Threat Hunter

Who we are:

ShorePoint is a fast-growing, industry recognized, and award-winning cybersecurity services firm with a focus on high-profile, high-threat, private and public-sector customers who demand experience and proven security models to protect their data. ShorePoint subscribes to a “work hard, play hard” mentality and celebrates individual and company successes. We are passionate about our mission and going above and beyond to deliver for our customers. We are equally passionate about an environment that supports creativity, accountability, diversity, inclusion, and a focus on giving back to our community.  

The Perks:

As recognized members of the Cyber Elite, we work together in partnership to defend our nation’s critical infrastructure while building meaningful and exciting career development opportunities in a culture tailored to the individual technical and professional growth. We are committed to the belief that our team members do their best work when they are happy and well cared for. In support of this philosophy, we offer a comprehensive benefits package, including major carriers for health care providers. Highlighted benefits offered: 18 days of PTO, 11 holidays, 80% of insurance premium covered, 401k, continued education, certifications maintenance and reimbursement, etc.

Who we’re looking for:

We are seeking a Threat Hunter who has experience providing support in a dynamic, fast-paced environment within the public sector. This is a unique opportunity to shape the growth, development, and culture of an exciting and fast-growing company in the cybersecurity market. The Threat Hunter will have the opportunity to be exposed to all aspects of support to a federal client and will be encouraged to grow as the organization expands.  

What you’ll be doing: 

• Provide first line SOC support with timely triage, routing and analysis of SOC tasks
• Researches, develops, and monitors custom visualizations
• Researches, analyzes, and writes documents such as cybersecurity briefings for all levels of stakeholders from Tier 1-3 SOC, security engineering, and executives
• Tunes and develops SIEM correlation logic for threat detection
• Ensures documentation is accurate and complete, meets editorial and government specifications, and adheres to standards for quality, graphics, coverage, format, and style.
• Develop scripts using Python to automate IR functions, including (but not limited to) IOC ingestion and SIEM integration via REST APIs to minimize repetition of duties and automate tasks.
• Produce and review aggregated performance metrics
• Perform Cyber Threat Assessment and Remediation Analysis
• Processing, organizing, and analyzing incident indicators retrieved from the client environment and correlating said indicators to various intelligence data
• Assisting in the coordination with internal teams as well as in the creation of engagement deliverables for a multitude of activities, including but not limited to Insider Threats, Rule of Engagement (ROE), Threat Hunting, After Action Reports, and other artifacts to support testing, monitoring and protecting the enterprise
• Investigate network and host detection and monitoring systems to advise engagement processes
• Develop and Execute bash and python scripts to process discrete log files and extract specific incident indicators; develop tools to aid in Tier 1 and Tier 2 functions
• Participate in on-call rotation for after-hours security and/or engineering issues
• Participate in the increase of effectiveness and efficiency of the SOC, through improvements to each function as well as coordination and communication between support and business functions
• Think critically and creatively while analyzing security events, network traffic, and logs to engineer new detection methods
• Work directly with Security and SOC leadership on cyber threat intelligence reports to convert intelligence into useful detection
• Participate in on-call rotation for after-hours security and/or engineering issues
• Collaborate with incident response team to rapidly build detection rules as needed
• Responsible for supporting 24x7x365 SOC operations including but not limited to: Alert and notification activities- analysis/triage / response, Review and action on Threat Intel for IOCs and other operationally impactful information, initial review and triage of reported Incidents
• Perform analysis across all security tools, uncovering attack vectors involving a variety of malware, data exposure, and phishing and social engineering methods
• Monitoring/triage security events received through alerts from SIEM or other security tools; escalate and support to IR as appropriate
• IDS monitoring and analysis, analyze network traffic, log analysis, prioritize and differentiate between potential intrusion attempts and false alarmsReview and reporting on anomalous patterns (Hunting) across all security tools / SIEM
• Develop in in-depth understanding of customer and SOC operations requirements and policies
• Ensure reports are properly entered into the tracking system
• Perform customer security assessments
• Supporting incident response or remediation as needed
• Participate and develop and run tabletop exercises
• Perform lessons learned activities
• Supporting ad-hoc data and investigation requests
• Composing reports, updates, security alert notifications or other artifacts and documents as needed

What you need to know: 

• Deep understanding of Cyber Threat TTPs, Threat Hunt, and the application of the Mitre Attack Framework
• Experience supporting 24x7x365 SOC operations including but not limited to Alert and notification activities- analysis/triage/response, Review and action on Threat Intel for IOCs and other operationally impactful information, initial review and triage of reported alerts and Incidents
• Support alert and notification triage, review/analysis through resolution / close
• Manage multiple tickets/alerts in parallel, including end-user coordination
• Demonstrated ability to evaluate events (through a triage process) and identify appropriate prioritization for response
• Solid understanding and experience analyzing security events generated from security tools and devices not limited to FireEye, Elastic, SourceFire, Malware Bytes, CarbonBlack/Bit9, Splunk, Prisma Cloud/Compute, Cisco IronPort, BlueCoat
• Experience and solid understanding of Malware analysis
• Demonstrated proficiencies with one or more toolsets such as Bit9/CarbonBlack, Endgame, FireEye HX / CM / ETP, Elastic Kibana
• Experience and ability to use, contribute, develop and follow Standard Operating Procedures (SOPs)
• In-depth experience with processing and triage of Security Alerts from multiple sources but not limited to: Endpoint security tools, SIEM, email security solutions, CISA, Threat Intel Sources
• Experience with scripting languages applied to SOC operations; for example, automating investigations with tools, automating IOC reviews, support SOAR development
• Experience with bash, python, and Windows Powershell scripting
• Demonstrated experience with triage and resolution of SOC tasks, including but not limited to: vulnerability announcements, phishing email review, Tier 1 IR support, SIEM/Security Tools - alert analysis
• Demonstrated experience and understanding of event timeline analysis and correlation of events between log sources
• Demonstrated experience with the underlying logs generated by operating systems (Linux/Windows), Network Security Devices, and other enterprise tools
• Demonstrated proficiencies with an enterprise SIEM or security analytics solution, including the Elastic Stack or Splunk.
• Solid understanding and experience analyzing security events generated from security tools and devices not limited to: Carbon Black, FireEye, Palo Alto, Cylance, and OSSEC
• Experience and solid understanding of Malware analysis
• Understanding of security incident response processes

Must have’s: 

• Ability to support working hours: 8:45 AM - 5:15 PM Eastern Time
• Ability to participate in a rotating SOC on-call; rotation is based on number of team members
• Minimum of Twelve (12) years technical experience
  • 7+ years of SOC
  • 3+ years of rule development and tuning experience
  • 1+ years Incident response

Beneficial to have the following:

• GIAC-GCIH – Global Certified Incident Handler
• GIAC-GCFE - Global Information Assurance Certification Forensic Examiner
• GIAC-GCFA - Global Information Assurance Certification Forensic Analyst
• GIAC-GREM -  GIAC Reverse Engineering Malware
• GIAC-GNFA - GIAC Network Forensic Analyst
• GIAC-GCTI - GIAC Cyber Threat Intelligence
• GIAC-GPEN – GIAC Certified Penetration Tester
• GIAC-GWAPT – GIAC Certified Web Application Penetration Tester
• CEPT - Certified Expert Penetration Tester (CEPT)
• CASS - Certified Application Security Specialist (CASS)
• CWAPT - Certified Penetration Tester (CWAPT)
• CREA - Certified Reverse Engineering Analyst (CREA) 

Where it’s done: 

• Herndon, VA or Remote