What we are looking for
We are looking for motivated individuals to work in the field of Cyber Threat Intelligence (CTI). We encourage both experienced candidates, and candidates with strong commitment and relevant skills to apply.
As a Tactical CTI Analyst in the Threat Intelligence Operations (TI-OPS) team, you will have a particular focus on the tactical spectrum of Threat Intelligence. Here you will be involved in researching and assessing threats and adversary tradecraft, applying intelligence in various operational deliverables, providing curated intelligence reports to operational functions and our customers, and performing continuous improvement activities of our processes, procedures, methods and tooling as needed. You will play an integral part in helping us analyse threats and data originating from thousands of incidents detected by mnemonic, third party telemetry, as well as novel sources and methods.
To be successful in this role, you must be independent, well-organised, have excellent communication skills, and skilled in using data and information derived from multiple disciplines to solve analytical problems.
What we can offer
- An unique environment consisting of more than 250+ security specialists that daily work with some of the most demanding and awarding challenges within IT and information security.
- Exciting projects and significant influence in design and architectural choices in own projects.
- Professional training (courses) and conferences.
- Competitive terms including a collective bonus scheme for all employees.
- A solid and profitable corporate economy providing resources for development and innovation.
- A remote-friendly culture which emphasises healthy work-life balance.
- For the past nine years, mnemonic has been ranked among Norway’s and Europe’s best workplaces by Great Place to Work. In Norway, we’ve been among the top 3 the last five years!
What you will do
The position covers a wide range of tasks, which include:
- Conduct threat research using open- and closed sources, and maintain Intelligence KBs to effectively track known TTPs, detection coverage, and response/mitigation recommendations associated with specific threats and adversary tradecraft.
- Produce clear, concise and actionable intelligence reports on threats with insights into attacker techniques and identified campaigns, incl. guidance on mitigation and detection strategies.
- Provide curated intelligence to support operational functions, such as incl. Threat Hunting for executing threat hunting missions and Detection Engineering for the development of use cases of new emerging adversary behavior.
- Consume and analyse technical-oriented Threat Intelligence from a variety of sources (e.g. social media, blog posts, intelligence reports, sandbox output, partner sharing, internal detections etc) to track and report on the evolving threat landscape and TTPs.
- Provide relevant trend analysis and technical insights to customers and other stakeholders, incl. mapping to common frameworks, such as incl. MITRE ATT&CK.
- Researching and analysing malware, attack campaigns, threat groups and their tactics, techniques and procedures (TTP) as observed in the threat landscape.
- Support the build out of a Threat Intelligence program and contribute to a coherent and targeted tactical and operational intelligence production to our customers, incl. the application of Threat Intelligence frameworks and -models.
- Participate in the processes for collecting, enriching, assessing and distributing Threat Intelligence data and reporting; incl. the use and evaluation of supporting technologies, such as incl. Threat Intelligence Platforms (TIP).
- Actively contribute in the development of tools, frameworks, services and guidelines to analyse and respond to threats, and in supporting operational functions on CTI-matters as needed (DFIR, Security Operations, Malware Analysis etc).
- Assist incident responders and intrusions analysts with technical expertise, and in general the understanding of the context, nature, and sophistication of attacks and incidents being detected.
- Identify patterns and trends in detections and write actionable Intelligence Insights about trends we are observing, how customers can respond to them, and why they are relevant.
- Actively contribute to the production of- and in the development of threat briefs, reports, advisories and other forms of CTI-focused deliverables, both as a contributor and in performing peer review.
- Periodically assess and evaluate CTI-related threat feeds and data sources, both as received from external and third-parties, but also actively taking a lead to ensure that mnemonics threat feeds and -data is of high quality prior to distribution.
- Engage with external parties for producing- and responding to RFIs, and actively contributing to intelligence sharing with our customers, partners, CERTs and the community as a whole.
- Maintaining and developing our internal CTI- and OSINT frameworks, both to ensure alignment with internal requirements and needs, and to ensure that our intelligence expertise is continuously maturing.
What you will bring
- The ideal candidate has a background in one of the following disciplines: Threat Intelligence, Incident Response, Threat Hunting, Threat Assessments, Digital Forensics, Security Analytics, Security Operations, Infrastructure Analysis, Malware Analysis.
- Familiar with at least two of the following areas (and a willingness to learn the rest):
- Graph theory and clustering analysis.
- Open- and closed source intelligence.
- Intelligence methods, frameworks and standards.
- CTI-focused products, platforms and technologies.
- Disk and memory forensics.
- Forensic methods, frameworks and standards.
- Static and dynamic binary analysis.
- Network traffic and/or Log analysis.
- Technical analysis methods, processes and tooling.
- Windows and/or Linux internals.
- Experience with at least three of the following areas (and a willingness to work with others):
- Tracking threat actors and researching their TTPs.
- Supporting intelligence led assessments, such as incl. CBEST or TIBER.
- Using commercial and open source platforms, such as incl. Shodan, Censys, or similar.
- Malware sandboxes and using the output to pivot and find additional activity.
- Performing threat hunting, and researching and refining supporting hypothesis.
- Creating network-, endpoint-, malware- detection signatures on such as incl. Yara, Snort, Kusto or similar.
- Infrastructure analysis, such as incl. Passive DNS, WHOIS data, SSL certificates or similar.
- OSINT of variety of data sources incl. social media, blog posts, news outlets/vendors, malware sandboxes or similar.
- Platforms and -solutions for storing, structuring and managing CTI.
- The production of actionable intelligence reports and insights (incl. RFI-processes).
- Practical knowledge of researching, collection skills and analytical methods.
- Knowledge of industry-wide frameworks, such as incl. MITRE ATT&CK, CKC, Pyramid of Pain, the Diamond Model, ACH or similar.
- Encoding and decoding of obfuscation techniques within network traffic and endpoint artifacts.
- Threat landscape- and adversary tradecraft analysis.
- Practical application of CTI-, OSINT- and DFIR-workflows (incl. supporting tooling).
- Visualisation- and graphing tools, such as incl. Maltego, IBM i2, Spiderfoot or similar.
- Cloud environments and telemetry capabilities, in particular Azure and AWS.
- Practical scripting and programming, such as incl. Python, Perl, Ruby, Go, Bash, PowerShell or similar.
- ... or any other working experience that directly relates to the provided job description ('what you will do').
- The following knowledge are considered a plus, but not a requirement (necessary training and on-boarding program will be offered):
- Industry certifications such as from incl. GIAC/SANS, CREST, EC-Council, Offensive security, eLearnSecurity or similar.
- Products and technologies certifications such as incl. EDR, SIEM, Malware sandboxes, TIPs, Anomalies/Heuristics solutions, Cloud concepts incl. Azure/AWS or similar.
- Standards and frameworks such as incl. CBEST, TIBER, ISO 27000-series, IRAM2 or similar.
- Technical training related to Threat Detection, Threat Intelligence, Incident Response, Detection Engineering, Security Analytics, Digital Forensics, Threat Hunting or similar.
- Have strong analytical skills and the ability to synthesise complex and contradictory information.
- Is creative, solution oriented and able to find new solutions to complex problems.
- Is self-driven, independent and has the ability to successfully prioritise important tasks with minimal oversight.
- Has the ability to clearly communicate complex technical information, verbally and in writing with minimal review before broad dissemination.
- Excellent communication skills, both written and verbal, including the ability to communicate technical concepts in a clear, succinct fashion.
- Is well-organised and has the ability to structure and organise information that facilitates efficient knowledge sharing among team members.
- Is a team player that understands the importance knowledge sharing among peers.
We also appreciate open applications if your profile is not a 100% match!
The Threat Intelligence Operations (TI-OPS) team is located in mnemonic's MSS department and focuses on the technical- and tactical spectrum of Threat Intelligence, incl. Threat Hunting. This enables our customers to detect emerging threats, performing targeted intrusion analysis and response activities, and in making well-informed decisions.
Our mission is to have a leading understanding of threats and adversary tradecraft, and in the practical application of said intelligence through operational functions and supporting technologies. We strive to make our intelligence insights both actionable and impactful, as we continue to push ourselves in close collaboration with Security Operations, Detection Engineering, and Digital Forensics and Incident Response (DFIR).
We perform threat research using a variety of open- and closed sources and partnerships, and use this insight to continuously mature our market-leading MDR service and to drive projects, services and external engagements on CTI subject matters. We believe that today's threats must be combated by detection- and mitigation strategies that are intelligence-driven and continuously adapted to an ever-changing threat landscape.
mnemonic is the Nordic’s leading company within IT and information security with a unique combination of services and solutions. We respond to the region’s most serious cyberattacks, working side by side with Europe’s most important organisations. We actively participate in collaborative research projects and are a trusted source of threat intelligence to Europol and other global agencies.
Today we are nearly 300 employees, and growing rapidly in Norway and internationally. In addition, we are continually ranked by Great Place to Work as one of Norway’s and Europe’s top workplaces.
We use Semac AS for background checks in our recruitment process. It is an advantage if you qualify for a Norwegian security clearance.
How do I apply?
If you have publications or other works that you think represents your technical skills or ability to communicate in Norwegian or English, please attach or refer to these as well.
Email us at and write “MSS-TI-Tactical-CTI” in the subject field. Add a text about why you are right for the job, and your CV. Send us a code project you have been working on, that illustrates exactly how you work with code.