What we are looking for
We are looking for motivated individuals to work in the field of Cyber Threat Intelligence (CTI). We encourage both experienced candidates, and candidates with strong commitment and relevant skills to apply.
As a Technical CTI Analyst in the Threat Intelligence Operations (TI-OPS) team, you will have a particular focus on the technical spectrum of Threat Intelligence. Here you will be involved in discovering, researching and assessing threats and adversary tradecraft, practical application of intelligence in various operational functions and -initiatives, and performing continuous improvement activities of our processes, procedures, methods and tooling as needed. You will play an integral part in helping us analyse threats and data originating from thousands of incidents detected by mnemonic, third party telemetry, as well as novel sources and methods.
To be successful in this role, you must be self-driven, curious and technical savvy, and skilled in using data and information derived from multiple disciplines to solve analytical problems.
What we can offer
- An unique environment consisting of more than 250+ security specialists that daily work with some of the most demanding and awarding challenges within IT and information security.
- Exciting projects and significant influence in design and architectural choices in own projects.
- Professional training (courses) and conferences.
- Competitive terms including a collective bonus scheme for all employees.
- A solid and profitable corporate economy providing resources for development and innovation.
- A remote-friendly culture which emphasises healthy work-life balance.
- For the past nine years, mnemonic has been ranked among Norway’s and Europe’s best workplaces by Great Place to Work. In Norway, we’ve been among the top 3 the last five years!
What you will do
The position covers a wide range of tasks, which include:
- Actively contribute in the development of tools, frameworks, services and guidelines to analyse and respond to threats, and in supporting operational functions on CTI-matters as needed (DFIR, Security Operations, Malware Analysis etc).
- Periodically assess and evaluate emerging CTI-related products- and platforms, and be a knowledge expert on the quality of- and how such technologies can be used.
- Take technology lead (ownership) on CTI-related products- and platforms as needed to fulfill the TI-OPS mission, and in supporting our DFIR-framework.
- Conduct threat research using open- and closed sources, and maintain Intelligence KBs to effectively track known TTPs, detection coverage, and response/mitigation recommendations associated with specific threats and adversary tradecraft.
- Provide curated intelligence to support operational functions, such as incl. Threat Hunting for executing threat hunting missions and Detection Engineering for the development of use cases of new emerging adversary behavior.
- Consume and analyse technical-oriented Threat Intelligence from a variety of sources (e.g. social media, blog posts, intelligence reports, sandbox output, partner sharing, internal detections etc) to track and report on the evolving threat landscape, e.g. TTPs.
- Researching and analysing malware, attack campaigns, threat groups and their tactics, techniques and procedures (TTP) as observed in the threat landscape.
- Support the build out of a Threat Intelligence program and contribute to a coherent and targeted tactical and operational intelligence production to our customers, incl. the application of Threat Intelligence frameworks and -models.
- Actively participate in projects such as incl. implementation- and integration initiatives as a Subject Matter Expert (SME) on CTI, both as a member and manager as needed.
- Participate in the processes for collecting, enriching, assessing and distributing Threat Intelligence data and reporting; incl. the use and evaluation of supporting technologies, such as incl. Threat Intelligence Platforms (TIP).
- Assist incident responders, threat hunters and intrusion analysts in pivoting network -, log- and endpoint-data in the investigation of targeted attacks and serious profiteering campaigns against mnemonic’s customers.
- Perform in-depth forensics, memory analysis and artifact analysis on confirmed or suspected compromised machines as part of incident response engagements and in supporting our customers.
- Participate in shift rotation either as part the threat hunting function for performing in-depth threat hunting or SDG-Yara for analysing malware and writing Yara-rules.
What you will bring
- The ideal candidate has a background in one of the following disciplines: Threat Intelligence, Incident Response, Threat Hunting, Threat Assessments, Digital Forensics, Security Analytics, Security Operations, Infrastructure Analysis, Malware Analysis.
- Familiar with at least two of the following areas (and a willingness to learn the rest):
- Graph theory and clustering analysis.
- Open- and closed source intelligence.
- Intelligence methods, frameworks and standards.
- CTI-focused products, platforms and technologies.
- Disk and memory forensics.
- Forensic methods, frameworks and standards.
- Static and dynamic binary analysis.
- Network traffic and/or Log analysis.
- Technical analysis methods, processes and tooling.
- Windows and/or Linux internals.
- Experience with at least three of the following areas (and a willingness to work with others):
- Tracking threat actors and researching their TTPs.
- Supporting intelligence led assessments, such as incl. CBEST or TIBER.
- Using commercial and open source platforms, such as incl. Shodan, Censys, or similar.
- Malware sandboxes and using the output to pivot and find additional activity.
- Performing threat hunting, and researching and refining supporting hypothesis.
- Creating network-, endpoint-, malware- detection signatures on such as incl. Yara, Snort, Kusto or similar.
- Infrastructure analysis, such as incl. Passive DNS, WHOIS data, SSL certificates or similar.
- OSINT of variety of data sources incl. social media, blog posts, news outlets/vendors, malware sandboxes or similar.
- Platforms and -solutions for storing, structuring and managing CTI.
- The production of actionable intelligence reports and insights (incl. RFI-processes).
- Practical knowledge of researching, collection skills and analytical methods.
- Practical application of industry-wide frameworks, such as incl. MITRE ATT&CK, CKC, Pyramid of Pain, the Diamond Model, ACH or similar.
- Encoding and decoding of obfuscation techniques within network traffic and endpoint artifacts.
- Threat landscape- and adversary tradecraft analysis.
- Practical application of CTI-, OSINT- and DFIR-workflows (incl. supporting tooling).
- Visualisation- and graphing tools, such as incl. Maltego, IBM i2, Spiderfoot or similar.
- Cloud environments and telemetry capabilities, in particular Azure and AWS.
- Practical scripting and programming, such as incl. Python, Perl, Ruby, Go, Bash, PowerShell or similar.
- ... or any other working experience that directly relates to the provided job description ('what you will do').
- The following knowledge are considered a plus, but not a requirement (necessary training and on-boarding program will be offered):
- Industry certifications such as from incl. GIAC/SANS, CREST, EC-Council, Offensive security, eLearnSecurity or similar.
- Products and technologies certifications such as incl. EDR, SIEM, Malware sandboxes, TIPs, Anomalies/Heuristics solutions, Cloud concepts incl. Azure/AWS or similar.
- Standards and frameworks such as incl. CBEST, TIBER, ISO 27000-series, IRAM2 or similar.
- Technical training related to Threat Detection, Threat Intelligence, Incident Response, Detection Engineering, Security Analytics, Digital Forensics, Threat Hunting or similar.
- Have strong analytical skills and the ability to synthesise complex and contradictory information.
- Is creative, solution oriented and able to find new solutions to complex problems.
- Is curious and likes to emerge deep into details to better understand the problem at hand.
- Is self-driven, independent and has the ability to successfully prioritise important tasks with minimal oversight.
- Has the ability to clearly communicate complex technical information, verbally and in writing with minimal review before broad dissemination.
- Is well-organised and has the ability to structure and organise information that facilitates efficient knowledge sharing among team members.
- Is a team player that understands the importance knowledge sharing among peers.
We also appreciate open applications if your profile is not a 100% match!
The Threat Intelligence Operations (TI-OPS) team is located in mnemonic's MSS department and focuses on the technical- and tactical spectrum of Threat Intelligence, incl. Threat Hunting. This enables our customers to detect emerging threats, performing targeted intrusion analysis and response activities, and in making well-informed decisions.
Our mission is to have a leading understanding of threats and adversary tradecraft, and in the practical application of said intelligence through operational functions and supporting technologies. We strive to make our intelligence insights both actionable and impactful, as we continue to push ourselves in close collaboration with Security Operations, Detection Engineering, and Digital Forensics and Incident Response (DFIR).
We perform threat research using a variety of open- and closed sources and partnerships, and use this insight to continuously mature our market-leading MDR service and to drive projects, services and external engagements on CTI subject matters. We believe that today's threats must be combated by detection- and mitigation strategies that are intelligence-driven and continuously adapted to an ever-changing threat landscape.
mnemonic is the Nordic’s leading company within IT and information security with a unique combination of services and solutions. We respond to the region’s most serious cyberattacks, working side by side with Europe’s most important organisations. We actively participate in collaborative research projects and are a trusted source of threat intelligence to Europol and other global agencies.
Today we are nearly 300 employees, and growing rapidly in Norway and internationally. In addition, we are continually ranked by Great Place to Work as one of Norway’s and Europe’s top workplaces.
We use Semac AS for background checks in our recruitment process. It is an advantage if you qualify for a Norwegian security clearance.
How do I apply?
If you have publications or other works that you think represents your technical skills or ability to communicate in Norwegian or English, please attach or refer to these as well.
Email us at and write “MSS-TI-Technical-CTI” in the subject field. Add a text about why you are right for the job, and your CV. Send us a code project you have been working on, that illustrates exactly how you work with code.