Threat Hunter

Threat Hunter

WHAT WE ARE LOOKING FOR

We are looking for motivated individuals to work in the field of Threat Hunting (TH). We encourage both experienced candidates, and candidates with strong commitment and relevant skills to apply.

As a Threat Hunter in the Threat Intelligence Operations (TI-OPS) team, you will have a particular focus on supporting our Threat Hunting program. Here you will develop threat hypothesis of adversary behavior, execute hunting missions, write briefs on hunting analytics, -missions and -findings, and performing continuous improvement activities of our processes, procedures, methods and tooling as needed. You will play an integral part in the production of Threat Hunting deliverables, and in analysing threats and data originating from thousands of incidents detected by mnemonic, third party telemetry, as well as novel sources and methods.

To be successful in this role, you must be self-driven with in-depth technical knowledge, and the curiosity to dive deeply into the intersection between Security Operations, Digital Forensics and Threat Intelligence.

WHAT WE CAN OFFER

• An unique environment consisting of more than 250+ security specialists that daily work with some of the most demanding and awarding challenges within IT and information security.
• Exciting projects and significant influence in design and architectural choices in own projects.
• Professional training (courses) and conferences.
• Competitive terms including a collective bonus scheme for all employees.
• A solid and profitable corporate economy providing resources for development and innovation.
• A remote-friendly culture which emphasises on a healthy work-life balance.
• For the past nine years, mnemonic has been ranked among Norway’s and Europe’s best workplaces by Great Place to Work. In Norway, we’ve been among the top 3 the last five years!

WHAT YOU WILL DO

The position covers a wide range of tasks, which include:

• Develop threat hypothesis of adversaries behavior, and perform open- and closed research to formulate detection strategies of said behavior.
• Plan and execute hunting missions to investigate hypotheses in raw telemetry and data lakes for the purpose of identifying threats and providing context to various stakeholders.
• Assist incident responders, CTI analysts and intrusion analysts in pivoting network -, log- and endpoint-data in the investigation of targeted attacks and serious profiteering campaigns against mnemonic’s customers.
• Researching and analysing malware, attack campaigns, threat groups and their tactics, techniques and procedures (TTP) as observed in the threat landscape.
• Applying Threat Intelligence and Threat Model scenarios as part of our threat hunting function, and provide guidance to our detection engineers on strategies and detection logic needed to operationalise 24/7 detection.
• Assess and implement new methods, processes, tools and deliverables as part of our Threat Hunting program and operational functions.
• Build on existing threat hunting practices to improve and mature our repeatable threat hunting workflow and the overall Threat Hunting program.
• Perform in-depth forensics, memory analysis and artifact analysis on confirmed or suspected compromised machines as part of incident response engagements and in supporting mnemonic’s customers.
• Participate in the processes for collecting, enriching, assessing and distributing threat intelligence data and reporting; incl. the use of Threat Intelligence Platforms (TIP).
• Participate in the development of new detection mechanisms and implementation of monitoring, threat intelligence and incident response services for mnemonic's customers.
• Participate in shift rotation as part of the threat hunting function for performing in-depth threat hunting and in supporting forensic activities as needed.

WHAT YOU WILL BRING

Hard skills:

• The ideal candidate has a background in one of the following disciplines: Threat Hunting, Incident Response, Threat Intelligence, Threat Assessments, Digital Forensics, Security Analytics, Security Operations, Infrastructure Analysis, Malware Analysis.
• Experience with at least two of the following areas (and a willingness to work with other areas):
• Hunting and identifying malicious behavior in large data sets/telemetry.
• Researching-, formulating- and refining threat hypothesis, incl. assessment of adversary behavior.
• Operational workflows involving Incident Handling, -Investigation, Preferably with strong knowledge and understanding of analytical- and intelligence lifecycle processes.
• Strong knowledge of technical analysis involving network traffic, malware, endpoint artifacts, disk- and memory forensics, and OS-internals.
• Detection logic frameworks and pattern matching concepts such as incl. Yara, Sigma, Snort, RegEX, Kusto, SIEM query languages or similar.
• Applying industry-wide frameworks such as MITRE ATT&CK, CKC, Pyramid of Pain, Detection Maturity Level Model, the Diamond Model, Threat Hunting Maturity Model, FAT PIE or similar.
• Technologies and solutions used for security monitoring and response capabilities. Preferably, with practical knowledge of Endpoint Detection & Response (EDR) tools.
• Malware sandboxing and using the output to pivot and find additional activity.
• Researching threats as observed in the ever-changing threat landscape, incl. third party telemetry, as well as novel sources and methods.
• OSINT of variety of data sources incl. social media, blog posts, news outlets/vendors, malware sandboxes or similar.
• Researching how threat groups operate, and understand tactics, techniques and procedures (TTP) as part of threat campaigns.
• Practical scripting and programming, such as incl. Python, Perl, Ruby, Go, Bash, PowerShell or similar.
• Infrastructure analysis, such as incl. Passive DNS, WHOIS data, SSL certificates or similar
• ... or any other working experience that directly relates to the provided job description ('what you will do').
• The following knowledge are considered a plus, but not a requirement (necessary training and on-boarding program will be offered):
• Industry certifications such as from incl. GIAC/SANS, CREST, EC-Council, Offensive security, eLearnSecurity or similar.
• Products and technologies certifications such as incl. EDR, SIEM, Malware sandboxes, TIPs, Anomalies/Heuristics solutions, Cloud concepts incl. Azure/AWS or similar.
• Technical training related to Threat Hunting, Threat Detection, Threat Intelligence, Incident Response, Detection Engineering, Security Analytics, Digital Forensics or similar.

Soft skills:

• Have strong analytical skills and the ability to synthesise complex and contradictory information.
• Is creative, solution oriented and able to find new solutions to complex problems.
• Is curious and likes to emerge deep into details to better understand the problem at hand.
• Is self-driven, independent and has the ability to successfully prioritise important tasks with minimal oversight.
• Is well-organised and has the ability to structure and organise information that facilitates efficient knowledge sharing among team members.
• Is a team player that understands the importance knowledge sharing among peers.

We also appreciate open applications if your profile is not a 100% match!

ABOUT TI-OPS

The Threat Intelligence Operations (TI-OPS) team is located in mnemonic's MSS department and focuses on the technical- and tactical spectrum of Threat Intelligence, incl. Threat Hunting. This enables our customers to detect emerging threats, performing targeted intrusion analysis and response activities, and in making well-informed decisions.

Our mission is to have a leading understanding of threats and adversary tradecraft, and in the practical application of said intelligence through operational functions and supporting technologies. We strive to make our intelligence insights both actionable and impactful, as we continue to push ourselves in close collaboration with Security Operations, Detection Engineering, and Digital Forensics and Incident Response (DFIR).

We perform threat research using a variety of open- and closed sources and partnerships, and use this insight to continuously mature our market-leading MDR service and to drive projects, services and external engagements on CTI subject matters. We believe that today's threats must be combated by detection- and mitigation strategies that are intelligence-driven and continuously adapted to an ever-changing threat landscape.

ABOUT MNEMONIC

mnemonic is the Nordic’s leading company within IT and information security with a unique combination of services and solutions. We respond to the region’s most serious cyberattacks, working side by side with Europe’s most important organisations. We actively participate in collaborative research projects and are a trusted source of threat intelligence to Europol and other global agencies.

Today we are nearly 300 employees, and growing rapidly in Norway and internationally. In addition, we are continually ranked by Great Place to Work as one of Norway’s and Europe’s top workplaces.

BACKGROUND CHECK

We use Semac AS for background checks in our recruitment process. It is an advantage if you qualify for a Norwegian security clearance.

HOW DO I APPLY?

If you have publications or other works that you think represents your technical skills or ability to communicate in Norwegian or English, please attach or refer to these as well.

Email us at rekruttering-web[at]mnemonic.no and write “MSS-TI-ThreatHunter” in the subject field. Add a text about why you are right for the job, and your CV. Send us a code project you have been working on, that illustrates exactly how you work with code.