CNA's Red-Team reduces cyber risk by uncovering vulnerabilities and weaknesses in the enterprise cyber environment through coordinated ethical hacking and penetration testing scenarios. This position works closely with team members to plan, coordinate, execute and report on sophisticated ethical hacking exercises, to identify cyber vulnerabilities and reduce the risk posture of enterprise systems. This role will be primarily responsible for performing infrastructure, application, OS security assessments, and social engineering attacks and will make recommendations to management on effective countermeasures.
The successful candidate for this position will be part of an exciting and dynamic environment to help build and deliver industry leading ethical hacking capabilities to continuously protect and defend CNA employees, brand, systems, and data. Red-Team is part of the InfoSec Operations organization and assists with identifying opportunities to enhance CNA's information security posture against a broad range of cyber threats, and develop strategies to most effectively address the threats.
Essential Duties & Responsibilities
Performs a combination of duties in accordance with departmental guidelines:
- Leads and contributes to Red-Team's Tactics Techniques and Procedures (TTPs) knowledge base.
- Demonstrates subject matter expertise of penetration testing techniques and methodologies.
- Develops and customizes payloads specific to the environment software version or for evasion of defensive technologies related to mobile applications.
- Performs penetration testing of infrastructure applications and related technologies (API endpoints databases payment etc.).
- Assesses CNA's security policies standards and practices and help mature corporate security standards.
- Assists triage and test application and/or infrastructure responsible disclosure findings and newly disclosed vulnerabilities.
- Communicates findings attack paths and recommendations to technical non-technical and senior leadership through written reports and verbal presentations.
- Works with technology teams to improve CNA's threat profile.
- Works with developers to improve SDLC for applications as needed.
- Mentors SecOps team members to develop additional depth in offensive security practices.Develops scripts tools techniques and methodologies to improve the overall ability of the team to deliver high-quality tests.
- Employs advanced internal networks wireless networks mobile applications thick-client applications embedded applications or hardware penetration testing techniques.
- Acts as a primary technical contact for IT and development teams to remediate findings.
May perform additional duties as assigned.
Typically AVP or above
Skills Knowledge & Abilities
- Proficient with the common tools associated with penetration testing (Metasploit Burp Suite Cobalt Strike etc.)
- Ability to effectively code in a scripting language (Python Perl etc)
- Ability to work independently and function effectively as part of a team in a dynamic environment
Education & Experience
- Bachelor's Degree in Computer Science Information Technology or related discipline or equivalent work experience.
- Typically a minimum of ten years of information security experience (red teaming cloud security application security or network security)
- Typically a minimum of two years of experience with threat modeling concepts and frameworks (CVSS MITRE ATT&CK DREAD or STRIDE)
- Typically a minimum of six years of experience with scripting or compiled languages
- Typically a minimum of six years of penetration testing experience
- Applicable certifications preferred (OSCP OSCE OSWP CMWAPT GPEN GWAPT GMOB GAWN GXPN GCIH or CPT)