Incident Response Lead

Job Description: 

XOR Security is currently seeking an Incident Response Lead to support an IR team for a federal agency.  The program provides comprehensive Computer Network Defense and Response support through 24×7×365 monitoring and analysis of potential threat activity targeting the enterprise.  The IR team conducts security investigations for potential threat activity identified within the organization, conduct deep-dive forensic investigations (host-based and network), identify and implement countermeasures, as well as track and report on incident activity to senior management.  To support this vital mission, XOR staff are on the forefront of providing Advanced SOC Operations to include the development of advanced analytics and countermeasures to protect critical assets from various cyber threats. To ensure the integrity, security and resiliency of critical operations, we are seeking candidates with diverse backgrounds in cyber security systems operations, analysis and incident response. A strong work ethic, diligent time and attendance, written and verbal communications skills are a must. The ideal candidate will have a solid understanding of cyber threats and information security in the domains of TTP’s, Threat Actors, Campaigns, and Observables. Additionally, the ideal candidate would be familiar with intrusion detection systems, intrusion analysis, security information event management platforms, endpoint threat detection tools, and security operations ticket management.  While the position is primarily remote currently, onsite in Alexandria, VA work may be required in the future. 

The hours of operation for this position are Monday through Friday during core hours with on-call support as required. 

Corporate duties such as solution/proposal development, corporate culture development, mentoring employees, supporting recruiting efforts, will also be required.  The program is currently operating remotely but will be performed onsite in Alexandria, VA when directed to do so by the customer.   

Position is contingent on successfully completing a program-based background investigation. 

Required Qualifications: 

• Bachelor’s Degree in Information Technology, Cyber Security, Computer Science, Computer Engineering, or Electrical Engineering.   
• Active Top Secret Clearance, with SCI eligibility. 
• Active CISSP. 
• One or more of the following certifications: GCIA, GCIH, GCFA, GCED, or other Information Assurance Technician (IAT) Level III certification (CASP+ CE, CCNP Security, CISA, CCSP). 

• A minimum of seven (7) years of professional experience in total with a solid understanding of incident response, insider threat investigations, forensics, cyber threats and information security. A minimum of five (5) years of hands-on experience with experience that includes host-based and network-based security monitoring, identifying and analyzing anomalous activities with familiarity in insider threat monitoring software, host- based forensic tools, intrusion detection systems, intrusion analysis functions, security information event management (SIEM) platforms, endpoint threat detection tools, security operations ticket management.  
• Demonstrated proficiency in use of cyber tools, including the following related security activities: Security Information and Event Management (SIEM) endpoint detection and response tools Intrusion Prevention/Detections Systems (IPS/IDS) and case management platforms. 
• Strong logical/critical thinking abilities, especially analyzing security events from host and network event sources e.g. windows event logs, AV, EDR, network traffic, IDS events for malicious intent). 
• Experience  collecting  data  and  reporting  results;  handling  and escalating  security  issues  or  emergency  situations  appropriately;  providing incident  response  capabilities  to  isolate  and  mitigate  threats  to  maintain confidentiality, integrity, and availability for protected data.  
• Experience with ad-hoc training to junior, mid, senior members of a cyber work force in a collaborative environment. 

• Existing Subject Matter Expertise of Advanced Persistent Threat or Emerging Threats. 
• Proficiency in utilizing various packet capture (PCAP) applications/engines and in the analysis of PCAP data. 
• Ability to work on-call during critical incidents or to support coverage requirements (including weekends and holidays when required). 
• Strong documentation and written communication skills with technical report writing experience. 

Note:  Eight (8) years of relevant work experience may substitute in lieu of a degree.  Certifications may be obtained within 180 days of employment.   

Desired Qualifications: 

• Experience handling and responding to an APT actors. 
• Leadership experience of SOC or IR team. 
• Familiarity with coding, scripting languages (BASH, Powershell, Python, PERL, RUBY etc.) or software development frameworks (.NET). 
• Previous hands-on experience with a Security Information and Event Monitoring (SIEM) platforms, Data Loss Prevention (DLP) systems, and log management systems that perform log collection, analysis, correlation, and alerting is required (preferably within Splunk or ArcSight). 

• Ability to develop rules, filters, views, signatures, countermeasures and operationally relevant applications and scripts to support analysis and detection efforts. 

Closing Statement: 

XOR Security offers a very competitive benefits package including paid health insurance coverage from first day of employment, 401k with a vested company match, vacation and supplemental insurance benefits. 

XOR Security is an Equal Opportunity Employer (EOE). M/F/D/V. 

Citizenship Clearance Requirement 
Applicants selected may be subject to a government security investigation - Applicants must meet eligibility requirements – US CITIZENSHIP REQUIRED and Active Top Secret Clearance, with SCI eligibility.