Senior Cyber Intel Analyst

Bnaid Al-Qar, Kuwait City, 35, Kuwait, Kuwait

Job Description

As the Senior Cyber Intel Analyst, the individual will continuously monitor, analyze, and address Cyber/PMESII threats as they relate to networks/systems, DoDIN communications and DoD operations. In this role, the Analyst will perform duties as a Cyber Threat Hunt (CTH) Analyst, applying information from various cybersecurity, multi-intelligence and non-intelligence organizations and products to facilitate CTH activities and taskers. In addition, the Analyst will execute, guide and/or support hunt missions to detect, track and trend threats and to develop automated detections for Threat Actor (TA) activity. The CTH Analyst will support long-term DoD operations, network defense/defensive information operations, network security engineering and collaboration with the defensive cyberspace operations community of interest.

Responsibilities

  • Uses threat hunt analytic techniques to research, analyze, assess and perform hunt activities in order to detect/discover, research, report, recommend COAs and develop mitigations to detect future threat actor (TA) activity
  • Applies analytical tradecraft and evaluative techniques to address information gaps
  • Conducts Hunt Operations/Investigations, including Tactics, Techniques, and Procedures (TTP) investigations, hypothesis-driven investigations and IOC-driven investigations, producing hunt reports based on findings and disseminating them to the DoD and Government defensive cyber operations communities using collaborative tools
  • Attends meetings/briefings and conducts comprehensive research on complex topics independently or as part of a larger analytical effort, focusing on events and long-term trends that could impact the supported unit's mission
  • Conducts intelligence research, analysis, and assessments using intelligence, law enforcement and cybersecurity threat community products, databases, websites, and commercial/open-source tools
  • Manages and responds to requests for information from USCENTCOM/USARCENT, NETCOM, IA-CND sections, the RCC-SWA DCO Chief and its Director to provide actionable information/intelligence and finished intelligence products
  • Monitors and analyzes network and host-based traffic and alerts using tools such as ArcSight ESM/Logger, Microsoft Defender for Endpoint, Tanium, TYCHON, Elastic with Endpoint, Menlo CBII, Active Directory audits and Syslog
  • Provides network intrusion detection expertise to support timely and effective decision making on when to declare an incident
  • Analyzes a variety of network and host-based security appliance logs (firewalls, NIDS, HIDS, syslogs, etc.) to determine the correct remediation actions and escalation paths for each incident
  • Provides information regarding intrusion events, security incidents, and other threat indications and warning information
  • Assists with the development of processes and procedures to improve hunt operations, incident response times, analysis of incidents, and overall Defensive Cyber Operations and Intelligence Support
  • Conducts analysis of cyber threats, discovery of IT vulnerabilities, monitoring for cyber intrusions, troubleshooting and response to detected security incidents, and other security applications
  • Performs other tasks as required by BME and the Government contracting office

Required Qualifications/Education and Experience

  • Bachelor's degree in a related field and a minimum of 5 years of direct Cyber Intelligence experience, including the following:
  • 1 year of direct DoD OSINT experience or 3 years of civilian formal OSINT experience
  • 2 years of direct Incident Response experience
  • 2 years' experience with packet analysis using Elastic SIEM, Security Onion and Wireshark
  • 2 years' scripting experience, such as Python, PowerShell, and KQL
  • Security+ or ISC2 SSCP (ISC2 CISSP preferred)
  • CCNA, MCSA or Linux+ with strong emphasis on security
  • MS Excel experience for data manipulation and differentials
  • Cyber-Intel working experience must be in a DoD/LE environment, with the ability to translate traditional intelligence reporting into cyber threat alerting
  • Minimum 3 years of dedicated direct experience in Cyber Threat Hunt operations and network security with a focus on data forensics and advanced (packet) network analysis
  • Digital Forensics and Incident Response (DFIR) experience is preferred, with special focus on the subset of forensics that supports identification, investigation, and remediation of cyberattacks. These include hypothesis/IOC-driven operations, file system forensics, memory forensics, network forensics, log analysis, identifying lateral movement and pivots within networks, determining how the breach occurred, extracting indicators, providing a report and recommending specific COAs
  • Experience and demonstrable knowledge in log analytics using common threat hunting tools and platforms, including ARCYBER's Gabriel Nimbus, ArcSight, Splunk, packet analysis (PCAP, Wireshark), Netflow, QRadar, Elastic with Endpoint, MDE, and various types of log analytics (Windows, AV, firewall)
  • Experience hunting unknown live, dormant, and custom malware in memory across multiple Windows systems in an enterprise environment and tracking malware beaconing outbound to its command and control (C2) channel via memory forensics, registry analysis, and network connection residue
  • Thorough understanding of the MITRE ATT&CK Framework and Cyber Kill Chain methodologies
  • Must be able to demonstrate a thorough understanding of the intelligence cycle and architecture, to include planning, collection, research, analysis, and production
  • Knowledge of classified intelligence community/DoD reporting databases and interfaces
  • SME-level knowledge and understanding of cyber threat actors' tactics, techniques and procedures, from simple and unsophisticated to sophisticated, complex, hybrid layered attacks
  • Foundational understanding of file analysis
  • Demonstrated thorough understanding of the wider roles of interconnecting Defensive Cyber Operations, Security and Intelligence teams and collaboration with each of those (i.e., Forensics / Threat Intelligence / Penetration Testing / Vulnerability Management / "Purple Teaming", etc.)
  • Experience with tuning SIEM events to reduce false positives
  • Ability to extract the IOCs and behavioral characteristics of malicious samples and implement the proper mitigation (sandboxing)
  • Demonstrated ability to scope an event to ensure the proper remediation steps
  • Advanced knowledge of TCP/IP-based ports, protocols and services, and experience configuring and implementing various technical security solutions
  • Advanced experience providing analysis and trending of security log data from many heterogeneous security devices
  • Strong understanding of system log information and what it means, and of where to collect specific data/attributes as necessitated per incident event (host, network, cloud, etc.)
  • Excellent verbal, written and presentation communication skills, including the ability to clearly articulate technical and strategic-level cyber matters to a variety of audiences, in person or via phone/VTC
  • Experience providing tactical and strategic real-world cyber intelligence support to Command leadership using Computer Network Defense mission analysis in conjunction with All-Source Intelligence and open-source feeds to provide actionable output
  • Any one or more of the following: GCIA, GCIH, GPEN, CEH, ECSA (pen-testing preferred)
  • Must possess a solid understanding of LAN/WAN routing protocols, LAN switch technologies, firewalls, network/systems and security infrastructures, and understand how they inter-operate
  • Must possess the willingness to travel with the military to locations throughout Southwest Asia, as required, to support the military customer at their location(s) via military air/land convoy
  • Ability to lift and carry 50 lbs
  • Must possess and be able to maintain an active DoD TS clearance with full SCI eligibility

Preferred Qualifications/Education and Experience

  • 8 years' advanced Cyber Threat Intelligence experience with 5 years of direct dedicated threat hunt experience
  • 2 years' experience with KQL scripting in MDE (Microsoft Defender for Endpoint)
  • Strong familiarity with host and network forensics with one or more of the following: GCFA, GCFE, GNFA, GREM
  • 5 years of Python scripting applied to log analysis, with emphasis on SIEM data analytics
  • Certifications in CISSP-ISSAP, CCNP Security or MCSE, GCIH
  • OSCP certification is strongly preferred, but it must be combined with either CEH or GPEN for the DoD environment, since OSCP is not recognized in DoD 8570

Equal Employment Opportunity/M/F/disability/protected veteran status



Job Detail

  • Job Id
    JD1581774
  • Industry
    Not mentioned
  • Total Positions
    1
  • Job Type:
    Full Time
  • Salary:
    Not mentioned
  • Employment Status
    Permanent
  • Job Location
    Bnaid Al-Qar, Kuwait City, 35, Kuwait, Kuwait
  • Education
    Not mentioned