Responsibilities:
• Performing investigation of intensified notable events
• Initial collection of evidence related to called-out security events
• Collection of evidence related to compliance audits
• Validation and regular review of processes and procedures
• Identification, issue, and follow-up on false positives
• Process initial mitigation and containment procedures
• Create and maintain reporting related to security events
• Coordinate with service and operations teams to validate security events and anomalous activity
• Resolve and report on possible causes of security events and alerts
• Operate security tools for continual monitoring and analysis of system/network activity to identify malicious activity
• Assist in the construction of security alerts and processes based on knowledge gained from daily monitoring and triage
• Advise designated managers, and responders of suspected cyber incidents including the event's history, status, and potential impact
• Supervise external data sources to maintain basic knowledge of threat conditions
• Recognize a possible security violation and take appropriate action to raise the incident, as required
Knowledge
• Solid grasp of:
• Computer networking concepts and protocols, and network security methodologies
• Host/network access control mechanisms
• Intrusion detection methodologies and techniques
• How traffic flows across the network (TCP/IP, OSI, ITIL)
• System and application security threats and vulnerabilities
• Types of network communications (LAN, WAN, MAN, etc)
• File extensions (.zip, .sh, .pcap, .bat, .dll, .py, etc)
• Interpreted and compiled computer languages
• Common charge vectors
• Attack classes (passive, active, insider, distributed, etc)
• Incident response and handling methodologies
• Authentication, authorization, and access control methods
• Information technology (IT) security principles and methods
• Network traffic analysis methods
• Operating systems
• Cyber attackers
• Defense-in-depth principles
• System administration, network, and operating system hardening techniques
• Cyber attack stages
• Network security architecture concepts
• Windows/Unix ports and services
• Operating system command-line tools
• Network protocols
• Running knowledge of cyber threats and vulnerabilities
• Understanding security events related to:
• Operating system (Linux and Windows) logs
• Database logs
• VPN logs
• Knowledge of adversarial tactics, techniques, and procedures
• Understanding the use of the following:
• Network tools (ping, traceroute, nmap, etc)
• Host base tools (Tanium, basic Linux and Windows native tools)
• SIEM (Splunk, ELK, Lumberjack, Splunk Enterprise Security, etc)
• Understanding of cybersecurity and privacy principles and related organizational requirement
Skills
• Detecting host and network-based intrusions via intrusion detection technologies
• Using protocol analyzers
• Recognizing and categorizing types of vulnerabilities and associated attacks
• Reading and interpreting signatures
• Conducting trend analysis
• Evaluating information for reliability, validity, and relevance
• Identifying cyber threats that may jeopardize the organization and/or partner interests
• Preparing and presenting briefings
• Providing analysis to aid writing phased after action reports
• Using Boolean operators to construct simple and sophisticated queries
• Using multiple analytic tools, databases, and techniques
• Using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches
• Applying virtual collaborative workspaces and/or tools (Zoom, JIRA, Confluence, Oradocs, Slack, etc)
• Performing packet-level analysis
• Using a SIEM to detect, research, and perform initial triage of security events
• Exercising good judgment in calling out security events
Abilities
• Think critically
• Ability to think like threat actors
• Apply techniques for detecting host and network-based intrusions using intrusion detection technologies
• Interpret the information collected by network tools
• Recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists
• Effectively collaborate with virtual and remote teams
• Evaluate information for reliability, validity, and relevance
• Exercise judgment when policies are not well-defined
• Function reliably in a dynamic, fast-paced environment
• Ability to function in a collaborative environment, seeking continuous consultation with other analysts and guides, both internal and external to the organization, to demonstrate analytical and technical expertise
• Recognize and mitigate cognitive biases that may affect analysis.
Other Requirements and Expectations
• Other tasks and duties as assigned
• Work effectively within a remote team including effective, constant, and collaborative communication with all members of the NSGBU SOC
Career Level - IC4