Brussels, Belgium • April 2, 2025
Deadline Date: Friday 15 July 2022
Requirement: Cyber Threat Intelligence Analyst Services
Location: Brussels, Belgium
Full time on-site: Yes
NATO Grade: G17/110
Total Scope of the request (hours): 1335
Required Start Date: 8 August 2022
End Contract Date: 31 December 2022
Required Security Clearance: NATO SECRET
Special Terms and Conditions: The contractor will be responsible for complying with the respective national requirements for working permits, visas, taxes, social security, etc. whilst working on site at NATO HQ, Brussels, Belgium. No special status is either conferred or implied by the host organisation, NATO HQ, Brussels, Belgium, on the contractor whilst working on site. The contractor will be responsible for complying with all the respective National Health COVID-19 regulations for quarantine on arrival in Belgium before taking up the position.
1. INTRODUCTION
The NATO Office of the Chief Information Officer (OCIO) is responsible for Cyber Defence for the NATO Enterprise. The OCIO has been tasked to increase NATO’s Cyber Defence posture. As part of this initiative, the OCIO plans to enhance the ability of NATO’s Cyber Threat Analysis Branch (CTAB) to provide the quality and quantity of cyber intelligence products required by the NATO Enterprise. The contractor will work for the OCIO; however, the CTAB has tasking authority.
The Cyber Threat Analysis Branch is responsible for providing evidence-based assessments of the cyber threat landscape to empower NATO stakeholders to make risk-informed decisions. The multidisciplinary team combines all-source data with cutting-edge technologies to support and enhance the Alliance leadership’s understanding of the nature of cyber competition and conflict. CTAB systematically identifies strategic patterns and trends in cyber space and generates tailored insights to support network defence and mission assurance with predictive analysis, cyber threat intelligence, and threat hunting.
The contractor will support the work of the OCIO and Cyber Threat Analysis Branch and help the development of cyber assessments and threat hunting playbooks of interest to the Alliance.
2. TASKS
In providing Cyber Threat Intelligence Research and Development services, the contractor will be responsible for identifying and tracking sophisticated cyber threat actors across a geo-political region. Specific tasks include:
2.1 Develop extensions to our analytics backend (Vertex Synapse) in the form of Storm services. Code both in Storm and in Python to automatically ingest and integrate several structured and unstructured data sources and map the different data points to the available data model. These data can come from OSINT or CTI subscriptions and can be in the form of raw data and threat intelligence reports often made available via APIs.
2.2 Improve and write new infrastructure and malware tracking code (Storm and Python) to keep track of cyber threat actors, based on the data available in our analytics backend.
2.3 Help to mature and improve the team’s development life cycle, by setting up the tools and pipelining necessary to automate, test and deploy code in a structured way using Docker, JIRA, git and other technologies according to industry best practices.
2.4 Support the team, i.e. cyber threat analysts, cyber threat researchers and data scientists by developing tailored solutions to automate and innovate.
4. LOCATION
The work will be executed on site at the NATO HQ offices in Brussels, Belgium. Teleworking options may be available at manager’s discretion.
5. TIMELINES
The services of the contractor are required for the period starting 8 August 2022 until 31 December 2022. An earlier start date is possible, if feasible for the contractor and mutually agreed. Under the current framework contract, a contract extension is possible for the calendar year 2023. Future contract extensions are subject to performance of the contractor and related NATO regulations.
6. SPECIFIC WORKING CONDITIONS
Secure environment with standard working hours, with the exception of working in non-standard working hours up to 360 hours annually. In addition, it may exceptionally be required to work non-standard hours in support of a major Cyber Incident or on a shift system for a limited period due to urgent operational needs.
7. TRAVEL
No travel is required.
8. SECURITY AND NON-DISCLOSURE AGREEMENT
The contracted individual must be in possession of, or capable of possessing, a security clearance of NATO Secret or equivalent. A signed Non-Disclosure Agreement will be required.