Job Description (from the job posting):
XOR Security is currently seeking several Cyber Hunt/Deception Operations SMEs to support an Agency-level Focused Operations (FO) team at DHS. The FO program is part of a purple team that provides comprehensive Computer Network Defense and Response support through monitoring and analysis of potential threat activity targeting the enterprise.
Cyber Hunt/Deception Operations SMEs will conduct tactical operations using deception technologies already deployed and yet to be deployed. Deception operators will coordinate closely with Cyber Hunt, Threat Emulation SMEs, and DevOps, and will respectively focus on Cyber Hunt, Detective Content Development, Malware Analysis, and Cyber Threat Intelligence (skills in more than one cyber discipline are preferred). To support this vital mission, XOR staff are at the forefront of providing Advanced CND Operations and Systems Engineering support, including the development of advanced analytics and countermeasures to protect critical assets from hostile adversaries.
To ensure the integrity, security and resiliency of critical operations, we are seeking candidates with diverse backgrounds in cyber security systems operations, analysis and incident response. Strong written and verbal communication skills are a must. The ideal candidate will have a solid understanding of cyber threats and information security in the domains of TTPs, Threat Actors, Campaigns, and Observables. Additionally, the ideal candidate would be familiar with intrusion detection systems, intrusion analysis, security information and event management platforms, endpoint threat detection tools, and security operations ticket management. Hunt operations, while not staffed 24×7, will be on-call seven days a week, 24 hours a day.
Corporate duties such as solution/proposal development, corporate culture development, mentoring employees, and supporting recruiting efforts will also be required. The program has on-site requirements in Springfield, VA one or more days a week for all staff.
Job Responsibilities:
In support of this task and the activities listed above, the Contractor shall:
- Lead Tactical Deception Operations to identify threat activities within the Agency environment.
- Support improvement of Cyber Defense capabilities through development of SOC use cases and detection techniques.
- Perform hunt operations to analyze the overall Agency data systems security posture and to propose improvements. The work will be performed over the period of the contract with a minimum of six trips to field sites to gain perspective from operational personnel.
- Develop implementation plans for improvement.
- Provide recommendations and assistance regarding implementation requirements.
- Be responsible for the application of defensive cyber counter infiltration operations against APTs and perform host level analysis. This includes identifying incidents, malicious code, malicious binary network traffic, and behavioral analysis.
- Produce all reports in both a classified and unclassified version for distribution to other Agency departments as well as other agencies and organizations within the IC.
- Work with other agencies and organizations within the IC at the direction of the COR.
- Research and apply pertinent cyber intelligence within two business days of issuance by the IC.
- Create and deliver Cyber Security Incident Reports.
- Provide support to SOC requests including the triage and analysis of requests from the SOC.
- Provide support to the SOC and FO to perform host level analysis. This includes identifying incidents, continuing analysis of requests, malicious code, malicious binary network traffic, and behavioral analysis.
- Provide threat and vulnerability findings within four hours of validation to the Agency SOC and FO Threat Analysts for tracking and the deployment of proactive countermeasures.
- Properly validate threats/vulnerabilities in accordance with the source, criticality of the device, availability of test devices, etc.
- Attend and participate in weekly Department-level meetings and participate in weekly Agency Network Intrusion Working Group meetings with the Agency SOC.
- Accept escalation of suspected threats and vulnerabilities from multiple sources, internal and external.
- Use data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs etc.) to analyze events that occur within their environments for the purposes of mitigating threats.
- Develop cyber indicators to maintain awareness of the status of the highly dynamic operating environment. Collect, process, analyze, and disseminate cyber threat/warning assessments.
- Analyze data/information from one or multiple sources to conduct preparation of the environment, respond to requests for information, and submit intelligence collection and production requirements in support of planning and operations.
- Conduct advanced analysis of collection and open-source data to ensure target continuity, profile targets and their activities, and develop techniques to gain more target information. Determine how targets communicate, move, operate and live based on knowledge of target technologies, digital networks, and the applications on them.
- Analyze digital evidence and investigate computer security incidents to derive useful information in support of system/network vulnerability mitigation.
- Analyze threats and vulnerabilities to determine their impact upon the Agency IT systems.
- Generate threat intelligence indicators during the course of Hunt operations and apply/fine-tune them across the enterprise network.
- Conduct cybersecurity analysis and research in support of FO investigations.
- Examine malicious software, such as bots, worms, and Trojans, to understand the nature of the threat.
- Follow department procedures and protocols for troubleshooting and resolving issues.
- Use a wide range of software applications and tools to diagnose and resolve issues.
- Identify the necessary actions to proactively mitigate risks posed by threats and vulnerabilities.
- Develop, research and maintain proficiency in tools, techniques, countermeasures, and trends in computer and network vulnerabilities, data hiding, and encryption.
- Successfully and continuously execute tests and analyze results that proactively alert on drift from a known-good baseline and validate control configuration.
- Actively hunt the Agency network to identify suspicious, malicious, and anomalous activity.
- Provide processes and procedures and create content within Elastic, Splunk and Tanium.
- Hunt Operations will be “on-call” on a 24×7 basis for emergency situations.
- Conduct daily hunt analysis of data to identify and detect malicious and/or anomalous activity.
- Conduct special hunt ops that are generally related to specific incidents that require focused hunt analysis of a specific system’s architecture and security posture. Provide the associated final reports and briefs for information sharing and action toward mitigation.
- Be accountable for utilizing a range (3 or more) of intelligence and other cybersecurity resources to hunt for threat actors across the Enterprise.
- Provide, maintain and brief all hunt successes bi-weekly and as requested. These should be accompanied by final reports that include the evidence discovered.
- Support the underlying business cases while identifying limitations and planning for contingencies.
- Avoid major risks that aren’t part of the core cybersecurity mission.
- Establish continuity clauses that ensure limited disruption to daily operations while improving the competitive posture.
- Complete all required documentation prior to each hunt operation. The required documentation includes:
  a. Threat Hunt Operations plans, to include:
    i. Notifications to “approved” stakeholders (Leadership, Agency SOC, etc.)
    ii. Provision of technical information to the “approved” stakeholders for de-confliction purposes
- Complete all required activities upon completion of each Threat Hunt operation. These include:
  a. Threat Hunt Final Reports that include: Findings, Recommendations, and Provision of all findings for the creation of POAMs for remediation.
- Cyber Hunt SMEs will present Threat Hunt Oral Presentations that include the final report contents and an oral brief of the operation at the Biweekly Brief to other stakeholders, as required.
- Maintain all documentation and keep it current. Updates are applied monthly (minimum).
- Cyber Hunt SMEs will maintain documentation, ensuring that the following is updated monthly and remains current: Threat Hunt SOP(s) and Threat Hunt equipment and software (all current security updates/patches applied).
- Provide support, documentation, and other threat emulation duties required for the DHS CSP audit held every 3 years.
US Location Required: Yes
Location: Springfield, VA
Schedule: Full time
Salary: USD 69K – 128K
Clearance required: US CITIZENSHIP and TOP SECRET CLEARANCE REQUIRED