Job Musings
Here we are thinking by writing about past, current, and future roles and work. Feedback and questions always appreciated!
Public Blurb
@dfirnotes is an information security leader and educator in the Atlanta, Georgia, USA area. @dfirnotes presents at local groups and conferences on analysis, forensics, and security education, led Community classes on defense, response, and analysis with the SANS Institute, and has bugs and patches in a few public tools. Most recently they were a cybersecurity architect at a large corporation in the US.
- 5 years sysadmin, NOC, IT service management
- 7 years cybersecurity incident handling: CIRTs
- 6 years technical leadership in cybersecurity operations (SOC, CTI)
- taught for SANS Community, ~2015 to 2020
- presented at Security Onion Con, B-Sides Atlanta, and DC404
ACE-T 7, GSEC, GCIH, GCIA, GNFA, GMLE, GMON, GCFA, GSE #175, GREM, GCTI, GRID, GDAT, GSTRT, KLCP, ICS4ICS Type 4 (Past: CISSP, A+, Net+, ITIL Foundations, LPIC-1, MAD20 CTI, et alia)
Specialties: education, incident response, intrusion analysis, explanations, process engineering
Most recent resume roles
as Security Architect
- Leading multiple CTI automation efforts:
  - Selection, development, integration, and deployment of a new threat intel platform (TIP)
  - Working with vendors and partners on SOAR and TIP integration and enrichment
  - Curating high-fidelity internal threat data feeds and data products for IT and OT cybersecurity customers
- Educational presentations and postings, formal and informal mentoring
as CTI Lead
- Program lead for cybersecurity threat intelligence: multi-industry, with IT and OT customers
- Guided analysis work and program development with stakeholders
- Investigation support and products for sensitive high-impact investigations
- Example product titles: INTSUM: SUNBURST C2, INTSUM: RaaS Initial Access
- Educational presentations and postings, formal and informal mentoring
Desired Direction
Want to do more of:
- deep investigations and threat research, detections development
- analysis, investigation, and response courses of action (CoA) preparation, testing, and enhancements. Key CoAs:
  - volatile evidence capture
  - threat environment manipulation (TEM)
  - deception techniques
Neutral, these are only means to an end:
- Deploy and support technology platforms
- Scripting and automation
Stretch
Would love to:
- Build and run a community of practice (CoP) for intrusion analysis, tradecraft analysis, or other core cybersecurity analysis skills and practices to support individuals, teams, and programs.
- Teach more/again
- Learn about and improve my leadership skills
Cross-functional KSAs
- Multi-level multi-audience communications and education
- Knowledge management strategies, single-source publishing
- Business process analysis, data design, and data flow modelling
- Data analysis, data science, applied machine learning
- Team, project, and program leadership and management
- broad familiarity with computing, software development, and communications technologies
- business strategy analysis and planning
- Minor human and computer language familiarity
Full Recap
Previously on -The Vampire Diaries-, er, @dfirnotes: From a young age, we wanted to work in computer security (as it was called then) and learn hacking (all kinds). We worked in IT roles and learned customer service and troubleshooting and studied hard until we could get a full cybersecurity job. Then we worked cases and studied harder to skill up on analysis and become an incident responder: able to calm down upset people, stop some bad things from getting worse, study broken computers and explain what happened and what to do about it … all by following a plan and processes.
We learned a little forensics and how to study malware. We learned much more about Windows and *nix systems from the intruder’s perspective than we ever had from being a system administrator. We started carrying a separate work phone (or two, still do). We got to teach a few small study groups and help folks working on some of the certifications we had and that would lead to getting to teach a few full week classes around North America for a few years.
From working cases, teaching, and talking to customers and leaders we saw many things that could be improved, especially to make incident response less awful for everyone … but especially the incident responders (the CIRT, the SOC, the incident response team … when we had enough people to call it that). These improvements are always a mix of “people stuff” like documentation, education, practice with “computer stuff” like automation, backups, engineering, and applying excellent free tools (mostly open source, some low cost and immensely valuable).
There’s always work to do on the technologies and automation to make analysis and response better for customers and responders. We found (and still find) that the “people stuff” is a) harder in every facet and b) much more effective at improving things. So, we can do things with technology and better: can explain all of the things you could do with technology … but are much more interested in people and process:
- What are you trying to do?
- Is that the right thing to do for the customer or the mission?
- Okay, here are some ways we can do that!
- Is that the right thing to do for the customer or the mission?
- How can we enable smart, compassionate professionals (of diverse backgrounds and experiences) to solve problems, defend important systems, and improve things for customers and our community?
So, we took a scary leap, or two, from “security engineering” (mostly straightforward, always frustrating) technology work to try and focus on people and leadership. We wanted to work on the harder, more important issues: still trying to improve things for security folks and also customers. We knew we didn’t have all the people and politics skills needed … as a leadership book title points out, “What Got You Here Won’t Get You There”. That’s when things got exciting. As in Minnesota ‘interesting’ mixed with fake Chinese proverb ‘interesting’, first with ideas from N. Machiavelli, and then straight to George R. R. Martin themes.
And so, we were: CSOC Manager, CSO Technology Manager, CTI Lead, Security Architect … and, too briefly, Community Instructor
What’s next?