Cyber Threat Hunter
Sev1Tech
- Chandler, AZ
- Permanent
- Full-time
- Manage all aspects of the Cyber-Threat Hunt lifecycle, including creation and improvement of enterprise-specific Threat Models and threat hypotheses, plan and scope Threat Hunt campaigns, missions, and activities against a variety of threat types and identify enterprise defense gaps and propose potential mitigation activities
- Perform Cyber-Threat Hunt missions by identifying and investigating patterns and anomalies in data, suspicious network activities, including access from Outside the Continental United States (OCONUS) or utilization of non-standard credentials, anomalous or suspicious telemetry, and other Cyber Threat Intelligence
- Pro-actively search networks to detect and isolate advanced cybersecurity threats that evade in-place security solutions
- Regularly perform advanced analysis and adversary hunting activities to pro-actively uncover evidence of adversary presence on DHS networks
- Follow incident response procedures for detected insider threat activity
- Create Threat Models to better understand the DHS IT Enterprise, identify defensive gaps, and prioritize mitigations
- Author, update, and maintain SOPs, playbooks, work instructions
- Utilize Threat Intelligence and Threat Models to create threat hypotheses
- Plan and scope Threat Hunt Missions to verify threat hypotheses
- Pro-actively and iteratively search through systems and networks to detect advanced threats
- Analyze host, network, and application logs in addition to malware and code
- Prepare and report risk analysis and threat findings to appropriate stakeholders
- Create, recommend, and assist with development of new security content as the result of hunt missions to include signatures, alerts, workflows, and automation.
- Coordinate with different teams to improve threat detection, response, and improve overall security posture of the Enterprise
- Bachelor's degree in Science, Technology, Engineering, Math or a related field
- Eight (8) to twelve (12) years of prior relevant experience with a focus on Cyber Security or Masters with six (6) years of prior relevant experience
- At least four (4) years of experience serving as a SOC Analyst and/or Incident Responder
- Ability to work independently with minimal direction
- Self-starter/self-motivated
- Must have at least one (1) of the following certifications:
- SANS GCIH (GIAC Certified Incident Handler)
- SANS GCFA (GIAC Certified Forensic Analyst)
- SANS GCFE (GIAC Certified Forensic Examiner)
- SANS GREM (GIAC Reverse Engineering Malware)
- SANS GISF (GIAC Information Security Fundamentals)
- SANS GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
- SANS GCTI (GIAC Cyber Threat Intelligence)
- SANS GOSI (GIAC Open Source Intelligence)
- SANS GCIA (GIAC Certified Intrusion Analyst)
- SANS GNFA (GIAC Network Forensic Analyst)
- SANS GWAPT (GIAC Web Application Pentester)
- SANS GPEN (GIAC Penetration Tester)
- Offensive Security Certified Professional (OSCP)
- Offensive Security Certified Expert (OSCE)
- Offensive Security Wireless Professional (OSWP)
- Offensive Security Exploitation Expert (OSEE)
- ISC2 CCFP (Certified Cyber Forensics Professional)
- ISC2 CISSP (Certified Information Systems Security Professional)
- Expertise in network and host-based analysis and investigation
- Demonstrated experience planning and executing threat hunt missions
- Understanding of complex Enterprise networks to include routing, switching, firewalls, proxies, load balancers
- Working knowledge of common networking protocols (HTTP, DNS, SMB, etc.)
- Familiar with operation of both Windows and Linux based systems
- Proficient with scripting languages such as Python or PowerShell
- Familiarity with Splunk Search Processing Language (SPL) and/or Elastic Domain Specific Language (DSL)
- Demonstrated experience triaging and responding to APT activities
- Experience working with various technologies and platforms such as AWS, Azure, O365, containers, etc.
- Understanding of current cyber threat landscape, the different tactics commonly used by adversaries and how you would investigate, contain and recover against their attacks