Experiences
My current responsibilities as the incident response team leader involve many aspects of cyber defense, such as providing technical skills to improve the detection, handling and response to security incidents.
- Conduct digital forensics to support the goals of incident response in various scenarios, including insider data theft investigations, ATM hacking, fraud, and data leakage
- Conduct realistic adversary simulations and incident response plan readiness assessments based on customer requirements
- Analyze malware discovered during incident response or as requested by customers. The analysis involves various kinds of crypto-jacking malware, initial access droppers, and ransomware, helping our customers contain and eradicate threats in their environment.
- Develop a cyber threat intelligence platform to enhance the visibility of SOC operations. Relying on open source intelligence techniques, the platform can ingest and process more than two hundred thousand unstructured indicators from a hundred sources a day
- Contribute to various open-source projects, such as
  - Malware Information Sharing Platform (MISP) and its container version (misp-docker)
  - minemeld-node-prototypes for Palo Alto Networks' MineMeld engine
  - Integrating MISP, TheHive and Cortex into a single container-based environment, called mthc
- Develop a data leakage detection platform for faster remediation once a leak appears. The platform can detect and alert on data leakage on public sites, including Pastebin
- Develop a hardening toolkit for many operating system platforms based on CIS guidelines to enhance operational security, automated with Ansible and Docker
- Have experience with various endpoint protection and endpoint detection and response platforms, including Carbon Black, SentinelOne, Cylance, Symantec, CrowdStrike, Sysmon, GRR, and osquery.
Certification
- GIAC Reverse Engineering Malware (GREM) - 6282
- GIAC Certified Incident Handler (GCIH) - 32837
- EC-Council Certified Incident Handler (ECIH) - ECC88454796053
- CompTIA Security+ CE - FG46WHTHLP4E1XSK
Presentation
- As an ExSec Academy instructor, I am responsible for the passive information gathering and post-exploitation techniques courses. The slides can be found below.
- Passive information gathering - a short introduction to passive reconnaissance for security assessment
- Fileless attack, lateral movement, and data exfiltration
- Presented at MissConf#(SP5) on APT-based Security Assessment and Detection - adversary simulation/emulation from a blue team perspective
Contact
- Twitter @pe3zx
- PGP key available on Keybase.io
- Chat with me via Keybase Chat