SUMMARY:

• Outbound network traffic to known malicious websites
• Abnormal outbound communication with higher - risk geographical regions
• Anomalous outbound network traffic (to include non-standard HTML and UDP traffic)
• Anomalous internal system communication
• Unusual movement of data between internal systems
• Unexpected login usage (times, locations)
• Irregular access by privileged user accounts
• Cloud storage data exfil and C2 beaconing
• Large number of requests for the same file
• Symmetric sessions non-varying quantity cumulating to large data-exfil
• Provide breach response within the following measures:
• After an indicator has been identified: resolve suspect IP to a hostname or DNS
• Uncover the authentication dates & times of compromised user accounts or Active Directory computer accounts
• Develop leads and quarantine as required based upon network and host forensics until a scope of breach has been determined
• Enhance, increase visibility and awareness to address Indicators of Compromise
• Create capabilities to further enhance incident response and triage function
• Decrease attacker surface by effective system hardening, stifling attempts of lateral movement, credential theft, and evasion
• Creating tactical defenses for the gaps left-behind of vendor "white-box" solutions
• Tracking and analysis of the development and proliferation of these threats and group actors:
• ExploitKits: Fiesta, Sweet Orange, RIG, Nuclear, FlashPak
• APT's: APT Axiom, Hikit/HiddenLynx "Panda" APT groups, Carberp, APT12, Sandworm
• Point-of-Sale Malware: Chewbacca, Backoff, BrutPOS, BlackPOS
• Bots/Botnets: GameOverZeus, ZeusCoiner, Asprox, Pandemiya, iBanking, Sality, Kargen
• Currently buried in document, research, and threat analysis produced by vendors and Large private sector consulting/IR firms.
• Enhancing already founded powershell skillset through the use of IR-related products such as: PowerSploit, IRCollect, PoshSec, invoke-Ninjacopy, PCAT, Kansa, Admon.ps1, ServerRiskReport.ps1 <- Contact.Josh.com
• Collection and advance research patterns DNS researchers and passive DNS technologies methods of threat analysis, such as Damballa and other whitepapers
• Enlist attributes of system administration threat-model into analyst methodolgy, active directory, powershell, exchange administration, group policy, built-in windows firewall utilization for network segmentation
• Development of interrogating infosec policy frameworks NERC, FISMA, SOX, PCI for benefits and gaps
• In corporate existing framework methodologies into easier to implement step-by-step mandates, reducing FUD
• Update statistical modal approaches, large data-set models of threat vectors, to include, RSA enVision, Netwitness, Hadoop, massive malware analysis and triage, strings, and reverse engineering using big data
• Creating on-hand ruleset of implementation guidelines of threat-vectors for SIEM integration
• IDS/IPS evasion techniques and vendors best equipped to provide actual/legitimate threat reduction
• State up to date on latest development of actionable intelligence feeds and blogs RSA FirstWatch, CrowdStrike, ImmunitySec, MalwareDontNeedCofee, KrebsOnSecurity, GRC Security Now, Xylibox, TrendMicro, Spiderlabs, ThreatConnect, ThreatGrid, FireEye, ObscureSec, McAfee, Verisign, and Damballa.
• Firewall and Monitoring specialization .
• Maintain online presence in communities of ThreatConnect, AlienVault OTX, CrowdStrike communities, with future plans to join Invincea Research CrowdSource initiative and NSSLabs.

PROFESSIONAL EXPERIENCE:

Confidential, Clearwater, FL

Senior Security Analyst

Responsibilities:

• Securing the Incident Response process by vetting undetermined yet apparent links in the threat-killchain. Protecting the global WAN/LAN from areas of compromise such as: malware, APT groups, internal asset, misuse, and improbably identifiable threats by conventional IPS
• Perform digital forensics in incident response using common freeware tools. Examining host to further develops IOCs for internal use, reporting, and threat vectoring.
• Proficiency in power shell scripting to add to an already developed skill set in windows command line and debugging tools.
• Creating firewall and IDPS signature rules with ease using Regex queries to delineate false-positives to truthful malicious behavior.
• Picked routinely to deliver statements and communications within and external to the department and organization for the purposes of translation of technical objectives to business end-goals.
• Proficient in the area of security response through PCAP analysis.
• Work in tandem with analyst partners from Mandiant as incidents/breaches happen. Convey logs, analysis of intrusion, working timeline of intrusion to Mandiant consultants to broaden the perspective of analysis and speedup resolution or closure of the incident
• Group Policy recommendations and hardening based upon best guidance and practice by NIST and Defense standard publications
• Event correlation of logs through personal analysis through the use of log parsing and basic scripting by creating pivots and swivels that the current in-house SIEM would not duplicate.
• Vet log alerts and IDS warnings through the use of packet captures, post-intrusion or event or correlate markers with up-to-date open-source intelligence verifiable and known threat vectors.
• Verify that the use of tools in the corporate suite of products were capturing real-time relevant events and had up to date signatures and were providing helpful details to the team and event correlation amongst these products: Symantec Cloud Security, Symantec SEM, Sourcefire FirePOWER, Cascade NetFlows, Mandiant Intelligent
• Utilize scripting to facilitate group policy changes to harden the system level if group policy processing is circumvented
• Standardize settings across LAN and WAN of GPO objects to ease and ameliorate attack surface and reduce troubleshooting conflicts

Confidential, Tampa, FL

Senior Systems Administrator

Responsibilities:

• Perform T2/T3 Exchange duties as requested or if need-impact arises due to service outage, and draft SOP policy troubleshooting manual for all onboard engineers and admins to expedite resolution, diagnose, and clarify Exchange system failures or SLA dives
• Triage to root-cause analysis and network forensics on servers to dispute ticket resolution, management conflicts, and create in-depth understanding for fellow admins and create analysis reports to deconflict management-to management resolution across service departments
• Familiarize junior administrators on the use and benefits of powershell scripts for the use of Active Directory auditing, log-file analysis, commandline based querying to include wmi, enhance Exchange system daily system checks through the use of powershell
• Exchange message tracking and perform message routing resolution within the environment, across the enterprise resolving conflicts with third-party accounts, email forensics and secure removal as required
• Log file analysis and correlation of events to troubleshoot the cause of service failure, drop in connectivity, or administrative misconfiguration or human-error
• Group Policy alterations based on service manager’s request tracked through BMC Remedy, and include Group Policy Object rectification when cause linked to server performance problem or incident arises
• Create solutions when ‘no quick easy-fix’ is clear then route team-members to most stable way to solution

Confidential, Miami, FL

Senior Systems Engineer - CyberSecurity Analyst

Responsibilities:

• Perform daily network traffic analysis, investigating possible threats, providing ongoing risk evaluation of session data through the use of monitoring tools such as Netwitness, Snort, and Arbor Networks Peakflow
• Validate efficacy and safety of firewall rules through session-data analysis
• Analyze incoming packet sessions with RSA Netwitness and outbound traffic sessions to identify possible and confirmed threats covering an array of threat vectors such as: email, reconnaissance, service misuse, file downloads, Black Hole and other exploit kits, beaconing of infected/compromised hosts, correlation of uncommon relationships such as non-HTTP traffic on port 80 with uncommon user-agent strings, one-way single packet sessions with a same time-period, java jar in proximity to PDF and executable download directly from an IP and not an alias domain
• Constructed malware analysis virtual machines, incorporating freeware and opensource software to determine “post-infection” behaviors of malware for identification of compromised hosts. Thus decreasing delays between identification and further investigative action, by circumventing wait-times by a 3rd-party service and an upper-tier in-house analysis department who supported efforts of this program.
• Utilized sandbox technologies, such as CWSandbox, Norman, Anubis, Sandboxie for dynamic analysis of malware samples
• Manipulating data sets during incidents to further tell the tale of clarity to the client regarding a breach or misuse of network resources, understanding the difference between the “right data” and “too much” data for the clients' eyes, understanding a big-data mentality is required to handle this generation's cyber threat qualms.
• Performed independent work and research for mal-analysis threat assessment lab.
• Organized team objectives and tasks based upon necessity and opportunity, as collective mission aligned with team orientated exercises
• Vulnerability assessment and reporting using Retina eEye and recommendations of correction of finding
• Research latest “in the wild” threat-vectors and apply threat intelligence with RSA Netwitness within the scope of the customer’s environment and applicable to customer's LAN/WAN behavioral characteristics, thus improving rules to enhance detection accuracy and vetting
• Pentesting analysis, scope and draft proposal of areas of risk
• Relate log file traces to threat activity and parse entries to undermine unrelated activity to threat relationship among systems and user generate activity
• ALL FINDS IDENTIFIED ONLY THROUGH HUNTING WITH NETWITNESS 9.8v (Security Analytics) not much of any IDS work required. *** This role/duty provided Managed-Services in a SOC level environment ***

Confidential, Tampa, FL

Systems Engineer

Responsibilities:

• Responsible for patching and security updates to command desktop systems, coordinating implementation with Information Assurance and Change Management, and resolving other client-based issues
• Meet semi-weekly with Information Assurance and Change Management to discuss ongoing remediation efforts, maintaining patch-level mandates, and attaining requirements of service level agreements
• Mitigate high-priority and lesser Information Assurance Vulnerability Alerts (IAVA) with respect to mandatory deadlines and lower priority IAVAs and Information Assurance Vulnerability Bulletins (IAVB)
• Openly clarify risk exposure and methodology required to reach service objectives
• Patch Management of USSOCOM LAN/WAN 8,000+ command-wide systems (application updates, security patches, and anti-virus) and reporting
• Perform security vulnerability assessments and remediation to harden windows systems, build servers and workstations according to JAFAN and DISA requirements
• Troubleshoot connectivity issues between network nodes for the resolution of service connectivity
• Convey to the data custodian where technological resources are supporting mission requirements, impacting negatively mission objectives, or pose risk to compromise
• Contribute to the drafting of initial and maintaining of SSAA documentation for multiple airgapped systems and served as agent to proxy high-to-low classification transfers
• Reviewed practices and procedures to minimize threat to data exposure and data leakage to security incidents
• Assist customers in minimizing risk to security incidents by encouraging adherence to best practice and the structure of implemented MAC and DAC
• Consulted customers on the review of non-attributable solutions and obfuscation of client-side footprint via lessermore-feasible than-high-economical approaches to lessening digital/cyber footprint via practical analysis and software tools
• Unix DBA of security database, responsible for running back up and consistency checks

Confidential, Tampa, FL

Network Administrator

Responsibilities:

• Develop end-user acceptable use and network use policies
• Draft disaster recovery and IT-centric BCP
• Patch management of network systems and servers
• Server maintenance of ailing hardware
• Windows 2003 Active Directory Domain administration, with file and print
• ACT 6.0-9.1 administrator
• Customer liason between Corporate IT and subsidary
• Rack infrastructure repair and cable genie
• Hardware troubleshooting to include, server upgrade, drive and disk, rackmount chassis installation, back drive and rape replacement, optical drive, SCSI adapter
• Backup engineer and offsite coordination of routine/weekly/monthly archives
• Windows 2003 Group Policy

Confidential, Tampa, FL

IT Consultant

Responsibilities:

• Server rehaul and adjustments
• Client-facing administration
• Backup services, file and print tweaking/upgrades, installation of new client software
• Inhouse maintenance and provision of new hardware of back-end services
• Rebranding of key concepts to encourage loyal customer reception

Confidential

Office Technology Coordinator / Server Engineer

Responsibilities:

• Create accounts, manage permissions, grant network requests, monitor file replication from satellite offices, and recover data from email, backup, and hard drives
• Spam and wireless security administrator
• Test backup restores, price and purchase software, equipment, and licenses, maintain server images, lifecycle and roll-out desktops
• Coordinate system use and security efforts with regards and compliance to HIPAA standards
• Policy creation, and IT Hardware and Software Budget Executor, from needs requirements assessed to product hand-off to department or end-client/user
• Windows 2003 Server file and print administration
• Citrix Metaframe Presentation server desktop published application creation and maintenance
• Server hardware replacement to include: CPU socket and board, RAM, backplane, drive arrays, and chassis reconfiguration
• Test lab creation for pre-deployment and patch efficacy, pre-break-fix analysis
• SUSE Linux firewall/vpn troubleshooting, when required

Confidential

Network Administrator

Responsibilities:

• GroupWise email distribution list and mailbox setup and maintenance
• Group Policy configuration and tweaking, as needed, to prevent system and settings tampering/misconfiguration
• File and Print services management, including DAC file permissions as well as MAC
• Server hardware replacement and remediation as hardware failures occurred
• ArcServ and BackupExec services admin
• Windows 95/98 SE/ XP Pro client upgrade migration
• Malware cleaning on reoccurring instances
• Website maintenance
• Novell eDirectory Admin, and Windows Active Directory Administrator