Cyber Defence Technical and Content Author
- Employer
- GardPass Consulting
- Location
- Hereford (some work can be done off-site)
- Salary
- Rate is negotiable (subject to experience)
- Closing date
- 3 Feb 2023
- Clearance Level
- DV
- Sector
- Administration / Secretarial, Aerospace, Biotechnology, Central Government, Consultancy, Cyber Security, Defence, Digital Forensics, Engineering, Information Technology, Intelligence, Logistics, Nuclear, Policing, Public Sector, Scientific, Security, Space, Telecommunications, Counter Terrorism, Investigation, Surveillance, Marine
- Job Type
- Contract
Job Details
Description of a DV-cleared role, based at the customer site (some work can be done off-site)
Uses data collected from a variety of cyber defence toolsets to analyse events occurring within the ICS/network environment for the purpose of mitigating threats.
Tasks:
• Develop content/use cases/playbooks for Security Information and Event Management (SIEM) solutions and provide SME assistance in the construction of signatures and correlation rules to be implemented in response to new or observed threats within the network/enterprise
• Use the Authority’s environment for continual monitoring and analysis of on-boarded ICS/networks to identify malicious activities
• Develop the capability to write custom lists, queries and rules within the Authority’s environment
• Coordinate and conduct event collection, log management, event management, compliance automation and identity monitoring activities
• Assist the Authority’s environment engineering team in identifying how logs should be parsed
• Mentor and support the existing Level 1 Analysts to triage alerts independently and support their role development within the Authority’s environment
• Produce supporting documentation for the Authority’s environment detailing governance, procedures and processes for Level 1 and Level 2 Analysts, linked to the engineering documentation
• Develop innovative and cutting-edge detection content, utilising the MITRE ATT&CK and Cyber Kill Chain frameworks, and liaise with the Authority’s environment threat intelligence (TI) team to help the Authority understand its adversaries’ TTPs, and to prioritise and test its defences in order to mature its security posture
• Analyse ICS/network alerts received by the Authority’s environment and determine possible causes of such alerts
• Analyse identified malicious activity to determine ICS/network weaknesses being exploited, the exploitation methods and effects on the system and information
• Characterise and analyse network traffic in-depth to identify anomalous activity and potential threats to ICS/networks
• Provide timely detection, identification and alerting of possible attacks/intrusions, anomalous activities and misuse activities and distinguish these incidents and events from benign activities
• Coordinate with the Authority’s environment staff to validate network alerts
• Document and escalate incidents that may cause ongoing and immediate impact to the environment
• Perform cyber defence trend analysis and reporting
• Work with ambition to support the Authority with the maturation of the Authority’s environment, demonstrating a desire to broaden your own skills and knowledge and, in turn, to impart that knowledge to others
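The rule-writing and triage tasks listed above (SIEM correlation content, custom lists for tuning, MITRE ATT&CK mapping, and separating intrusions from benign activity) in working form, as an added example that is not part of this advert and is not code from GardPass Consulting or from any Authority tooling: a small Python correlation rule run over constructed sshd-style authentication log lines. The log lines, source addresses, the authorised-scanner allowlist, the threshold and window values, and all function names are assumptions made for the illustration.

```python
"""Added example: a minimal SIEM-style correlation rule in plain Python.

Not code from the job advert or from GardPass Consulting. It parses
constructed sshd-style auth log lines, correlates failed and accepted logins
per source address inside a sliding time window, maps the result to MITRE
ATT&CK T1110 sub-techniques, and applies a custom allowlist for tuning.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Four source addresses:
# 10.0.0.5 guesses several accounts and then logs in; 10.0.0.9 is a user who
# mistyped once; 10.0.0.7 hammers one account and never gets in;
# 10.0.0.250 is an authorised scanner whose failures should be suppressed.
SAMPLE_LOGS = """\
2023-01-20T09:00:01Z host1 sshd[101]: Failed password for admin from 10.0.0.5 port 4311 ssh2
2023-01-20T09:00:03Z host1 sshd[102]: Failed password for admin from 10.0.0.5 port 4312 ssh2
2023-01-20T09:00:04Z host1 sshd[103]: Failed password for root from 10.0.0.5 port 4313 ssh2
2023-01-20T09:00:06Z host1 sshd[104]: Failed password for oper from 10.0.0.5 port 4314 ssh2
2023-01-20T09:00:07Z host1 sshd[105]: Failed password for oper from 10.0.0.5 port 4315 ssh2
2023-01-20T09:00:09Z host1 sshd[106]: Accepted password for oper from 10.0.0.5 port 4316 ssh2
2023-01-20T09:01:00Z host1 sshd[107]: Failed password for alice from 10.0.0.9 port 5000 ssh2
2023-01-20T09:01:05Z host1 sshd[108]: Accepted password for alice from 10.0.0.9 port 5001 ssh2
2023-01-20T10:30:00Z host1 sshd[109]: Failed password for bob from 10.0.0.7 port 6000 ssh2
2023-01-20T10:30:01Z host1 sshd[110]: Failed password for bob from 10.0.0.7 port 6001 ssh2
2023-01-20T10:30:02Z host1 sshd[111]: Failed password for bob from 10.0.0.7 port 6002 ssh2
2023-01-20T10:30:03Z host1 sshd[112]: Failed password for bob from 10.0.0.7 port 6003 ssh2
2023-01-20T10:30:04Z host1 sshd[113]: Failed password for bob from 10.0.0.7 port 6004 ssh2
2023-01-20T11:00:00Z host1 sshd[114]: Failed password for root from 10.0.0.250 port 7000 ssh2
2023-01-20T11:00:01Z host1 sshd[115]: Failed password for admin from 10.0.0.250 port 7001 ssh2
2023-01-20T11:00:02Z host1 sshd[116]: Failed password for oper from 10.0.0.250 port 7002 ssh2
2023-01-20T11:00:03Z host1 sshd[117]: Failed password for bob from 10.0.0.250 port 7003 ssh2
2023-01-20T11:00:04Z host1 sshd[118]: Failed password for alice from 10.0.0.250 port 7004 ssh2
"""

# Hypothetical custom list: addresses of authorised vulnerability scanners
# whose failed logins are expected and should not raise this alert.
AUTHORISED_SCANNERS = {"10.0.0.250"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text):
    """Turn raw lines into dicts with a datetime timestamp; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def _technique(failures):
    """Many accounts from one source reads as spraying; a single account as guessing."""
    return "T1110.003" if len({f["user"] for f in failures}) > 1 else "T1110.001"


def correlate(events, threshold=5, window=timedelta(seconds=60), allowlist=AUTHORISED_SCANNERS):
    """Per source address: >= threshold failures inside `window` raises a medium alert;
    an accepted login from the same source while that burst is live escalates it to high."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        if src in allowlist:
            continue  # tuning: suppress known-benign sources via the custom list
        failures, burst = [], None  # burst is the open alert for the current run of failures
        for e in evs:
            failures = [f for f in failures if e["ts"] - f["ts"] <= window]
            if not failures:
                burst = None  # the previous run aged out; any new run is a separate alert
            if e["result"] == "Failed":
                failures.append(e)
                if len(failures) < threshold:
                    continue
                if burst is None:
                    burst = {"severity": "medium", "src": src,
                             "first_seen": failures[0]["ts"].isoformat(), "success_user": None}
                    alerts.append(burst)
                burst["failures"] = len(failures)
                burst["users"] = sorted({f["user"] for f in failures})
                burst["attack_technique"] = _technique(failures)
            elif burst is not None:
                # success after a burst of failures: a guess probably landed, so escalate
                burst.update(severity="high", success_user=e["user"])
                failures, burst = [], None
    return alerts


def run_sample():
    """Correlate the constructed sample; expect one high and one medium alert."""
    return correlate(parse_events(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The single user who mistyped once (10.0.0.9) and the allowlisted scanner (10.0.0.250) produce no alert, which is the benign-versus-malicious distinction the tasks describe; the threshold, window and allowlist are the knobs an analyst tunes, and the ATT&CK sub-technique tag is what lets the alert be tied back to adversary TTPs in a playbook. In a production SIEM the same logic is expressed as the product's correlation rule or query language rather than Python, but the structure (group by source, sliding window, escalate on success, suppress via custom list) carries over.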
Skills/Experience:
• Previous experience of Enterprise ICS/network architectures and technologies
• Experience and knowledge of SIEM solutions; having the ability to identify use cases and their creation, their deployment and tuning.
• Experience as a mentor/coach to junior Analysts
• Experience of writing automated test scripts or feature verification tests.
• Broad IT and network security experience and its application within a SOC environment, including best practices
• Previous experience of utilising the MITRE ATT&CK and Cyber Kill Chain frameworks
• Skilled in performing packet-level analysis to identify potential malicious activities
• Knowledge of key security frameworks e.g. ISO, NIST
• Excellent communication skills
• Experience of writing Defence/Government documentation
Desirable Qualifications:
• Broad Spectrum Cyber Course (SANS SEC401 or SEC501 or equivalent)
• SIEM Design, Architecture and Analyst Course (SANS SEC455 or SEC555 or equivalent)
• Advanced Analyst Course (SANS SEC503 or equivalent)
Company
Intelligent Recruitment
We constantly remind ourselves that people come first, so we have a commitment to providing an excellent personal service to our clients and candidates with the know-how to save you from wasted time and disappointment.
Our clients come from all commercial and industry sectors and, in particular, we have expertise in sourcing candidates in the land, marine, air, weapons, electronics, communications, avionics and cyber security domains.
GardPass Consulting bring a discerning approach to the resolution of both organisational recruitment requirements and individual career aspirations.
Mobilising and placing individuals and large teams on a global basis at speed in complex situations is one of our specialities. We offer a wealth of experience and expertise in supplying project personnel on a worldwide basis, backed up by a huge network of qualified, experienced professionals (many of them security-cleared at various levels). Many of our candidates have worked with us on several projects, often for the same client, by request.
- Website
- http://gpc.work/
- Telephone
- +44 7939 073902
- Location
-
Pendragon House, 65 London Road
St Albans
Hertfordshire
AL1 1LJ
GB