Actively monitor the networks, systems, applications, IT assets and bio-medical equipment’s for suspicious activity and threats. Using offensive and defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or may occur within the network and make the initial decision on the event/ threat severity.
Responsibilities:
- Manage network, intrusion detection and prevention systems.
- Conduct periodic compromise assessments across selected networks and propose recommendations based on assessment results.
- Conduct physical security assessment of the organization’s systems, including servers and networks, ensuring that any unauthorized external physical interference is not actually possible.
- Conduct ongoing network hunt activities.
- Conduct proactive vulnerability assessment across the network, subnetworks and service traffic to identify potential points of intrusion.
- Research and develop methods of tracking and detecting malicious activity within a network.
- Develop tools, signatures, and methods of detection for use in incident response activities.
- Develop SIEM integrations, dashboards, and analytics to illuminate and visualize threat activity.
- Analyze network traffic to provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities.
- Uses data collected from a variety of cyber defense tools (e.g., anti-virus, IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments, perform cyber defense trend analysis and reporting, and perform event correlation to mitigate threats and gain situational awareness and determine the effectiveness of an observed attack.
- Carries out triage to ensure that a genuine security incident is occurring.
- Coordinate with entity-wide cyber defense staff to validate network alerts.
- Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan.
- Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
- Provide daily summary reports of network events and activity relevant to cyber defense practices.
- Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.
- Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
- Isolate and remove malware.
- Develop content for cyber defense tools use them for continual monitoring and analysis of network activity to identify malicious activity.
- Assist in the construction of signatures which can be implemented on cyber defense tools in response to new or observed threats within the network environment.
- Analyze and report organizational security posture trends.
- Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus, Threat Intelligence Providers) to maintain updated of cyber defense threat condition and determine which security issues may have an impact on the enterprise.
- Provides cybersecurity recommendations based on significant threats and vulnerabilities.
- Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operational Plans.
- Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber incidents within the enterprise.
- Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.
Utilize deployable forensics toolkit to support operations as necessary
Qualifications:
Knowledge
- Security concepts such as cyber-attacks and techniques, threat vectors, risk and threat management, incident management etc.
- Networking concepts and protocols, and network security attacks, vulnerabilities, processes, methodologies, access control mechanisms, traffic analysis methods.
- Cyber threats and vulnerabilities and information dissemination sources (e.g., alerts and advisories).
- Cyber defense and vulnerability assessment tools and their capabilities.
- System and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- Scripting languages (e.g., Python, Perl, Bash) used in an incident response environment
- Incident response and handling methodologies.
- Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools, applications, methodologies and techniques for detecting host and network-based intrusions.
- Threat investigations, reporting and investigative tools.
- Cyber defense and information security policies, procedures, and regulations.
- Common attack vectors, the different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks) and attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
- Cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored), and attackers’ methodologies.
- Signature implementation impact for viruses, malware, and attacks.
- Windows/Unix ports and services.
- Relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities.
- Packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
- Use of sub-netting tools.
- Penetration testing principles, tools, and techniques.
- Investigation, auditing and forensics methods, processes, procedures and standards.
- Different types of hardware, storage, imaging and file system analysis.
- Data backup and recovery.
Skills
- Using SIEM/SOAR and Vulnerability Management tools and services.
- Sysadmin skills (Linux/Mac/Windows).
- Programming skills (Python, Ruby, PHP, C, C#, Java, Perl, and more).
- Identifying, analyzing and interpreting trends or patterns in complex data sets.
- Developing and deploying signatures.
- Detecting host and network-based intrusions via intrusion detection technologies (e.g., Snort).
- Using incident handling methodologies.
- Collecting data from a variety of cyber defense resources.
- Recognizing and categorizing types of vulnerabilities and associated attacks.
- Performing packet-level analysis.
- Conducting trend analysis.
- Using cyber defense reporting structure and processes.
- Utilizing a combination of automated and manual testing methods.
- Developing automated vulnerability testing scripts and using off the shelf vulnerability testing tools.
- Conducting vulnerability scans and recognizing vulnerabilities in networks, systems and applications.
- Using of penetration testing tools and techniques.
- Applying analytical and problem-solving skills.
Ability
-