Cyber Security Analyst III - Incident Response SME III

Clearance Level
Top Secret
Cyber Security
Bethesda, Maryland

REQ#: RQ62938

Travel Required: Less than 10%
Requisition Type: Regular

We are GDIT. The people supporting and securing some of the most complex government, defense, and intelligence projects across the country. We ensure today is safe and tomorrow is smarter. Our work has meaning and impact on the world around us, but also on us, and that’s important.

GDIT is your place. You make it your own by embracing autonomy, seizing opportunity, and being trusted to deliver your best every day.  We think. We act. We deliver. There is no challenge we can’t turn into opportunity.  At GDIT, people are our differentiator.

In this role, you will be an SME responsible for the security response to viruses and other potentially catastrophic incidents in customer environments that could pose significant security risks. You will also support and mentor the other analysts who perform incident response functions for the Security Operations Center. In this position the successful candidate will:

  • Communicate and coordinate incident response efforts. 
  • Analyze reports to understand threat campaign techniques and lateral movement, and extract indicators of compromise (IOCs).
  • Act as the SME and technical lead for all incidents.
  • Carefully document the outcome and lessons learned for all incidents.
  • Prepare metrics and reports for executive review during and after the resolution of any cyber incident.
  • Coordinate and work closely with legal, HR, and law enforcement.
  • Prepare and process security policy violations discovered from incidents.
  • Provide technical support for post-event network security log review and trend analysis.
  • Recognize potential, successful, and unsuccessful intrusion attempts and compromises through thorough review and analysis of relevant event detail and summary information.
  • Ensure the integrity and protection of networks, systems, and applications through monitoring of security devices. Respond to customer escalations.
  • Identify, analyze, and document actions taken by malicious actors.
  • Determine sophistication, priority, and threat level of identified malware.
  • Examine media and malware analysis reports and operational reporting from incidents to correlate similar events, tradecraft, and TTPs of malicious activity. Conduct log and system analysis for various systems, network devices, and security devices.
  • Experience working in a wide range of environments, including Linux, UNIX, and Windows, along with a strong understanding of networking, the OSI model, and TCP/IP protocols.

  • Proven team player with excellent oral and written communications skills. 
  • Capable of working on projects independently and possess strong organizational skills.
  • Very strong communication skills and analytical aptitude, with the ability to express technical concepts effectively, both verbally and in writing.
  • Comprehensive knowledge of APT actors and their tools, techniques, and procedures (TTPs).
  • Knowledge of TCP/IP communications and of how common protocols and applications work at the network level, including DNS, HTTP, and SMB.
  • Expert knowledge of the Windows file system, registry functions, and memory artifacts, and/or expert knowledge of Unix/Linux file systems and memory artifacts.
  • Advanced Microsoft Office skills: SharePoint, PowerPoint, Excel, Outlook, and Word.
  • The position requires a sense of urgency and ownership.
  • Working knowledge of network infrastructure, cloud computing and security monitoring tools.
  • Ability to learn new technologies and apply that knowledge to daily workflows.
  • Attention to detail, organized and able to work and research independently.
  • Demonstrated adaptability, analytical and problem-solving skills, and attention to detail.
  • Experience managing cases with enterprise SIEM or incident management systems.
  • Familiarity with Federal and DoD security standards such as NIST, DCID, CNSS and DoD 8500. Experience in implementation of ITIL practices and ISO 2700 family of standards.
  • Computer networking fundamentals (e.g., basic components of a network, types of networks) and network traffic analysis methods. Working knowledge of Windows and Linux operating systems, including experience at the command line. Knowledge of IPS/IDS; experience managing cases with enterprise SIEM systems (e.g., LCE, ArcSight, Splunk) and other network security tools. Experience reviewing and analyzing network packet captures.
  • Knowledge of information security event monitoring, detection, and incident response; cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks); and attack methods and techniques (DDoS, brute force, spoofing, etc.).
  • Experience with vulnerability assessment tools such as Nessus.
  • Experience with Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS), including their functionality, deployment configuration, and analysis.

Qualifications and Education

  • BS or equivalent plus 5 years of related experience, or MS plus 3 years of experience in a technically related field, or equivalent related work experience.
  • Information security certification required. Security certifications may include, but are not limited to, CISSP, CASP, Security+, GSEC, CISA, CISM, and CEH.
  • Experience or certification in project management.
  • Previous experience on a Computer Incident Response Team (CIRT), Computer Emergency Response Team (CERT), Computer Security Incident Response Center (CSIRC), or Security Operations Center (SOC) (required).
  • Minimum of 2 years in a multi-tenant SOC or incident response company (other related fields may be acceptable at the discretion of the hiring manager).
  • Strong research background. Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy (a plus, not required).

We are GDIT. The people supporting some of the most complex government, defense, and intelligence projects across the country. We deliver. Bringing the expertise needed to understand and advance critical missions. We transform. Shifting the ways clients invest in, integrate, and innovate technology solutions. We ensure today is safe and tomorrow is smarter. We are there. On the ground, beside our clients, in the lab, and everywhere in between. Offering the technology transformations, strategy, and mission services needed to get the job done.

GDIT is an Equal Opportunity/Affirmative Action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or veteran status, or any other protected class.