NetWitness Mid-Level Threat Intelligence Logic / Detection Engineer

Austin, Texas, United States

Applications have closed

RSA Security

RSA, the security-first identity leader, provides the automated identity intelligence, authentication, access, and governance solutions that secure the world’s most secure organizations.



Remote - North America

NetWitness is the leader in network threat detection and response for hybrid and multi-cloud enterprises.
The NetWitness Platform delivers complete visibility combined with applied threat intelligence and user behavior analytics to detect threats, prioritize activities, investigate, and automate response. All this empowers security analysts with better, faster efficiency to keep security operations well ahead of business-impacting threats. The NetWitness Platform captures packets and logs across network, public cloud, SaaS, and identity by applying patented security-led technology that enables the user to surface and prioritize threats for rapid threat response. NetWitness’ threat intelligence detections are powered by a deep understanding of attacker methods, the threat landscape, and the data and metadata generated by the platform. Alerts uncover attacker methods in action and are correlated across customer environments to expose real attacks. Organizations around the world rely on NetWitness to see and stop threats before a breach occurs. For more information, visit www.netwitness.com.

NetWitness FirstWatch Threat Research and Intelligence Organization represents the core security knowledge and research capability within the company – tasked with powering our leading-edge technologies and aiding customers. As a member of the NetWitness FirstWatch Security Research organization, you will be part of a highly experienced organization and respected authority on security threats and attack techniques.
Serving in the role of Threat Intelligence Logic / Detection Engineer at NetWitness, you will have a direct impact on the direction of the company by researching threats, understanding how they appear on the network and in the cloud, helping technically shape the product direction, and defining industry-leading, intelligence-driven detection logic and content.

Qualifications

• Join a team of motivated and proactive detection engineers ready to delve into all manner of adversary tradecraft, tools, and behaviors to secure the 99% of businesses below the enterprise security poverty line.
• You will serve as the core of our service delivery by creating detection content, evaluating our capabilities, and collaborating internally to improve our products and services to secure our partner and customer networks.
• You will write, test, and validate custom detection content, delve into the latest intelligence, parse data, consult with security operations, assist in threat hunting and purple team engagements, analyze data on a massive scale, and generally do whatever it takes to solve issues quickly, effectively, and permanently.
• Conduct research against adversary TTPs and known malware trends
• Develop and maintain detection logic to support NetWitness products and service delivery goals
• Simulate adversary techniques to both develop and validate new and existing detection logic to improve our detection efficacy and resilience
• Collaborate with NetWitness FirstWatch Threat Research and Intelligence Analysts and Hunters, Incident Responders, Red Team Members, Professional Services, Sales Engineers, Technical Product Managers, and Product Line Managers to evaluate and close gaps in our detection coverage
• Provide support to the aforementioned teams concerning detection review, mentorship, and triage assistance in the scope of creating new or improving our existing detection logic
• Take ownership of developing documentation to support internal tracking, metrics, and knowledge transfer
• Write and publish blogs and white papers
• Public speaking opportunities

NetWitness offers the opportunity to be on the leading edge of cyber security – helping us grow a world-renowned security research organization. As a researcher tasked with inventing and improving security detection technologies, you will be an integral part of our success.
When not working on new detection technologies, as a Threat Researcher, you are expected to research new security topics, engage in bug-hunts, develop new tactics and techniques relevant to our product areas, and contribute to the community in a way that helps grow both your personal and company brands.

Responsibilities:

• Research and understand attacker TTPs to remain current as a subject matter expert within NetWitness
• Research new threat detection technologies and investigate innovative approaches to finding attackers operating within customer environments
• Collaborate across NetWitness to identify, research, and develop new detection models – working hand-in-hand with members of data science, consulting services, incident response, and other product teams
• Replicate attacker techniques and tooling to produce samples for use during detection development and for detection validation and gap identification
• Pursue security research topics that contribute to the knowledge and enumeration of new threats, tactics, and techniques in network, cloud, and hybrid environments
• Provide an attacker’s-eye view of the evidence presented by NetWitness products and educate customers on the technical nature of the threat

Requirements:

• 3 – 7+ years of attack and penetration testing experience in a network environment; or
• 3 – 7+ years direct experience in areas of security research, malware analysis, or incident response
• 2 – 5 years of malware analysis and reverse engineering experience
• Knowledge of corporate security investigation and incident response processes, along with malware detection and mitigation technologies
• Solid programming skills with scripting languages such as Python and Lua
• Strong problem solving, troubleshooting and analysis skills
• Excellent written and verbal communication skills
• Excellent interpersonal and teamwork skills
• Network experience:
- Solid, deep knowledge of network and application protocols and of traffic analysis (network forensics)
- Proficiency with network traffic analysis and network forensics tools such as Wireshark and tcpdump among others
- Proficiency with host forensics and memory analysis tools to study advanced threat actor activities
- Strong knowledge of internetworking, IANA governed protocols, protocol analysis, and internetworking design
• Deep understanding of the Internet threat landscape and adversaries operating within it
• Solid knowledge and understanding of the MITRE ATT&CK Framework, the Lockheed Martin Kill Chain, the Pyramid of Pain, and the Diamond and Mosaic models
• Experience with common malware families and methods adversaries use to compromise and maintain access to victim networks
• Experience with the MITRE ATT&CK matrix, Bro, Suricata, YARA, Sigma, Atomic Red Team, MITRE Caldera, and Elasticsearch/Kibana
• Familiarity with the Windows, macOS, and Linux operating systems
• Attack simulation experience:
- Knowledge of the Tools, Techniques, and Procedures (TTPs) and patterns of behavior of advanced threat actors
- Proficiency with common attacker and red team tools and frameworks: Cobalt Strike, Metasploit, Empire, Mimikatz, impacket, CrackMapExec, etc.
- Ability to realistically recreate advanced threat actor TTPs within controlled environments

What Will Help You

• Professional or academic research in advanced security threats
• Operational experience in infosec as an incident handler/responder, red teamer, administrator, or internal consultant
• Experience with big data technologies
• Participation in the broader infosec community with requisite contacts and access to external intelligence sources
• Understanding the lifecycle and economics of modern malware and advanced threats
• Proactive, hard-working team player with a good sense of humor
• Self-driven, able to efficiently work remotely without close supervision
• Familiarity with Amazon AWS or comparable Cloud Providers
• Familiarity with the NetWitness Suite of Products or comparable full packet capture offerings, SIEM, and EDR a plus!

RSA is committed to the principle of equal employment opportunity for all employees and applicants for employment and to providing employees with a work environment free of discrimination and harassment. All employment decisions at RSA are based on business needs, job requirements and individual qualifications, without regard to race, color, religion, national origin, sex (including pregnancy), age, disability, sexual orientation, gender identity and/or expression, marital, civil union or domestic partnership status, protected veteran status, genetic information, or any other characteristic protected by federal, state or local laws. RSA will not tolerate discrimination or harassment based on any of these characteristics. This policy applies to all terms and conditions of employment, including recruiting, hiring, placement, promotion, termination, layoff, recall, transfer, leaves of absence, compensation, and training. All RSA employees are expected to support this policy and contribute to an environment of equal opportunity.

If you need a reasonable accommodation during the application process, please contact rsa.global.talent.acquisition@rsa.com. All employees must be legally authorized to work in the US. RSA and its approved consultants will never ask you for a fee to process or consider your application for a career with RSA. RSA reserves the right to amend or withdraw any job posting at any time, including prior to the advertised closing date.



Perks/benefits: Career development Flex vacation

Region: North America
Country: United States
