of the following:
▪ Accident or Disaster; including, but not limited to fire, water, wind, vandalism, acts of
war, terrorism, or other man-made or natural disasters.
▪ Insufficient time; including time required for BlackPerl DFIR to obtain any necessary
information from Customer or third parties.
▪ Lack of access; including adequate access to Customer personnel and data as
required or adequate access to third parties and data as required.
▪ Inaccurate or incomplete data; including data provided by Customer, its employees,
representatives, agents, or other Customer directed source, or industry sources
reasonably and professionally expected to be accurate.
▪ Defective material or workmanship or failure to perform by third parties; including but
not limited to software, hardware, communications systems, consulting, programming
and other provisions supplied by third parties.
▪ Obsolescence; including service on application or system programs no longer
supported by the manufacturer, publisher, or other industry.
▪ Internship and placement: We would like to inform you that while we make every effort
to assist our students in securing employment opportunities, we cannot guarantee job
placements. However, our program is designed with a comprehensive curriculum and
industry-relevant training to equip our students with the necessary skills and
knowledge to succeed in the job market with a high degree of confidence.

2. EMPLOYEE ASSIGNMENTS/SUBCONTRACTORS
BlackPerl DFIR reserves the right to determine the assignment of its employees in the
performance of the Statement of Work. BlackPerl DFIR reserves sole discretion to
subcontract any service or portion of service that it deems necessary.
3. TAXES
All GST, sales, use, or similar taxes imposed on the services or materials supplied if
applicable, shall be added to the charges stated herein and shall be paid by the
customer.
4. REMITTANCE
BlackPerl DFIR reserves the right to withhold services hereunder if Customer’s account
is past due. Customer shall pay all costs involved in collecting its overdue accounts
including reasonable attorney’s fees.
5. INCIDENTAL AND CONSEQUENTIAL DAMAGES
BlackPerl DFIR shall not be liable for interruption of Customer’s business or operation,
for loss of profit by the Customer, for incidental or consequential damages or for claims
by third parties against Customer. BlackPerl DFIR’s total liability hereunder, including but
not limited to, any alleged negligence of BlackPerl DFIR shall not exceed the amount
paid for professional services by Customer to BlackPerl DFIR hereunder. BlackPerl
DFIR MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING
WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR
A PARTICULAR PURPOSE WITH RESPECT TO THE MATTER HEREOF, SERVICES
TO BE PERFORMED BY BlackPerl DFIR PURSUANT TO THE TERMS HEREOF, OR
MATERIAL TO BE SUPPLIED HEREUNDER.
6. ASSIGNMENT OF AGREEMENT
Customer shall not assign this Professional Services Agreement nor any of its rights
hereunder without prior written approval of BlackPerl DFIR. Any such assignment
without the consent of BlackPerl DFIR will cause immediate, automatic termination of
BlackPerl DFIR’s obligations hereunder.
7. DISPUTE RESOLUTION
The parties agree that any dispute arising hereunder will be resolved as quickly as
possible. This Agreement shall be governed by the laws of India and is deemed made
and to be performed at Bangalore, India.

8. NON-SOLICITATION OF STAFF
Customer and BlackPerl DFIR, shall not, directly or indirectly, on behalf of themselves or
for others, solicit each other’s employees or sub-contractors working on the project
defined by this SOW, during this or any subsequent service engagement for a period of
two years following completion of the most recent service engagement, including Change
Orders.
9. CONFIDENTIALITY
Both parties agree to maintain in confidence and not to disclose to any third party or
organization, without prior written consent from the other, knowledge or data relating to
product, processes or operations of the other.
10. INDEMNIFICATION
Both parties shall indemnify each other and hold any of their affiliate companies,
officers, directors, agents and employees, free and harmless from and against all claims,
costs, liabilities, judgments, damages and expenses arising out of or related to:
• A party’s breach of any warranties or representations made in this Agreement;
• Any claimed infringement or violation of intellectual property rights to any third party;
• A party’s failure to comply in a material respect with any law, statute or regulation,
unless the claim arises out of or is a result of its breach of the Agreement.

11. ENTIRE AGREEMENT


This Agreement contains the entire agreement and understanding of the parties hereto;
neither party is relying on warranties, representations or other matters extrinsic to this contract
except as otherwise specifically provided herein. The terms and conditions of the Agreement
shall prevail over any contrary terms contained in any purchase order.
