
Cyber Threat Intelligence Analyst

XOR Security is currently seeking a Cyber Threat Intelligence Analyst to support an Agency-level Focused Operations (FO) team at DHS. The FO program is part of a purple team that provides comprehensive Computer Network Defense (CND) and Response support through monitoring and analysis of potential threat activity targeting the enterprise. To support this vital mission, XOR staff are at the forefront of providing Advanced CND Operations and Systems Engineering support, including the development of advanced analytics and countermeasures to protect critical assets from hostile adversaries. The Threat Intelligence Analyst will hunt for cyber threats arising from daily operations and generate Cyber Threat Intelligence Analysis Reports (CTARs) and Threat Profiles for dissemination to various stakeholders. This service includes the collection and analysis of intelligence regarding cyber security threats and vulnerabilities as well as the direct and coordinated response to such threats and vulnerabilities. Strong written and verbal communication skills are a must. The ideal candidate will have a solid understanding of cyber threats and information security in the domains of TTPs, Threat Actors, Campaigns, and Observables. Additionally, the ideal candidate will be familiar with intrusion detection systems (HIDS/NIDS), intrusion analysis, security information and event management (SIEM) platforms, endpoint threat detection tools (e.g., EDR), and security operations ticket management. Hunt operations, while not staffed 24x7, will be on-call seven days a week, 24 hours a day.

Corporate duties such as solution/proposal development, corporate culture development, mentoring employees, and supporting recruiting efforts will also be required. The program has on-site requirements in Springfield, VA one or more days a week for all staff.

Job Responsibilities: 

In support of this task and the activities listed above, the Contractor shall:  

  • Support improvement of Cyber Defense capabilities through development of threat or exploitation use-cases and detection techniques.  
  • Apply knowledge of different operational threat environments (e.g., first generation [script kiddies], second generation [non-nation state sponsored], and third generation [nation state sponsored]) and general attack stages (e.g., foot-printing and scanning, enumeration, gaining access, escalation of privileges, ransomware, maintaining access, network exploitation, covering tracks, etc.) within FO Operations to assist with incident categories, incident responses, and timelines for responses. 
  • Obtain and maintain a current understanding of IT systems, policies, and internal operational groups for applications of various threat information sources (including public, private, and classified sources).   
  • Ensure that only approved classified government networks and devices are utilized to view, analyze, create, process, or store classified information and review that all classified information is properly marked, handled, processed, stored, and destroyed as necessary. 
  • Create and deliver Classified Cyber Threat Intelligence Reports based on intelligence, threats, and vulnerabilities utilizing proper safeguards.  
  • Analyze threats and vulnerabilities to determine their impact upon target systems.  
  • Identify the necessary actions required to proactively mitigate risks posed by threats and vulnerabilities.  
  • Work with other agencies and organizations within the intelligence community at the direction of designated government TSA FO team members.  
  • Notify TSA FO regarding procedures and requirements discussed with the intelligence community.  
  • Perform daily outreach activities with members of the community for information sharing and timely reporting which includes the collection and delivery of cyber threat indicators. 
  • Research and obtain pertinent cyber-intelligence within 1 business day of issuance by intelligence agencies.  
  • Create and deliver threat briefs and briefings on a daily, weekly, biweekly, quarterly and ad hoc basis.  

Required Qualifications (candidates must have the following): 

  • A minimum of 7 years of malware analysis, reverse engineering and malware development experience relevant to this task order including 5 years of direct support for the US Government
  • Bachelor’s Degree in IT, computer science, business or intelligence analysis OR a minimum of 7 years of relevant experience. 
  • Possess the GIAC Cyber Threat Intelligence (GCTI) or equivalent certification. 
  • Active Top Secret Clearance and SCI Eligibility. 
  • Prior experience and ability to analyze information technology security events to discern events that qualify as a legitimate security incident as opposed to non-incidents. This includes security event triage, incident investigation, implementing countermeasures, and conducting incident response. 
  • Strong logical/critical thinking abilities, especially analyzing security events (windows event logs, Tanium queries, network traffic, IDS events for malicious intent). 
  • Strong proficiency in report writing: a technical writing sample and technical editing test will be required if the candidate has no prior published intelligence analysis reporting. Excellent verbal and written communication skills and the ability to produce clear and thorough security incident reports and briefings. 
  • Excellent organizational skills and attention to detail in tracking activities within various Security Operations workflows. 
  • A working knowledge of the various operating systems (e.g. Windows, OS X, Linux, etc.) commonly deployed in enterprise networks; a conceptual understanding of Windows Active Directory is also required, along with a working knowledge of network communications and routing protocols (e.g. TCP, UDP, ICMP, BGP, MPLS, etc.) and common internet applications and standards (e.g. SMTP, DNS, DHCP, SQL, HTTP, HTTPS, etc.). 
  • Experience with the identification and implementation of countermeasures or mitigating controls for deployment and implementation in the enterprise network environment. 

Desired Qualifications: 

  • One or more certifications for CND Analysts: GCIA, GCED, GCFE, GCTI, GNFA, GCIH, CND, ECSA, OSCP, OSEE, OSCE. 
  • Existing Subject Matter Expertise of Advanced Persistent Threat or Emerging Threats. 
  • Expertise on policies, industry trends, techniques related to penetration testing. 
  • Ability to work on-call during critical incidents or to support coverage requirements (including weekends and holidays when required). 

Closing Statement: 

XOR Security offers a very competitive benefits package including health insurance coverage from the first day of employment, 401k with a vested company match, vacation and supplemental insurance benefits. 

XOR Security is an Equal Opportunity Employer (EOE). M/F/D/V. 

Citizenship and Clearance Requirement: 

Applicants selected may be subject to a government security investigation and must meet eligibility requirements - US CITIZENSHIP and TOP SECRET CLEARANCE REQUIRED! 
