The ACD Analyst will look through network flow, PCAP, logs, and sensors for evidence of cyber-attack patterns and hunt for Advanced Persistent Threats (APT).
Duties and Responsibilities:
-Actively hunt for Indicators of Compromise (IOC) and APT Tactics, Techniques, and Procedures (TTP) on the network and on hosts.
-Find evidence of attack, and of the attackers' actions thereafter.
-Work with the team to produce effective countermeasures against found evidence. Also contribute to mitigations for future attacks of a similar nature.
-Follow Security Operations Center (SOC) policies and procedures for incident reporting and management. Create a detailed Incident Report (IR) and contribute to lessons learned.
-Analyze infrastructure build sheets, Configuration Management Database (CMDB), NIST 800-53 ATO artifacts, vulnerability scans, Access Control Lists (ACL), and vendor documentation to thoroughly understand software behaviors and interactions.
-Monitor open source and commercial threat intelligence for IOCs, new vulnerabilities, software weaknesses, and other attacker TTPs.
-Study and understand IANA, W3C, IETF and other internet bodies' protocol RFC definitions to understand violations and security weaknesses.
-Conduct forensic testing and operational hardening of multiple OS platforms.
-Analyze network perimeter data, flow, packet filtering, proxy firewalls, and IPS/IDS to create and implement a concrete plan of action to harden the defensive posture.
-Work with SOC shift team to help contain intrusions.
-Provide detailed requirements to team security engineers, SIEM specialists, and other team capability developers so that hunt tactics and techniques become reusable by other team analysts.
-Provide detailed input to the watchlog and provide a thorough pass-down.
-Generate documentation as required by the US Census.
**External Referral Eligible**
-BS degree and 14 years of prior relevant experience, or Master's degree with 12 years of prior relevant experience.
-Expert knowledge of network routing and switching fundamentals, including Multiprotocol Label Switching (MPLS).
-Deep technical understanding of operating systems, network architecture and design, Active Directory (AD) application log consumables, and systems design, as well as superior knowledge of technical operations processes and procedures.
-Knowledge of how encryption, key management, and cryptology work in the enterprise and in cyber data.
-Understanding of Enterprise Architecture Standards such as the Department of Defense Architecture Framework (DODAF), Service-Oriented Architecture (SOA), the Open Group Architecture Framework (TOGAF), and/or the Amazon Web Services (AWS) Well Architected Framework
-Knowledge in the Risk Management Framework (NIST 800-37), Security Controls as described in NIST 800-35, and the Federal Information Security Modernization Act (FISMA) operating standards and applicable guidelines (risk profiling, control selection, control assessment, control monitoring)
-Expertise in performing threat modeling, risk analysis, root cause analysis, risk identification, and risk mitigation
-Expertise in Application Penetration Testing (fuzzing, reverse engineering, Fortify or similar, IDA Pro, Kali, BackTrack, OllyDbg, SQLMap, etc.)
-Expertise in Proof of Concept (Exploit) development
-Understanding of Secure SDLC (threat modeling, security requirements, secure design, secure implementation, secure testing, secure maintenance)
-Knowledge of Mobile Application Security and MDM sensor data
-Expertise in Embedded Device Security
-Expertise in Malware Analysis
-Organizational Skills: Proven ability to plan and prioritize work, both their own and that of the team. Follows tasks to their logical conclusion.
-Problem Solving: Natural inclination for planning strategy and tactics. Ability to analyze problems and determine root cause, generate alternatives, evaluate and select among them, and implement solutions.
-Results Oriented: Able to drive things forward regardless of personal interest in the task.
-Thorough understanding of network protocol behaviors. Ability to understand netflow and PCAP.
-Thorough knowledge of open source tools to visualize PCAP data (Wireshark, TCPDump, etc.).
-Detailed knowledge of various forms of social engineering, including the ability to recognize and handle spear-phishing campaigns or other forms of social engineering attacks.
-Comprehensive knowledge of Windows and Linux behaviors, logging, vulnerabilities, exploits, and known attacks.
-Use of IPsec packet filtering and Windows firewalls, with specific application to defense in depth against network-based attacks, data corruption, data theft, credential theft, and loss of administrative control.
Preferred Certifications: OSCP, CSSLP, GIAC (GPEN), GIAC (GWAPT), GIAC (GXPN), GIAC (GMOB), GIAC (GAWN), GIAC (GPYC), CFSR, CCNP, MCSE, RHCE