
Cyber Security Incident Response

Location:
Leesburg, VA
Posted:
August 27, 2023

Resume:

Hammad Rafique

Leesburg VA ***** ady83p@r.postjobfree.com 703-***-****

OBJECTIVE: Results-driven and highly dependable individual; passionate about advancing a career in a Cyber Security leadership role.

EDUCATION:

Bachelor of Science, Information Technology, Networking

George Mason University, Fairfax VA May, 2009

Associate of Science, Information Technology

Northern Virginia Community College, Annandale VA June, 2007

Related Coursework: Modern Telecommunications; Networking Essentials; Information Security Fundamentals; Programming Fundamentals; Managing People and Organizations; Database Fundamentals; and Computer Hardware Fundamentals.

COMPUTER SKILLS:

Languages: Java, JavaScript

Endpoint Detection and Response (EDR): CrowdStrike, Carbon Black

SIEM: Splunk ES, ArcSight, QRadar

Email Gateway: Proofpoint, KnowBe4

Ticketing: ServiceNow, Remedy, IBM Resilient

Other Applications: FireEye, Imperva, Sourcefire, Wireshark, AirDefense, Fortify 360, Archer, dotDefender, Microsoft SQL Server 2005, Microsoft Visual Basic 6.0, Microsoft Word, PowerPoint, Excel, Microsoft Office Visio 2007, and Adobe Acrobat 8 Standard

Networking: LAN/WAN, TCP/IP, Data Encryption, Router Configuration, Intrusion Detection, and Intrusion Prevention.

Operating Systems: Windows XP, NT, 2000, UNIX, Windows 7/10

Certification(s):

Certified Ethical Hacker (CEH)

Security+

Microsoft SharePoint 2007 Configuration

Clearance:

Active Secret Clearance

Foreign languages:

Urdu, Punjabi, and can read Arabic

PROFESSIONAL EXPERIENCE:

Ernst & Young

McLean, VA

Senior Cyber Security Consultant Feb 2017 – Present

Performed Client Tasks:

Managed onshore and offshore SOC analysts to ensure there are no gaps in coverage.

Provided assistance in multiple cyber security investigations: phishing campaigns, DDoS attacks, infected removable media, and SQL injection attacks.

Developed and updated Incident Response Plans (IRPs) to enhance commercial and government clients' incident response strategies.

Performed tabletop exercises with various SOCs to develop playbooks related to phishing, DDoS, and ransomware.

Maintained a health check for each engagement by producing monthly financial reports and weekly hours metrics for each EY employee (Director, Senior Manager, Incident Responder, SOC analysts, etc.) to ensure all tasks were performed within the client budget.

Held weekly calls with EY and client leadership to highlight critical and other notable cyber incidents and their remediation actions.

Developed and participated in After Action Reports (AARs), which included analysis, remediation actions, and lessons learned from cyber incidents.

Assisted SOC analysts and incident responders with various types of investigations by leveraging multiple security tools (e.g., CrowdStrike, Splunk, Proofpoint).

Worked multiple engagements related to cyber audits and cyber assessments to identify key gaps and provide clients with actionable recommendations.

  Prepared questionnaire sessions for each group within the client team (SOC analysts, incident responders, Active Directory team, key leaders, etc.) to gather answers and documentation and ensure there were no discrepancies.

  Held multiple knowledge transfer sessions with various SOCs to improve their triage workflows.

Participated in multiple Request for Proposal (RFP) bids for new projects proposed by potential clients.

  Presented key workflows related to SOC operations, incident response, ticketing, and documentation (e.g., playbooks, Incident Response Plan (IRP)).

Developed Incident Response (IR) procedures for the Department of Justice.

Identified and worked with IR tools such as Redline collector, McAfee and Malwarebytes.

Triaged and ticketed various notables such as IPS/IDS, peer-to-peer, SQL injection, and FireEye malware alerts.

Developed various Splunk use cases to capture and aggregate relevant data for triaging, analysis, and incident response of notable security events.

Monitored various SIEM tools (Splunk, Sourcefire, and FireEye) to detect any malicious activity on the client network.

Downloaded PCAP files from Sourcefire into Wireshark to verify internal-to-external or external-to-internal connections.

Triaged a variety of notable security events in Splunk and phishing emails reported via a company-wide inbox.

Used Proofpoint to determine the total number of recipients in order to place a block on the sender's email address.

Performed analysis in a VM to identify malicious URLs and PDFs.

Led the documentation effort across SOC kill chains to record all processes, procedures, and helpful notes in a single runbook.

Served as Shift and Phish Lead on multiple occasions, including on night shifts with limited oversight.

Created and managed tickets in SONIC.

Developed multiple SOPs to provide support/assistance to new hires.

Created high level executive reports and PowerPoint slides to deliver solutions to improve Cyber Security infrastructure.

Worked with a large oil and gas firm in Calgary, Canada to refine its incident response process by interviewing analysts, engineers, and IT managers.

Operated a 24/7 SOC as a senior analyst for an American multinational insurance corporation.

Triaged Splunk notables by investigating various network logs to identify potential risks to the client environment.

Analyzed phishing emails and employed a virtual machine to determine malicious activity.

Utilized the following tools for in-depth triage of notables: Imperva, FireEye, Proofpoint, Sourcefire, ServiceNow, and Wireshark.

Ticketed confirmed attacks to ensure risks were addressed and mitigated.

Defined standard operating procedures for daily monitoring operations and new hire onboarding, using OneNote for documentation.

Designed and worked in a rotating, eight-month 24/7 schedule with a mixture of limited client and EY team members, including weekend and night shifts.

Developed various dashboards in Splunk for heightened monitoring purposes.

Conducted an assessment of a cybersecurity program's capabilities and maturity for a large health insurance provider.

Developed Incident Response (IR) procedures for a large insurance company.

Verizon Business

Ashburn, VA

Specialist Network Security Engineer May 2014 – Feb 2017

One of four Computer Incident Response Team (CIRT) members overseeing the security posture of the Army Reserve (USAR) network, comprised of approximately 40,000 users. Monitored ArcSight ESM, Sourcefire, and FireEye for intrusion attempts and researched, confirmed, and classified security events. Created approximately 20 incident tickets per week; worked with the affected command to isolate and remediate identified threats, coordinated response with senior USAR management, and handled reported classified and personally identifiable information (PII) spillages. Analyzed the results of log collection from infected machines to determine the severity of the compromise and the next remediation step. Utilized Blue Coat Reporter proxy logs to determine the threat vector. Recommended actions to senior USAR management to prevent attacks from recurring.

Worked with Blue Coat Reporter 9.4 to create web browsing, client IP (video), proxy, and web search reports.

Performed analysis and detection to locate rogue wireless devices using Aruba tools.

Created high-level threat reports to identify users who were downloading unauthorized software on DoD workstations.

Used HBSS logs to create high-level threat reports to identify users who downloaded malicious email attachments and unauthorized software.

Worked with Sourcefire to review payloads for potential malicious activity on ARNET.

Monitored and reported various FireEye events such as Trojan incidents, malicious URLs, and downloads of unauthorized software.

Created multiple tickets using CA Remedy to inform government personnel to block certain IPs.

Used ArcSight to report compromised accounts within ARNET for more than 40,000 users.

Detected and analyzed ArcSight traffic by creating private channels, reviewing event details, and annotating events either as false positives or with the incident number for any malicious/intrusion incident.

SRA International (FAA)

Leesburg, VA

Cyber Security Analyst October 2012 – May 2014

Supported Cyber Security Management Center (CSMC) as a member of the Detection Group.

Monitored customers' networks for malicious and anomalous traffic and reported on suspicious activity with analysis and recommendations.

Used the AirDefense Services Platform for wireless intrusion detection.

Created tickets for any detected intrusion in the Cyber Security Management Center for further analysis.

Checked MAC addresses on a regular basis to identify floors and locations.

Identified and created reports for unauthorized access points, rogue access points, and unauthorized wireless printers using the Cyber Security Management Center ticketing system.

Generated reports on single or multiple MAC addresses to determine last activity in the AirDefense Services Platform.

Member of the Computer Emergency Response Team (CERT) responsible for installation, maintenance, and technical support while operating network monitoring software and wireless intrusion detection and prevention systems.

Led a team of engineers tasked with configuring and deploying new IDS sensors to various FAA facilities around the country.

Responsible for monitoring and maintenance of a Wireless Intrusion Detection System (WIDS) containing more than 2100 sensors in over 160 facilities.

Issued warnings and alerts for threats from unauthorized and rogue devices on networks and information systems.

Investigated, analyzed, and reported on cyber security events and incidents utilizing intrusion detection systems.

Tested and implemented new server updates and sensor hardware/firmware.

Analyzed TCP/IP packet data within AirDefense and Wireshark.

Adhered to best practices outlined by NIST.

Lockheed Martin

Manassas, VA.

Software Engineer April 2012 – Oct 2012

Created and added new transport images for Radio Frequency In-Transit Visibility Portal (RF-ITV).

Installed JDeveloper, Google Earth, and Toad for Oracle in order to perform daily tasks.

Used Subversion to transfer/share files within development group.

Modified the functions to support the Web Redesign by providing a standardized way to drill down on data.

Briefed government personnel on certain Modification Requirements (MR) and Problems (PRB).

Developed minor releases 2 and 3 in the Radio Frequency In-Transit Visibility Portal (RF-ITV) project.

Added new menus and location activity using JavaScript and Java.

Created a mouse-over on the 'Class of Supply' icon.

Created web design documents for monthly IPR minor and major releases.

Northrop Grumman

Fort Belvoir, VA.

Cyber Security Analyst Jan 2010 – April 2012

Conducted risk and vulnerability assessments of planned and installed information systems to identify vulnerabilities, risks, and protection needs.

Assessed security events to determine impact and implemented corrective actions.

Utilized vulnerability management and scanning tools such as Retina, analyzed the results, and eliminated false positives.

Managed several spreadsheets to update old POA&Ms and went through entire documents to cross-check DoD compliance.

Conducted Fortify scanning on software to determine backdoors and false positives.

Generated Fortify reports to identify vulnerabilities in the software to support the development team.

Worked with ArcSight versions 4.0 and 4.5 to pull logs to identify potentially compromised accounts.

Performed analysis on potentially compromised accounts to look for foreign IPs, languages, and multiple simultaneous authentications from one user.

Monitored and set filters in ArcSight for bad IPs and potentially compromised accounts.

Facilitated the gathering, analysis, and preservation of evidence used in the prosecution of computer crimes.

Created Security InfoSpots in Remedy, which provided an executive summary of various compromised and spam accounts.

Deactivated and activated accounts through CAMEL in SIPRNet and NIPRNet.

Posted and reviewed high level files in SIPRNet.

Created charts for monthly IPRs to brief client.

Installed intrusion detection and intrusion prevention systems in order to catch bad IPs.

Updated patches and anti-virus on security and development team workstations.

Worked with mobile devices to authenticate with CAC and PIN.

Executed testing on Content Security consoles: HelpDesk, MyAccount, Guest Approval Console, and Foreign Approval Console.

Developed over three hundred documents for Content Security.

Installed and configured SharePoint on Windows Server 2008 Service Pack 2.

Installed Visual Studio 2010.

Installed Bugzilla in the testing environment to make collaboration easier for developers.

Checked security logs on daily basis.

Created, updated, and deleted tasks for developers on GRID.

Created, updated, and deleted tickets in Remedy.
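The account-compromise analysis described for the Northrop Grumman role above (looking for foreign IPs and multiple simultaneous authentications from one user) is shown here as an added worked example; it is not code from the resume or from any employer named on the page. The syslog-style line format, the prefix-to-country table standing in for a GeoIP lookup, the five-minute window, and the sample events are all constructed for the illustration.

```python
"""Flag potentially compromised accounts from authentication logs.

Added example: implements two heuristics from the bullet above over
constructed sample data. Nothing here is a real employer's format or data.
  1. concurrent_logins: one user authenticating successfully from more than
     one source IP inside a short window.
  2. foreign_logins: successful logins from prefixes mapped to a country
     outside HOME_COUNTRIES.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: tiny prefix-to-country table standing in for a GeoIP database.
GEO_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "US",        # internal address space
    ipaddress.ip_network("198.51.100.0/24"): "US",   # documentation range, treated as home
    ipaddress.ip_network("203.0.113.0/24"): "RU",    # documentation range, treated as foreign
}
HOME_COUNTRIES = {"US"}

# Constructed log lines in an assumed format:
# "<ISO-8601 timestamp> auth user=<name> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2023-08-01T09:00:05Z auth user=alice src=10.1.2.3 result=ok
2023-08-01T09:00:40Z auth user=alice src=203.0.113.7 result=ok
2023-08-01T09:02:00Z auth user=bob src=10.1.2.9 result=ok
2023-08-01T09:03:00Z auth user=carol src=198.51.100.4 result=fail
2023-08-01T09:03:10Z auth user=carol src=198.51.100.4 result=ok
2023-08-01T13:00:00Z auth user=bob src=198.51.100.20 result=ok
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    ok: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "auth":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append(AuthEvent(
            ts=datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            user=fields["user"],
            src=ipaddress.ip_address(fields["src"]),
            ok=fields["result"] == "ok",
        ))
    return events


def country_of(ip) -> str:
    """Longest-match is unnecessary here: the constructed prefixes do not overlap."""
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "??"  # unmapped prefixes are unknown, and unknown is not "home"


def concurrent_logins(events, window=timedelta(minutes=5)) -> dict[str, set[str]]:
    """Users with successful logins from more than one source IP inside `window`."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.ok:
            by_user[e.user].append(e)
    flagged: dict[str, set[str]] = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            ips = {str(first.src)}
            for later in evs[i + 1:]:
                if later.ts - first.ts > window:
                    break  # events are time-ordered, so nothing further fits
                ips.add(str(later.src))
            if len(ips) > 1:
                flagged.setdefault(user, set()).update(ips)
    return flagged


def foreign_logins(events) -> list[tuple[str, str, str]]:
    """(user, ip, country) for successful logins outside HOME_COUNTRIES."""
    return [(e.user, str(e.src), country_of(e.src))
            for e in events if e.ok and country_of(e.src) not in HOME_COUNTRIES]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("concurrent logins:", concurrent_logins(evs))
    print("foreign logins:", foreign_logins(evs))
```

On the sample data only alice is flagged: she authenticates from an internal address and, 35 seconds later, from a prefix mapped to a foreign country. bob's two logins are hours apart and both from home-country prefixes, and carol's failed attempt is ignored because only successful authentications indicate a usable credential. Tuning the window, and replacing the table with a real GeoIP lookup, is where the analyst judgement in the bullet above comes in.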

Avanti Technologies

Springfield, VA.

Junior Systems Engineer Supporting Customer Systems October 2009 – Jan 2010

Answered phones and assisted users with changing passwords, email, taking training on MTU, and questions about Financials, HR, and expenses.

Established WebEx accounts and set up accounts for basic access on PeopleSoft.

Created accounts on GovWin.

Entered tickets in the Altiris helpdesk and closed tickets on call.

Provided Level 1 and Level 2 support.

Provided input on and support of ongoing initiatives to increase the percentage of first-call resolution and overall customer satisfaction.

Performed Level 1 and Level 2 PC troubleshooting.

Trained with simple code in Microsoft Visual Basic 6.0.

Created simple applications by connecting to Microsoft SQL Server 2005.

Managed small tables through Microsoft SQL Server 2005.

Organized and wrote guidebooks for various modules.

Used Microsoft Office Visio 2007 to develop diagrams for guidebook to explain certain concepts.
