Cyber/Detection Engineer Resume
SUMMARY:
- Excellent verbal and written communication skills.
- Strong analytical skills and background.
- Extensive knowledge of network security and monitoring tools.
- Extensive knowledge of cryptography, cryptographic algorithms and PKI architecture.
- Works efficiently with little or no supervision and meets deadlines.
- Eager and willing to learn.
TECHNICAL SKILLS:
Programming Languages: C/C++, Visual Basic, Java.
Operating Systems: Windows, Unix, Mac OS.
Intrusion Detection Systems: NIDS (Snort, Sourcefire IDS, Enterasys Dragon); HIDS/forensics (Carbon Black, Tanium).
Network Devices and Servers: Dell PowerEdge servers, Check Point Firewall, PIX Firewall, Raptor Firewall, Norton Personal Firewall, Cisco VPN configuration, VMware Workstation, VMware Server, GSX/ESX Server.
Security Management: ArcSight (SIM/ESM), Nitro, FireEye, BigFix management console, Sourcefire Defense Center, Enterasys console manager, Blue Coat Proxy console, remote administration (VNC, PuTTY), LogRhythm, Imperva Web Application Firewall, Tripwire Enterprise SIEM, Splunk.
Scanning and Logging: Nmap network scanner, Retina, Tenable, Splunk.
Incident Management: risk and threat analysis, research and assessment, ServiceNow, Remedy.
Network Compliance and Security Remediation: McAfee AV software, Symantec Endpoint Protection (SEP), BigFix, Cylance.
PROFESSIONAL EXPERIENCE:
Cyber/Detection Engineer
Confidential
Responsibilities:
- Reviewed intelligence reports daily on different actor groups, determining the TTPs, attribution and tools used by each group. This was used to create detection artifacts and content to identify such activity directed at the organization.
- Intensive review of malware artifacts attributed to most actor groups: obtaining samples of the malware and analyzing them in a sandbox to determine their behavior, and ensuring that coverage (hash, signature, content) exists in the environment for the malware.
- Extensive phishing email campaign analysis to determine whether campaigns were targeted and which group was behind them. Worked in PhishMe Triage and Proofpoint to determine recipients and take appropriate action as necessary.
- Used Tanium for endpoint investigation, writing queries on process, registry and file modifications and installations, and sweeping endpoints for specific behaviors to detect intrusions and malicious activity.
- Hunted for anomalous traffic using Splunk Enterprise Security, Security Analytics and Imperva to detect malicious traffic and initiate remediation procedures.
- Using an in-house forensics package, conducted deep-dive analysis on systems, including memory analysis and traffic/timestamp analysis, to determine the cause of infection. Using the same package, analyzed malicious documents and links embedded in emails.
- Worked as an incident management analyst to set up incident bridges, bring all affected parties together and quarterback the incident analysis and management session to remediate the incident, then put together a lessons-learned document on the incident.
- Packet-level analysis of triggered alerts (log analysis, port and protocol analysis, hex pattern matching analysis, source and destination IP address analysis) to more accurately determine an intrusion or hacking attempt and to distinguish false positives from true positives.
- Indicator-driven hunting and searching for malicious events: using IOCs obtained from OSINT and proprietary intel sources, performed log searches with these indicators to determine whether they match (have been seen in) traffic logs.
- Used MITRE's ATT&CK post-infection framework to map the behaviors of threat groups and malware and drive detection based on those behaviors.
- Snort signature management and support in Sourcefire: uploaded external and self-written signatures to Sourcefire to monitor for specific threats, tuning them in a DEV environment before uploading to the PROD environment.
- Worked with Foreground's proprietary automated threat intelligence platform to review data and intel on indicators generated by the platform, and used those indicators for hunting and traffic matching in the environment.
Security Analyst/Engineer
Confidential, Herndon, VA
Responsibilities:
- Worked as a security analyst in HP's Managed Security Services SOC in Herndon, VA. Using ArcSight as the main event SIEM, into which all event data from 18 clients was fed, I monitored traffic and event data on self-created channels using self-created filters to identify malicious traffic and patterns.
- Performed incident response tasks by triaging events, creating tickets, performing remediation duties and writing technical reports and lessons-learned reports to be delivered to external clients.
- Extensive knowledge of Splunk Enterprise Security setup, alerts and reports, using Splunk as the main log analysis and search tool to correlate events across multiple sourcetypes.
- Indicator-driven hunting and searching for malicious events: using IOCs obtained from OSINT and proprietary intel sources, performed log searches with these indicators to determine whether they match (have been seen in) traffic logs for any of the multiple clients.
- Threat management using the enterprise CylancePROTECT solution to quarantine files, push policies to clients' machines and maintain a safe and secure environment by globally quarantining files that have been determined to be malicious.
- Scanned for vulnerabilities using Tenable to identify critical, medium and low vulnerabilities on systems, and initiated a patch management schedule to patch systems with vulnerabilities that exceeded predetermined risk levels.
- Host forensics and monitoring using Carbon Black to delve into host systems and analyze processes, network connections, file modifications and registry data in order to perform forensics on individual hosts involved in incidents.
- Snort signature management and support in Sourcefire: uploaded external and self-written signatures to Sourcefire to monitor for specific threats, tuning them in a DEV environment before uploading to the PROD environment.
- Malware analysis using malware analysis tools and sandboxes to detonate malware, extract strings and IOCs for detection, extract C2 and callout domains from malware behavior during execution, and use the extracted data to build detection artifacts.
- Knowledge of APT actors and their TTPs as well as the specific tools/malware leveraged in their activities. Keeps up to date with various APT actors' expanding activities across government, financial institutions, aerospace, defense and hospital infrastructure to steal data and confidential information.
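The indicator-driven log search described in the hunting bullets of both SOC roles above, written out as an added example (it is not code from the original resume or from any of the employers named). It normalizes a small, constructed IOC feed, including defanged entries of the kind intel reports deliver, classifies each indicator, and matches it against constructed proxy log lines; every indicator, address, hash and log line is made up, and the log format is an assumption.

```python
"""Indicator-driven log search (added example, not from the original resume).

Normalizes a constructed IOC feed (domains, IPs/CIDRs, URLs, file hashes, some
defanged) and matches it against constructed proxy log lines. All indicators,
addresses and log lines are made up; the log format is an assumption.
"""
import ipaddress
import re
from collections import namedtuple
from urllib.parse import urlsplit

Indicator = namedtuple("Indicator", "kind value")

# Constructed IOC feed; hxxp and [.] are common defanging conventions.
RAW_IOCS = [
    "hxxp://update-check[.]example[.]net/stage2",
    "198.51.100[.]23",
    "203.0.113.0/24",
    "bad-cdn.example[.]org",
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",  # constructed SHA-256
]

# Constructed proxy log lines: "<ts> <client_ip> <method> <url> <dest_ip> <status> [sha256=<hash>]".
SAMPLE_LOGS = [
    "1700000000.101 10.0.0.5 GET http://update-check.example.net/stage2/payload.bin 198.51.100.23 200 "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "1700000000.102 10.0.0.7 GET https://cdn.bad-cdn.example.org/lib.js 203.0.113.77 200",
    "1700000000.103 10.0.0.9 GET http://www.example.com/ 192.0.2.10 200",
    "1700000000.104 10.0.0.9 GET http://notbad-cdn.example.org/ 192.0.2.20 200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<dest_ip>\S+)\s+(?P<status>\d+)(?:\s+sha256=(?P<sha256>[0-9a-f]{64}))?\s*$"
)
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def refang(raw):
    """Undo common defanging: hxxp -> http, [.] / (.) -> ., [:] -> :, [/] -> /."""
    s = raw.strip().lower()
    s = re.sub(r"^hxxp", "http", s)
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[/]", "/")):
        s = s.replace(defanged, real)
    return s


def classify(raw):
    """Turn one raw indicator into a typed Indicator: hash, url, ip (network) or domain."""
    value = refang(raw)
    if HASH_RE.match(value):
        return Indicator("hash", value)
    if "://" in value:
        return Indicator("url", value)
    try:
        return Indicator("ip", ipaddress.ip_network(value, strict=False))
    except ValueError:
        return Indicator("domain", value.rstrip("."))


def match_line(line, indicators):
    """Return the indicators that hit one log line (empty list if the line does not parse)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = m.group("url").lower()
    host = urlsplit(url).hostname or ""
    try:
        dest_ip = ipaddress.ip_address(m.group("dest_ip"))
    except ValueError:
        dest_ip = None
    file_hash = m.group("sha256")
    hits = []
    for ind in indicators:
        if ind.kind == "url" and url.startswith(ind.value):
            hits.append(ind)
        elif ind.kind == "ip" and dest_ip is not None and dest_ip in ind.value:
            hits.append(ind)
        # Exact host or a subdomain of it; "notbad-cdn.example.org" must not match "bad-cdn.example.org".
        elif ind.kind == "domain" and (host == ind.value or host.endswith("." + ind.value)):
            hits.append(ind)
        elif ind.kind == "hash" and file_hash == ind.value:
            hits.append(ind)
    return hits


def hunt(lines, raw_iocs):
    """Search every log line for every indicator; returns (line_no, kind, indicator) tuples."""
    indicators = [classify(r) for r in raw_iocs]
    results = []
    for line_no, line in enumerate(lines, 1):
        for ind in match_line(line, indicators):
            results.append((line_no, ind.kind, str(ind.value)))
    return results


if __name__ == "__main__":
    for line_no, kind, value in hunt(SAMPLE_LOGS, RAW_IOCS):
        print(f"line {line_no}: {kind} hit on {value}")
```

Domain indicators are matched on the exact host or a subdomain boundary rather than with a substring search, which is what keeps look-alike hosts such as notbad-cdn.example.org from producing a false positive; CIDR indicators are matched as networks so a single /24 covers every destination in it.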
Security Analyst
Confidential, Washington, DC
Responsibilities:
- Monitored the ArcSight SIEM to identify intrusions and malicious events from the IDS, firewall and AV logs fed into the SIEM.
- Monitored and configured multiple event consoles and SIEMs, such as the Dragon Enterprise console, Imperva Web Application Firewall, Tripwire Enterprise SIEM, Splunk and the SiteProtector host-based IDS console, to correlate events and identify malicious traffic.
- Packet-level analysis of data captured with Wireshark, including repackaging detected executables to determine maliciousness, such as specific callouts or backdoors.
- Used specific tools such as Blue Coat proxy, Sourcefire IDS and security websites to analyze security events and detect malicious traffic.
- Recommended specific signatures to be tuned in order to reduce the number of false positives detected by the IDS.
- Logged malicious hosts and domains and investigated phishing emails to determine whether links were malicious.
- Used the SEP Manager console to determine the health status (patches, infections, etc.) of systems and scanned hosts and subnets for infection.
- Daily review of authentication logs (failed and successful), parsing them according to predetermined thresholds for client reports and deliverables.
- Scanned network segments using Nmap and Nessus to determine open ports, installed software and versions, operating systems and vulnerabilities.
- Actively involved in day-to-day SOC activities such as configuration, monitoring, remediation, incident handling, product review and analysis.
- IOC-driven detection of threats and malicious actors, as well as expert knowledge of existing threat actor groups and TTP attribution.
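The threshold-based review of failed and successful authentication logs mentioned above, as an added example that is not code from the original resume or from the employer. It parses constructed sshd-style lines, keeps a sliding window of failures per source address, and flags both a source that crosses the failure threshold inside the window and a successful login that follows such a burst (the case a plain failure count misses). The hostnames, users and addresses are made up, and the threshold and window sizes are assumptions.

```python
"""Threshold-based authentication log review (added example, not from the original resume).

Parses constructed sshd-style log lines, keeps a sliding window of failed logins per
source address, and flags (a) a source exceeding the failure threshold within the
window and (b) a successful login that follows such a burst. Hostnames, users and
addresses are made up; the threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed lines: "<iso ts> <host> sshd[<pid>]: <Accepted|Failed> <method> for [invalid user] <user> from <src> port <n> ssh2"
AUTH_LOGS = [
    "2024-03-01T10:00:00 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2",
    "2024-03-01T10:00:05 bastion sshd[2002]: Failed password for root from 203.0.113.5 port 41023 ssh2",
    "2024-03-01T10:00:09 bastion sshd[2003]: Failed password for bob from 203.0.113.5 port 41024 ssh2",
    "2024-03-01T10:00:12 bastion sshd[2004]: Accepted password for bob from 203.0.113.5 port 41025 ssh2",
    "2024-03-01T10:00:30 bastion sshd[2005]: Failed password for alice from 10.0.0.8 port 50001 ssh2",
    "2024-03-01T10:00:33 bastion sshd[2006]: Accepted publickey for alice from 10.0.0.8 port 50002 ssh2",
    "2024-03-01T10:00:40 bastion sshd[2007]: Failed password for ops from 198.51.100.9 port 6000 ssh2",
    "2024-03-01T10:05:40 bastion sshd[2008]: Failed password for ops from 198.51.100.9 port 6001 ssh2",
    "2024-03-01T10:10:40 bastion sshd[2009]: Failed password for ops from 198.51.100.9 port 6002 ssh2",
]

AUTH_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+sshd\[\d+\]:\s+(?P<result>Accepted|Failed)\s+\S+\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)


def parse_auth(line):
    """Parse one line into a dict with ts, result, user and src, or None if it does not match."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect(lines, threshold=3, window=timedelta(minutes=2)):
    """Sliding-window threshold detection over the lines (assumed to be in time order).

    Returns ("brute_force", src, count) once per source that reaches `threshold` failures
    inside `window`, and ("success_after_failures", src, user) for a login that succeeds
    while that many recent failures from the same source are still in the window.
    """
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_auth(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:  # expire failures older than the window
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in alerted:
                alerts.append(("brute_force", ev["src"], len(recent)))
                alerted.add(ev["src"])
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", ev["src"], ev["user"]))
    return alerts


def summarize(lines):
    """Per-source failed/accepted counts, the raw numbers a client report is built from."""
    counts = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for line in lines:
        ev = parse_auth(line)
        if ev:
            counts[ev["src"]]["failed" if ev["result"] == "Failed" else "accepted"] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(AUTH_LOGS):
        print(alert)
    print(summarize(AUTH_LOGS))
```

The window matters as much as the count: 198.51.100.9 fails three times in the sample but five minutes apart, so with a two-minute window it never trips the threshold, while 203.0.113.5 trips it in nine seconds and then logs in successfully, which is the event worth escalating first.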
Security Analyst
Confidential, Woodlawn, MD
Responsibilities:
- Wrote virus and intrusion detection signatures for vulnerabilities and exploits by analyzing packet data and patterns for viruses and exploit code, to enable detection of such viruses and exploits.
- Packet-level analysis of triggered alerts (log analysis, port and protocol analysis, hex pattern matching analysis, source and destination IP address analysis) to more accurately determine an intrusion or hacking attempt and to distinguish false positives from true positives.
- Daily research and monitoring of security websites (Internet Storm Center, etc.) for the most recent vulnerabilities and for patches to existing vulnerabilities.
- Configured servers to be used for intrusion detection: installed the operating system and the Snort rules to be monitored.
- Installed the servers, connected them to the core of the network traffic and ensured they were receiving traffic and actively alerting on the baseline signatures I created for the intrusion detection process.
- Continuously updated the Snort ruleset, adding new signatures to monitor for future vulnerabilities, removing signatures no longer needed and tweaking signatures to meet network requirements and specifications. Performed signature updates remotely and on-site, ensuring that the network remained hacker-free 24 hours a day, and quickly responded from any location whenever I received an alert from other IDS team members.
- Daily research of existing and new security vulnerabilities, including 0-day vulnerabilities. These vulnerabilities were documented and network hosts were patched against them.
- Scanned for rogue (unknown) hosts on the network, including unauthorized network peripherals such as printers, laptops and PDAs, and took them off the network for compliance and proper identification.
- Was in charge of malware (adware and spyware) remediation for the organization. Identified new malware infections and removed them remotely using admin tools or by identifying the user and guiding them through a removal process.
- Analyzed security event data from the network (IDS sensors, firewall traffic and routers). Made decisions on ports to monitor for threats and harmful sites to be blocked by the firewall. Established a baseline for all the sensors deployed in various regions to monitor traffic; this baseline was created based on extensive research of various Bleeding Edge signatures.
- Made decisions on threats or vulnerabilities and responded to them by either shutting off the ports from which the attack occurred or pulling the system off the network to curb the attack, while checking for the source of the attack and taking the necessary action to restore the system to our network standard.
- Generated monthly FedCIRC reports (in which the SSA is the best among all government agencies), detailing our security status against threats and vulnerabilities. The report also contained details of the IDS, the number of infections and intrusions, and the steps taken to curb them.
- Scanned infected hosts using the McAfee antivirus tool. Scan results were analyzed for possible virus and malware infections, and malicious files were deleted or quarantined after analysis. Manually updated AV signatures or removed AV signatures that had yielded high numbers of false positives.
- Forensic analysis of exploited boxes and systems to trace the source of attack, the mode and method of attack and the extent of damage to information resources, as well as proposing solutions to combat future attacks by those means.
- As a member of the Intrusion Detection and Protection Team, my daily tasks include