Threat Hunting and Forensics Analyst

About The Position

Requirements

• High School or GED-General Educational Development-GED Diploma
• Bachelor’s degree in computer science or equivalent is preferred
• Minimum of five years’ hands-on experience
• Understanding of basic computer and networking technologies.
• Windows and Linux operating systems
• Networking technologies (routing, switching, VLANs, subnets, firewalls)
• Common networking protocols – SSH, SMB, SMTP, FTP/SFTP, HTTP/HTTPS, DNS, etc.
• Common enterprise technologies – Active Directory, Group Policy, and the Microsoft Azure suite of cloud services.
• Understanding of current system logging technology and retrieving information from a plethora of technology platforms.
• Familiarity with the MITRE ATT&CK Framework and deep, technical-level understanding of the major techniques contained within.
• Ability to work with or learn Microsoft Power BI.
• Ability to obtain and maintain Public Trust Security Clearance. Applicants selected will be subject to a government security investigation and must meet eligibility requirements for access to classified information. Accordingly, U.S. Citizenship is required.
• Grasp of core THF concepts: Adversary Tactics, Techniques, and Procedures (TTPs): Deep familiarity with the MITRE ATT&CK framework and common APT behaviors.
• Hypothesis-Driven Hunting: Ability to form and test analytic hypotheses based on threat intelligence and anomalous activity.
• Data Analysis & Correlation: Skilled at leveraging SIEM, EDR, and network telemetry to detect patterns and anomalies.
• Indicators of Compromise (IOCs): Identifying, validating, and operationalizing IOCs across diverse data sources.
• Forensic & Malware Analysis Fundamentals: Understanding of how to examine artifacts, logs, and malicious code behavior.
• Automation & Scripting: Competence in Python, PowerShell, or similar languages to streamline hunting workflows.
• Excellent analytical and problem-solving skills.
• The preferred candidate should have the ability to work independently, but also to work as part of a team.
• Ability to research and understand log sources for new or unfamiliar systems, and learn how to distinguish between “normal” activity and anomalous/malicious activity on those systems.
• Familiarity with the Microsoft 365/Azure suite of products including Microsoft Sentinel and Microsoft 365 Defender.
• Ability to speak publicly within the organization at meetings with up to 100 participants.
• Willingness to take on and adapt to new, open-ended tasks for which there is no current standard operating procedure.
• Ability to research independently and self-teach.
• Proficiency with common enterprise AI tools such as ChatGPT and Microsoft CoPilot to enhance productivity.

Nice To Haves

• Interest in security/hacking culture.
• Ability to “think like an attacker”
• Any threat hunting or forensics certification, especially: eLearnSecurity Certified Threat Hunting Professional (eCTHPv2) SANS GIAC Reverse Engineering Malware (GREM) EC-Council Computer Hacking Forensic Investigator (CHFI)
• Any Microsoft 365/Azure cybersecurity certification, especially: Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) Microsoft Certified: Security Operations Analyst Associate (SC-200) Microsoft Certified: Azure Fundamentals (AZ-900) Microsoft Certified: Azure Security Engineer Associate (AZ-500)
• Expertise in Microsoft Power BI
• Knowledge of common enterprise technologies, policies, and concepts such as: Microsoft Sentinel SIEM Kusto Query Language (KQL)
• Mobile device technologies (iOS, Android)
• Scripting experience (PowerShell, Python, etc.)
• Azure DevOps
• Artificial Intelligence (AI) / Machine Learning (ML) expertise
• In-depth knowledge of AI and ML concepts.
• How to practically apply AI/ML technologies to enhance cyber threat hunting capabilities.
• Experience with specific AI services offered within Microsoft Azure.

Responsibilities

• Perform active cyber threat hunt activities based on current cyber threat intelligence and the MITRE ATT&CK Framework.
• Build queries, alerts, and automations to monitor activities and traffic across the network.
• Perform detailed analysis to reconstruct the series of events that led to a compromise or breach.
• Collaborate with the CTI Team to establish relevant tactics, techniques and procedures for prioritized cyber actors identified in the threat model.
• Collaborate with the Security Operations Center (SOC) to continuously develop and tune alerts and automations to detect and repel threat to the federal client’s operations.
• Develop cyber hunt activities based on attack hypotheses to identify indications of potential compromise or breach.
• Possess advanced knowledge across various IT platforms in order to understand how attacks occur and what residual indicators might result.
• Develop, maintain, and update the Threat Hunting Concept of Operations (ConOps) and standard operating procedures (SOPs) as identified in contract deliverables.
• Collaborate with and support the Insider Threat Program.
• Execute proactive defense of the federal client’s systems through IOC sweeps, host interrogation, and persistent threat hunting.
• Conduct advanced analysis and adversary hunting activities in support of operations to proactively uncover evidence of adversary presence on federal client networks and follow Incident Handling processes for detected Insider Threat activity.
• Receive and apply intelligence from the CTI Team, including IOCs and TTPs, to hunt for activity within federal client networks.
• Provide status updates according to the reporting rhythm, maintain daily Activities Tracker, and prepare Enterprise Forensics, Malware Analysis and Advanced Hunting Plan & SOP as identified in contract deliverables.
• Preserve the user activity monitoring audit data chain of custody in accordance with Title 5 U.S.C. (aka Privacy Act) and in compliance with Federal and DHS regulations.
• Provide notification, escalation, and daily summary reports based on security event analysis in accordance with the current Federal requirements, DHS requirements and guidelines.
• Proactively search through networks to detect and isolate advanced threats that evade existing security solutions.
• Perform digital forensic analysis, including network, cloud, and host based.
• Collect, process, analyze, preserve, and present computer-related evidence in support of cyber incidents, law enforcement, and fraud or counterintelligence.
• Maintain a secure sandboxing solution, simulated Internet connectivity, multiple Antivirus vendor scanning capabilities, and other methods to safely determine malware affects and indicators.
• Ensure that the malware lab contains appropriate digital media analysis tools and equipment (i.e., spare hard drives for replication).
• Conduct forensic analysis of digital media or package and ship media to a designated computer forensic analysis team.
• Identify, analyze, reverse engineer, and de-obfuscate content related to cyber incidents in the lab environment isolated from the client’s networks.
• Serve as technical Subject Matter Experts (SMEs) within the team.
• Write, update, and modernize SOPs in accordance with applicable Federal policies, regulations, directives, and standards including, but not limited to, the current NIST Publications.
• Conduct formal digital forensic investigations and document findings in formal investigation reports.
• Conduct malware analysis and provide Malware Analysis Reports.
• Develop new security content, such as network IDS signatures, endpoint and SIEM Queries and attacker TTPs after reversing malware.
• Conduct purple team assessments in conjunction with the penetration testing team to measure effectiveness of existing logging and detection mechanisms and identify areas of improvement.

Benefits

• generous salary
• insurance (medical, dental, etc.)
• paid leave
• 401k plan