cFocus Software Incorporated
Senior Threat Hunter
cFocus Software Incorporated, Washington, District of Columbia, US, 20022
cFocus Software seeks a Threat Hunter to support the Administrative Offices of the United States Courts (AOUSC) in Washington, DC. This position requires 4 days a week onsite at the Thurgood Marshall Building and 1 day remote, working hours 8:00‑4:30 PM.
Required Qualifications
Ability to obtain a Public Trust.
5 years of experience performing threat hunts & incident response activities for cloud-based and non-cloud-based environments, such as Microsoft Azure, Microsoft O365, Microsoft Active Directory, and Zscaler.
5 years of experience performing hypothesis-based threat hunts & incident response using Splunk Enterprise Security.
5 years of experience collecting and analyzing data from compromised systems using EDR agents (e.g., CrowdStrike) and custom scripts (e.g., Sysmon & Auditd).
5 years of experience with the following threat hunting tools: Microsoft Sentinel for threat hunting within Microsoft Azure; Tenable Nessus and SYN/ACK for vulnerability management; NetScout for analyzing network traffic flow; SPUR.us for enrichment of addresses; Mandiant Threat Intelligence feeds.
Must be able to work 80% (Monday‑Thursday) onsite at the AOUSC office in Washington, DC.
One of the following certifications:
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Continuous Monitoring (GMON)
GIAC Defending Advanced Threats (GDAT)
Splunk Core Power User
Duties and Responsibilities
Provide incident response services after an incident is declared and proactively search for security incidents not detected by automated alerting.
Conduct threat hunts across the judicial fabric, exploring datasets to identify anomalies indicative of threat actor activity, and, when appropriate, build threat actor dossiers, disrupt operations, identify misconfigurations, vulnerabilities, and visibility gaps.
Accept and respond to government technical requests through the AOUSC ITSM ticketing system (e.g., HEAT or ServiceNow), targeting cloud-based and non-cloud-based applications such as Microsoft Azure, Microsoft O365, Microsoft Active Directory, and Cloud Access Security Brokers (e.g., Zscaler).
Review and analyze risk-based SIEM alerts when developing hunt hypotheses.
Review open-source intelligence about threat actors when developing hunt hypotheses.
Plan, conduct, and document iterative, hypothesis‑based TTP hunts using agile Scrum project management methodology.
At the conclusion of each hunt, propose, discuss, and document custom searches for automated detection of threat actor activity based on the hunt hypothesis.
Configure, deploy, and troubleshoot Endpoint Detection and Response agents (e.g., CrowdStrike and Sysmon).
Collect and analyze data from compromised systems using EDR agents and custom scripts provided by AOUSC.
Track and document cyber defense incidents from initial detection through final resolution.
Interface with IT contacts at the court or vendor to install or diagnose problems with EDR agents.
Participate in government‑led after‑action reviews of incidents.
Triage malware events to identify the root cause of specific activity.
Attend daily Agile Scrum stand‑ups and report progress on assigned Jira stories.