Cyber Hunt/Incident Response SME

Springfield, VA

XOR Security is currently seeking several Cyber Hunt/Incident Response SMEs to support an Agency-level Focused Operations (FO) team at DHS. The FO program is part of a purple team that provides comprehensive Computer Network Defense and Response support through monitoring and analysis of potential threat activity targeting the enterprise. Cyber Hunt/IR SMEs will conduct hunt activities, advanced analytics, and response activities in support of the CND operational mission. The positions will respectively focus on Cyber Hunt, Detective Content Development, Malware Analysis, and Cyber Threat Intelligence (skills in more than one cyber discipline are preferred). To support this vital mission, XOR staff are on the forefront of providing Advanced CND Operations and Systems Engineering support, including the development of advanced analytics and countermeasures to protect critical assets from hostile adversaries. To ensure the integrity, security, and resiliency of critical operations, we are seeking candidates with diverse backgrounds in cyber security systems operations, analysis, and incident response. Strong written and verbal communication skills are a must. The ideal candidate will have a solid understanding of cyber threats and information security in the domains of TTPs, Threat Actors, Campaigns, and Observables. Additionally, the ideal candidate would be familiar with intrusion detection systems, intrusion analysis, security information and event management platforms, endpoint threat detection tools, and security operations ticket management. Hunt operations, while not staffed 24x7, will be on-call seven days a week, 24 hours a day.

Corporate duties such as solution/proposal development, corporate culture development, mentoring employees, and supporting recruiting efforts will also be required. The program has on-site requirements in Springfield, VA one or more days a week for all staff.

Job Responsibilities:

In support of this task and the activities listed above, the Contractor shall:

  • Support improvement of Cyber Defense capabilities through development of SOC use cases and detection techniques.
  • Perform hunt operations to analyze the overall Agency data systems security posture and to propose improvements. The work will be performed over the period of the contract with a minimum of six trips to field sites to gain perspective from operational personnel.
  • Develop implementation plans for improvement.
  • Provide recommendations and assistance regarding implementation requirements.
  • Be responsible for the application of defensive cyber counter infiltration operations against APTs and perform host level analysis. This includes identifying incidents, malicious code, malicious binary network traffic, and behavioral analysis.
  • Produce all reports in both a classified and unclassified version for distribution to other Agency departments as well as other agencies and organizations within the IC.
  • Work with other agencies and organizations within the IC at the direction of the COR.
  • Research and apply pertinent cyber intelligence within two business days of issuance by the IC.
  • Create and deliver Cyber Security Incident Reports.
  • Provide support to SOC requests including the triage and analysis of requests from the SOC.
  • Provide support to the SOC and FO to perform host level analysis. This includes identifying incidents, continuing analysis of requests, malicious code, malicious binary network traffic, and behavioral analysis.
  • Provide threat and vulnerability findings within four hours of validation to the Agency SOC and FO Threat Analysts for tracking and the deployment of proactive countermeasures.
  • Properly validate threats/vulnerabilities in accordance with the source, criticality of the device, availability of test devices, etc.
  • Attend and participate in weekly Department-level meetings and participate in weekly Agency Network Intrusion Working Group meetings with the Agency SOC.
  • Accept escalation of suspected threats and vulnerabilities from multiple sources, internal and external.
  • Use data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs etc.) to analyze events that occur within their environments for the purposes of mitigating threats.
  • Develop cyber indicators to maintain awareness of the status of the highly dynamic operating environment. Collect, process, analyze, and disseminate cyber threat/warning assessments.
  • Analyze data/information from one or multiple sources to conduct preparation of the environment, respond to requests for information, and submit intelligence collection and production requirements in support of planning and operations.
  • Conduct advanced analysis of collection and open-source data to ensure target continuity, profile targets and their activities, and develop techniques to gain more target information. Determine how targets communicate, move, operate, and live based on knowledge of target technologies, digital networks, and the applications on them.
  • Analyze digital evidence and investigate computer security incidents to derive useful information in support of system/network vulnerability mitigation.
  • Analyze threats and vulnerabilities to determine their impact upon the Agency IT systems.
  • Generate threat intelligence indicators during the course of Hunt operations and apply/fine tune them across the enterprise network.
  • Conduct cybersecurity analysis and research in support of FO investigations.
  • Examine malicious software, such as bots, worms, and Trojans, to understand the nature of the threat.
  • Follow department procedures and protocols for troubleshooting and resolving issues.
  • Use a wide range of software applications and tools to diagnose and resolve issues.
  • Identify the necessary actions to proactively mitigate risks posed by threats and vulnerabilities.
  • Develop, research and maintain proficiency in tools, techniques, countermeasures, and trends in computer and network vulnerabilities, data hiding, and encryption.
  • Successfully and continuously execute tests and analyze results that proactively alert on drift from a known-good baseline and validate control configuration.
  • Actively hunt the Agency network to identify suspicious, malicious, and anomalous activity.
  • Provide processes and procedures and create content within Elastic, Splunk, and Tanium.
  • Hunt Operations will be “on-call” on a 24x7 basis for emergency situations.
  • Conduct daily hunt analysis of data to identify and detect malicious and or anomalous activity.
  • Conduct special hunt ops that are generally related to specific incidents that require focused hunt analysis of a specific system’s architecture and security posture. Provide the associated final reports and briefs for information sharing and action toward mitigation.
  • Be accountable for utilizing a range (3 or more) of intelligence and other cybersecurity resources to hunt for threat actors across the Enterprise.
  • Provide, maintain and brief all hunt successes bi-weekly and as requested. These should be accompanied by final reports that include the evidence discovered.
  • Support the underlying business cases while identifying limitations and planning for contingencies.
  • Avoid major risks that aren’t part of the core cybersecurity mission.
  • Establish continuity clauses that ensure limited disruption to daily operations while improving the competitive posture.
  • Complete all required documentation prior to each hunt operation. The required documentation includes: a. Threat Hunt Operations plans, which include: i. notifications to “approved” stakeholders (Leadership, Agency SOC, etc.); ii. provision of technical information to the “approved” stakeholders for de-confliction purposes. Complete all required activities upon completion of each Threat Hunt operation, including: a. Threat Hunt Final Reports, which include findings, recommendations, and provision of all findings for the creation of POAMs for remediation.
  • Cyber Hunt SMEs will present Threat Hunt Oral Presentations that include the final report contents and an oral brief of the operation at the Biweekly Brief to other stakeholders, as required.
  • All documentation is maintained and current. Updates are applied monthly (minimum).
  • Cyber Hunt SMEs will maintain documentation and must ensure that the following is updated monthly and remains current: Threat Hunt SOP(s) and Threat Hunt equipment and software (all current security updates/patches applied).
  • Provide support, documentation, and other threat emulation duties required for the DHS CSP audit held every 3 years.

Candidates must have the following required qualifications:

  • Cyber Hunt SMEs must have at least 5 years of experience in a cyber network defense environment.
  • Active Top Secret Clearance and SCI Eligibility.
  • Strong analytical and technical skills in computer network defense operations, ability to lead efforts in Incident Handling (Detection, Analysis, Triage), Hunting (anomalous pattern detection and content management) and Malware Analysis.
  • Prior experience with and ability to analyze information technology security events to discern events that qualify as legitimate security incidents as opposed to non-incidents. This includes security event triage, incident investigation, implementing countermeasures, and conducting incident response.
  • Previous hands-on experience with Security Information and Event Management (SIEM) platforms and log management systems that perform log collection, analysis, correlation, and alerting is required (preferably within Splunk or ArcSight).
  • Ability to develop rules, filters, views, signatures, countermeasures and operationally relevant applications and scripts to support analysis and detection efforts.
  • Strong logical/critical thinking abilities, especially in analyzing security events (Windows event logs, Tanium queries, network traffic, IDS events) for malicious intent.
  • Strong proficiency in report writing: a technical writing sample and technical editing test will be required if the candidate has no prior published intelligence analysis reporting. Excellent verbal and written communication skills and the ability to produce clear and thorough security incident reports and briefings.
  • Excellent organizational skills and attention to detail in tracking activities within various Security Operations workflows.
  • A working knowledge of the various operating systems (e.g. Windows, OS X, Linux, etc.) commonly deployed in enterprise networks, a conceptual understanding of Windows Active Directory is also required, and a working knowledge of network communications and routing protocols (e.g. TCP, UDP, ICMP, BGP, MPLS, etc.) and common internet applications and standards (e.g. SMTP, DNS, DHCP, SQL, HTTP, HTTPS, etc.).
  • Experience with the identification and implementation of counter-measures or mitigating controls for deployment and implementation in the enterprise network environment.
  • Experience in mentoring and training junior and mid-level analysts. 
  • Knowledge of different operational threat environments (e.g., first generation [script kiddies], second generation [non-nation state sponsored], and third generation [nation state sponsored]).
  • Knowledge of general attack stages (e.g., foot-printing and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks, etc.).
  • Knowledge of incident categories, incident responses, and timelines for responses.

Desired Qualifications:

  • Bachelor’s Degree in Information Technology, Cyber Security, Computer Science, Computer Engineering, or Electrical Engineering.
  • One or more certifications for CND Analysts:  GCIA, GCED, GCFE, GCTI, GNFA, GCIH, CND, ECSA, OSCP, OSEE, OSCE.
  • One or more certifications for malware or forensic analysts:  GCFA, GCFE, GREM, CHFI.
  • Existing Subject Matter Expertise of Advanced Persistent Threat or Emerging Threats.
  • Expertise on policies, industry trends, techniques related to penetration testing.
  • Proficiency in utilizing various packet capture (PCAP) applications/engines and in the analysis of PCAP data.
  • Experience with one or more of the following technologies: Network Threat Hunting (Sqrrl), Big Data Analytics (Splunk), Endpoint Threat Detection (Tanium), SIEM (ArcSight), workflow and ticketing (HP Service Manager), Intrusion Detection System (IBM ISS).
  • Ability to work on-call during critical incidents or to support coverage requirements (including weekends and holidays when required).
  • Familiarity with scripting languages (BASH, Powershell, Python, PERL, RUBY etc.) or software development frameworks (.NET).

Closing Statement:

XOR Security offers a very competitive benefits package including health insurance coverage from the first day of employment, 401k with a vested company match, vacation and supplemental insurance benefits.

XOR Security is an Equal Opportunity Employer (EOE). M/F/D/V.

Citizenship Clearance Requirement

Applicants selected may be subject to a government security investigation and must meet eligibility requirements: US CITIZENSHIP and TOP SECRET CLEARANCE REQUIRED.
