Tier 2 Cyber Incident Response Team (CIRT) Shift Lead

About The Position

Requirements

• Bachelor’s degree and minimum of 11 years of relevant experience; or, Master’s degree with minimum of 9 years; or PhD with 6 years
• Must possess, or obtain prior to start date, at least one of the following certifications: CASP+ CE, CCISO, CCNA Cyber Ops, CCNA Security, CCNP Security, CEH, CFR, CISA, CISM, CISSP (or Associate), CISSP-ISSAP, CISSP-ISSEP, Cloud+, CySA+, GCED, GCIA, GCIH, GICSP, GSLC, SCYBER. Continued certification is required as a condition of employment
• Demonstrated experience across the incident response lifecycle
• Experience with SOAR platforms and automated response workflows (e.g., ServiceNow, Splunk SOAR, Microsoft Sentinel)
• Experience with Security Information and Event Management (SIEM) platforms (e.g., Splunk, Microsoft Sentinel, Elastic, QRadar)
• Experience with Endpoint Detection and Response (EDR) solutions (e.g., Microsoft Defender for Endpoint, Elastic XDR, Carbon Black, CrowdStrike)
• Knowledge of cloud security monitoring and incident response
• Knowledge of integrating indicators of compromise (IOCs) and tracking advanced persistent threat (APT) actors
• Ability to analyze cyber threat intelligence and understand adversary tactics, techniques, and procedures (TTPs)
• Knowledge of malware analysis techniques
• Familiarity with MITRE ATT&CK and D3FEND frameworks
• U.S. Citizenship required
• Active Secret security clearance required at start

Nice To Haves

• Proficiency with Splunk for security monitoring, alert creation, and threat hunting
• Experience using Microsoft Azure access and identity management
• Proficiency in Microsoft Defender for Endpoint and Identity for security monitoring, response, and alert generations
• Experience using digital forensics collection and analysis tools (e.g. Autopsy, Axiom MagnetForensics, Zimmerman-Tools, KAPE, CyLR, Volatility)
• Experience using ServiceNow SOAR for ticketing and automated response
• Experience using Python, PowerShell and BASH scripting languages
• Proficiency in cloud security monitoring and incident response
• Demonstrated ability to perform static/dynamic malware analysis and reverse engineering
• Experience with integrating cyber threat intelligence and IOC-based hunting
• Technical certifications such as: Azure SC-900, CCSP, GCIH, CCSK, GSEC, CHFI, GCLD, GCIA
• Advanced technical certifications such as: SecurityX/CASP+, PRMP, GREM, GEIR, GNFA, or GCFA

Responsibilities

• Detect, classify, process, track, and report on cyber security events and incidents
• Perform advanced in-depth analysis of coordinated Tier 1 alert triage and requests in a 24x7x365 environment
• Analyze logs from multiple sources (e.g., host logs, EDR, firewalls, intrusion detection systems, servers) to identify, contain, and remediate suspicious activity
• Characterize and analyze network traffic to identify anomalous activity and potential threats
• Protect against and prevent potential cyber security threats and vulnerabilities
• Perform forensic analysis of hosts artifacts, network traffic, and email content
• Analyze malicious scripts and code to mitigate potential threats
• Conduct malware analysis to generate IOCs to identify and mitigate threats
• Collaborate with Department of State teams to analyze and respond to events and incidents
• Monitor and respond to the CIRT Security Orchestration and Automation Response (SOAR) platform, hotline, email in-boxes
• Create tickets and initiate workflows as instructed in technical SOPs
• Coordinate and report incident information to the Cybersecurity and Infrastructure Security Agency (CISA)
• Collaborate with other local, national and international CIRTs as directed
• Submit alert tuning requests
• Review all Tier 2 shift tickets for accuracy and completeness
• Coordinate with CIRT Watch Officers and government leadership on remediation actions
• Provide technical and procedural improvement recommendations to CIRT leadership
• Assist with Tier 2 candidate technical interviews as required
• Ensure coordinated remediation actions are operating properly