Vacancy expired!
- Validate analysis that is conducted and ensure that the analysis provided is completed at a professional standard.
- Ensure efficient configuration and content tuning of threat hunting platforms and security tools to improve intelligence collection efficiency.
- Ensure that events are clearly documented and processed in accordance with SOPs and reporting guidance.
- Review internal SOPs and the Judiciary Security Operations Center Incident Response Plan (JSOCIRP) for quality and accuracy.
- Provide analytics capabilities with respect to threat event data for visualization and trend analysis. Analytics capabilities include:
- Identify, retrieve, and report on relevant Threat Hunting Events
- Utilize visualization tools permitting the identification of trends in event data
- Enable users to display, sort, filter, and query data contained in event records of all types
- Export record and analysis data in a variety of ways, including but not limited to, screen, printer, e-mail, text, HTML, Adobe PDF, and MS Excel
- Communicate clearly both orally and in writing
- Methodically examine all collected Linux host data for evidence of intrusion, malware, or unauthorized activity.
- Methodically examine all collected windows host data for evidence of intrusion, malware, or unauthorized activity.
- Develop and maintain custom acquisition and post processing tools.
- Collect and organize host data pulls at scale. Host data pulls are required for Linux and Windows workstations and servers.
- Conduct full digital forensics on any operating system to include all version of Microsoft Windows, Unix based OS, Mac OS, and mobile operating systems.
- Use isolated virtual environments to conduct research and develop adversary detection methods.
- Use active defense capabilities to profile adversaries and create custom detections to be used in threat hunt operations.
- Conduct Threat Hunt operations in cloud environments, including Azure and O365.
- Leverage domain and enterprise knowledge to create hypotheses and methodologies in support of targeted and ad-hoc threat hunt operations.
- Thoroughly analyze both network and host-based artifacts across all operating systems present within the enterprise for the presence of malicious artifacts.
- Identify potential malicious activity from memory dumps, logs, packet captures and characterize suspicious binaries and be able identify traits, C2, and develop network and host-based IOCs.
- Conduct immediate host-based and network-based forensic examinations on security incidents as they arise to determine the root cause and to reconstruct a timeline of events to facilitate incident response and recovery.
- Support the incident triage process through the examination and analysis of digital evidence and artifacts. Use a variety of tools to investigate incidents and recommend courses of action to safeguard systems.
- Draft hunt, forensic and malware analysis reports that provide a clear explanation of the analysis performed and key findings.
- Report all aspects of the hunt from the methodology as well as finding and recommendations. Where logging is insufficient for determining the presence or absence of a TTP the report details new logging that the customer should enable to detect specific TTPs going forward.
- Present highly technical information to non-technical audiences.
- Accomplish tasks with little guidance and supervision. r. Use PowerShell scripting in support of live forensic investigations. Will write scripts that encapsulate multiple PowerShell cmdlets to support live incident response.
- Conduct live forensic and incident response remotely through an EDR or an "EDR-like" solution.
- Conduct cloud forensics, including O365.
- Use a SIEM, such as Splunk, to support forensic investigations and incident response.
- Use Python or other scripting language to develop or modify existing forensic tools.
- Use a forensic analysis platform, such as Magnet Axiom, EnCase, or Autopsy; and understand the forensic principles behind those automated tools.
- Directly support the provide incident response support for critical security incidents as they arise.
Vacancy expired!