@Antonlovesdnb
Last active January 27, 2025 13:34
Anton Ovrutsky Resume

Anton Ovrutsky, OSCP, OSCE, CISSP, CCSP, KCNA, B/M.A.

Relevant Experience

2024-Current - Principal Hunting & Response Analyst - Huntress

  • Member of “Tactical Response” team responsible for triaging hands-on-keyboard intrusions to aid Huntress partners in identification of initial access vectors.
  • Acted as final escalation point for complex SOC incidents.
  • Introduction of Azure Data Explorer (ADX) into the environment for rapid, automated analysis of telemetry via Kusto Query Language.
  • Utilizing Azure services, prototyped an AI-enabled chatbot for incident reports as well as a Slack bot integration with ADX.
  • Delivered technical webinars, including the popular “Tradecraft Tuesdays” series.
  • Authored technical blog posts relating to threat actor tradecraft as well as threat hunting methodologies.

2022-2024 – Senior Threat Research Engineer/Team Lead – Sumo Logic

  • Led a team of three Senior Threat Research Engineers, providing technical guidance, general mentorship and performance management.
  • Introduced a “Campaign” process to organize and streamline Sumo Logic out-of-the-box (OOTB) content generation work into sprints, including process documentation and automation of Jira ticket creation. The Campaign process was responsible for generating over two hundred new pieces of content in the form of SIEM rules.
  • Created lab environments utilized for content generation and validation using infrastructure-as-code paradigm, including creation of cloud lab environments using Terraform.
  • Authored various scripts designed for task automation including the creation of containerized development environments.
  • Creation of containerized honey pot network, including Kubernetes orchestration and deployment.
  • Performed gap analysis for existing content and put initiatives in place to address gaps, resulting in coverage for technologies such as Azure/Entra, Active Directory, Office 365, Docker, Kubernetes (Azure AKS and AWS EKS) as well as additional coverage for Linux and macOS operating systems.
  • Led initiatives to create threat detection content for the User Behavior Analytics (UBA) rule types introduced to the Sumo Logic platform.
  • Worked with marketing teams to create and deliver technical presentation material for the RSA Conference (2022) as well as webinars delivered in partnership with the SANS institute.
  • Sole author of numerous technical blog posts, resulting in thousands of additional views leading to high-ranking Google search results for key terms such as “Kubernetes lab”. Numerous blog posts also featured on popular security mailing lists such as “Detection Engineering Weekly” and “CloudSecList.”
  • Created a capture the flag (CTF) exercise, including all infrastructure build as well as challenge creation that spanned on-premises to cloud-native use cases; designed to get internal and external stakeholders more familiar with the Sumo Logic platform.

2020 – 2022 – Adversarial Collaboration Engineer – Lares Consulting

  • Worked with clients to plan, prepare and execute enterprise Purple Team engagements with actionable reporting deliverables.
  • Designed and executed realistic attack paths based on the MITRE ATT&CK framework in combination with publicly available threat intelligence material on the latest techniques used by threat actors.
  • Focused on visibility and defensive uplift, providing clients of varying sizes and across numerous industry verticals with boutique, high end white-glove style consultation regarding logging pipelines, queries and general defensive cyber security guidance.
  • Conducted Azure and Office 365 architecture and security reviews.
  • Conducted incident response and forensic investigation of both cloud and host-based intrusions.
  • Sole author of regular technical blog posts, including release of the SysmonConfigPusher tool - written in C# - that is designed to assist in Sysmon deployments at scale.
  • Creation and delivery of highly technical training material, focusing on telemetry pipelines, threat hunting and detection engineering.
  • Created and delivered various webinars, customer presentations and other technical marketing materials.
  • Responsible for conducting compromise assessments for clients of various sizes, including extremely large and complex Splunk deployments with data sources ranging from on-premises Active Directory to Kubernetes and custom application telemetry.
  • Assisted sales and other functions throughout the sales lifecycle, responding to requests for proposals (RFPs) and generating statements of work (SOWs).

2016 – 2020 – Senior Security Specialist - Equitable Life Insurance Company of Canada

  • Responsible for the configuration, maintenance and full operationalization of the McAfee Security Information & Event Management (SIEM).
  • Led a team of third-party SOC analysts, including training and documentation on new attacker tactics, tools and procedures.
  • Responsible for operation of Rapid 7 Nexpose vulnerability management system, including production of reports for senior IT leadership as well as prioritization and analysis of vulnerabilities.
  • Considered corporate subject matter expert on matters relating to malware, incident response, vulnerability management, Linux and Windows best-practice logging configurations and system hardening.
  • Worked with application and IT teams to remediate thousands of vulnerabilities across servers and workstations, resulting in a drastic reduction of risk to the organization.
  • Conducted simulation of malware and attacker activities in order to create and validate SIEM alerts and logging configurations as well as to identify any gaps in visibility.
  • Directly responsible for lowering third-party penetration test risk scores due to robustness of host and network-based detection capabilities.
  • Introduced Splunk Enterprise into the environment, including planning, architecting and executing a full deployment, complete with Windows Event Forwarding and logging best practices.
  • Project lead on various Azure Active Directory initiatives, including roll out of Azure Multi Factor Authentication as well as the implementation of Microsoft-recommended Conditional Access policies.
  • Introduced Sysinternals Sysmon into the environment, including a custom-written PowerShell log scraper, SIEM parsers and relevant SIEM rules.

2014 – 2016 – Senior Security Analyst - TransUnion Canada

  • Responsible for ensuring day-to-day compliance with corporate information security policies and procedures.
  • Responding to customer questionnaires regarding information security in a timely and comprehensive manner.
  • Creating, editing and updating a large amount of documentation used for internal and external audits as well as PCI certification.
  • Worked with various project teams – often under tight deadlines - to ensure that project proposals and implementations met TransUnion security policies and industry best practices.
  • Responsible for reviewing and vetting of access requests to TransUnion internal systems.
  • Designed automated access review system and conducted regular logical access reviews for critical TransUnion systems in order to satisfy audit and policy requirements.
  • Provided general guidance to business units on various security issues. Acted as primary point of contact for various large-scale and high visibility projects.

2012-2014 – Service Desk Technician - TransUnion Canada

  • Provided external and internal customer support for a range of TransUnion products and services.
  • Communicated issues to team members in order to ensure uninterrupted and consistent client support.
  • Edited and produced service desk related documentation for TransUnion products, services and processes to ensure compliance with PCI standards.
  • Provided desktop support and assistance to TransUnion associates.
  • Entrusted with highly sensitive customer data on a regular basis.

Education

Year Description
2022 Obtained Kubernetes and Cloud Native Associate (KCNA) certificate.
2019 Obtained ISC² Certified Cloud Security Professional (CCSP) designation.
2017 Obtained Offensive Security Certified Security Expert (OSCE) Certification.
2015 Obtained Offensive Security Certified Security Expert (OSCP) Certification.
2014 Obtained Associate of ISC² Certified Information Systems Security Professional (CISSP) designation. Full designation achieved in 2016.
2010-2012 Earned a multidisciplinary Master of Arts degree from the Munk School of Global Affairs, University of Toronto, specializing in European History and Political Science. Ontario graduate scholarship awarded two consecutive years.
2006-2010 Earned a Combined Honours Bachelor of Arts degree specializing in History and Labour Studies with a Minor in Sociology from McMaster University. Summa cum laude standing achieved.
2002-2006 Earned a Network Engineering and Security Analyst Diploma from Mohawk College.

Published Blog Posts

Year Title Link
2016 Setting up Sysmon https://haveyousecured.blogspot.com/2016/12/setting-up-sysmon.html
2016 Working with Sysmon https://haveyousecured.blogspot.com/2016/12/working-with-sysmon.html
2016 (Attempting) to Detect Responder with Sysmon https://haveyousecured.blogspot.com/2016/12/attempting-to-detect-responder-with.html
2017 Offensive Security OSCE (CTP) Review https://haveyousecured.blogspot.com/2017/06/offensive-security-osce-ctp-review.html
2017 Device Guard - Fixing VMWare Tools https://haveyousecured.blogspot.com/2017/07/device-guard-fixing-vmware-tools.html
2017 Visualize Windows Logs With Neo4j https://haveyousecured.blogspot.com/2017/07/visualize-windows-logs-with-neo4j.html
2017 Taking a Closer Look at PowerShell Download Cradles https://haveyousecured.blogspot.com/2017/07/taking-closer-look-at-powershell.html
2017 Making Lateral Movement Difficult in an Active Directory Environment https://haveyousecured.blogspot.com/2017/09/making-lateral-movement-difficult-in.html
2018 Moloch + Suricata + JA3 https://haveyousecured.blogspot.com/2018/10/moloch-suricata-ja3.html
2019 (Very) Basic Elastic SIEM Set up https://haveyousecured.blogspot.com/2019/06/elastic-siem-set-up.html
2020 Wrangle Your PowerShell Transcript Logs with Apache Nifi https://haveyousecured.blogspot.com/2020/03/wrangle-your-powershell-transcript-logs.html
2020 Edit Your Sysmon Config in Style https://haveyousecured.blogspot.com/2020/03/edit-your-sysmon-config-in-style.html
2020 Get Azure Key Vault Data into Splunk https://haveyousecured.blogspot.com/2020/04/get-azure-key-vault-data-into-splunk.html
2020 Hunt Fast: Splunk and tstats https://www.lares.com/blog/hunt-fast-splunk-and-tstats/
2020 From Lares Labs: Defensive Guidance for ZeroLogon (CVE-2020-1472) https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/
2020 WFH Lateral Movement TTPs https://www.lares.com/blog/wfh-lateral-movement-ttps/
2020 Active Directory (AD) Attacks & Enumeration at the Network Layer https://www.lares.com/blog/active-directory-ad-attacks-enumeration-at-the-network-layer/
2020 Endpoint Hunting for UNC1878/KEGTAP TTPs https://www.lares.com/blog/endpoint-hunting-for-unc1878-kegtap-ttps/
2020 Taking a Look at Office 365 Logs https://www.lares.com/blog/taking-a-look-at-office-365-logs/
2021 Hunting in the Sysmon Call Trace https://www.lares.com/blog/hunting-in-the-sysmon-call-trace/
2021 Getting into the Blue Team: A Practical Guide https://www.lares.com/blog/getting-into-the-blue-team-a-practical-guide/
2021 Emails and Malicious Macros – What Can Go Wrong? https://www.lares.com/blog/emails-and-malicious-macros-what-can-go-wrong/
2021 Introducing Sysmon Config Pusher https://www.lares.com/blog/introducing-sysmon-config-pusher/
2021 Sysmon for Linux Test Drive https://www.lares.com/blog/sysmon-for-linux-test-drive/
2022 Kubernetes Hunting & Visibility https://www.lares.com/blog/kubernetes-hunting-visibility/
2022 The Lowdown on Lateral Movement https://www.lares.com/blog/the-lowdown-on-lateral-movement/
2022 Azure and Azure Active Directory Monitoring Use Cases https://www.lares.com/blog/azure-and-azure-active-directory-monitoring-use-cases/
2022 Find threats: Cloud credential theft on Windows endpoints https://www.sumologic.com/blog/threat-labs-cloud-theft-windows-credentials/
2022 Detection notes: In-memory Office application token theft https://www.sumologic.com/blog/threat-labs-detection-notes-office-token-theft/
2023 Find threats: Cloud credential theft on Linux endpoints https://www.sumologic.com/blog/threat-labs-cloud-theft-linux-credentials/
2023 Building a Kubernetes purple teaming lab https://www.sumologic.com/blog/threat-labs-kubernetes-home-lab/
2023 Responding to remote service appliance vulnerabilities with Sumo Logic https://www.sumologic.com/blog/appliance-vulnerabilities-sumo/
2023 Threat hunting with Sumo Logic: The Command Line https://www.sumologic.com/blog/threat-hunting-command-line/
2023 How to execute an Azure Cloud purple team exercise https://www.sumologic.com/blog/azure-cloud-purple-team/
2024 Protecting identities with the Sumo Logic platform https://www.sumologic.com/blog/protecting-identities-sumo-platform/
2024 Hunt for cloud session anomalies with Cloud SIEM https://www.sumologic.com/blog/hunt-cloud-session-anomalies/
2024 Responding to CVE-2024-3094 - Supply chain compromise of XZ Utils https://www.sumologic.com/blog/respond-xz-utils/
2024 What’s going on? The power of normalization in Cloud SIEM https://www.sumologic.com/blog/whats-going-on-normalization-cloud-siem/
2024 Building the foundations: A defender's guide to AWS Bedrock https://www.sumologic.com/blog/defenders-guide-to-aws-bedrock/
2024 Analyzing Initial Access Across Today's Business Environment https://www.huntress.com/blog/analyzing-initial-access-across-todays-business-environment
2024 Hunting for M365 Password Spraying https://www.huntress.com/blog/hunting-for-m365-password-spraying

General Industry Contributions

Public Presentations

Year Description Link
2017 BSides Toronto – “Red and Blue Ping Pong” - Presented in conjunction with Lee Kagan, the talk outlined modern Windows attack and defense methodologies. https://www.youtube.com/watch?v=sDEEDZkIZGw&t=2s
2019 BSides & TASK Toronto - “Beyond Logs: Why It’s an exciting time to be a Defender” – an outline of modern defensive tools and methodologies in the defensive space of cyber security. https://www.youtube.com/watch?v=cnqDnrZxYkQ
2021 SANS Threat Hunting Summit - “Hunting Malicious Macros” – an overview of threat hunting and detection engineering techniques designed to track malicious Office macro usage. https://www.youtube.com/watch?v=soF5iyeeWDg&t=1s
2022 Defcon Blue Team Village - "Hunting Malicious Macros" https://www.youtube.com/watch?v=lrcAl_WD0HY
2023 Antisyphon Blue Team Summit - “Cloud Security: Does the endpoint still matter?” – an examination of lesser-appreciated credential access avenues such as file shares, cookies and cloud tokens with a particular focus on threat hunting through file access auditing events on Linux and Windows operating systems. https://youtu.be/dYJzEubKaNw?t=3699
2024 AtlSecCon - "Hunting for Cloud Session Anomalies" - this talk outlined how to hunt for cloud session anomalies in cloud services such as Microsoft Entra, Okta, Amazon Web Services and Kubernetes resulting from credential theft in the form of cookies or tokens. The talk covered telemetry sources, hunting strategies, and testing and validation methodologies. https://atlseccon2024a.sched.com/?iframe=yes&w=100%&sidebar=yes&bg=dark#

Volunteer Experience

  • 2019-2021 - Part of The Canadian Collegiate Cyber Exercise (C3X) build team, designing and implementing a simulated corporate environment with various attack and defense paths for student participants.