Malware Reverse Engineer/Exploitation Engineer
XOR Security is currently seeking a Malware Reverse Engineering (MRE)/Exploitation Engineering Specialist to support the Agency-level Focused Operations (FO) program at DHS. FO is a Purple Team of elite cyber professionals including Cyber Hunt SMEs, Red Team/Threat Emulation SMEs, Cyber Intelligence SMEs, Forensics, DevOps SMEs, Security Engineers, and Data Scientists. The program supports expert-level cyber operations for the agency, and malware analysis services are also provided to the separate 24x7 SOC program. To support the Agency cyber mission, XOR staff are at the forefront of providing Advanced CND Operations and Systems Engineering support, including the development of advanced analytics and countermeasures to protect critical assets from hostile adversaries. The MRE will conduct dynamic and static malware analysis of potentially malicious files identified by Agency SOC and Focused Operations personnel. In addition, the MRE will work with Threat Emulation SMEs, Cyber Intelligence SMEs, and Cyber Hunt SMEs to develop exploits for use in Red Team operations. The ideal candidate will be able to both reverse and develop malware.
This task provides these services on a 24x7 (24 hours a day, 7 days a week) basis. The contractor will perform onsite malware tasks during normal business hours, but malware staff shall remain available 24x7, as cyber incidents requiring action can occur at any time and on any day. Corporate duties such as solution/proposal development, corporate culture development, mentoring employees, and supporting recruiting efforts will also be required. The program has on-site requirements in Springfield, VA one or more days a week for all staff.
- Provide reverse engineering of all malicious artifacts which includes the dynamic and static malware analysis of potentially malicious files.
- Research available malware from open and closed sources and support the development of threat actor profiles.
- Deploy and maintain a malware analysis lab.
- Create “benign” malware products for all assessments and ad-hoc projects.
- Create and deliver classified and unclassified intelligence reports based on intelligence, threats, and vulnerabilities utilizing proper safeguards.
- Test internal/external defenses through “custom” exploitation development contextual to the TSA environment.
- Design, implement, maintain a threat simulation lab managed for use during Threat Emulation exercises.
- Set up and maintain a lab network to test exploitation techniques and software, and also provide an environment for training defenders on attack scenarios.
- Provide leadership in coordinating, assessing, and developing Advanced Threat Emulation Team operations.
- Automate tasks via scripting and/or custom code programs.
- Maintain and gather intelligence from daily operations and disseminate within 24 hours of discovery.
- Support improvement of Cyber Defense capabilities through development of SOC use cases and detection techniques.
- Produce after-action reports with findings, including details on how the target could have mitigated or prevented the actions on objective.
- Follow department procedures, protocols, and rules of engagement when conducting Advanced Threat Emulation Team operations.
- Be responsible for the application of defensive cyber counter-infiltration operations against APTs and perform host-level analysis. This includes identifying incidents, malicious code and binaries, and malicious network traffic, and performing behavioral analysis.
- Malware Operations will be “on-call” on a 24x7 basis for emergency situations.
- Maintain malware analysis and development documentation and keep it current; updates are applied at least monthly.
- Be accountable for drawing on a range (three or more) of intelligence and other cybersecurity resources for malware development and execution in support of threat emulation operations.
- Provide, maintain and brief the malware development and execution portion of all threat emulation exercises at the completion of each operation and as requested.
- Support the underlying business cases while identifying limitations and planning for contingencies, so as to avoid major risks that are not part of the core cybersecurity mission, and establish continuity clauses that ensure limited disruption to daily operations while improving the competitive posture.
- Support the completion of all required documentation prior to each Threat Emulation operation.
- Provide support, documentation, and other threat emulation duties required for the DHS CSP audit held every three years.
Candidates must have the following required qualifications:
- At least 7 years of experience in a cyber network defense environment with 2 or more years conducting malware analysis.
- Active Top Secret and/or DHS Agency Clearance.
- Bachelor’s Degree in Information Technology, Cyber Security, Computer Science, Computer Engineering, or Electrical Engineering.
- Prior experience and ability to analyze information technology security events to discern events that qualify as a legitimate security incident as opposed to non-incidents. This includes security event triage, incident investigation, implementing countermeasures, and conducting incident response.
- Strong analytical and technical skills in computer network defense operations, with the ability to lead efforts in Malware Analysis, Forensic Investigations, Incident Handling (Detection, Analysis, Triage), and Hunting (anomalous pattern detection and content management).
- Strong logical/critical thinking abilities, especially analyzing potentially malicious artifacts and infected hosts.
- Strong proficiency in report writing: a technical writing sample and technical editing test may be required if the candidate has no prior published intelligence analysis reporting. Excellent verbal and written communication skills and the ability to produce clear and thorough security incident reports and briefings.
- Experience working with analysis tools such as OllyDbg, IDA Pro, Volatility, and Cuckoo Sandbox.
- Ability to deploy and maintain malware analysis environments.
- Excellent organizational skills and attention to detail in tracking activities within various Security Operations workflows.
- A working knowledge of the various operating systems (e.g. Windows, OS X, Linux, etc.) commonly deployed in enterprise networks, a conceptual understanding of Windows Active Directory, and a working knowledge of network communications, transport, and routing protocols (e.g. TCP, UDP, ICMP, BGP, MPLS, etc.) and common internet applications and standards (e.g. SMTP, DNS, DHCP, SQL, HTTP, HTTPS, etc.).
- Experience with the identification and implementation of counter-measures or mitigating controls for deployment and implementation in the enterprise network environment.
- Experience in mentoring and training junior and mid-level analysts.
- The GIAC GREM certification is highly desired, as well as one or more of the following: GXPN, Offensive Security Exploitation Expert (OSEE), or Offensive Security Exploit Developer (OSED).
- Existing subject matter expertise in Advanced Persistent Threats or emerging threats.
- Proficiency in utilizing various packet capture (PCAP) applications/engines and in the analysis of PCAP data.
- Ability to develop rules, filters, views, signatures, countermeasures, and operationally relevant applications and scripts to support analysis and detection efforts.
- Familiarity with scripting languages (Bash, PowerShell, Python, Perl, Ruby, etc.) or software development frameworks (.NET).
- Salary: $140000 - $170000
- Clearance: Top Secret
- Incentives: Not Provided
- Education: Bachelors Degree
- Travel: Not Provided
- Telework: Hybrid Telecommute