Projects
AI/LLM
- L3
- Honeywell
- 9/2024 - *
Identification of procedures and processes in SOC/CERT that can be automated using AI/LLM. From triage of phishing emails and report summarization to complex tasks.
SOAR
- SOAR Liaison
- DBG
- 11/2023 - 8/2024
Identification of procedures and processes in SOC/CERT that can be automated. Refactoring of current playbooks. Design and testing of playbooks.
BCP & DR for a client in the banking sector
- SME in DFIR
- PwC
- 9/2021 - 1/2022
The client requested two scenarios: a ransomware attack and an attack on the supply chain.
My role in the team was to ensure compliance with best practices in terms of incident response, forensic analysis, and related activities (recovery, lessons learned). We incorporated all our experience in dealing with these cases into plans and procedures for what to do in the event of such attacks.
DFIR
- DFIR Lead
- PwC
- 4/2021 - 10/2023
Forensic analysis and Incident Response/Threat Hunting for clients.
In April 2021, our colleagues from PwC Canada and Norway asked us to help them deal with a ransomware (DarkSide) attack on a global client in the retail segment. My task was to perform forensic analysis of the affected stations and collaborate with other colleagues. The goal was to restore operations as soon as possible with minimal impact on the business.
In March 2022, colleagues from the DACH region asked us for help when a client in the transportation segment was hit by ransomware (Conti). My task was to search for possible artifacts that the attacker might have left behind in the environment. A month later, colleagues from Canada contacted us and asked for help in analyzing an attack by the LockBit group.
Threat Hunting
- Senior Security Analyst
- Oracle
- 6/2020 - 9/2020
"Hunting" is a proven approach to verifying communication indicators or searching data for artifacts left behind by an attacker. I created a standard operating procedure (SOP) that analysts can use when they need to verify indicators of compromise. This procedure can also be used to search data, but this requires analytical skills and a sense of where to look for data: what to focus on and how to piece together the big picture.
The SOP includes sample solutions and documentation to provide junior analysts with enough examples to refer to when they don't know how to proceed. Everything has its templates so that the analyst can focus on searching and documenting the process, which leads them to the goal.
Anomaly Detection
- Senior Security Analyst
- Oracle
- 2/2019 - 8/2019
Part of the implementation of the Splunk and Splunk Enterprise Security tools was the creation of detections of deviations from normal behavior. Based on previous analysis, basic detections were identified (brute force attacks, suspicious outgoing communication, incorrectly entered password during privilege escalation, etc.) and these were implemented.
The basic detections are followed by advanced detections, which make further use of the integrated data sources and thus extend detection coverage with the help of the Splunk tool. Each detection comes with a standard operating procedure (SOP), i.e. what to do when it fires, including sample events and how to resolve them.
Flow probe deployment
- Technical project manager
- GovCERT.CZ
- 9/2015 - 12/2018
The aim of this project was to enable state institutions to see into their networks and solve problems within them. From GovCERT's perspective, this provides a global view of what is happening in the networks of state institutions. Together with a colleague, we devised and created the entire concept of deploying network probes into state administration networks.
The project can be divided into several parts. The first part was to identify the needs of individual institutions, followed by the creation of a technical concept, and finally the creation of tender documentation. The project also includes an analytical part, which processes and correlates all incoming data from the institutions.
Cyber exercises (Locked Shields, Cyber Czech, Cyber Coalition)
- Network traffic/log analysis
- GovCERT.CZ, Oracle, PwC, AČR
- 2014 - 2025
As a member of Blue Team, I participated in the Locked Shields and Cyber Coalition cyber exercises. Their purpose is to practice procedures in case of network compromise, forensic investigation, etc. Based on my specialization, I was responsible for analyzing network traffic (flow, pcaps, and logs). We mainly used open source tools (molo.ch, wireshark, tshark, nfdump, grep, awk, MISP, OpenCTI).
I participated in the national Cyber Czech exercise as a member of the Red Team. Its task was to put pressure on the trainees (Blue Team) so that they could test their acquired knowledge in practice against attackers. The most commonly used tools were Metasploit and ad-hoc scripts.
Methodological assistance
- SIEM/IDS/probe expert
- GovCERT.CZ
- 2/207 - 4/2017
As a member of the analytical team, I was responsible for processing logs, checking SIEM/IDS, and other security tools. This was always done in accordance with best practices, taking into account the benefits for the specific organization under investigation.
Lecturer
- ParaCENTRUM FENIX, GovCERT.CZ, Czechitas, AČR
- 3/2008 - *
I taught photography courses for several years as part of a non-profit organization. But I didn't stop there. I also offered courses on working with computers, working with the Office suite, and Windows administration.
I taught several lessons (one of them in English) focused on network traffic analysis. The goal was to give students as much information as possible so that they could make the most of it in their environment.
I also share my knowledge and skills through Czechitas, which offers git courses and courses focused on security.