Cyber Hunt Analyst

Location: Laurel, MD
Date Posted: 01-25-2018
Company Information:
Synergy ECP is a Service Disabled Veteran-Owned Small Business SD(VOSB) that was formed in July 2007 with Headquarters in Columbia, MD and is made up of talented, dedicated staff to provide a broad range of services to the defense, intelligence and health care industries.

In an ultra-competitive environment, Synergy ECP has thrived by adhering to our name, making sure excellence is displayed by our Employees, to our Customers and by Improving Performance (ECP).

It’s what sets us apart, enabling us to be an autonomous yet agile business that delivers huge results - showing we’re ready to meet our customers’ evolving demands.

Synergy ECP has earned a client list that includes numerous Fortune 100 companies, in addition to multiple branches of the US government and military services.
Synergy ECP is an equal opportunity employer and considers qualified applicants for employment without regard to race, color, creed, religion, national origin, sex, sexual orientation, gender identity and expression, age, disability, veteran status, or any other protected class.

Clearance Required: TS/SCI w/ Full Scope Polygraph

In support of the Active Security Mission we are looking for someone who will perform Cyber Threat  analysis and serve as a critical component of the 24/7 IA integrated operations team (shift work not required).  You will identify new opportunities for active/holistic defense against adversarial activities based on IA vulnerability information and will work closely with the Customer to ensure experiences, risk mitigation techniques, IA guidance, and best practices are brought to bear on the most critical threats on a continuous basis.

Task Activities:
You will provide the following security operations tasks in support for  Enterprise Management networks, systems, and applications:
  • Discovers and characterizes network and platform anomalies.
  • Provides first instance threat actors analysis and reports to Enterprise Mission Elements as appropriate.
  • Continuously monitors, identifies, and analyzes anomalous network activity on various networks.
  • Evaluates and documents identified cross domain violations and submits findings to the Reporting Team Member for analysis and report generation.
  • Conducts all multisource analyses to examine network traffic for high priority malicious attacks, anomalous traffic, or other incidents of interest.
  • Provides initial event analysis assessing the vulnerability implications for technologies and customers.
  • Collaborates with Information Systems Incident Response Team (ISIRT) Operation to analyze and recommend risk mitigation measures; recommends modifications to ISIRT operational priorities based on IA vulnerability information.
  • Coordinates vulnerability analysis of watch floor cyber events with appropriate Mission Elements.
  • Identifies potential areas for deeper dive analysis of threats and vulnerabilities for Mission Elements.
  • Examines network topologies to understand data flows through networks and provides mechanisms to tip countermeasures.
  • Employs tools to discover new threat actors.
  • Continuously monitors and maintains situational awareness of:
    • All planned, projected, ongoing, or recently completed IA Operations activities.
    • Adversarial capabilities, exploits, vulnerabilities, mitigations, techniques, and best practices information and guidance through all-source research.
    • Cyber activity, identifying reportable information based on reporting requirements.
  • Provides IA content appropriate for insertion into ISIRT reporting.
  • Updates Cyber Windshield/ISIRT with IA reporting content.
  • Evaluates cross domain violations and generates appropriate content.
  • Implements the applicable reporting guidelines outlined in applicable directives and guidance.
  • Understands and employs the different handling and reporting instructions required for Mission and IA derived data.
  • Analyzes, identifies, documents, and submits recommendations for sensor network based on capabilities and requirements.
  • Provides the ISIRT Operations with the status , availability, and sustainability of critical sensors/capabilities for cross mission use enabling mission integration and current status of all IA collection requirements.
  • Conducts research and planning required for strategy development in response to real-time operations requirements.
  • Identifies and documents triage data gaps in order to determine how IA and vulnerabilities assets can help posture on cyber-related issues.
  • Develops and synchronizes the tasking of signature and rule sets across all data sources.
Skill Set:
  • Hands on experience NOT just theoretical
  • Tier III Analyst experience
  • Malware Analysis
  • Reverse Engineering
  • Network Analytics
  • Incident Investigations
  • Deep understanding of TCP/IP
    • Low Level Networking and Protocols
    • Reiterated need to have strong comfort level with IPv4, TCP/IP, and RFC data
    • TCP/UDP Port #s for Apps, what is normal/abnormal
    • Understand endpoint and on-wire activity
  • Knowing how do you string together data
  • Knowing what questions to ask
  • Knowing what activities will point to a target that we care about
  • Ability to think “outside the box”
    • Not willing to settle for conventional wisdom
    • Reliance on GUI is too inside the box
  • How to deal with this in Cloud Environment?
    • Looking at Cloud Analytics
    • How do we take advantage of the cloud
      • PIG scripts/jobs to present data
      • HDFS – Hadoop Distributed File System
  • How do you find the data that is not supposed to be there?
    • Analyze data – Get familiarity with was captured
    • Filter data – Using tools
    • Break down into smaller chunks
      • Look at protocols, network layers
      • Conduct netflow analysis to assess unknowns
      • Origination IP, destination IP, ports,
      • What unique protocols being used that are non-standard?
    • Reconstruct
  • Use of SIEMs or scripting to pull data into usable formats
    • Connectors being used to pull into ArcSight
    • Notification sources are
      • Antivirus
      • HIDS
      • Firewalls
  • Tier III/Expert CND Analyst would be best
    • Want to improve the abilities of the team
    • Unclass, Wireless, SCADA
    • How to prioritize jobs:

  •  We are looking for the right intellectual inquisitiveness.  Tools can be taught OJT.  Some of the tools include:
  • Linux command line ability required
  • Scripting experience is desired
  • EnCase Enterprise
  • FTK
  • TCP Dump
  • SNORT/SNORT signatures
  • PCAP
  • Netflow
  • YAF – Yet Another Flowmeter
No certifications are required, but the following are highly desired:
  • IAT II:GSEC, Security+ CE, SSCP
  • CND Analyst:GCIA, GCIH, C/EHAlso we would welcome any SANS certs dealing with Intrusion Analysis and Forensic Analysis.
this job portal is powered by CATS