Ryan Marcotte Cobb

Ryan Marcotte Cobb is a principal security researcher in the Secureworks Counter Threat Unit (CTU). Ryan serves in a cross-functional role supporting detection engineering, threat hunting, and incident response teams. Ryan joined Secureworks in 2013 as a consultant on the Incident Response team and led investigations into complex nation-state intrusions. He is the author of a Jupyter-based threat hunting platform and an active contributor to open source projects. Ryan has a B.A. in Philosophy and a Graduate Certificate in Digital Forensics from the University of Rhode Island.

Education

| Institution | Program | Completed |
|---|---|---|
| University of Rhode Island | Graduate Certificate, Digital Forensics | January 2013 |
| University of Rhode Island | B.A., Philosophy (Summa Cum Laude) | May 2011 |

Work History

Principal Security Researcher, Secureworks Counter Threat Unit (CTU)
March 2022 – Present

  • Embedded in multiple product teams to facilitate collaboration between detection engineers and researchers

  • Assisted product managers and engineers in the prioritization, design, and development of security features for the Taegis XDR platform

  • Developed a framework for continuous testing of complex detection systems running in AWS through telemetry snapshotting and replay

Information Security Researcher, Secureworks Counter Threat Unit (CTU)
August 2018 – March 2022

  • Served as technical lead for Secureworks global threat hunting team

  • Created a Jupyter notebook-based security analysis toolkit that was broadly adopted by multiple teams across the organization

  • Designed and executed adversary emulation scenarios in bespoke cloud lab environments

  • Helped delivery teams respond to global crises, such as SolarWinds and HAFNIUM

  • Primary instructor for the incident response college hire program, which involved the recruitment, training, and ongoing mentorship of seven junior IR analysts over a four-year period

  • Authored multiple advanced analyst training courses covering threat hunting, digital forensics, data analysis, and EDR internals

Incident Response Consultant, Secureworks
June 2013 – August 2018

  • Delivered proactive and reactive DFIR professional services for medium business and enterprise customers

  • Responsible for analyzing digital evidence and communicating findings to decision-makers

  • Investigated multiple intrusions by sophisticated nation-state threat actors

  • Focused on automating digital forensics tasks to improve team efficiency

Open Source Contributions

| Project | Language | Contribution |
|---|---|---|
| Family of Client IDs Research | python | Published an interactive whitepaper demonstrating how an undocumented feature in Microsoft's OAuth 2.0 implementation can be abused for privilege escalation using refresh tokens |
| Stratus Red Team | golang | Contributed the Azure provider, which enables automated attacks against Microsoft cloud resources |
| MSTICpy | python | Active member of the msticpy community on Discord and author of the Azure Resource Graph driver |
| ROADtools | python | Created a plugin that generates Log2Timeline-compatible super timelines from the timestamps in Azure AD objects |

Talks

Writings

1. Ryan Marcotte Cobb. Abusing Azure application credentials to attack supply chains. Technical Report, Secureworks, 2021. URL: https://www.secureworks.com/research/abusing-azure-application-credentials-to-attack-supply-chains.

2. Ryan Marcotte Cobb. Family of Client IDs research. GitHub, 2022. URL: https://github.com/secureworks/family-of-client-ids-research.

3. Ryan Marcotte Cobb, Anthony Larcher-Gore, and Nestori Syynimaa. Family matters: abusing family refresh tokens to gain unauthorised access to Microsoft cloud services. Exploratory study of Azure Active Directory family of client IDs. In Proceedings of the 24th International Conference on Enterprise Information Systems - Volume 2: ICEIS, 62–69. INSTICC, SciTePress, 2022. doi:10.5220/0011061200003179.

Certifications

| Certification | Status | Obtained |
|---|---|---|
| GIAC Cloud Penetration Tester (GCPN) | Active | 2022-03-16 |
| GIAC Cloud Security Automation (GCSA) | Active | 2021-01-28 |
| GIAC Certified Forensic Examiner (GCFE) | Inactive | 2018-12-07 |
| GIAC Network Forensic Analyst (GNFA) | Inactive | 2014-11-03 |
| GIAC Certified Detection Analyst (GCDA) | Inactive | 2018-05-30 |
| GIAC Certified Incident Handler (GCIH) | Inactive | 2013-07-10 |

Contact

| | Details |
|---|---|
| Location | Providence, Rhode Island, USA |
| Blog | blog.detect.dev |
| Twitter | @detectdotdev |
| Email | ryan@detect.dev |
| Github | ryan-detect-dot-dev, rcobb-scwx |
| LinkedIn | Profile |
| GIAC Analyst ID | 135181 |