Ahmad Elhamad

Primary responder to security incidents on a daily basis, responding to incidents of all scales to include high-profile nation-state intrusion events.

• Developed security software as part of a development team for mission-critical project, using Git to contribute to vulnerability monitoring solution that distributed accountability for vulnerability management into the hands of internal stakeholders by providing real-time vulnerability reports for owned assets, providing incentive for remediation.

• Implemented security operation automations in AWS Lambda, MS Azure/Sentinel, and JupyterHub to automate alert enrichments as well as threat hunts performed with AWS Athena.

• Created automation to query for high-confidence DGA connections to be input into machine-learning model to predict likelihood of connection showing malicious activity.

• Continuously tuned alerts towards higher fidelity's, integrating alerting system with open-source intel sources, aggregating in Azure to enrich existing alerts and tune out known false positives.

• Enabled monitoring of all public-facing assets with Shodan Monitor.

Implemented automation into incident response processes using Python and REST API's, automating phishing email analysis process and enriching anomalous authentication alerts with host response data from Shodan and more, minimizing the gap between incident identification and resolution.

Responsible for the daily monitoring of anomalous geographic & VPN authentication alerts alongside host-based alerts, developing automation to reach out to employees on post-investigation confirmation of suspicious activity, while promptly reaching out to any employee observed performing unreported / unvalidated logins from atypical locations across the globe.

Owned, developed and managed the process around cloud configuration vulnerability management. Performed vendor research and eventually deployed, developed and implemented processes for DAST and open-source component vulnerability implementing automated ticketing functions into process. Established Secure Software Development Policy across the enterprise, based on OWASP Top 10 vulnerabilities.

Auxiliary duties outlined below;
Security Monitoring: Primarily responsible for security event monitoring, and for creating and tuning custom detection rules.
Security Incident Management: Identify incidents and lead investigations, reporting, and resolution
Threat Management: Analyze threat intel, identify threat vectors, perform threat modeling, and develop use cases for security monitoring
Reporting: Creation of reports, dashboards, metrics for security operations based on detected incidents / events
Contribute to the design, development, and implementation of strategic IT security projects & initiatives

Served as key member of the Cubic Cyber Fusion Center (CCFC) responsible for leading threat actor based investigations, directing new detection methodology and providing expert support to incident response and monitoring functions. Responsible for all investigative aspects in information security to include but not limited to external attacks by Advanced Persistent Threats (APTs) conducted by foreign intelligence agencies; criminal computer intrusions and attacks by social hacker groups; and insider threats. Worked the intelligence collection and incident response activities of the Computer Incident Response Team (CIRT), detecting, disrupting and eradicating threat actors from enterprise networks using data analysis, threat intelligence, and cutting-edge security technologies.

24/7 SOC, worked alternating shifts to include morning, day, and graveyard shifts.

Responsibilities of the Security Analysts included but were not limited to:
• Initial responders to security event investigations and escalations
• Perform intrusion analysis using SIEM technology, packet captures, reports, data visualization, log analysis and pattern analysis.
• Detect, escalate, and assign required remediation efforts during security incidents.
• Clearly document and communicate evidence, interact with customers and stakeholders, and perform initial remediation efforts.
• Improve and challenge existing processes and procedures in a very agile and fast moving information security environment.
• Corporate communication monitoring (MS Teams, slack, etc)
• Maintains knowledge of information security policies and goals
• Keeps current on the current IT threat landscape and upcoming trends in security
• Other duties that are assigned

24/7 SOC, worked the night shift 11am-7pm. My life was cyber security.

For every hour of the day or night, I've spent it in the office responding to attacks by malicious nation-state actors and remediating potential incidents, while concurrently developing automations to enhance existing security operations.

Responsibilities of the Security Analysts included but were not limited to:
• Initial responders to security event investigations and escalations
• Perform intrusion analysis using SIEM technology, packet captures, reports, data visualization, log analysis and pattern analysis.
• Detect, escalate, and assign required remediation efforts during security incidents.
• Clearly document and communicate evidence, interact with customers and stakeholders, and perform initial remediation efforts.
• Improve and challenge existing processes and procedures in a very agile and fast moving information security environment.
• Corporate communication monitoring (MS Teams, slack, etc)
• Maintains knowledge of information security policies and goals
• Keeps current on the current IT threat landscape and upcoming trends in security
• Other duties as assigned

Developed on embedded systems. Acquired Secret Clearance and pushed to work on security engineering initiatives. Used Git and applied CI/CD principles, driving project from the requirements phase to testing. Left to focus on certifications in order to pursue full-time security/IR focused role.

Experiences ranged from Incident Response to GRC product implementation.

- Level 1 analyst responding to and escalating security incidents.
- Utilized OSINT resources to aggregate indicators to be added to internal threat intelligence databases (Twitter, Blogs, Databases, etc) focusing on APT groups mentioned as current threats in intelligence briefings.
- Managed critical company-wide ServiceNow GRC implementation project, tracking work progress of dozens of employees and ensuring deadlines were met.