HIRT Host-Based Cybersecurity Lead Analyst
Leidos is looking for a Host-Based Cybersecurity Lead Analyst to provide leadership and vision in incident handling, response, and analysis on a mission-critical program whose purpose is rapid response to cyber incidents and proactive monitoring for malicious cyber activity. This Lead will be responsible for the technical direction and leadership of a team of host-based cybersecurity and digital forensics systems analysts.
Must be U.S. citizen and possess an active TS clearance and ability to obtain TS/SCI.
NOTE: This position is based out of Arlington, VA.
o Manage investigation status, progress reporting, risks/issues, scheduling, quality, and continual improvement documentation
o Assist in managing stakeholder relationships; coordinate with other contractors
• Documentation and Reporting
o Provide accurate, concise reporting
o Identify and document host-based tactics, techniques, and procedures used by an attacker to gain unauthorized system access.
o Track and document CND incidents from initial detection through final resolution.
• Deployment and Data Collection
o Collect intrusion artifacts (e.g., domains, Uniform Resource Identifiers (URIs), certificates) and use the discovered data to enable mitigation in CND hunts and incidents
o Understanding of network architecture/engineering standards and methods of securing networks, with a strong background in network and system administration.
o Aid in the scoping and hypothesis-gathering process pre-deployment.
• Hunt and Discovery
o Investigating targeted threat actors of various categories, such as nation-state actors, hacktivist groups, commodity malware, script kiddies, and more.
o Perform analysis of log files from a variety of host sources to identify threats
o Host forensics to include performing endpoint detection and response/hunt
o Ability to recognize malicious TTPs and IOCs in pursuit of a threat adversary on a network using endpoint agent-based solutions.
• Post Discovery Analysis
o Reverse Engineering/Malware Analysis using industry standard tools
o Digital Forensics utilizing industry standard tools
o Artifact Analysis: the general analysis of files (binary or otherwise) from various operating systems to determine their relation to threat actor activity (targeted files, residual changes, etc.), as distinct from in-depth binary analysis
o Lateral Movement Analysis via knowledge of network, authentication, and other log types.
o Perform forensically sound collection of images and inspect them to discern possible mitigation/remediation on enterprise systems
• Ancillary skills
o Perform real-time CND Incident Handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable incident response teams.
o Programming and/or scripting skills, including Python, Ruby, Perl, C, C#, .NET, etc.
o Automation and data normalization skills.
o Familiarity with virtual environments, on-premises and public cloud environments, hybrid environments, etc.
MINIMUM REQUIRED QUALIFICATIONS:
• EDUCATION & EXPERIENCE: Typically requires a BS degree and 12 - 15 years of prior relevant experience, or a Master's with 10 - 13 years of prior relevant experience. May possess a Doctorate in a technical domain.
• Active TS clearance; Ability to obtain a TS/SCI clearance
• Experience in providing leadership and vision in incident handling, response, and analysis
• Intimate knowledge and hands-on experience in cybersecurity, incident response, and analysis; digital forensics; security vulnerabilities/weaknesses; network security issues, and encryption technologies
• Proficient in malicious activity detection, including automatic detection and characterization; reactive countermeasures; proactive defenses; threat assessment; damage assessment; reverse engineering; IDS; malware and anti-virus support; and RDBMS administration, queries, and reports
• Possess at least one active certification from the following: GCFE, GCFA, GCED, GREM, GNFA, EnCE, GCIA, GCIH, or CSIH
• Demonstrated experience/knowledge of incident response and handling methodologies
• Very strong hands-on experience with at least three of the following tools: Volcano Pro, Volexity Surge Collect Pro, Bro Network Analysis, Splunk, FireEye HX, EnCase, AccessData Forensic Toolkit, Suricata, Tanium Endpoint Detection and Response, Elastic ELK Open Source Tool Stack, and Snort Network Intrusion Detection System
• Experience in identifying different classes of attacks and attack stages
• Knowledge of system and application security threats and vulnerabilities
• Ability to analyze digital media (e.g., logs, code, phones, hard drives, memory dumps, etc.) to determine attack vectors and develop mitigation techniques
• Ability to perform forensic analysis on common operating system environments, e.g., MS Windows, Mac OS, UNIX, Linux, Solaris
• Ability to perform real-time CND hunt and incident handling (e.g., forensic collections, intrusion correlation/tracking, threat analysis, and direct system remediation) tasks
• Ability to perform ad hoc data analysis, including on-the-fly onsite data integration and scripting
• Experienced and adept at developing and maintaining technical documents, analyses, and reports.
• Experience presenting briefings to senior customer management, customer stakeholders, and company management; and
• Excellent verbal and written communications skills
ADDITIONAL DESIRED QUALIFICATIONS:
• Possess more than one active certification from the following: CISSP, GCFE, GCFA, GCED, GREM, GNFA, EnCE, GCIA, GCIH, CEH, CSIH, OSCP, or OSCE
• Experience in incident handling for nation state-sponsored operational threat environments