Tier 2 Cyber Incident Response Team (CIRT) Shift Lead

Peraton is seeking an experienced Tier 2 Cyber Incident Response Team (CIRT) Shift Lead to join Peratons' Federal Strategic Cyber Mission program.

Location: Beltsville, MD; On-site

Work Hours: Evening Shift, 14:00– 22:00 EST (2:00 - 10:00 PM, EST), Tuesday - Saturday

In this role, you will:

• Detect, classify, process, track, and report on cyber security events and incidents.
• Perform advanced in-depth analysis of coordinated Tier 1 alert triage and requests in a 24x7x365 environment.
• Analyze logs from multiple sources (e.g., host logs, EDR, firewalls, intrusion detection systems, servers) to identify, contain, and remediate suspicious activity.
• Characterize and analyze network traffic to identify anomalous activity and potential threats.
• Protect against and prevent potential cyber security threats and vulnerabilities.
• Perform forensic analysis of hosts artifacts, network traffic, and email content.
• Analyze malicious scripts and code to mitigate potential threats.
• Conduct malware analysis to generate IOCs to identify and mitigate threats.
• Collaborate with Department of State teams to analyze and respond to events and incidents.
• Monitor and respond to the CIRT Security Orchestration and Automation Response (SOAR) platform, hotline, email in-boxes.
• Create tickets and initiate workflows as instructed in technical SOPs.
• Coordinate and report incident information to the Cybersecurity and Infrastructure Security Agency (CISA).
• Collaborate with other local, national and international CIRTs as directed.
• Submit alert tuning requests.

Additionally, as a Tier 2 Shift Lead you will: 

• Review all Tier 2 shift tickets for accuracy and completeness
• Coordinate with CIRT Watch Officers and government leadership on remediation actions
• Provide technical and procedural improvement recommendations to CIRT leadership
• Assist with Tier 2 candidate technical interviews as required
• Ensure coordinated remediation actions are operating properly

Minimum Qualifications

• Bachelor’s degree and minimum of 11 years of relevant experience; or, Master’s degree with minimum of 9 years; or PhD with 6 years.
• Must possess, or obtain prior to start date, at least one of the following certifications. Continued certification is required as a condition of employment:
  • CASP+ CE, CCISO, CCNA Cyber Ops, CCNA Security, CCNP Security, CEH, CFR, CISA, CISM, CISSP (or Associate), CISSP-ISSAP, CISSP-ISSEP, Cloud+, CySA+, GCED, GCIA, GCIH, GICSP, GSLC, SCYBER.
• Demonstrated experience across the incident response lifecycle.
• Experience with SOAR platforms and automated response workflows (e.g., ServiceNow, Splunk SOAR, Microsoft Sentinel).
• Experience with Security Information and Event Management (SIEM) platforms (e.g., Splunk, Microsoft Sentinel, Elastic, QRadar).
• Experience with Endpoint Detection and Response (EDR) solutions (e.g., Microsoft Defender for Endpoint, Elastic XDR, Carbon Black, CrowdStrike).
• Knowledge of cloud security monitoring and incident response.
• Knowledge of integrating indicators of compromise (IOCs) and tracking advanced persistent threat (APT) actors.
• Ability to analyze cyber threat intelligence and understand adversary tactics, techniques, and procedures (TTPs).
• Knowledge of malware analysis techniques.
• Familiarity with MITRE ATT&CK and D3FEND frameworks.
• U.S. Citizenship required.
• Active Secret security clearance required at start.

Preferred Qualifications:  

• Proficiency with Splunk for security monitoring, alert creation, and threat hunting.
• Experience using Microsoft Azure access and identity management.
• Proficiency in Microsoft Defender for Endpoint and Identity for security monitoring, response, and alert generations.
• Experience using digital forensics collection and analysis tools (e.g. Autopsy, Axiom MagnetForensics, Zimmerman-Tools, KAPE, CyLR, Volatility).
• Experience using ServiceNow SOAR for ticketing and automated response.
• Experience using Python, PowerShell and BASH scripting languages.
• Proficiency in cloud security monitoring and incident response.
• Demonstrated ability to perform static/dynamic malware analysis and reverse engineering.
• Experience with integrating cyber threat intelligence and IOC-based hunting.
• Technical certifications such as: Azure SC-900, CCSP, GCIH, CCSK, GSEC, CHFI, GCLD, GCIA.
• Advanced technical certifications such as: SecurityX/CASP+, PRMP, GREM, GEIR, GNFA, or GCFA.