Cyber Threat Hunter
• Responsible for identifying system and network anomalies combined with threat intelligence artifacts to identify indicators of attack/compromise with the goal of detection & response as early in the kill chain as possible – Focused on developing baseline understanding of Launch Engineering environment through Discovery scans to create more accurate asset inventory and hunted anomalous traffic patterns using a variety of SPL approaches in Splunk and SplunkES• Used Nmap results and Wireshark to identify PPS misconfigurations on Launch Engineering systems – Communicated these findings to CFC team for coordinated remediation with system owners• Monitored external Threat Intelligence sources to determine applicability to ULA systems and proved/disproved hypotheses pertaining to ULA’s susceptibility to successful attacks through targeted threat hunts based on Splunk ES notables• Used MITRE ATT&CK Framework as a guide to identifying system and network behaviors/configurations that increase the attack surface• Created reports and alerts in Splunk to meet NIST 800-53, NIST 800-171 & CNSSI 1253 compliance requirements resulting in successful closure of associated POAMs – Recognized with award from management• Created Threat Hunting dashboard in Splunk to graphically visualize anomalous outbound network traffic destinations, timing and patterns• Fed results from pingsweeps and Nmap scans to members of CFC team to improve coverage levels for toolsets requiring agents (such as Nessus, Device42 and Wazuh)• Worked as part of engineering team to implement improved log aggregation from log sources originating from restricted environment – Initial solution involved creation of Linux service file calling custom script running tcpdump to capture raw log traffic to a Splunk-ingested file – Solution evolved into more permanent design featuring syslog-ng aggregators running on dedicated VMs using Splunk Universal Forwarders to direct logs toward Splunk Search Head for ingestion