


Threat Analysis
Threat hunting, malware analysis, and security monitoring through coursework, online labs, and my production work environment.
I have worked with several tools for threat analysis and have deployed them for a few different client environments.
Connect Secure - I have deployed this within several organizations on a mini-PC to set up as a discovery agent for all network-connected devices. This gives me a full-spectrum picture of everything that is in the network, along with what vulnerabilities there are that will need to be assessed. I set it up to scan Active Directory and build a report to show the organization what the security posture of the network looks like.
Huntress EDR - I vetted, deployed and tested this tool in my lab environment. I built malicious files and scripts to launch on my test server to see how long it took for the product to respond and to see what it responded with. After testing for a couple of weeks, I deployed this tool for the organization.
Datto EDR - I used this tool for several months in a production environment. My experience with it, while somewhat in depth, was not the best. I found that it was causing PCs to lock up and become unresponsive to the point that they were no longer productive. After removing this product, these issues seemed to stop. After weeks of investigation and working with the company's EDR team, I was not able to find a cause or resolution to this issue.
Incident Response
Gather in depth all information after an incident has been reported, and write up my findings.
I have worked two ransomware incidents since 2023, and while they were both the same cause and effect, they were very different scenarios due to organizational structure. In my first incident, I had noticed for a couple of weeks that the client's network was not functioning as normal. In that, access points would go down temporarily, switches would power cycle, and files that once were there seemed to go missing for users temporarily. Reading through logs, I wasn't really finding anything out of the ordinary. I brushed it off to the numerous updates that the servers were missing and decided to schedule a maintenance window for the weekend. The next morning, there were alerts from the ticketing system that the servers had gone offline. Employees began showing up for work and finding the ransomware letter on their desktops. That sinking feeling in the pit of my stomach hit and I knew what I had to do. The biggest mountain I had to climb was to dig through all of the logs that I could get to, which was only the firewall, and start trying to figure out what to tell the client. Unfortunately, this client did not have a BCDR or any sort of plan for this type of incident. I spent the next 10 days straight working eighteen-hour days to rebuild the entire network and get this office back operational again. Many different issues came up as I worked through this mess, but after 2 full weeks we were able to get the business fully operational again. We never found the cause of the incident, but I have a suspicion that it was a business email compromise (BEC).
My second incident was caused by a non-patched SonicWall firewall (CVE-2024-53704 – SSL VPN Authentication Bypass) and was attacked by the Akira ransomware group. This client was new to me and we hadn't completed the full change-over from the last IT company. That needed patch had been a hot topic internally for a couple of weeks. We knew if that didn't get resolved by us, it wasn't going to be patched. Unfortunately, the device was left exposed to the exploit and it was compromised. The threat actors encrypted the VHDX files on each VM, which is how the attackers were able to get in and ransom so quickly. We deployed the incident response plan and the disaster recovery plan in order to get the office productive again.
Cybersecurity Compliance
Worked as the incident response coordinator for ransomware attacks on clients.
In my current position, I have worked as the incident commander for these investigations and remediations. I was the liaison for the C-suite and the investors of both organizations that I wrote about above. Having a calm demeanor and staying focused on the facts only is important in these situations. After the first incident, I began researching how to write out an incident response plan and implemented what I learned for each of our clients one at a time. I spent many hours digging through the organization's network to find all of the information on every device, built an asset management system, and sketched all of the networks to have the proper documentation of the organization.
Operating Systems
Windows OS - The majority of my experience is with Windows PCs. I have worked in Windows since the launch of Windows 95. I have experience with Windows Server versions 2012 through 2025, with the majority of my experience with the 2019 version and Exchange 2016.
Linux OS - I started learning Linux in 2022 and have built a few different set-ups. I have Kali Linux running on my old laptop that I use for pen testing and playing in capture-the-flag challenges. I have Parrot OS running on an old Dell Precision desktop that I use for testing and building malicious projects for my testing environment.
National Cyber League
I was tasked with joining the National Cyber League this spring. I played as an individual and was the team captain for our team of 7 players in the team game. Our team ranked in the top 10% of 5000.

Home Lab
I have built a home computer lab that is used to replicate a small business. I have taken a Dell PowerEdge R620 and have upgraded the storage and memory to run ESXi as the hypervisor, and am running Windows Server 2022 for the domain controller, Windows Server 2022 for the file server, and an instance of Windows Server 2025 (Evaluation) to learn about the new operating system. I have installed a Fortinet 40F firewall as part of the mock enterprise set-up in my home.

Tool Experience



Wireshark
During the National Cyber League competition, I utilized Wireshark to analyze captured network traffic pcap files provided in the Packet Analysis and Forensics challenges. By inspecting specific TCP streams and applying filters such as http, ftp, and tcp contains, I was able to reconstruct communication sessions and extract plaintext credentials transmitted over unencrypted protocols. This exercise demonstrated my ability to recognize insecure network behavior and apply real-time analysis skills to identify sensitive data exposure.
Nmap
I used Nmap to perform targeted network scanning and enumeration during reconnaissance and penetration testing challenges. I conducted service/version detection (-sV), OS fingerprinting (-O), and aggressive scans (-A) to identify open ports, running services, and potential vulnerabilities on simulated hosts. This process allowed me to map the attack surface, prioritize potential entry points, and inform further exploitation steps.
Key Skills
- Port scanning and service enumeration
- Interpreting Nmap output to identify misconfigurations and vulnerabilities
- Crafting targeted scan commands to avoid detection or reduce noise
- Applying scanning results to guide next steps in the attack lifecycle
Splunk
Completed the following Splunk trainings:
- Intro to Splunk
- Intro to Splunk SOAR
- Splunk Infrastructure Monitoring
- Enterprise Security
4 Credit Hours
Hashcat
In the National Cyber League competition, I used Hashcat to crack hashed passwords as part of the Password Cracking and Cryptography challenges. After identifying the hash type using tools like hashid or through manual analysis, I leveraged wordlists and rule-based attacks to recover plaintext passwords efficiently. I also customized attack modes (e.g., dictionary, combinator, and mask attacks) to adapt to time constraints and hash complexity.
Key Skills
- Hash identification and analysis (e.g., MD5, SHA-1, bcrypt)
- Use of GPU acceleration to optimize cracking speed
- Effective use of common and custom wordlists (e.g., RockYou, hybrid rules)
- Understanding password entropy and attack surface
Python
During the National Cyber League competition, I developed and used custom Python scripts to automate portions of forensic investigations. These scripts helped extract and analyze metadata, parse encoded files, and uncover hidden data within image files and binary dumps. For example, I wrote a script to recursively scan directories for files with suspicious EXIF metadata, and another to decode base64 and hex-encoded payloads found in memory dumps and steganographic challenges.
Key Skills
- Automate repetitive forensics tasks
- Analyze file metadata and artifacts efficiently
- Parse encoded or obfuscated data
- Apply scripting to accelerate real-time decision-making in CTF-style environments.
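The paragraph above mentions a script that decodes base64 and hex-encoded payloads found in dumps. The block below is an added example written for this page; it is not the author's script and does not reproduce it. It scans an arbitrary byte blob for long encoded-looking tokens, decides between hex and base64 by alphabet and length, and peels nested layers (hex wrapping base64 is a common obfuscation pattern) until the output is no longer decodable. The sample dump is constructed inline; the function and variable names are the example's own.

```python
import base64
import binascii
import re
import string

# Hex is the stricter alphabet, so it is tried before base64. A base64 token
# that happens to consist only of hex characters with even length would be
# misread as hex; that ambiguity is inherent to alphabet-based detection.
HEX_RE = re.compile(r'^[0-9a-fA-F]+$')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+={0,2}$')
# Candidate tokens inside a dump: runs of at least 16 base64/hex characters.
TOKEN_RE = re.compile(r'[A-Za-z0-9+/=]{16,}')
PRINTABLE = set(string.printable.encode('ascii'))


def looks_printable(data: bytes, threshold: float = 0.9) -> bool:
    """True when at least `threshold` of the bytes are printable ASCII."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


def decode_layer(token: str):
    """Decode one encoding layer. Returns (encoding, bytes) or None."""
    token = token.strip()
    if len(token) >= 8 and len(token) % 2 == 0 and HEX_RE.match(token):
        try:
            return 'hex', bytes.fromhex(token)
        except ValueError:
            pass
    if len(token) >= 8 and len(token) % 4 == 0 and B64_RE.match(token):
        try:
            return 'base64', base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            pass
    return None


def peel(token: str, max_layers: int = 5):
    """Decode repeatedly while each result is itself decodable text.

    Returns a list of (encoding, decoded_bytes), outermost layer first.
    """
    layers = []
    current = token
    for _ in range(max_layers):
        result = decode_layer(current)
        if result is None:
            break
        encoding, data = result
        layers.append((encoding, data))
        if not looks_printable(data):
            break  # binary output: nothing further to decode as text
        current = data.decode('ascii', errors='ignore')
    return layers


def extract_payloads(blob: bytes):
    """Find encoded tokens in a raw dump and return those that decode to text.

    Only tokens whose innermost layer is mostly printable are reported, which
    filters out ordinary long words that merely look like base64.
    """
    text = blob.decode('latin-1')  # 1:1 byte-to-char mapping keeps offsets intact
    findings = []
    for match in TOKEN_RE.finditer(text):
        layers = peel(match.group(0))
        if layers and looks_printable(layers[-1][1]):
            findings.append({'offset': match.start(),
                             'token': match.group(0),
                             'layers': layers})
    return findings


# Constructed sample "memory dump" (not real data): a hex-wrapped base64
# command, a decoy run of letters, and a plain base64 config string.
_INNER = b'echo hello from the sandbox'
_HEX_OF_B64 = base64.b64encode(_INNER).hex().encode('ascii')
_B64_CONFIG = base64.b64encode(b'config=debug;level=3')
SAMPLE_DUMP = (b'\x00\x00junk\x01' + _HEX_OF_B64 + b'\x00\x00'
               + b'ABCDEFGHIJKLMNOP' + b'\x00\xff'
               + _B64_CONFIG + b'\x00tail')


if __name__ == '__main__':
    for f in extract_payloads(SAMPLE_DUMP):
        chain = ' -> '.join(enc for enc, _ in f['layers'])
        print(f"offset {f['offset']}: {chain}: {f['layers'][-1][1]!r}")
```

The decoy `ABCDEFGHIJKLMNOP` is valid base64 but decodes to binary, so it is dropped by the printable check; raising `threshold` or the minimum token length trades recall for fewer false positives on a noisy dump.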
Log Analysis
During the National Cyber League competition, I performed in-depth log analysis to investigate suspicious activity and identify indicators of compromise across various datasets. Using a combination of tools—including Splunk, ELK Stack, grep, and custom Python scripts—I parsed logs from firewalls, web servers, and endpoint systems. I searched for anomalies such as unusual login patterns, command execution trails, timestamp discrepancies, and IP-based scanning behavior. These exercises reinforced my ability to correlate events across multiple sources and build a timeline of attacker behavior.
Key Skills
- Log parsing and pattern matching with tools like grep, awk, and sed
- Querying and filtering structured data in Splunk and Kibana
- Detecting brute-force attacks, privilege escalation, and lateral movement
- Using timestamps and event correlation to reconstruct attack chains
- Writing Python scripts to automate log parsing and extraction of relevant indicators
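The log analysis paragraph above describes looking for unusual login patterns, correlating events across sources, and building a timeline of attacker behavior. The block below is an added example written for this page, not one of the author's competition scripts. It parses a constructed syslog-style auth log (documentation IP ranges, invented hostnames), flags a brute-force burst from one source address, flags a successful login that follows a run of failures from the same address, and assembles a timeline of everything tied to the flagged address, including the later sudo escalation by the account that was logged into. The year is an assumption because syslog timestamps omit it; all function names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log; hosts and addresses are invented (RFC 5737 ranges).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar  3 02:14:03 srv1 sshd[2202]: Failed password for invalid user test from 203.0.113.45 port 51130 ssh2
Mar  3 02:14:05 srv1 sshd[2203]: Failed password for root from 203.0.113.45 port 51141 ssh2
Mar  3 02:14:08 srv1 sshd[2204]: Failed password for root from 203.0.113.45 port 51150 ssh2
Mar  3 02:14:11 srv1 sshd[2205]: Failed password for bob from 203.0.113.45 port 51163 ssh2
Mar  3 02:14:15 srv1 sshd[2206]: Accepted password for bob from 203.0.113.45 port 51170 ssh2
Mar  3 02:16:40 srv1 sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 08:30:12 srv1 sshd[2307]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Mar  3 08:30:20 srv1 sshd[2308]: Accepted password for alice from 192.0.2.10 port 40002 ssh2
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
                     r'(?P<proc>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$')
SSH_RE = re.compile(r'^(?P<result>Failed|Accepted) password for (?:invalid user )?'
                    r'(?P<user>\S+) from (?P<ip>\S+) port \d+')
SUDO_RE = re.compile(r'^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$')


def parse_auth_log(text: str, year: int = 2024):
    """Turn raw lines into event dicts: ssh_fail, ssh_ok and sudo events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m['proc'] == 'sshd' and (s := SSH_RE.match(m['msg'])):
            events.append({'ts': ts, 'type': 'ssh_fail' if s['result'] == 'Failed' else 'ssh_ok',
                           'user': s['user'], 'ip': s['ip']})
        elif m['proc'] == 'sudo' and (s := SUDO_RE.match(m['msg'])):
            events.append({'ts': ts, 'type': 'sudo', 'user': s['user'],
                           'target': s['target'], 'cmd': s['cmd']})
    return events


def detect_bruteforce(events, threshold: int = 5, window=timedelta(minutes=5)):
    """Flag any source IP with `threshold` or more failures inside `window`."""
    failures = defaultdict(list)
    for e in events:
        if e['type'] == 'ssh_fail':
            failures[e['ip']].append(e['ts'])
    alerts = []
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                alerts.append({'ip': ip, 'count': j - i + 1, 'start': times[i], 'end': times[j]})
                break  # one alert per source is enough for triage
    return alerts


def detect_success_after_failures(events, min_failures: int = 3, window=timedelta(minutes=10)):
    """A successful login preceded by repeated failures from the same IP is the
    signal that a guessing attack worked, not merely that one was attempted."""
    hits = []
    for e in events:
        if e['type'] != 'ssh_ok':
            continue
        prior = [f for f in events if f['type'] == 'ssh_fail' and f['ip'] == e['ip']
                 and e['ts'] - window <= f['ts'] < e['ts']]
        if len(prior) >= min_failures:
            hits.append({'ip': e['ip'], 'user': e['user'], 'ts': e['ts'],
                         'failures_before': len(prior)})
    return hits


def build_timeline(events, suspicious_ips):
    """Chronological rows for flagged IPs plus later sudo use by accounts they reached."""
    reached = {e['user'] for e in events if e['type'] == 'ssh_ok' and e['ip'] in suspicious_ips}
    rows = []
    for e in sorted(events, key=lambda e: e['ts']):
        if e.get('ip') in suspicious_ips or (e['type'] == 'sudo' and e['user'] in reached):
            rows.append(f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['type']:<8} {e['user']} "
                        f"{e.get('ip', '')} {e.get('cmd', '')}".rstrip())
    return rows


if __name__ == '__main__':
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    alerts = detect_bruteforce(evs)
    hits = detect_success_after_failures(evs)
    print(alerts, hits, sep='\n')
    print('\n'.join(build_timeline(evs, {a['ip'] for a in alerts})))
```

Alice's single failure followed by a success is normal user behaviour and produces no alert, while the 203.0.113.45 sequence yields both a brute-force alert and a success-after-failures hit; the timeline then shows the sudo-to-root two minutes later, which is the privilege escalation step a responder would want to see next to the login.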