Senior/Principal Threat Hunting Analyst

Recruiter: QinetiQ
Location: Malvern
Salary: Competitive
Posted: 09 Sep 2020
Closes: 07 Oct 2020
Sectors: Accountancy
Contract Type: Permanent
Hours: Full Time

The role is to develop and lead the new Threat Hunting capability at the heart of the threat hunting service. This is part of a portfolio of cyber security services provided by our Enterprise Cyber business to internal and external clients.

The role includes: proactively searching for and detecting advanced persistent threats; developing and leading a team to do this, including training and coaching junior cyber analysts; and raising the maturity of QinetiQ's threat hunting capability (in the context of QinetiQ's wider cyber security capability) from Level 1 to Level 2 and beyond (ref. the UK Government Threat Hunting Capability Maturity Model in "Detecting the Unknown: A Guide to Threat Hunting", v2.0, March 2019).

This is not a shift or night working role.

Key Accountabilities:

Essential:
• Proactively search and detect advanced persistent attacks underway on a system
• Reverse engineer and analyse attacks (including malware) to understand their tools, methods and root causes
• Create hypotheses and investigate using modern tools and techniques
• Create use cases for detecting new threats, either as a result of research, collaboration (e.g. red/purple teaming), Threat Intelligence (TI), in response to incidents, or using your intuition
• Engage in research projects regarding detection methods
• Summarise findings in the form of blogs, reports or whitepapers, tailoring the technical content to suit the intended audience
• Lead a team that does all of this in a complex organisational environment, drawing on expertise from other areas as required
• Deliver effectively in an operational environment fully integrated with our other cyber security services, meeting targets and delivering to service level agreements
• Develop the maturity of the Threat Hunting capability
• Coach and train more junior cyber analysts to become capable threat hunting analysts

Desirable:
• Apply data analytics to inform and enrich understanding

Key Capabilities/Knowledge:

Essential:
• Expertise in alert monitoring, incident response and technical forensics
• Understanding of network and endpoint characteristics, and normal behaviour thereof
• Understanding of threat intelligence and how to use it effectively
• Appreciation and/or qualifications in cyber red teaming and security engineering
• Detailed understanding of Tactics, Techniques and Procedures (TTPs) used by advanced Threat Actors
• Detailed understanding of security technologies such as intrusion detection and prevention technologies, endpoint protection and proxies and ability to interpret log data produced by these technologies
• Knowledge of relevant frameworks such as MITRE ATT&CK, GPG-13 and CIS 20
• Knowledge of relevant standards, regulations and legislation such as ISO 27001, GDPR and the Computer Misuse Act
• Able to develop hypotheses for threat hunting investigations
• Able to write SQL queries, regular expressions and PowerShell/bash scripts
• Able to use intelligence from a variety of sources (e.g. OSINT tools) to hunt for attackers
• Able to perform simple static and dynamic malware analysis
• Able to communicate across domains (business, technical, commercial) as well as with third parties
• Able to build and lead teams
• Able to work effectively in an operational environment and meet milestones & targets

Desirable:
• Working knowledge of Cloud functions and capabilities (SaaS, Serverless functions, IAM)
• Able to perform complex malware analysis
• Able to define tailored, tactical and strategic remediation plans for compromised organisations following a cyber incident
• Knowledge of Agile methodology, project and risk management

Experience & Qualifications

Essential:
• Experience of working in an information security role in an operational environment
• Demonstrated ability to proactively detect Advanced Persistent Threats, in addition to Hacktivists, 'Script Kiddies' and other adversaries
• Experience using threat hunting tools and big data platforms
• Security Information and Event Management (SIEM) experience, ideally with both Splunk and LogRhythm, including content development and use case creation
• Operational network security experience, including configuring network architecture, host, data and/or application security in multiple operating system environments
• Experience of Digital Forensics investigations using network and host data
• Experience of utilizing Endpoint Detection and Response (EDR) tools, including the investigatory and response modules and developing signals
• Leadership

Desirable:
• A Bachelor's Degree in Computer Science, Computer Networks, Information Security or other related technical discipline or equivalent experience
• Experience working in a dedicated, specialist Threat Hunting team
• Relevant market domain experience (e.g. Government, Critical National Infrastructure, Defence)
• Digital Forensics using memory analysis
• Qualifications such as CREST Practitioner Intrusion Analyst (CPIA), GIAC Certified Intrusion Analyst (GCIA), GIAC Certified Incident Handler (GCIH) or Cisco Certified Network Professional Security (CCNP Security)
• Completion of relevant training courses (e.g. SANS SEC487, SEC504, FOR500, FOR508, FOR572, etc.)
• Experience developing the capabilities of junior CSOC analysts

Person Specification:
• A true passion for cyber security, and a relentless desire to stay ahead of the adversaries, evidenced by significant continuous professional development
• Flexibility to meet operational requirements is essential
• Ability to work well as part of a team, cooperatively and professionally
• Ability to lead, and work effectively with, individuals with varying levels of experience
• Multi-tasker with the willingness and ability to learn and adapt quickly
• Ability to work unsupervised and adhere to process and policy
• Outstanding attention to detail
• Self-starting and motivated
• Analytical and deeply curious
• Strong written, verbal and customer service skills
• Demonstrates a positive attitude towards change and suggests improvements
• Ability to offer mentoring and learning support to junior practitioners