Sean O’Connor has predominately worked in the Intelligence Community (IC), starting his career, like many do, in the US military, where he worked in various intelligence disciplines, ranging from Human Intelligence (HUMINT) to tactical Signals Intelligence (SIGINT), and later serving as a Counterintelligence (CI) contractor for the Department of Defense (DoD).
Sean has always been passionate about all things intelligence and all things cyber. With this combined passion, Sean decided after his third tour in Afghanistan, to transition to the private sector as a Cyber Threat Intelligence (CTI) researcher for Dell Secureworks in the exclusive Counter Threat Unit (CTU). "The intelligence training and experience I obtained throughout my military career and in the DoD gave me the tools necessary to build the CTU's first ever virtual HUMINT team." By applying traditional HUMINT tradecraft through sock puppet accounts, the CTU vHUMINT team was able to infiltrate dark web cybercriminal networks for the purpose of collecting, analyzing and producing intelligence.
After six years in the Secureworks CTU, Sean took on a new opportunity with KPMG US as their head of Threat Intelligence, where he built the CTI program for the US, LATAM, and Israel member firms. Fast forward to today, Sean is the Global Head of the Equinix Threat Analysis Center (ETAC), which is comprised of teams focused on threat intelligence research, threat hunting, consulting services and data analytics.
Sean is a Partnered Faculty member, instructor, and Project Coordinator at Georgia State University’s Evidence-Based Cybersecurity (EBCS) Research Group. Sean partnered with EBCS to coauthor GSU's first ever Darknet Intelligence course, which is taught to various Law Enforcement agencies. Sean is a firm believer in continuing education, especially in the field of CTI. “As analysts we should always be trying to keep up with the ever-evolving threat landscape, and as an instructor, I enjoy teaching these topics to anyone who has the willingness to learn," he says.
Through years of covert cybercrime intelligence operations, Sean identified how these criminals were laundering their money, such as through the use of cryptocurrency mixing/tumbling services, illicit exchanges, and Dark Web marketplaces. "Intelligence is a crucial piece of the puzzle that can significantly benefit cyber professionals in the DFIR cases they respond to. However, the cyber threat landscape continues to evolve, and as such, so should the intelligence supporting these DFIR cases," says Sean. With Blockchain and Dark Web Intelligence, responders can better understand the criminals involved in their investigations. In some cases, this intelligence can give Law Enforcement (LE) agencies the evidence they need to attribute activity to individuals, allowing LE to make arrests.
These kind of observations are captured in the all new SANS FOR589: Cybercrime Intelligence course, which will be available to the public in 2023. As the lead author of FOR589, Sean takes CTI a step further by teaching students how to collect, analyze, and produce intelligence derived from cybercriminals' cryptocurrency activity and from the dark web. Take a sneak peek at SANS first ever cybercrime intelligence course.
Sean's unique background enables him to share his experience with his students through the courses he has authored and through mentorship opportunities. An example of this that Sean is most proud of is the mentorship he provides to veterans who are transitioning out of the military and into the civilian workforce. "I was so fortunate to have had a successful transition out of the defense sector because I was able to translate the skills that I had obtained while in the military into the needs of the private sector, and I want to help as many veterans as I can do the same thing," Sean explains.
In his spare time, Sean enjoys traveling, playing soccer (futbol), reading, working out, and spending time with his family and friends. Sean also likes to volunteer his time to non-profit organizations and causes that he supports in both the physical and cyber space, such as the CTI-League, which works side by side with law enforcement to protect healthcare organizations from cybercriminals, and was recognized by SANS as a 2020 Difference Maker. Sean founded the CTI-League's Darknet team (CTIL Dark), which publishes an annual dark web threat landscape report on cybercriminal threats to the healthcare sector.
- Nearly 15 years of experience in various intelligence and cybersecurity disciplines
- Author of SANS FOR589: Cybercrime Intelligence course
- Global Head of the Equinix Threat Analysis Center (ETAC)
- Faculty Member, Instructor, & Project Coordinator for Georgia State University’s Evidence-Based Cyber Security (EBCS) Research Group
- Author of Georgia State University's Darknet Intelligence Collector and Investigator course
- CTI-League’s Head of Darknet Intelligence Operations and Founder of the CTIL Dark team
- Contributing Member of the Curated Intelligence trust group
Presentations and Podcasts
- EC-Council Hacker Halted - Ransomware Data Leak Site TTPs
- CTI-League Hackathon summit - Introduction to Darknet Hunting
- The Cyber5 by Nisos Podcast - Defining Metrics for Attribution in Cyber Threat Intelligence and Investigations
- Dark Reading - Growing Collaboration Among Criminal Groups Heightens Ransomware Threat for Healthcare Sector
- WIRED - The Cyber-Avengers Protecting Hospitals From Ransomware
- Bloomberg - Dark Web Has Become a Marketplace for ‘Vaccines’ and Other Pandemic Scams
- Australia Computer Society - Cyber Experts give their Time to Tackle Criminals
- Wall Street Journal - Hacker for Hire Market is Booming
Publications and Papers
- Dell Secureworks CTU - Cybercriminals Target U.S. Citizens for COVID-19 Stimulus Fraud
- Dell Secureworks CTU - 2016 Underground Hacker Markets Annual Report
- CTI League - 2021 Annual Darknet Report
- Curated Intelligence - Curated Intelligence Stands With Ukraine
- Curated Intelligence - Curated Intel's Response To Log4Shell
- Equinix - Top 5 Cyberthreats to Your Digital Infrastructure
- Equinix Threat Analysis Center (ETAC) - Ukraine Cyber Operations
- Equinix Threat Analysis Center (ETAC) - Log4Shell
- Carnegie Mellon University: Chief Information Security Officer (CISO) Executive Certification
- Georgia Southern University: Master of Business Administration (MBA)
- University of Arizona: Bachelor in Business Information Systems
- Cochise College: Advanced Subsidiary Level in Intelligence Operations
- GCFA - GIAC Certified Forensic Analyst
- GCTI - GIAC Cyber Threat Intelligence
- GCED - GIAC Certified Enterprise Defender
- CEH - EC-Council Certified Ethical Hacker
- FOR578: Cyber Threat Intelligence
- FOR508: Advanced Incident Response and Threat Hunting
- SEC401: Security Essentials
- SEC504: Hacker Tools, Techniques, & Incident Handling
- SEC501: Advanced Security Essentials - Enterprise Defender
- MGT415: A Practical Introduction to Cyber Security Risk Management
- MGT551: Building & Leading Security Operation Centers
- Department of Defense (DOD): Human Intelligence (HUMINT) Collector (35M)
- National Ground Intelligence Center (NGIC): Digital Media Exploitation
- Department of Defense Cyber Crime Center (DC3): Digital Forensics Examiner
- Foundry: Military Source Operations Training
- Foundry: Media Exploitation (MEDEX)
- Foundry: Sensitive Site Exploitation - Document & Media Exploitation (DOMEX) Analysis