Threat Operations Analyst

Duties

The joint duty assignment will serve a role as an analyst on CISA's Cybersecurity Division (CSD)- Joint Cyber Defense Collaborative (JCDC) - Chief of Ops Office(COP) Analytical and Triage team. The analyst will participate on a team responsible for the initial triage and analysis of International, Federal, Industry, State Local Tribal Territorial partner shares of cyber information. Analysts will act as SMEs during technical exchanges with partners, for scoring of CSD and JCDC operational priorities based on available information, and for sharing back information that has been enriched from CISAs holdings.

Requirements

Conditions of Employment

• Must be a current permanent Federal employee
• Must have supervisory approval to apply to the Joint Duty Assignment. DHS 250-2 Application Form under "required documents" section.
• Must NOT have any pending/outstanding disciplinary actions
• Must have achieved a minimum of "meet expectations/proficiency" on latest performance appraisal/evaluation
• Must be currently at the grade level of the detail. *No Temporary Promotion Opportunity*
• The program does not apply to members of the Military service or contractors.
  
  

Qualifications

Qualifications required:

• Access to a SCIF
• Combined 7 years' experience in any number of cybersecurity fields (preferably network, host, and intelligence analysis)
• Strong network-based analysis and analytic discovery skills (e.g., knowledgeable about common network/security protocols [HTTP, SSL, SSH, DNS/secure DNS, etc.], including ability to identify normal vs. abnormal behavior)
• Familiarity with host-based anomaly detection (e.g., have basic understanding of what normal process trees look like, vs. malware injection into a process, etc.)
• Experience connecting open-source information with network and/or host-based anomalies (e.g., identifying cyber threat intelligence about suspicious processes, finding new insights through tools such as VirusTotal, understanding of how to find threat intelligence about malformed HTTP traffic, etc.)
• Hands-on experience with open-source cyber threat/related tools (e.g., VirusTotal, Maltego, Shodan, exploit-db, etc.)
• Familiarity working with public/purchased Cyber Threat Intel (CTI) feeds/data (e.g., Crowdstrike reporting, GreyNoise, RecordedFuture, Palo Alto Xpanse, or others)
• Excellent time-management skills with the ability to work in a collaborative team on a common project/event, as well as on your own.
• Excellent mission documentation skills; familiarity with ServiceNow, Confluence, and JIRA is a plus.
• Comfort to autonomously engage with others across the Agency/organization to obtain relevant information in support of unique mission needs.
• Familiarity with Red Teaming / Cyber exploitation concepts (e.g., killchain, MITRE ATT&CK, common hacker tools such as Metasploit/Meterpreter, Kali linux, etc.)
• Ability to code/script simple programs and functions in Python, bash, powershell, etc., to enable analytic triage and automation.
• Familiarity with Amazon AWS/S3, Jupyter Notebooks, and experience using specific CTI APIs is a plus; fusing multiple mission-relevant data streams is a highly desired.
• Broad familiarity with the tactics, techniques, procedures (TTPs) of nation-state and/or ransomware actors is desired; specialization in key nation-state intel a plus.
• Excellent technical reasoning skills / considers analysis of competing hypothesis (ACH) / values quality over quantity / proactive & self-starting approach to work.
  
  

Please read the following important information to ensure we have everything we need to consider your application:

It is your responsibility to ensure that you submit appropriate documentation prior to the closing date. Your resume serves as the basis for qualification determinations and must highlight your most relevant and significant experience as it relates to this Joint Duty assignment opportunity announcement.

Be clear and specific when describing your work history since human resources cannot make assumptions regarding your experience. Your application will be rated based on your resume.

Please ensure EACH work history includes ALL of the following information:

• Job Title (Include series and grade of Federal Job)
• Duties (Be specific in describing your duties)
• Name of Federal agency
• Supervisor name, email, and phone number
• Start and end dates including month and year (e.g. June 2007 to April 2008)
  
  

Education

EDUCATIONAL SUBSTITUTION: There is no educational substitution for this position.

Additional Information

• DHS does not offer any additional benefits beyond that which the Federal employee is already receiving.
  
  

If the position requires a security clearance, employees must have a SECRET or TOP SECRET clearance to placement AND must maintain that level of clearance while performing in the position.

Selected applicants for a JDA are requested to fulfill the items below during the JDA:

• Complete the DHS Training Course 15 days prior to the arrival to the JDA.
• Complete the DHS Joint Duty Assignment Progress Plan to include:
• Phase 1: Establish assignment objectives within the first 30 days of the JDA.
• Phase 2: Complete a self-assessment of the duties performed at the mid-point of the JDA.
• Phase 3: Complete a final review within the last 30 days of the JDA.