OCIO-0008 Cyber Threat Engineer (NS) - FRI 16 Dec

Brussels, Brussels, Belgium

Applications have closed

Deadline Date: Friday 16 December 2022

Requirement: Cyber Threat Engineer

Location: Brussels, BE

Full time on-site: Yes

NATO Grade: G17/88

Total Scope of the request (hours): 1,824

Required Start Date: 2 February 2023 (or earlier if available)

End Contract Date: 31 December 2023

Required Security Clearance: NATO SECRET

Special Terms and Conditions:

The contractor will be responsible for complying with the respective national requirements for work permits, visas, taxes, social security, etc. whilst working on site at NATO HQ, Brussels, Belgium.

No special status is either conferred or implied by the host organisation, NATO HQ, Brussels, Belgium, onto the contractor whilst working on site.

The contractor will be responsible for complying with all the respective National Health COVID-19 regulations for quarantine on arrival in Belgium before taking up the position.

1. INTRODUCTION

The NATO Office of the Chief Information Officer (OCIO) is responsible for Cyber Defence for the NATO Enterprise. The OCIO has been tasked to increase NATO’s Cyber Defence posture. As part of this initiative, the OCIO plans to enhance the ability of NATO’s Cyber Threat Analysis Branch (CTAB) to provide the quantity and quality of cyber intelligence products required by the NATO Enterprise. The contractor will work for the OCIO; however, the CTAB has tasking authority.

The Cyber Threat Analysis Branch is responsible for providing evidence-based assessments of the cyber threat landscape to empower NATO stakeholders to make risk-informed decisions. The multidisciplinary team combines all-source data with cutting-edge technologies to support and enhance the Alliance leadership’s understanding of the nature of cyber competition and conflict. CTAB systematically identifies strategic patterns and trends in cyberspace and generates tailored insights to support network defence and mission assurance with predictive analysis, cyber threat intelligence, and threat hunting.

The contractor will support the work of the OCIO and Cyber Threat Analysis Branch in the development of a threat analysis platform.

2. TASKS

To provide Cyber Threat Engineering services, the contractor will be responsible for supporting threat intelligence analysis by engineering the team’s infrastructure, extending the threat analysis platform and building data pipelines that enable the identification and tracking of sophisticated threat actors. Specific tasks include:

2.1 Extend the cyber threat analysis platform with custom code (Python and Storm) deployed in Docker containers.

  • Measurement: Create Python and Storm extensions to the threat analysis platform in the form of git commits, describing the code changes in the commit messages and with additional comments in the code. Initial scripts developed within 60 days of arrival, and thereafter milestones will be ongoing and assessed on a quarterly basis.
  • Measurement: Write ‘user manuals’ and other documentation for the scripts and post them on the team’s central document repository. This work is tied to the timelines of the script development: first user manual within 60 days of arrival, and thereafter milestones will be ongoing and assessed on a quarterly basis.

2.2 Build data pipelines between the backend database (Cortex hypergraph), data science tools and dashboards.

  • Measurement: Store the code developed to connect the Cortex and other tooling in a git repository. Provide code within 30 days of arrival.
  • Measurement: Include documentation in the team’s central documentation repository. Provide first documentation within 30 days of arrival and provide additional documentation as required.

2.3 Improve the cloud architecture and help the team in migrating its more traditional cloud infrastructure to AWS cloud-native tooling (e.g. move Docker infrastructure to AWS ECS).

  • Measurement: Services migrated to AWS. Documentation provided within 10 working days of tasking.

2.4 Create useful trending and threat card dashboards for the cyber threat analysts, incorporating the analysts’ functional requirements.

  • Measurement: Creation of dynamic dashboards that read data on the fly directly from the hypergraph database, using a Python asyncio API.
  • Measurement: Provide training to the analysts on how to use the dashboards and present their features.

3. PROFILE

[See Requirements]

4. LOCATION

The service will be executed on site at the NATO HQ offices in Brussels, Belgium, and sometimes remotely as agreed with the manager.

5. TIMELINES

The services of the contractor are required for the period starting 1 February 2023 until 31 December 2023.

7. SPECIFIC WORKING CONDITIONS

Secure environment with standard working hours, with the exception of up to 360 hours annually worked in non-standard working hours.

In addition, it may exceptionally be required to provide services on non-standard hours in support of a major Cyber Incident, or on a shift system for a limited period of time due to urgent operational needs.

8. TRAVEL

Occasional business travel may be required. Travel expenses will be reimbursed to the individual directly (in addition to the hourly rate) under NATO rules.

9. SECURITY AND NON-DISCLOSURE AGREEMENT

The contracted individual must be in possession of, or capable of obtaining, a NATO SECRET security clearance.

A signed Non-Disclosure Agreement will be required.

Requirements

3. PROFILE

  • The candidate must have a currently active NATO SECRET security clearance.
  • A university degree from a nationally recognised/certified university in a technical subject with substantial Information Technology (IT) content and 3 years of specific experience. Exceptionally, the lack of a university degree may be compensated by the demonstration of a contractor’s particular abilities or experience that are of interest to the OCIO; that is, at least 7 years of extensive and progressive expertise in tasks related to cyber security threat research.

Mandatory

Expert level in at least three of the following areas and a high level of experience in the other areas:

  • Knowledge of best practices for the software development life cycle, including coding standards, code reviews, and testing;
  • Proficient in Python;
  • Experience in querying and manipulating data from a RESTful API;
  • Experience in building dashboards using Splunk, Elastic, Grafana or other tools;
  • Solid working knowledge of the Linux command line;
  • Experience in supporting an incident response or cyber threat intelligence team;
  • Previous experience using and managing AWS VPCs;
  • The ability to quickly learn tools and data languages with a steep learning curve;
  • Experience in managing and orchestrating Docker containers.

Desirable

  • Knowledge of Vertex Synapse and its data language.
  • Experience with data analytics.
  • DevOps experience with cloud CI/CD workflows implementation.
  • Experience with graph and hypergraph databases.

Tags: Analytics APIs AWS CI/CD Clearance Cloud DevOps Docker Grafana Incident response Linux NATO Python SDLC Security Clearance Splunk Threat intelligence Threat Research

Perks/benefits: Startup environment

Region: Europe
Country: Belgium