legal contact

Security projects since 2015

I've started a new career as Security Analyst (Level 3) in 2020 at Finanz Informatik Technologie Service.

The below list covers most of my actions in the new role as Senior Architect SOC

Soley and self-responsible design, build and run a cyber security lab environment and all below services for:the team of analysts to build, test and "play":

Technical activities:

  • Sandbox: Cuckoo and drakfuv
  • AlienVault OSSIM
  • Nameserver (internal and external)
  • ext. IPv4/IPv6 design and build to support all the needs of the lab
  • Honeypots
  • Splunk (log management)
  • Application aware Firewalling
  • VPN-Access with AD-auth
  • Confluence dokumentation with more than 1000 pages dokumenting my doings in the lab)
  • TheHive/Cortex for incident response actions
  • Official MISP including IOC  lookup within the productive environment of FI-TS
  • Linked to several partners for IOC  exchange
  • malware-crawler using "ph0neutria" to crawl, analyse and ioc-extract into MISP  and Splunk
  • Complete monitoring using CheckMK
  • Design, build and run a "Krypto-Register" reporting all relevant cryptographical servers and services within the production network at FI-TS.
  • "GRR" as EDR within the lab
  • automatic patchmanagement (Windows &  Linux) using a cetral managed solution
  • BGP  HiJack-Monitoring for several AS'es using "ARTEMIS"
  • Pastebin monitoring with support of Splunk
  • Telegram monitoring for leaks and messages relevant for FI-TS  and it's customers
  • SANS FOR610 (REM) training
  • Monitoring the external available information of FI-TS and it's customers

Non-technical activities:

  • Top-management support of cybersecurity incidents and processes 
  • Training the CDC-team on several cyber related topics
  • Permanent member of the Cyber-Defence-Center (CDC) management-cyrcle
  • Member of the CDC  Incident-Response team dealing with all major security incidents at FI-TS
  • Member of the periodic customer IT-security meeting
  • Periodic speaker (audio, video and live) at the "Innovation Days"  of FI-TS and it's customers

Another new and special task was the Incident-Response and Forensics for FI-TS  and it's customers. Within this scope my responsibiities are:

  • Incident "First-Responder" for FI-TS  and Customer incidents including actions at customer sites
  • Writing comprehensive forensic reports that withstand official investigations
  • Presenting conclusions and techniques infront of management
  • Successfuly SANS  FOR508 and GCFA  exam in 2020
  • Responsible design, build and run a comprehensive Forensic-Lab including:
    • Write-blocker duplication hardware
    • Writing for and training the team on forensic action and processes
    • Building a physical and a virtual forensic workstation to compute the images and samples
    • Self-training on Magnet AXIOM, TSK Autopsy
    • Self-training on hardware imaging
    • Self-training on law related limitation of forensic actions

This is still an incomplete list, so stay tuned for further updates ....  ;-)

The below section covers most of the topics that I was responsible for in my role as a Security Analyst Level 3

  • Incident response at Airbus and it's subsidaries including analysis of flight equipment
  • Design, build and run of malware harvesting and IOC generation using MISP,  Cuckoo  
  • Conducting, designining and running a company-wide IOC-sharing platform  
  • Static malware analysis  
  • Analysis of ongoing threats within the Airbus premises  
  • Forensic network analysis  
  • Design, build, run, securing, monitoring and documentation of the  SOC-Lab (Windows AD, VMware, mail, dns, dhcp, FW, AV, proxy)  
  • Run, monitor, administer company-wide Vuln. Assessment using Greenbone  and Nessus.  
  • Comprehensive VA reporting using own Splunk views  
  • VA Ticket automation using Splunk and OTRS  
  • Supporting several Cyber Audits as Analyst L3  
  • UseCase definition, implementation and testing of new and upcoming threats  
  • Training of internal teams (TCP/IP, ip routing, VA, OSINT, IOC-Sharing,  Splunk, MISP, Cuckoo)  
  • Analysing live data in terms of unwanted behaviour  
  • Joining Airbus “Cyber Task Force” for identifying and defining new threat  mitigations  
  • Internal and external advice on strategic, process-oriented and  technological issues relating to IT and Cyber Security  
  • Designing, building and running:  
    • Vulnerability Assesment using Greenbone/OpenVAS        
    • Comprehensive Splunk-VA dashboarding and reporting        
    • Automation of VA-Ticketing using Splunk and otrs        
    • IntelThreat exchange internaly and external using MISP, Soltra and        several OSINT tools        
    • Technical management of our Level2-Analysts within the  SOC
  • Building up knowledge within threat sharing
    • Using CIF      
    • Using MISP      
    • Using IntelMQ      
    • Using Soltra
  • Designing, buildung and running live data correlations with
    • Splunk      
    • MISP      
    • IntelMQ
  • Starting a new personal development as "Data Analyst"