I’m a freelance security consultant specialising in the area of detection engineering, security engineering and purple teaming. I enjoy finding new ways to use data for security.

Workshops, Talks and Hackathons

  • MCH2022 NLP Vulnerability Monitoring: Demonstrating basic NLP usage to monitor trending vulnerabilities. Participants were given a Virtual Machine and code to monitor RSS feeds, tweets and the NVD database and extract important keywords using basic Natural Language Processing. The results were saved in Elasticsearch to create graphs about what’s currently trending.
  • Detecting brand abuse using CT logs and logo detection: Customer-facing companies are often targeted by phishing campaigns using similar domains/pages. Using a simplistic approach we can detect malicious phishing campaigns being planned at the moment they’re being created. For this Hackathon I built custom integrations for Palo Alto’s XSOAR platform to enrich potential phishing domains with visual brand detection based on automatically created screenshots of a page to determine what company is being targeted.

Open Source Projects

  • Decon: A search engine for publicly available threat detection and threat hunting content. Aggregates content for Microsoft Sentinel, Splunk, Elastic and Sigma;
  • Prevalidate: An open source CLI tool to validate Microsoft Sentinel analytical rules in CI/CD pipelines;
  • Reternal: A centralised purple team PoC orchestration service to manage third-party C2 frameworks. Agents are installed on endpoints to execute various known red-teaming techniques in order to test blue-teaming capabilities. The simulations are mapped to the MITRE ATT&CK framework;
  • Streamio: An API and VueJS-based UI to manage plain and simple keyword monitoring via Certificate Transparency. You have the ability to add regular expressions and fuzzy terms and monitor newly requested certificates. The application makes use of Faust tables to persist transparency offsets. In the case of a crash, the application will still fetch all the certificates missed during downtime.
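The Certificate Transparency keyword monitoring described for the brand-abuse hackathon entry and for Streamio above, as an added illustration that is not code from Streamio or from any other project on this page: regular-expression terms and fuzzy terms (with a small digit-for-letter homoglyph normalisation) are matched against every DNS name on a newly logged certificate, and the last processed log index is checkpointed so a restart continues exactly where the crashed run stopped. The sample log entries, the brand `example-bank`, its allowlist and the JSON-file checkpoint (standing in for the Faust table the page mentions) are all constructed assumptions.

```python
import json
import os
import re
import tempfile
from dataclasses import dataclass

# Constructed sample entries in the shape of a simplified CT log feed: a
# monotonically increasing log index plus the DNS names covered by the cert.
SAMPLE_ENTRIES = [
    {"index": 100, "names": ["www.example-bank.com"]},                  # the brand's own cert
    {"index": 101, "names": ["mail.shop-sale.net"]},                    # unrelated
    {"index": 102, "names": ["login.examp1e-bank.com"]},                # digit-for-letter homoglyph
    {"index": 103, "names": ["secure-exanple-bank.com"]},               # one-character typo
    {"index": 104, "names": ["example-bank.com.verify-account.info"]},  # brand used as a subdomain
    {"index": 105, "names": ["unrelated.org"]},
]

# Digits commonly substituted for look-alike letters; normalised before fuzzy matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Monitor:
    regex_terms: list      # regex strings matched against the whole DNS name
    fuzzy_terms: list      # brand strings such as "example-bank"
    allowlist: set         # domains the brand legitimately owns; never alert on these
    max_distance: int = 1  # per-token edit distance tolerated for a fuzzy hit

    def _allowed(self, name: str) -> bool:
        return any(name == d or name.endswith("." + d) for d in self.allowlist)

    def classify(self, name: str) -> list:
        """Return the reasons a single DNS name is suspicious (empty list if none)."""
        name = name.lower().lstrip("*.")
        if self._allowed(name):
            return []
        reasons = [f"regex:{p}" for p in self.regex_terms if re.search(p, name)]
        tokens = [t.translate(HOMOGLYPHS) for t in re.split(r"[.-]", name) if t]
        for term in self.fuzzy_terms:
            # Every hyphen-separated piece of the brand must be close to some label.
            if all(min(levenshtein(w, t) for t in tokens) <= self.max_distance
                   for w in term.split("-")):
                reasons.append(f"fuzzy:{term}")
        return reasons

# Hypothetical brand configuration used by the demo and tests below.
DEFAULT_MONITOR = Monitor(regex_terms=[r"example[-_.]?bank"], fuzzy_terms=["example-bank"],
                          allowlist={"example-bank.com"})


class OffsetStore:
    """Persists the last processed log index; a JSON file stands in for a Faust table."""

    def __init__(self, path: str):
        self.path = path

    def load(self) -> int:
        if not os.path.exists(self.path):
            return -1
        with open(self.path) as fh:
            return json.load(fh)["last_index"]

    def save(self, index: int) -> None:
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump({"last_index": index}, fh)
        os.replace(tmp, self.path)  # atomic rename: never leaves a half-written checkpoint


def process(entries, monitor: Monitor, store: OffsetStore) -> list:
    """Scan entries newer than the checkpoint; return (index, name, reasons) hits."""
    last, hits = store.load(), []
    for entry in entries:
        if entry["index"] <= last:
            continue  # already handled by the run that crashed
        for name in entry["names"]:
            reasons = monitor.classify(name)
            if reasons:
                hits.append((entry["index"], name, reasons))
        store.save(entry["index"])  # checkpoint only once the whole entry is handled
    return hits


def demo() -> dict:
    """First run sees three entries then 'crashes'; a fresh process resumes from the file."""
    path = os.path.join(tempfile.mkdtemp(), "ct-offset.json")
    first = process(SAMPLE_ENTRIES[:3], DEFAULT_MONITOR, OffsetStore(path))
    resumed = process(SAMPLE_ENTRIES, DEFAULT_MONITOR, OffsetStore(path))
    return {"first": first, "resumed": resumed}
```

Two design points matter in practice: the checkpoint is written only after every name on an entry has been classified, so a crash can at worst re-process one entry (never skip one), and the brand's own registered domains are allowlisted so the monitor does not alert on the company's legitimate certificate renewals. A real deployment would feed `process()` from a CT log or certstream client instead of the constructed `SAMPLE_ENTRIES`.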

Courses, Training and/or Certifications

  • Red Team Operations (RTO): Currently ongoing :)
  • Offensive Security Certified Professional (OSCP): Hands-on course and certification covering the exploitation of various vulnerabilities in a provided lab environment. Certification includes the submission of a detailed vulnerability assessment report.
  • Prompt Engineering with Llama 2: Course covering best practices for prompting and model selection for the Llama 2 models and experimentation with prompt engineering techniques;
  • Microsoft’s Days of the Defenders: Three day learning experience covering Microsoft Defender for Cloud, Microsoft Sentinel, Microsoft 365 Defender, Defender for IoT;
  • GoDataDriven Data Engineering: Hands-on training covering advanced Python for data engineering, productionization of machine learning models, streaming data with Apache Kafka + Apache Spark and building workflows with Apache Airflow;
  • Applied Data Science for Security Professionals: Hands-on introduction to machine learning with a focus on direct applicability to cyber security;
  • ArcSight Analyst Training: Hands-on training covering the management and usage of ArcSight;
  • RSA Security Analytics: Hands-on training covering the management and usage of RSA Security Analytics (previously NetWitness);
  • HackLab Covert Operations: Internal Deloitte course in performing red-teaming and social engineering;
  • HackLab Malware: Internal course covering reverse-engineering and analysis of different variants of malware.

Previous experience

Wortell

  • Built a custom integration for msticpy (https://github.com/microsoft/msticpy) to support Threat Hunting activities for multiple Microsoft Sentinel workspaces/customers in parallel;
  • Developed a CI/CD pipeline to validate/test Microsoft Sentinel queries in Azure DevOps;

Schuberg Philis

  • Performed incident response activities for the internal organisation and various customer teams;
  • Built a solution to deploy an adversary emulation network in Azure and run automated/periodic campaigns executing various attacks. The service reports on corresponding detection coverage based on existing Azure Sentinel detection content;
  • Acted as point of contact for security-related topics or reviews for several customer teams within the company;
  • Developed an automated pipeline to deploy and configure Splunk clusters using Terraform and Chef/Ansible;
  • Developed custom tooling to manage use-cases for Splunk via existing CI/CD methods. The tool automatically performs configuration validation and deployment;
  • Built tooling for automated security reports which show the overall state of security at the individual customer teams. Data from various AWS sources and Splunk are combined to provide monthly scores;
  • Participated in RFPs for managed security services.

ING Bank

  • Developed scenarios and content to detect IT-related threats using the on-prem data lake;
  • Performed L3 incident response activities which include identification (initial access) and recovery of reported threats;
  • Developed a custom application to assist with threat hunting and incident response activities. The application correlates data sources to provide a single overview with context of a host/user/email;
  • Developed a custom streaming tool which identifies potential brand abuse / phishing campaign websites targeting ING Bank.

Deloitte

  • Performed penetration tests on different IT systems, networks and applications. The tests include web-applications, networks, databases and mobile applications;
  • Implemented and managed a wide range of security monitoring services. Using products such as ArcSight, QRadar, Splunk and Suricata/Snort for monitoring activities. This also includes the development of use cases and detection content;
  • Developed a PoC for a customized Intrusion Detection System based on Suricata for small/medium sized organisations. Includes a centralised management portal for signature management.