
Christopher C. Granger
+1-703-505-9880
counterforce@protonmail.com
https://www.linkedin.com/in/chris-granger-7961568

Employment

Senior Threat Intelligence Analyst
Attack Investigation Team
Symantec Corporation, Security Technology & Response
July 2013 – March 2015

- Promoted to a special projects team formed by the Office of the CTO to conduct in-depth investigations into high-priority cyberattacks, structuralize intelligence analysis practices, and maintain tracking and intelligence on a number of cyberattack groups.
- Identified members of a hypothesized Eurasian crime syndicate believed responsible for a popular identity theft store (SSNDOB.ru) and at least 13 known data breach incidents, ca. 2012-2013. Findings were given to law enforcement and investigative journalist Brian Krebs, who broke the first public stories on this group & posted the following article, which sources Symantec research: (March 2014) Who Built the ID Theft Service SSNDOB.ru?, Krebs on Security
- Participated as joint lead analyst in AIT's investigation into attacks attributed to the Dragonfly group (a/k/a Energetic Bear) and wrote the initial draft of Symantec's whitepaper on the attacks
- Improved team analytics, efficiency, and technical collection capabilities by creating tools to automate analysis and collection tasks, such as:
  o Python/SQL scripts to:
    - Identify & compare related samples based on static & dynamic characteristics captured by the team malware sandbox
    - Identify steganographically concealed command-and-control instructions embedded in web pages
    - Perform PE compilation timestamp comparisons of sandboxed samples
    - Retrieve and model malware sample metadata (inspired by the Diamond Model)
    - Inform detection logic for Network Intrusion Prevention System signatures (one such example led to Symantec's discovery of the OnionDuke malware)
  o Custom Maltego transforms to interface with Symantec data warehouses
  o Personal databases pertaining to hacking and carding forums, which allowed quick queries across multiple sources for personally identifiable information (e.g. email addresses, ICQ numbers, account & messaging handles) during investigations or in response to team member queries

Senior Analyst
Global Threat Response Team
Symantec Corporation, Managed Security Services
December 2010 – June 2013

- Proposed, managed and developed SQL-based analytics for a 14-month-term, seven-phase project (SIG2.X) aimed at:
  o Enhancing the business's high-severity incident detection capabilities; this entailed researching & tuning the SOC Technology Platform's (STP) incident creation logic for signatures from 26 supported host & network monitoring platforms
  o Establishing a semi-automated process to ensure proper review & settings of STP detection logic for new signatures from supported vendors
  o Establishing procedures to modify client notification/alerting processes in cases of widespread malware infections, many of which were discovered as a result of this project
- DeepSight Reputation Feeds Integration
  o Performed detailed quality & analytics integration testing, and provided requested detection logic recommendations for Symantec's Hostname and IP Reputation feeds; a Collective Intelligence Framework (CIF) server was used to assist research of feed entries
  o Troubleshot technical issues with the SOC Development Team, reported multiple bugs in the newly developed analytics module and assisted with testing of bug fixes
- Provided research & recommendations to the SOC Analysis Team's Hunter Project, an initiative to solicit and capture detection enhancement recommendations from senior members of the SOC Analysis Team, including:
  o A proposal for a cost-effective and technically practical means of enhancing the SOC Technology Platform's IP correlation models which would require only minor changes to the STP and log collection logic
  o Recommendations to enhance the SOC's DDoS detection analytics, based on results from a proof-of-concept Vertica SQL query that applied alternate means of detection vs. existing SOC analytics in cases where attacks were advertised via Twitter (therefore somewhat or seemingly reliably verifiable); the proof-of-concept was able to detect DDoS attacks in multiple instances where existing SOC analytics were false negative, or were unable to distinguish attacks from other statistically anomalous increases in network traffic flows
  o Recommended NID/PS and STP correlation-based detection for data staging and exfiltration activity
- Served as technical & research assistant for a project aimed at enhancing the service's APT (Advanced Persistent Threat) detection
  o Created intelligence-only SOC detection using supplied tranches of data, and analyzed & reported results
  o Identified several client-confirmed instances of intrusions by sophisticated actors and used related indicators to establish the first Emergency-severity suspected live intruder detection logic and incident guidelines for the SOC
  o Used related research to write Snort signatures for HTran-tunneled commands which were included in a rule release by Sourcefire VRT
  o Used volatile memory analysis techniques to extract actionable intelligence from an in-the-wild Adobe Flash zero-day exploit, including evidence which connected the exploit to a suspected cyberespionage group

Senior Analyst
Security Operations Center
Symantec Corporation, Managed Security Services
March 2010 – December 2010

- Served as SOC Analysis team lead and point-of-contact for nineteen of Symantec MSS's highest contract value clients, and was personally cited by many assigned clients as a key factor in raising their overall NPS (Net Promoter Score) ratings from service detractors to promoters
- Contributed to SOC pre-canned Incident Types and Comments
- Identified multiple bugs and rule enhancement opportunities in open-source Network Intrusion Detection/Prevention rules, and escalated these to supported vendors on behalf of clients, e.g.
  o Layer 2 Reassembly/Pseudo Packet Logging flaws in the Sourcefire/Snort detection engine
  o Flaws in detection logic for CVE-2006-0007
  o Emerging Threats rules for: W32.Disttrack, GhostClick Trojan, et al.

Intrusion Detection Analyst
Security Operations Center
Symantec Corporation, Managed Security Services
June 2008 – March 2010

- Identified Indicators of Compromise (IoCs) for use in SOC detection analytics for multiple malware families, e.g. Conficker, ZeroAccess, Zeus/Zbot, Ponmocup, etc.
- Frequently awarded & cited by clients and managers for providing quality, in-depth intrusion detection analysis

Languages and Technologies

- SQL, Python, Perl (some, but less experience with: C/C++, JavaScript, PHP, Shell & CGI Scripting)
- Internet Protocol Suite, IPv4 & IPv6, REST, JSON, XML, YAML
- Regular Expressions, Snort rules, YARA rules, Custom Maltego Transforms
- Wireshark/tcpdump, Cuckoo Sandbox, VMware, VirtualBox (some familiarity with: Volatile Memory Forensics Tools & IDA Pro)
- Maltego, Splunk, Collective Intelligence Framework, MATLAB
- Metasploit, Kali Linux, Nmap, OpenVAS
- PyCharm, BIND, Apache, Dovecot

Research Papers/Briefs

- Lead Analyst; co-author (2014) Meet Cyclosa, the Gang Behind 2013's Biggest Data Thefts, Security Response Blog
  http://www.symantec.com/connect/blogs/meet-cyclosa-gang-behind-2013s-biggest-data-thefts
- Lead Analyst; co-author (2014) Dragonfly: Cyberespionage Attacks Against Energy Suppliers
  http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf
