Listing Description
XOR Security is currently seeking a Senior Cyber Hunt/Incident Response SME to support an Agency-level Focused Operations (FO) team at DHS. The FO program is part of a purple team that provides comprehensive Computer Network Defense (CND) and Response support through monitoring and analysis of potential threat activity targeting the enterprise. To support this vital mission, XOR staff are on the forefront of providing Advanced CND Operations and Systems Engineering support, including the development of advanced analytics and countermeasures to protect critical assets from hostile adversaries. Cyber Hunt/IR SMEs will conduct hunt activities, advanced analytics, and response activities in support of the CND operational mission. The position will focus on hunting activity, which includes using targeted data ingestion and searching in order to find anomalous and malicious activity on networks while working towards remediating sophisticated security threats to the environment. Skills from Cyber Hunt, Detective Content Development, Malware Analysis, and Cyber Threat Intelligence (more than one cyber discipline is preferred) are sought. Strong written and verbal communication skills are a must. The ideal candidate will have a solid understanding of cyber threats and information security in the domains of TTPs, Threat Actors, Campaigns, and Observables. Additionally, the ideal candidate would be familiar with intrusion detection systems (HIDS/NIDS), intrusion analysis, security information and event management (SIEM) platforms, endpoint threat detection tools (e.g., EDR), and security operations ticket management. Hunt operations, while not staffed 24x7, will be on-call seven days a week, 24 hours a day.
Corporate duties such as solution/proposal development, corporate culture development, mentoring employees, and supporting recruiting efforts will also be required. The program has on-site requirements in Springfield, VA one or more days a week for all staff.
Job Responsibilities:
In support of this task and the activities listed above, the Contractor shall:
- Lead a team of Threat Hunt/Network Intrusion Identification and Detection and IR staff within a large FECB Security Operations organizational unit as part of 24x7 operational capability.
- Search for abnormal behaviors on the network, to include network traffic, host information, user activities, and other sources of information.
- Support improvement of Cyber Defense capabilities through development of threat or exploitation use-cases and detection techniques.
- Perform hunt operations to analyze the overall data systems security posture and to propose improvements.
- Develop implementation plans for improvement to existing processes and procedures and provide recommendations and assistance regarding implementation requirements.
- Be responsible for the application of defensive cyber counter infiltration operations against APTs and perform host level analysis; this includes identifying incidents, malicious code, malicious binary network traffic, and behavioral analysis.
- Assist with production, QA, and dissemination of all reports in both a classified and unclassified version for distribution to other departments or other agencies and organizations as required.
- Properly validate threats/vulnerabilities in accordance with the source, criticality of the device, and availability of test devices, and share findings with other FO team members.
- Develop cyber indicators to maintain awareness of the status of the highly dynamic operating environment.
- Analyze data/information from one or multiple sources to conduct preparation of the environment, respond to requests for information, and submit intelligence collection and production requirements in support of planning and operations.
- Analyze digital evidence and investigate computer security incidents to derive useful information in support of system/network vulnerability mitigation.
- Assist in generating threat intelligence indicators during Hunt Operations and apply/fine-tune them across the enterprise network.
- Maintain procedural documentation and update it monthly.
Candidates must have the following required qualifications:
- Cyber Hunt SMEs must have at least 3 years of experience in a cyber network defense environment with lead position experience preferred.
- Bachelor’s Degree in Information Technology, Cyber Security, Computer Science, Computer Engineering, or Electrical Engineering.
- Active Top Secret Clearance and SCI Eligibility.
- Strong analytical and technical skills in computer network defense operations, ability to lead efforts in Incident Handling (Detection, Analysis, Triage), Hunting (anomalous pattern detection and content management) and Malware Analysis.
- Prior experience and ability to analyze information technology security events to discern events that qualify as a legitimate security incident as opposed to non-incidents. This includes security event triage, incident investigation, implementing countermeasures, and conducting incident response.
- Previous hands-on experience with Security Information and Event Management (SIEM) platforms and log management systems that perform log collection, analysis, correlation, and alerting is required (preferably Splunk or ArcSight).
- Ability to develop rules, filters, views, signatures, countermeasures and operationally relevant applications and scripts to support analysis and detection efforts.
- Strong logical/critical thinking abilities, especially when analyzing security events (Windows event logs, Tanium queries, network traffic, IDS events) for malicious intent.
- Strong proficiency in report writing (a technical writing sample and technical editing test will be required if the candidate has no prior published intelligence analysis reporting); excellent verbal and written communication skills and the ability to produce clear and thorough security incident reports and briefings.
- Excellent organizational skills and attention to detail in tracking activities within various Security Operations workflows.
- A working knowledge of the various operating systems (e.g., Windows, OS X, Linux) commonly deployed in enterprise networks; a conceptual understanding of Windows Active Directory; and a working knowledge of network communications and routing protocols (e.g., TCP, UDP, ICMP, BGP, MPLS) and common internet applications and standards (e.g., SMTP, DNS, DHCP, SQL, HTTP, HTTPS).
- Experience with the identification and implementation of countermeasures or mitigating controls for deployment and implementation in the enterprise network environment.
- Experience in mentoring and training junior and mid-level analysts.
- Knowledge of different operational threat environments (e.g., first generation [script kiddies], second generation [non-nation state sponsored], and third generation [nation state sponsored]).
- Knowledge of general attack stages (e.g., foot-printing and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks, etc.).
- Knowledge of incident categories, incident responses, and timelines for responses.
Desired Qualifications:
- One or more certifications for CND Analysts: GCIA, GCED, GCFE, GCTI, GNFA, GCIH, CND, ECSA, OSCP, OSEE, OSCE.
- One or more certifications for malware or forensic analysts: GCFA, GCFE, GREM, CHFI.
- Existing Subject Matter Expertise of Advanced Persistent Threat or Emerging Threats.
- Expertise on policies, industry trends, techniques related to penetration testing.
- Proficiency in utilizing various packet capture (PCAP) applications/engines and in the analysis of PCAP data.
- Experience with one or more of the following technologies: Network Threat Hunting (Sqrrl), Big Data Analytics (Splunk), Endpoint Threat Detection (Tanium), SIEM (ArcSight), workflow and ticketing (HP Service Manager), Intrusion Detection System (IBM ISS).
- Ability to work on-call during critical incidents or to support coverage requirements (including weekends and holidays when required).
- Familiarity with scripting languages (Bash, PowerShell, Python, Perl, Ruby, etc.) or software development frameworks (.NET).
Closing Statement:
XOR Security offers a very competitive benefits package including health insurance coverage from the first day of employment, 401(k) with a vested company match, vacation, and supplemental insurance benefits.
XOR Security is an Equal Opportunity Employer (EOE). M/F/D/V.
Citizenship Clearance Requirement
Applicants selected may be subject to a government security investigation and must meet eligibility requirements - US CITIZENSHIP and TOP SECRET CLEARANCE REQUIRED!
One day a week on-site, ad hoc, in Springfield, VA.
Listing Details
- Salary: $140,000 - $170,000
- Citizenship: Top Secret
- Incentives: Not Provided
- Education: Bachelor's Degree
- Travel: Not Provided
- Telework: Hybrid Telecommute