📄 Ankur Tyagi
🏡 Blog • 🤖 GitHub • 🔗 LinkedIn • 🐤 Twitter • 📧 Email
Introduction
- I'm an infosec enthusiast with a strong background in network security (IDS/IPS), anti-malware technologies (EDR/XDR), research methodologies and innovation.
Experience
Principal Engineer @ Qualys Inc.
Jan/2019 - Present (3 years and 8 months)
- Product research, design and PoC: Breach Simulation, Security Control Validation, Attack Surface Mapping, Asset Remediation Trendmap
- Research and automation: Threat Intelligence feeds evaluation and aggregation, False Positive validation, event whitelisting, risk scoring, rule parsers and converters
- MITRE ATT&CK TTP correlation (adversary killchain), quantification and scoring
- Subject Matter Expert for research/innovation and multiple automation workflows
Sr. Malware Research Engineer @ Qualys Inc.
Jan/2017 - Jan/2019 (2 years and 1 month)
- Research towards automated aggregation of threat behavior, filed for US patent and implemented as part of a customer facing product
- Worked with various teams as a Subject Matter Expert for AntiMalware and network security research initiatives
- Worked on multiple research ideas that could be leveraged as Intellectual Property
- First responder to provide detection against active malware campaigns
Malware Research Engineer @ Qualys Inc.
Apr/2015 - Jan/2017 (1 year and 10 months)
- Research automated (Yara/IoC) rule creation for generic threat coverage
- Automated sourcing, filtering and scanning of malware samples
- Reverse engineering and analysis of malware samples
- Worked on various in-house automation and development projects
- Technologies: Python, Shell, Unix, Windows, AntiMalware, EDR
Security Research Engineer @ Juniper Networks
Apr/2012 - Feb/2015 (2 years and 11 months)
- Testing and updating in-house automation tools that help with coverage against various exploitation frameworks
- Ensured coverage against latest vulnerabilities and exploits through signature development for Juniper's security portfolio devices
- Regular updates of active signatures to ensure coverage against evolving IDS/IPS evasion techniques as well as for quality assurance
- Technologies: Python, Shell, Unix, Windows, IDS, IPS
Information Security Engineer @ SecurView Systems
Dec/2010 - Apr/2012 (1 year and 5 months)
- Vulnerability Researcher / Security Analyst for the Cisco Security IntelliShield Alert Manager Service
- Active member of the Secur-I Research Group with activities spanning monthly publication of critical vulnerability assessments and concentrated vulnerability research
- Technologies: Python, Shell, Unix, Windows
Research
Patents
- Jul/2019: Attack Path and Graph Creation Based on User and System Profiling
- Apr/2019: Attack Kill Chain Generation and Utilization for Threat Analysis
- Apr/2019: Asset Remediation Trend Map Generation and Utilization for Threat Mitigation
- Apr/2019: DSL for Simulating a Threat-Actor and Adversarial TTPs
- Apr/2019: DSL for Defending Against a Threat-Actor and Adversarial TTPs
- Apr/2019: DSL for Threat-Actor Deception
- Apr/2017: Method and Apparatus for Intelligent Aggregation of Threat Behavior
- Dec/2014: Using A Probability-based Model To Detect Random Content In Network Traffic
- Sep/2014: Deobfuscating Scripted Language For Network Intrusion Detection
Talks/Papers/Demos
svachal + machinescli
Writeups for CTF challenges and machines are a critical learning resource for our community. For the author, they present an opportunity to document their methodology, tips/tricks and progress. For the audience, they serve as reference material. Oftentimes, authors switch roles and become the audience to learn from their own work. This demo aims to showcase two tools, svachal and machinescli, developed with these insights. They work in conjunction to help users curate their learning in structured .yml files, find insights and query this knowledge base as and when needed.
- 13/Aug/2022: DEF CON 30 Demo Labs
Angad - Malware Detection using Multi-Dimensional Visualization
Angad is a framework to automate classification of an unlabelled malware dataset using multi-dimensional modelling. The input dataset is analyzed to collect various attributes which are then arranged in a number of feature vectors. These vectors are then individually visualized, indexed and queried for each new input file. Matching vectors are labelled as per their AV detection categories (this could be changed to a heuristics approach if needed). If dynamic behavior or network traffic details are available, the respective vectors are converted into activity graphs that depict evolution on a predefined time scale. This results in an animation of a malware sample's or a malware category's behavioral traits and is useful in identifying activity overlaps across the input dataset.
- 13/Oct/2018: SecTor 2018
- 14/Sep/2018: BSides Zurich 2018
- 07/Sep/2018: GrrCON 2018
- 11/Aug/2018: DEF CON 26 Demo Labs
Visual Network and File Forensics
This presentation aims to demo the effectiveness of visual tooling for malware and file-format forensics. It will cover structural analysis and visualization of malware and network artifacts. Various techniques will be shown, such as entropy/n-gram visualization and using compression ratio and theoretical minsize to identify file type and packed content. Along with this, a framework that helps automate these tasks will be presented. Attendees with an interest in network monitoring, signature writing, malware analysis and forensics will find this presentation useful.
- 29/Jul/2017: DEF CON 25 Packet Hacking Village (could not attend)
- Virus Bulletin 2017
Rudra - The Destroyer of Evil
Rudra aims to provide a developer-friendly framework for exhaustive analysis of PCAP and PE files. It provides features to scan and generate reports that include a file's structural properties, entropy visualization, compression ratio, theoretical minsize, etc. These details, along with file-format specific analysis information, help an analyst understand the type of data embedded in a file and quickly decide if it deserves further investigation. It supports scanning PE files and can perform API scans, anti{debug, vm, sandbox} detection, packer detection, authenticode verification, along with Yara, shellcode, and regex detection upon them.
- 06/Aug/2016: DEF CON 24 Demo Labs
- 03/Aug/2016: Black Hat USA 2016 Arsenal
- 28/Jul/2016: OWASP Pune Meet
- 31/Mar/2016: Black Hat Asia 2016 Arsenal
- 13/Nov/2015: Black Hat EU 2015 Arsenal
- 08/Aug/2015: DEF CON 23 Demo Labs
- 05/Aug/2015: Black Hat USA 2015 Arsenal
Flowinspect - Network Inspection Tool on Steroids
Flowinspect is a tool developed specifically for network monitoring and inspection purposes. It takes network traffic as input and extracts layer 4 flows from it. These flows are then passed through an inspection engine that filters and extracts interesting network sessions. For flows that meet inspection criteria, the output mode dumps match statistics to either stdout or a file or both.
- 06/Aug/2014: Black Hat USA 2014 Arsenal
- 14/Feb/2014: Nullcon 2014
Media
- Sep/2017: Bossie Awards 2017 - The best networking and security software (InfoWorld)
- Sep/2017: Visual network and file forensics with Rudra (HelpNet Security)
- Sep/2015: Rudra - Framework for automated inspection of network capture files (HelpNet Security)
- Mar/2014: Network Sorcery with ChopShop and Libemu (PenTest Magazine)
Academics
University
- Dec/2014: M.Tech Software Systems @ BITS-Pilani
- Jul/2010: BE Information Technology @ Pune University
Certification
- Aug/2022: Amateur Radio Operator (KN6VLB)
- Mar/2012: GIAC Penetration Tester (GPEN)
- May/2011: Certified Ethical Hacker (CEH)
- Jan/2010: Cisco Certified Network Security Associate (CCNA)
Last updated: 22/Aug/2022