THOMAS G. WINSTON
● LinkedIn: Tom Winston, Ph.D. ●******.*******.***@*****.***
SUMMARY
15+ YEARS IN DFIR, MANAGING FULL LIFE-CYCLE DIGITAL FORENSICS CHALLENGES. CYBER THREAT INTELLIGENCE THOUGHT LEADER, RESEARCHER, EDUCATOR AND HIGHLY EXPERIENCED PRACTITIONER WITH DEEP EXPERIENCE THREAT HUNTING FOR US GOVERNMENT AND PRIVATE SECTOR THROUGHOUT THE MIDDLE EAST, EURASIA, AND EUROPE. EXPERT AT CYBERSECURITY RISK MANAGEMENT AND TRANSLATING THREAT INTELLIGENCE INTO ACTIONABLE RESPONSE PLANS TO PROTECT CRITICAL INFRASTRUCTURE, INDUSTRIAL INFRASTRUCTURE, CORPORATE REPUTATIONS AND REVENUE. SOUGHT-AFTER SPEAKER WITH MANY CYBERSECURITY PUBLICATIONS. EXPERIENCED COUNTERINTELLIGENCE PRACTITIONER. PROFICIENT IN RUSSIAN, FRENCH, GERMAN, GREEK, ITALIAN, AND SLOVAK, WITH BASIC PROFICIENCY IN ARABIC AND TURKISH.
CORE COMPETENCIES
• Deep enterprise IT / ICS / OT protocols and DFIR knowledge
• Expert educator and thought leader
• Deep cyber security knowledge and leadership
• Extensive Sr. Leadership and strategic vision with tactical proficiency
• Expert at running webinars, PR events, interviews, and other public appearances
• Program / Project Management
• Proficient in adversary hunting tools and methodologies
• Expert researcher, highly competent with data analytics, Ransomware, Insider Threat
• Theoretical and practical ML, AI in various modalities: image processing, LLMs, NLP
• Intelligence Operations, foreign lang. proficiency
• Expert Cyber Threat Intelligence Practitioner/leader
• Extensive national security experience, leading and practicing
• Expert investigator using OSINT, HUMINT, SIGINT, and MASINT
• ISO 2700x, NIST 800-53, 800-82, MITRE ATT&CK, Diamond Threat Model, FTK, EnCase
• C, C++, Python, Assembly (x86)
• TCP/IP, Unix, Windows, Linux (many flavors) OS
EXPERIENCE
Lead Intelligence Analyst – Two Six Technologies, Inc. 08/2023 – 05/2025
• Served as subject matter expert for creating cross-functional, cross-platform intelligence activities for DoD.
• Created operational and strategic intelligence simulations for risk management programs in the DoD.
• Worked with co-PIs to plan, develop and implement complex systems for CTI processing.
• Wrote Decision Support Analytics for a DoD program involving maritime environments.
• Conducted DFIR research on complex, ambiguous data sets to develop analytic lines of thinking.
• Utilized ML and AI to enhance processing of data into Large Language Models (LLMs).
• Worked across organizational teams and functions to redesign existing systems to enhance capabilities.
• Participated in highly technical briefings and exercises to prototype systems.
• Manipulated existing systems to develop more robust data dictionaries and topically focused systems.
• Managed a burgeoning team of senior and mid-level intelligence analysts.
• Mentored less experienced employees.
Director, Global Cyber Threat Intelligence – Dragos, Inc. 8/2021 – 6/2023
• Managed quality and precision of all intelligence content produced by several analytic teams (30 people).
• Successfully implemented risk management program through use of intelligence collection, threat detection and mitigation as well as cyber threat intelligence production.
• Elevated Dragos through SME public speaking, webinars, podcasts and media interviews to be a world-class cyber threat intelligence organization.
• Managed high-volume, critical production cycles. Increased efficiency of intel editing and production process.
• Directed production of the Year in Review report that yielded $80 million in pipeline year 1, and $990 million year two.
• Provided expert level technical guidance for both public and private corporate publications, raised millions in pipeline revenue through webinars, whitepapers, and blogs.
• Managed, mentored and trained small team, produced a highly technical, professional yearly report of cyber threats which generates millions of dollars in revenue for the organization.
• Wrote deep dive technical white papers on Insider Threat and created new algorithm for Ransomware Management in OT space.
• Developed short- and long-term, complex production plans based on mission needs and staffing.
• Served with executive team on critical cross-organization projects.
• Leveraged SIEM and SOAR products in support of threat-hunting duties.
• Developed OKRs and KPIs for direct reports and provided continuous feedback on a quarterly basis for same.
Principal Adversary Hunter – Dragos, Inc. 1/2021 – 8/2021
• Wrote high quality, impactful intelligence products based on telemetry, research and OSINT.
• Conducted hunts in various industrial verticals to find adversarial activity.
• Reverse engineered malware samples and created IOCs, signatures using YARA, Threat Connect, Virus Total, Intezer and IDA-Pro in a virtualized / hypervisor environment.
• Created ideations and detections for EDR.
• Extensively developed detections and ideations using MITRE ATT&CK and ATT&CK for ICS.
• Produced top-quality threat intelligence that garnered top readership numbers.
• Conducted primary research on ransomware and insider threat and produced published papers.
• Led my team in producing high-quality, high-impact intelligence, frequently receiving most read status.
• Performed threat hunting activities on multiple data sources daily.
• Built hypotheses for hunting, executed manual hunting techniques, gathered and analyzed results and performed forensic activities to uncover root causes and attribution.
• Stayed current with latest cyber security research projects and attacks.
• Published and shared knowledge and findings to make the world safer in cyberspace.
Assistant Professor – Cyber Security Engineering (CYSE) – George Mason University 2019 – May 2021
• Managed several teams to produce working prototypes and to publish papers in the areas of supervised and unsupervised machine learning, artificial intelligence, natural language processing, generative adversarial networks.
• Directed and coordinated courses and served as a principal instructor for core cyber security engineering classes as well as senior level electives. Achieved very high (4.45+/5.00) rankings for all semesters.
• Spearheaded the charge to develop Cyber Security Engineering courses by creating classes in Software Reverse Engineering.
• Masterfully created partnerships between leading industry entities and George Mason University Volgenau School of Engineering.
Assistant Professor – Information Sciences and Technology – George Mason University 2014 – 2018
• Managed and coordinated courses and served as a principal instructor for core cyber security engineering classes as well as senior level electives. Achieved very high (4.35+/5.00) rankings for all semesters.
Cyber Exploitation Analyst / Science, Weapons and Tech Analyst – CIA 2009 – August 2018
• Award-winning work for USIC in areas of analysis and operations utilizing OSINT, HUMINT, SIGINT and MASINT.
• Implemented worldwide operational intelligence collection program regarding ICS/SCADA intelligence.
• Hunted for new and evolving cyber threats in large datasets.
• Assessed sophistication of code complexity in Python, Java, and C/C++ code.
• DFIR expertise, both removable and fixed media as well as video, and imagery forensics.
• Drafted hundreds of reports based on forensic findings for field offices and policy makers in DC.
• Built and used RDBMS for data mining; integrated with Kibana and ELK.
• Worked with overseas and domestic intelligence community partners to solve complex issues and to draft comprehensive reports.
• Expert usage of Ghidra, Intezer, IDA Pro, FTK, EnCase in digital forensic activities.
• Led crisis teams through incident response and dissemination of high-quality and comprehensive threat intelligence.
• Developed specific, structured processes for incident response and proper handling of forensic data.
• Managed team of 8-12 when needed.
• Investigated and analyzed foreign cyber threats and counterintelligence threats to US critical infrastructure, to include ICS/SCADA.
• Produced research papers on foreign cyber threats as well as mitigation strategies using MITRE kill-chain.
• Managed relationships between US intelligence community partners.
• Liaised successfully with operational elements abroad to both assist and provide technical direction for mission-critical challenges.
• Briefed senior level policy makers to further guide policy development.
• Managed technical operations domestically and abroad.
• Leveraged SIEM and SOAR products in support of threat-hunting duties.
• Developed and executed strategic plans for proactive threat-hunting initiatives to identify and mitigate potential security threats before they escalate.
• Led teams of threat hunters, providing guidance, training, and mentorship to enhance their skills in threat detection and response.
• Utilized advanced threat-hunting techniques and tools to proactively search for and identify emerging threats and vulnerabilities within the organization's infrastructure.
• Developed and maintained threat-hunting playbooks, methodologies, and standard operating procedures (SOPs) to streamline and enhance the effectiveness of threat-hunting activities.
• Stayed abreast of the latest cyber threats, attack techniques, and industry best practices to continually improve threat-hunting capabilities.
• Collaborated with threat intelligence teams to integrate external threat intelligence feeds and contextual information into threat-hunting operations.
• Drove continuous improvement initiatives to optimize threat-hunting processes, tools, and techniques based on lessons learned and industry trends.
C4ISR Analyst – Defense Intelligence Agency 1/2008 – 10/2009
Liaison Officer / Foreign Policy Officer – US Department of State 2008-2009 (Joint Duty Assignment)
• Created new office of cyber affairs at State that recently became a Bureau.
• Coordinated cyber operations between State, USCC, and CIA.
• Worked across the USIC on many projects to include PPDs.
• Briefed Principals and Deputies on complex cyber security issues.
• Drafted foreign policy documents.
• Received award for my service there from AMB John Dinger.
Assistant Professor, Computer Science – Endicott College 2001-2008
Sr. Network Security Consultant / Pen-Tester – Fleet Bank 2001-2002
• Led a team of 10+ analysts and provided oversight of situational awareness in a 24/7/365 security operations center.
Manager of IS Infrastructure/Technical Trainer – Lucent Network Prof. Serv. 1999
Speech/Language Recognition Scientist – BBN Technologies 1996-98
• Used Hidden Markov Models to optimize Natural Language Processing.
Part-time Work
Adjunct Professor, Applied Information Technology – George Mason University 2012 – present
• Teach courses in cryptography, advanced cryptography, secure C coding and intelligence analysis.
Adjunct Professor, Homeland Security Studies Program – Endicott College 2022 – present
SELECTED PUBLICATIONS
Dissertation: An Empirical Investigation of Privacy and Security Concerns on Doctors’ and Nurses’ Behavioral Intentions to Use RFID in Hospitals
Whitepapers:
The 4 Qualities of Good Cyber Threat Intelligence
Protect Your ICS Environment from Ransomware with Risk Assessments
Software in the Supply Chain: The Newest Insider Threat to ICS Networks
09/16 – S. Olson, I. Rytikova, T. Winston, M. Boicu. “Creating the Research and Innovation Ecosystem”. 2016 Innovations in Teaching & Learning (ITL) conference, “The Science of Learning: Using Research to Improve Teaching”, George Mason University, Fairfax, Virginia, September 16, 2016. http://journals.gmu.edu/ITLCP/article/view/1542
01/16 – Published dissertation précis to HICSS 49 (accepted): “An empirical investigation of privacy and security concerns on nurses’ behavioral intentions to use RFID in Hospitals.”
EDUCATION
Ph.D. Information Systems – Nova Southeastern University, FL
MS Telecommunications – Boston University, Boston, MA
MS Law, Policy and Society – Northeastern University, Boston, MA
MS Education – State University of NY (SUNY) at Albany
BA Linguistics/Russian – SUNY Albany
Graduate - Career Analyst Program – Sherman Kent School, CIA