
Security projects since 2015

I've started a new career as Sen. Security Architect in 2020 at Finanz Informatik Technologie Service.

The below list covers most of my actions in the new role as Senior Security Architect CDC

Sole and self-responsible design, build and run of a cyber security lab environment and all the services listed below, for the team of analysts to build, test and "play":

Technical activities:

  • Design and build of a new and comprehensive commercial Threat Intel solution for a customer contract including MISP, commercial feeds and the data of my personal Malwarecrawler and OSINT analysis.
  • Design, build and run a comprehensive automatic data leak monitoring system for information relating to FI-TS and its customers, and OSINT analysis.
  • Lecturer at the University of Bavarian Economics for "Digital Forensics and Incident Response"
  • First Incident Responder at several customers (NDA) dealing with abuse, malware outbreak, data exfiltration and network takeover.
  • Forensic analysis of several customer (NDA) server systems incl. complete documentation for management and law enforcement.
  • GDPR-conform OSINT automation: automatic monitoring of Telegram, Pastebin, Reddit and Discord for dedicated IOC matches and leaks of customers, including automated ticketing.
  • Running a CDC News-Webpage for customer related information of ongoing threats and activities.
  • Sandbox: Cuckoo and DRAKVUF
  • AlienVault OSSIM
  • Nameserver (internal and external)
  • ext. IPv4/IPv6 design and build to support all the needs of the lab
  • Honeypots
  • Splunk (log management)
  • Application aware Firewalling
  • VPN-Access with AD-auth
  • Confluence documentation with more than 1000 pages documenting my doings in the lab
  • TheHive/Cortex for incident response actions
  • Official MISP including IOC lookup within the productive environment of FI-TS
  • Linked to several partners for IOC exchange
  • Malware crawler using "ph0neutria" to crawl, analyse and extract IOCs into MISP and Splunk
  • Complete monitoring the lab using CheckMK
  • Design, build and run a "Krypto-Register" reporting all relevant cryptographical servers and services within the production network at FI-TS using Splunk and Qualys.
  • "GRR" as EDR within the lab
  • Automatic patch management (Windows & Linux) using a centrally managed solution
  • BGP hijack monitoring for several ASes using "ARTEMIS"
  • Pastebin monitoring with support of Splunk
  • Telegram monitoring for leaks and messages relevant for FI-TS and its customers
  • Monitoring the externally available information of FI-TS and its customers
  • completed SANS FOR508 training
  • Examination as GCFA

Non-technical activities:

  • Top-management support of cybersecurity incidents and processes
  • Training the CDC team (L1-L3) on several cyber related topics
  • Permanent member of the Cyber-Defence-Center (CDC) management circle at FI-TS
  • Member of the CDC Incident-Response team dealing with all major security incidents at FI-TS
  • Member of the periodic customer IT-security meeting
  • Periodic speaker (audio, video and live) at the "Innovation Days" of FI-TS and its customers
  • Several complete incident responses at customers and inhouse locations as Incident Handler and Incident Responder
  • Several complete forensic investigations at customers and inhouse locations as forensic analyst.
  • Since 2023 examined member of the Federal Agency for Technical Relief (THW) as member of the "Emergency supply and repair specialist group." Additional responsibilities in the IT and Public Relations team.

Another new and special task was the Incident Response and Forensics for FI-TS and its customers. Within this scope my responsibilities are:

  • Personal design and build of a complete home automation built on ESP32/ESP8266 using MQTT.
  • Incident "First Responder" for FI-TS and customer incidents including actions at customer and local sites
  • Writing comprehensive forensic reports that withstand official investigations
  • Presenting conclusions and techniques in front of management
  • Successfully completed SANS FOR610 in 2022
  • Successfully completed SANS FOR508 and the GCFA exam in 2020
  • Responsible design, build and run a comprehensive Forensic-Lab including:
    • Write-blocker duplication hardware
    • Writing for and training the team on forensic action and processes
    • Building a physical and a virtual forensic workstation to compute the images and samples
    • Self-training on Magnet AXIOM, TSK Autopsy
    • Self-training on hardware imaging
    • Self-training on law related limitation of forensic actions
  • Responsible design, build and run a comprehensive Cyber-Defense-Center-Lab including:
    • Malware Crawling
    • Automated OSINT leak analysis
    • Internet connection
    • Mail
    • AD DC
    • Sandboxing
    • Malware harvesting
    • Reverse Eng.
    • Splunk (Log Mgmt)
    • GRR as EDR
    • VPN
    • evaluation of new and "cool" tools and gadgets
    • Backup/Recovery
    • Vuln. Scans
    • OSINT (MISP, TheHive/Cortex, ph0neutria, Artemis, Ache, etc.)

This is still an incomplete list, so stay tuned for further updates ... ;-)


The below section covers most of the topics that I was responsible for in my role as a Security Analyst Level 3

  • Incident response at Airbus and its subsidiaries including analysis of flight equipment
  • Design, build and run of malware harvesting and IOC generation using MISP and Cuckoo
  • Conducting, designing and running a company-wide IOC-sharing platform
  • Static malware analysis
  • Analysis of ongoing threats within the Airbus premises
  • Forensic network analysis
  • Design, build, run, securing, monitoring and documentation of the SOC-Lab (Windows AD, VMware, mail, DNS, DHCP, FW, AV, proxy)
  • Run, monitor and administer company-wide vulnerability assessment using Greenbone and Nessus.
  • Comprehensive VA reporting using own Splunk views
  • VA ticket automation using Splunk and OTRS
  • Supporting several cyber audits as Analyst L3
  • Use case definition, implementation and testing of new and upcoming threats
  • Training of internal teams (TCP/IP, IP routing, VA, OSINT, IOC sharing, Splunk, MISP, Cuckoo)
  • Analysing live data in terms of unwanted behaviour
  • Joining the Airbus "Cyber Task Force" for identifying and defining new threat mitigations
  • Internal and external advice on strategic, process-oriented and technological issues relating to IT and cyber security
  • Designing, building and running:
    • Vulnerability assessment using Greenbone/OpenVAS
    • Comprehensive Splunk VA dashboarding and reporting
    • Automation of VA ticketing using Splunk and OTRS
    • Threat intel exchange internally and externally using MISP, Soltra and several OSINT tools
    • Technical management of our Level 2 analysts within the SOC
  • Building up knowledge within threat sharing
    • Using CIF
    • Using MISP
    • Using IntelMQ
    • Using Soltra
  • Designing, building and running live data correlations with
    • Splunk
    • MISP
    • IntelMQ
  • Starting a new personal development as "Data Analyst"