# Ryan Marcotte Cobb

`````{div} full-width

::::{grid}

:::{grid-item}
:columns: 4
:child-align: center
:margin: 0 

```{image} images/rmc-photo.jpg
:alt: portrait
:width: 385px
:align: center
```

:::

:::{grid-item}
:columns: 5

**Ryan Marcotte Cobb** is a principal security researcher in the Secureworks Counter Threat Unit (CTU). Ryan serves in a cross-functional role supporting detection engineering, threat hunting, and incident response teams. Ryan joined Secureworks in 2013 as a consultant on the Incident Response team and led investigations into complex nation-state intrusions. He is the author of a Jupyter-based threat hunting platform and an active contributor to open source projects. Ryan has a B.A. in Philosophy and a Graduate Certificate in Digital Forensics from the University of Rhode Island.

:::

::::
`````

## Education

| Institution  |  Program    | Completed |
| :--- | ---: | ---: |
| University of Rhode Island | Graduate Certificate, [Digital Forensics](https://web.uri.edu/osi/programs/digitalforensics/) | January 2013 |
| University of Rhode Island | B.A., Philosophy (Summa Cum Laude) | May 2011 |


## Work History

````{card}

| Principal Security Researcher | Start Date | End Date |
| :--- | ---: | ---: |
| *Secureworks Counter Threat Unit (CTU)* | March 2022 | Present |

- Embedded in multiple product teams to facilitate collaboration between detection engineers and researchers
- Assisted product managers and engineers in the prioritization, design, and development of security features for the Taegis XDR platform
- Developed a framework for continuous testing of complex detection systems running in AWS through telemetry snapshotting and replay

+++
{bdg-secondary}`Detection Engineering` {bdg-secondary}`XDR/EDR` {bdg-secondary}`Data Engineering` {bdg-secondary}`CI/CD` {bdg-secondary}`Software Development`
````


````{card}

| Information Security Researcher  | Start Date | End Date |
| :--- | ---: | ---: |
| *Secureworks Counter Threat Unit (CTU)* | August 2018 | March 2022 |

- Served as technical lead for Secureworks' global threat hunting team
- Created a Jupyter notebook-based security analysis toolkit that was broadly adopted by multiple teams across the organization
- Designed and executed adversary emulation scenarios in bespoke cloud lab environments
- Helped delivery teams respond to global crises, such as SolarWinds and HAFNIUM
- Primary instructor for the incident response college hire program, which involved the recruitment, training, and ongoing mentorship of seven junior IR analysts over a four-year period
- Authored multiple advanced analyst training courses covering threat hunting, digital forensics, data analysis, and EDR internals

+++
{bdg-secondary}`Threat Hunting` {bdg-secondary}`Jupyter` {bdg-secondary}`Security Research` {bdg-secondary}`Azure AD` {bdg-secondary}`Purple Teaming`
````

````{card}

| Incident Response Consultant  | Start Date | End Date |
| :--- | ---: | ---: |
| *Secureworks* | June 2013 | August 2018 |

- Delivered proactive and reactive DFIR professional services for medium-sized business and enterprise customers
- Responsible for analyzing digital evidence and communicating findings to decision-makers
- Investigated multiple intrusions by sophisticated nation-state threat actors
- Focused on automating digital forensics tasks to improve team efficiency

+++
{bdg-secondary}`Incident Response` {bdg-secondary}`Digital Forensics` {bdg-secondary}`Python` {bdg-secondary}`pandas` {bdg-secondary}`Blue Teaming` {bdg-secondary}`Automation`
````


## Open Source Contributions

| Project  | Language | Contribution |
| :--- | :--- | :--- |
| [Family of Client IDs Research](https://github.com/secureworks/family-of-client-ids-research) | python | Published an interactive whitepaper demonstrating how an undocumented feature in Microsoft's OAuth 2.0 implementation can be abused for privilege escalation using refresh tokens |
| [Stratus Red Team](https://stratus-red-team.cloud/) | golang | Contributed the Azure provider, which enables automated attacks against Microsoft cloud resources |
| [MSTICpy](https://msticpy.readthedocs.io/en/latest/) | python | Active member of the `msticpy` community on Discord and author of the Azure Resource Graph driver |
| [ROADtools](https://github.com/dirkjanm/ROADtools) | python | Created a plugin that generates [Log2Timeline](https://plaso.readthedocs.io/en/latest/)-compatible super timelines from the timestamps in Azure AD objects |


## Talks

- Magic Tricks: Demystifying IPython Magics. Ryan Marcotte Cobb. [Infosec Jupyterthon](https://infosecjupyterthon.com/). December 02 2022. [video](https://youtu.be/8Mw1yyYkeqM?t=11005), [slides](https://github.com/secureworks/infosec-jupyterthon-2022-ipython-magics)
- [Threat-Driven Development](https://www.dashcon.io/talks/threat-driven-development-with-stratus-red-team/). Ryan Marcotte Cobb. Dash. October 18-19 2022. [video](https://youtu.be/AbWwcqLwcYI), [slides](https://github.com/ryan-detect-dot-dev/presentations/blob/main/Threat-Driven%20Development%20DASH-2022.pdf)
- [Abusing Family Refresh Tokens for Unauthorized Access and Persistence in Azure Active Directory](https://troopers.de/troopers22/talks/crffp3/). Ryan Marcotte Cobb. TROOPERS. June 2022. [video](https://youtu.be/fTLzi9GCfBA)
- FOCI: Abusing Undocumented Features in Azure Active Directory Refresh Tokens. Cybersecurity & Infrastructure Security Agency (CISA) Advanced Technical Threat Exchange. March 2022. [slides](https://github.com/secureworks/family-of-client-ids-research/blob/main/atte22.md)
- [Managing Mischief: Collaborative Conflict between Red and Blue](https://events.securityweekly.com/unlocked2021/session/668577/managing-mischief-collaborative-conflict-between-red-and-blue). Trenton Ivey, Ryan Marcotte Cobb. Security Weekly Unlocked. December 2021.
- [Threat Hunting Intelligently](https://www.blackhat.com/us-20/sponsored-sessions/schedule/index.html#threat-hunting-intelligently-21583). Ryan Marcotte Cobb. Black Hat USA 2020 _(sponsored session)_. August 2020.


## Writings

```{bibliography}
:all:
:style: plain
```


## Certifications


|Certification|Status|Obtained|
|-------------|------|--------|
|[GIAC Cloud Penetration Tester (GCPN)](https://www.giac.org/certifications/cloud-penetration-tester-gcpn)|Active|2022-03-16|
|[GIAC Cloud Security Automation (GCSA)](https://www.giac.org/certifications/cloud-security-automation-gcsa)|Active|2021-01-28|
|[GIAC Certified Forensic Examiner (GCFE)](https://www.giac.org/certifications/certified-forensic-examiner-gcfe)|Inactive|2018-12-07|
|[GIAC Network Forensic Analyst (GNFA)](https://www.giac.org/certifications/network-forensic-analyst-gnfa)|Inactive|2014-11-03|
|[GIAC Certified Detection Analyst (GCDA)](https://www.giac.org/certifications/certified-detection-analyst-gcda)|Inactive|2018-05-30|
|[GIAC Certified Incident Handler (GCIH)](https://www.giac.org/certifications/certified-incident-handler-gcih)|Inactive|2013-07-10|


## Contact

| Details  |      |
| :--- | ---: |
|Location | Providence, Rhode Island, USA |
|Blog | [blog.detect.dev](https://blog.detect.dev) |
|Twitter | @detectdotdev |
|Email | [ryan@detect.dev](mailto:ryan@detect.dev) |
|Github | [ryan-detect-dot-dev](https://github.com/ryan-detect-dot-dev), [rcobb-scwx](https://github.com/rcobb-scwx) |
|LinkedIn | [Profile](https://www.linkedin.com/in/ryan-marcotte-cobb-93165791/) |
|GIAC Analyst ID | [135181](https://www.giac.org/certified-professional/Ryan-Marcotte%20Cobb/135181) |
