cFocus Software Incorporated
Cyber Threat Hunter (Senior)
cFocus Software Incorporated, Olympia, Washington, United States
cFocus Software seeks a Cyber Threat Hunter (Senior) to join our program supporting US Courts in Washington, DC.
Required Qualifications
5 years of experience performing threat hunts & incident response activities for cloud-based and non-cloud-based environments such as Microsoft Azure, Microsoft O365, Microsoft Active Directory, and Zscaler.
5 years of experience performing hypothesis-based threat hunt & incident response utilizing Splunk Enterprise Security.
5 years of experience collecting and analyzing data from compromised systems using EDR agents (e.g., CrowdStrike) and custom scripts (e.g., Sysmon & Auditd).
5 years of experience with the following threat hunting tools:
Microsoft Sentinel for threat hunting within Microsoft Azure
Tenable Nessus and SYN/ACK for vulnerability management
NetScout for analyzing network traffic flow
SPUR.us for enrichment of addresses
Mandiant threat intel feeds
Must be able to work 80% of the time (Monday through Thursday) onsite at the AOUSC office in Washington, DC
Desired Qualifications
One of the following certifications:
GIAC Certified Intrusion Analyst (GCIA)
GIAC Certified Incident Handler (GCIH)
GIAC Continuous Monitoring (GMON)
GIAC Defending Advanced Threats (GDAT)
Splunk Core Power User
Duties
Provide incident response services after an incident is declared and proactively search for security incidents not detected through automated alerting.
Explore datasets across the judicial fabric to identify unique anomalies indicative of threat actor activity, conduct counterintelligence, build threat actor dossiers, disrupt adversary operations, identify misconfigurations/vulnerabilities, and identify visibility/detection gaps.
Accept and respond to government technical requests through the AOUSC ITSM ticketing system (e.g., HEAT or ServiceNow) for threat hunt support across cloud-based and non-cloud-based applications such as Microsoft Azure, Microsoft O365, Microsoft Active Directory, and Cloud Access Security Brokers.
Review and analyze risk-based SIEM alerts when developing hunt hypotheses.
Review open-source intelligence about threat actors when developing hunt hypotheses.
Plan, conduct, and document iterative, hypothesis-based TTP hunts utilizing agile scrum methodology.
At the conclusion of each hunt, propose, discuss, and document custom searches for automated detection of threat actor activity.
Configure, deploy, and troubleshoot Endpoint Detection and Response agents (e.g., CrowdStrike and Sysmon).
Collect and analyze data from compromised systems using EDR agents and custom scripts provided by the AOUSC.
Track and document cyber defense incidents from initial detection through final resolution.
Interface with IT contacts at court or vendor to install or diagnose problems with EDR agents.
Participate in government-led after-action reviews of incidents.
Triage malware events to identify the root cause.
Attend daily Agile Scrum standups and report progress on assigned Jira stories.
Deliverables
Hunt Hypotheses: Describe how an actor might operate in the network while remaining undetected, including expected outcomes and required data. Deliver on time.
Hunt Reports: Detail each stage of hypothesis testing and results. Deliver on time.
Detection Logic: Document and test detection logic for automated detection of threat actor activity based on hunt hypothesis. Include Splunk Enterprise Security searches.
Advanced SME IR Reports: Provide timely support for Priority 1 Security Events, participating in IR within 4 hours of request.
Incident Report: Document all incident details including executive summary, security impact, timeline, and actions taken.
Weekly Reports: Provide weekly reports to the AOUSC Program Manager documenting all activities, tickets, and documents.
Standard Operating Procedures (SOPs): Document repeatable SOPs and playbooks for security use cases.
Equal Employment Opportunity Statement
To comply with government Equal Employment Opportunity and/or affirmative action reporting regulations, we are requesting (but NOT requiring) that candidates voluntarily provide personal data. This information will not be used in hiring decisions.