Cyber Threat Hunter

Posted Yesterday
Be an Early Applicant
Washington, DC, USA
In-Office
Senior level
Software
The Role
Perform hypothesis-driven threat hunts and incident response across cloud and on-prem environments (Azure, O365, AD, Zscaler). Use Splunk ES, Sentinel, EDR (CrowdStrike), Sysmon/Auditd, and network tools to collect, analyze, and document findings. Produce hunt hypotheses, reports, detection logic, SOPs, and weekly updates. Participate in agile scrum, Jira ticketing, on-call IR support, and coordinate with court IT for agent deployment and remediation.
Summary Generated by Built In
cFocus Software seeks a Mid Level Cyber Threat Hunter to join our program supporting US Courts in Washington, DC. This position is 4 days a week onsite in DC and one day remote.
Required Qualifications include:
  • 5+ years of experience performing threat hunts & incident response activities for cloud-based and non-cloud-based environments, such as: Microsoft Azure, Microsoft O365, Microsoft Active Directory, and Zscaler 
  • 5+ years of experience performing hypothesis-based threat hunt & incident response utilizing Splunk Enterprise Security.
  • 5+ years of using Splunk to create queries and look up tables.
  • 5+ years of experience collecting and analyzing data from compromised systems using EDR agents (e.g. CrowdStrike) and custom scripts (e.g. Sysmon & Auditd)
  • 5+ years of experience with the following threat hunting tools:
    • Microsoft Sentinel for threat hunting within Microsoft Azure;
    • Tenable Nessus and SYN/ACK for vulnerability management;
    • NetScout for analyzing network traffic flow;
    • SPUR.us enrichment of addresses
    • Mandiant Threat intel feeds
  • Must be able to work 80% (Monday thru Thursday) onsite at AOUSC office in Washington, DC
Desired Qualifications include:
  • One of the following certifications:
    • GIAC Certified Intrusion Analyst (GCIA)
    • GIAC Certified Incident Handler (GCIH)
    • GIAC Continuous Monitoring (GMON)
    • GIAC Defending Advanced Threats (GDAT)
    • Splunk Core Power User
Duties:
  • Provide incident response services after an incident is declared and provides a service that proactively searches for security incidents that would not normally be detected through automated alerting.
  • The Threat Hunt mission is to explore datasets across the judicial fabric to identify unique anomalies that may be indicative of threat actor activity based on the assumption that the adversary is already present in the judicial fabric.
  • Accept and respond to government technical requests through the AOUSC ITSM ticket (e.g., HEAT or Service Now), for threat hunt support. Threat hunt targets include cloud-based and non-cloud-based applications such as: Microsoft Azure, Microsoft O365, Microsoft Active Directory, and Cloud Access Security Brokers (i.e., Zscaler).
  • Review and analyze risk-based Security information and event management (SIEM) alerts when developing hunt hypotheses.
  • Review open-source intelligence about threat actors when developing hunt hypotheses.
  • Plan, conduct, and document iterative, hypothesis based, tactics, techniques, and procedures (TTP) hunts utilizing the agile scrum project management methodology.
  • At the conclusion of each hunt, propose, discuss, and document custom searches for automated detection of threat actor activity based on the hunt hypothesis.
  • Configure, deploy, and troubleshoot Endpoint Detection and Response agents (e.g., CrowdStrike and Sysmon).
  • Collect and analyze data from compromised systems using EDR agents and custom scripts provided by the AOUSC.
  • Track and document cyber defense incidents from initial detection through final resolution.
  • Interface with IT contacts at court or vendor to install or diagnose problems with EDR agents.
  • Participate in government led after action reviews of incidents.
  • Triage malware events to identify the root cause of specific activity.
  • Attend daily Agile Scrum standups and report progress on assigned Jira stories.
Deliverables:
  • Hunt Hypotheses: Hunt hypotheses describe how an actor might operate in the network while remaining undetected. The hypothesis describes what is expected to happen if the hypothesis is true and what is expected to happen if the hypothesis is false. The hypothesis contains all data required, is free from errors in grammar, spelling, content, and submitted in the specified times that are stated in the deliverable section.
  • Hunt Reports: Hunt reports describe the original hypothesis and all iterations. At each stage, the report details how the hypothesis was tested and the results. The reports contain all data required, is free from errors in grammar, spelling, content, and submitted in the specified times that are stated in the deliverable section.
  • Detection Logic: Document and test detection logic for automated detection of threat actor activity based on hunt hypothesis. Detection logic in the form of Splunk Enterprise Security (ES) searches that are run at proposed intervals. Proposal and discussion will happen in agile scrum stand up meetings. Document in Jira stories.
  • Advanced SME IR Reports: Timely Advanced SME IR Support for Priority 1 Security Events. SME actively participating in IR activities within 4 hours of request (7x24x365).
  • Incident Report: Document all incident details in an incident report. Report shall include executive summary, details of incident, security impact of incident, timeline of incident, and actions taken.
  • Provide Weekly Reports to the AOUSC Program Manager that documents all activities, tasks, tickets and documents worked on.
  • Document repeatable Standard Operation Procedures (SOPs) and playbooks for security use cases.

Skills Required

  • 5+ years performing threat hunts and incident response for cloud and non-cloud environments (Microsoft Azure, Microsoft O365, Microsoft Active Directory, Zscaler)
  • 5+ years performing hypothesis-based threat hunting and incident response utilizing Splunk Enterprise Security
  • 5+ years using Splunk to create queries and lookup tables
  • 5+ years collecting and analyzing data from compromised systems using EDR agents (e.g., CrowdStrike) and custom scripts (e.g., Sysmon, Auditd)
  • 5+ years experience with threat hunting tools: Microsoft Sentinel, Tenable Nessus, SYN/ACK, NetScout, SPUR.us, and Mandiant threat intel feeds
  • Ability to work 80% onsite (Monday–Thursday) at AOUSC office in Washington, DC
  • Provide incident response services and be available for Advanced SME IR support (respond within 4 hours for Priority 1 events)
  • Familiarity with ITSM ticketing systems (ServiceNow or HEAT) and Agile Scrum processes (Jira)
  • GIAC GCIA, GCIH, GMON, GDAT, or Splunk Core Power User certification
Am I A Good Fit?
beta
Get Personalized Job Insights.
Our AI-powered fit analysis compares your resume with a job listing so you know if your skills & experience align.

The Company
HQ: Largo, MD
25 Employees
Year Founded: 2006

What We Do

Established in 2006, cFocus Software automates FedRAMP compliance and develops government chatbots for the Azure Government Cloud, Office 365, and SharePoint. cFocus Software is the exclusive vendor of ATO (Authority To Operate) as a Service™, which automates FedRAMP compliance for the Azure Government Cloud and Office 365. Contact Us for a demo of ATO as a Service™ or a FREE government chatbot proof of concept project today!

Similar Jobs

PwC Logo PwC

Tax Innovation - Software Engineering - Senior Associate

Artificial Intelligence • Professional Services • Business Intelligence • Consulting • Cybersecurity • Generative AI
Hybrid
4 Locations
370000 Employees
77K-214K Annually

PwC Logo PwC

Healthcare Provider Business Operations Consulting- Manager

Artificial Intelligence • Professional Services • Business Intelligence • Consulting • Cybersecurity • Generative AI
Hybrid
39 Locations
370000 Employees
99K-232K Annually

PwC Logo PwC

Strategic Alliance Sales Director (CRE): AWS

Artificial Intelligence • Professional Services • Business Intelligence • Consulting • Cybersecurity • Generative AI
Hybrid
35 Locations
370000 Employees
123K-123K Annually

PwC Logo PwC

Client Strategy Manager - Pharma

Artificial Intelligence • Professional Services • Business Intelligence • Consulting • Cybersecurity • Generative AI
Remote or Hybrid
34 Locations
370000 Employees
212K-244K Annually

Similar Companies Hiring

Hanover Park Thumbnail
Artificial Intelligence • Fintech • Software • Financial Services
New York, New York
42 Employees
Kepler  Thumbnail
Fintech • Software
New York, New York
6 Employees
Onshore Thumbnail
Artificial Intelligence • Fintech • Software • Financial Services
New York, New York
60 Employees

Sign up now Access later

Create Free Account

Please log in or sign up to report this job.

Create Free Account