Threat Hunter
We are looking for motivated individuals to work in the field of Threat Hunting (TH)
As a Threat Hunter in the Threat Intelligence Operations (TI-OPS) team, you will have a particular focus on supporting our Threat Hunting program. Here you will develop threat hypothesis of adversary behavior, execute hunting missions, write briefs on hunting analytics, -missions and -findings, and performing continuous improvement activities of our processes, procedures, methods and tooling as needed. You will play an integral part in the production of Threat Hunting deliverables, and in analysing threats and data originating from thousands of incidents detected by mnemonic, third party telemetry, as well as novel sources and methods.
To be successful in this role, you must be self-driven with in-depth technical knowledge, and the curiosity to dive deeply into the intersection between Security Operations, Digital Forensics and Threat Intelligence.
We encourage both experienced candidates, and candidates with strong commitment and relevant skills to apply.
mnemonic responds to the region’s most serious cyberattacks. We work side by side with Europe’s most important organisations and critical infrastructure to protect them from the cyberattacks they see today, and what they can expect to see tomorrow.
At more than 350 employees, we are amongst the largest pure play security companies in Europe, and continue to grow rapidly in Norway and internationally. In addition, we are continually ranked by Great Place to Work as one of Norway’s and Europe’s top workplaces.
What you will do
We approch our work by striving to make our intelligence insights both actionable and impactful, as we continue to push ourselves in close collaboration with Security Operations, Detection Engineering, and Digital Forensics and Incident Response (DFIR). We perform threat research using a variety of open- and closed sources and partnerships, and use this insight to continuously mature our market-leading MDR service and to drive projects, services and external engagements on CTI subject matters. We believe that today's threats must be combated by detection- and mitigation strategies that are intelligence-driven and continuously adapted to an ever-changing threat landscape.
This approach is also reflected in the variety of tasks this position covers, including:
- Develop threat hypothesis of adversaries behavior, and perform open- and closed research to formulate detection strategies of said behavior.
- Plan and execute hunting missions to investigate hypotheses in raw telemetry and data lakes for the purpose of identifying threats and providing context to various stakeholders.
- Assist incident responders, CTI analysts and intrusion analysts in pivoting network -, log- and endpoint-data in the investigation of targeted attacks and serious profiteering campaigns against mnemonic’s customers.
- Researching and analysing malware, attack campaigns, threat groups and their tactics, techniques and procedures (TTP) as observed in the threat landscape.
- Applying Threat Intelligence and Threat Model scenarios as part of our threat hunting function, and provide guidance to our detection engineers on strategies and detection logic needed to operationalise 24/7 detection.
- Assess and implement new methods, processes, tools and deliverables as part of our Threat Hunting program and operational functions.
- Build on existing threat hunting practices to improve and mature our repeatable threat hunting workflow and the overall Threat Hunting program.
- Perform in-depth forensics, memory analysis and artifact analysis on confirmed or suspected compromised machines as part of incident response engagements and in supporting mnemonic’s customers.
- Participate in the processes for collecting, enriching, assessing and distributing threat intelligence data and reporting; incl. the use of Threat Intelligence Platforms (TIP).
- Participate in the development of new detection mechanisms and implementation of monitoring, threat intelligence and incident response services for mnemonic's customers.
- Participate in shift rotation as part of the threat hunting function for performing in-depth threat hunting and in supporting forensic activities as needed.
The Threat Intelligence Operations (TI-OPS) team focuses on the technical- and tactical spectrum of Threat Intelligence, incl. Threat Hunting. This enables our customers to detect emerging threats, performing targeted intrusion analysis and response activities, and in making well-informed decisions.
Our mission is to have a leading understanding of threats and adversary tradecraft, and in the practical application of intelligence through operational functions and supporting technologies.
What you will bring
Hard skills
- The ideal candidate has a background in one of the following disciplines: Threat Hunting, Incident Response, Threat Intelligence, Threat Assessments, Digital Forensics, Security Analytics, Security Operations, Infrastructure Analysis, Malware Analysis.
- Experience with at least two of the following areas (and a willingness to work with other areas):
- Hunting and identifying malicious behavior in large data sets/telemetry.
- Researching-, formulating- and refining threat hypothesis, incl. assessment of adversary behavior.
- Operational workflows involving Incident Handling, -Investigation, Preferably with strong knowledge and understanding of analytical- and intelligence lifecycle processes.
- Strong knowledge of technical analysis involving network traffic, malware, endpoint artifacts, disk- and memory forensics, and OS-internals.
- Detection logic frameworks and pattern matching concepts such as incl. Yara, Sigma, Snort, RegEX, Kusto, SIEM query languages or similar.
- Applying industry-wide frameworks such as MITRE ATT&CK, CKC, Pyramid of Pain, Detection Maturity Level Model, the Diamond Model, Threat Hunting Maturity Model, FAT PIE or similar.
- Technologies and solutions used for security monitoring and response capabilities. Preferably, with practical knowledge of Endpoint Detection & Response (EDR) tools.
- Malware sandboxing and using the output to pivot and find additional activity.
- Researching threats as observed in the ever-changing threat landscape, incl. third party telemetry, as well as novel sources and methods.
- OSINT of variety of data sources incl. social media, blog posts, news outlets/vendors, malware sandboxes or similar.
- Researching how threat groups operate, and understand tactics, techniques and procedures (TTP) as part of threat campaigns.
- Practical scripting and programming, such as incl. Python, Perl, Ruby, Go, Bash, PowerShell or similar.
- Infrastructure analysis, such as incl. Passive DNS, WHOIS data, SSL certificates or similar
- ... or any other working experience that directly relates to the provided job description ('what you will do').
- The following knowledge are considered a plus, but not a requirement (necessary training and on-boarding program will be offered):
- Industry certifications such as from incl. GIAC/SANS, CREST, EC-Council, Offensive security, eLearnSecurity or similar.
- Products and technologies certifications such as incl. EDR, SIEM, Malware sandboxes, TIPs, Anomalies/Heuristics solutions, Cloud concepts incl. Azure/AWS or similar.
- Technical training related to Threat Hunting, Threat Detection, Threat Intelligence, Incident Response, Detection Engineering, Security Analytics, Digital Forensics or similar.
Soft skills
- Have strong analytical skills and the ability to synthesise complex and contradictory information.
- Is creative, solution oriented and able to find new solutions to complex problems.
- Is curious and likes to emerge deep into details to better understand the problem at hand.
- Is self-driven, independent and has the ability to successfully prioritise important tasks with minimal oversight.
- Is well-organised and has the ability to structure and organise information that facilitates efficient knowledge sharing among team members.
- Is a team player that understands the importance knowledge sharing among peers.
We also appreciate open applications if your profile is not a 100% match!
What we can offer
- An informal and pleasant working environment that provides opportunities for growth, influence and variations in tasks
- Competitive salary, share program and bonus scheme that promotes a long-term employment outlook, including attractive pension and insurance coverage
- Opportunities for relevant professional training (courses) and conferences
- We place a strong emphasis on workplace well-being and teambuilding through social activities, events and trips with colleagues. In addition, we have an inclusive environment that promotes work-life balance and accommodates to families. Both in Utrecht and Oslo our offices are centrally located. In Oslo, you'll find us at Solli plass.
- A workplace that has been ranked as one of the best in Europe for a number of years. In Norway we have been amongst the top 10 workplaces for 10 years in a row. This year, we even won our category!
How do I apply?
Email us at [email protected] and write "MSS-TI-ThreatHunter" in the subject field. Add a text about why you are right for the job, and your CV. Send us a code project you have been working on, that illustrates exactly how you work with code.
If you have publications or other projects you have worked on that you think represent your technical skills or ability to communicate, please attach or refer to these as well.
Background check
We use Semac AS for background checks in our recruitment process. Security clearance is a requirement.
Do you have questions about a career in mnemonic?
