We are looking for motivated individuals to work in the field of Cyber Threat Intelligence (CTI). We encourage both experienced candidates, and candidates with strong commitment and relevant skills to apply.

As a Technical CTI Analyst you will be involved in discovering, researching and assessing threats and adversary tradecraft, practical application of intelligence in various operational functions and -initiatives, and performing continuous improvement activities of our processes, procedures, methods and tooling as needed. You will play an integral part in helping us analyse threats and data originating from thousands of incidents detected by mnemonic, third party telemetry, as well as novel sources and methods.

To be successful in this role, you must be self-driven, curious and technical savvy, and skilled in using data and information derived from multiple disciplines to solve analytical problems.

You will be working with

We approch our work by striving to make our intelligence insights both actionable and impactful, as we continue to push ourselves in close collaboration with Security Operations, Detection Engineering, and Digital Forensics and Incident Response (DFIR). We perform threat research using a variety of open- and closed sources and partnerships, and use this insight to continuously mature our market-leading MDR service and to drive projects, services and external engagements on CTI subject matters. We believe that today's threats must be combated by detection- and mitigation strategies that are intelligence-driven and continuously adapted to an ever-changing threat landscape.

This approach is also reflected in the variety of tasks this position covers, including:

  • Actively contribute in the development of tools, frameworks, services and guidelines to analyse and respond to threats, and in supporting operational functions on CTI-matters as needed (DFIR, Security Operations, Malware Analysis etc).
  • Periodically assess and evaluate emerging CTI-related products- and platforms, and be a knowledge expert on the quality of- and how such technologies can be used.
  • Take technology lead (ownership) on CTI-related products- and platforms as needed to fulfill the TI-OPS mission, and in supporting our DFIR-framework.
  • Conduct threat research using open- and closed sources, and maintain Intelligence KBs to effectively track known TTPs, detection coverage, and response/mitigation recommendations associated with specific threats and adversary tradecraft.
  • Provide curated intelligence to support operational functions, such as incl. Threat Hunting for executing threat hunting missions and Detection Engineering for the development of use cases of new emerging adversary behavior.
  • Consume and analyse technical-oriented Threat Intelligence from a variety of sources (e.g. social media, blog posts, intelligence reports, sandbox output, partner sharing, internal detections etc) to track and report on the evolving threat landscape, e.g. TTPs.
  • Researching and analysing malware, attack campaigns, threat groups and their tactics, techniques and procedures (TTP) as observed in the threat landscape.
  • Support the build out of a Threat Intelligence program and contribute to a coherent and targeted tactical and operational intelligence production to our customers, incl. the application of Threat Intelligence frameworks and -models.
  • Actively participate in projects such as incl. implementation- and integration initiatives as a Subject Matter Expert (SME) on CTI, both as a member and manager as needed.
  • Participate in the processes for collecting, enriching, assessing and distributing Threat Intelligence data and reporting; incl. the use and evaluation of supporting technologies, such as incl. Threat Intelligence Platforms (TIP).
  • Assist incident responders, threat hunters and intrusion analysts in pivoting network -, log- and endpoint-data in the investigation of targeted attacks and serious profiteering campaigns against mnemonic’s customers.
  • Perform in-depth forensics, memory analysis and artifact analysis on confirmed or suspected compromised machines as part of incident response engagements and in supporting our customers.
  • Participate in shift rotation either as part the threat hunting function for performing in-depth threat hunting or SDG-Yara for analysing malware and writing Yara-rules.

You will be working closely with our Tactical CTI Analyst and Threat Hunter.

What you will bring

Hard skills

  • The ideal candidate has a background in one of the following disciplines: Threat Intelligence, Incident Response, Threat Hunting, Threat Assessments, Digital Forensics, Security Analytics, Security Operations, Infrastructure Analysis, Malware Analysis.
  • Familiar with at least two of the following areas (and a willingness to learn the rest):
    • Graph theory and clustering analysis.
    • Open- and closed source intelligence.
    • Intelligence methods, frameworks and standards.
    • CTI-focused products, platforms and technologies.
    • Disk and memory forensics.
    • Forensic methods, frameworks and standards.
    • Static and dynamic binary analysis.
    • Network traffic and/or Log analysis.
    • Technical analysis methods, processes and tooling.
    • Windows and/or Linux internals.
  • Experience with at least three of the following areas (and a willingness to work with others):
    • Tracking threat actors and researching their TTPs.
    • Supporting intelligence led assessments, such as incl. CBEST or TIBER.
    • Using commercial and open source platforms, such as incl. Shodan, Censys, or similar.
    • Malware sandboxes and using the output to pivot and find additional activity.
    • Performing threat hunting, and researching and refining supporting hypothesis.
    • Creating network-, endpoint-, malware- detection signatures on such as incl. Yara, Snort, Kusto or similar.
    • Infrastructure analysis, such as incl. Passive DNS, WHOIS data, SSL certificates or similar.
    • OSINT of variety of data sources incl. social media, blog posts, news outlets/vendors, malware sandboxes or similar.
    • Platforms and -solutions for storing, structuring and managing CTI.
    • The production of actionable intelligence reports and insights (incl. RFI-processes).
    • Practical knowledge of researching, collection skills and analytical methods.
    • Practical application of industry-wide frameworks, such as incl. MITRE ATT&CK, CKC, Pyramid of Pain, the Diamond Model, ACH or similar.
    • Encoding and decoding of obfuscation techniques within network traffic and endpoint artifacts.
    • Threat landscape- and adversary tradecraft analysis.
    • Practical application of CTI-, OSINT- and DFIR-workflows (incl. supporting tooling).
    • Visualisation- and graphing tools, such as incl. Maltego, IBM i2, Spiderfoot or similar.
    • Cloud environments and telemetry capabilities, in particular Azure and AWS.
    • Practical scripting and programming, such as incl. Python, Perl, Ruby, Go, Bash, PowerShell or similar.
    • ... or any other working experience that directly relates to the provided job description ('what you will do')
  • The following knowledge are considered a plus, but not a requirement (necessary training and on-boarding program will be offered):
    • Industry certifications such as from incl. GIAC/SANS, CREST, EC-Council, Offensive security, eLearnSecurity or similar.
    • Products and technologies certifications such as incl. EDR, SIEM, Malware sandboxes, TIPs, Anomalies/Heuristics solutions, Cloud concepts incl. Azure/AWS or similar.
    • Standards and frameworks such as incl. CBEST, TIBER, ISO 27000-series, IRAM2 or similar.
    • Technical training related to Threat Detection, Threat Intelligence, Incident Response, Detection Engineering, Security Analytics, Digital Forensics, Threat Hunting or similar.

Soft skills

  • Have strong analytical skills and the ability to synthesise complex and contradictory information.
  • Is creative, solution oriented and able to find new solutions to complex problems.
  • Is curious and likes to emerge deep into details to better understand the problem at hand.
  • Is self-driven, independent and has the ability to successfully prioritise important tasks with minimal oversight.
  • Has the ability to clearly communicate complex technical information, verbally and in writing with minimal review before broad dissemination.
  • Is well-organised and has the ability to structure and organise information that facilitates efficient knowledge sharing among team members.
  • Is a team player that understands the importance knowledge sharing among peers.

We also appreciate open applications if your profile is not a 100% match!

What we can offer

  • An informal and pleasant working environment that provides opportunities for growth, influence and variations in tasks
  • Competitive salary, share program and bonus scheme that promotes a long-term employment outlook, including attractive pension and insurance coverage
  • Opportunities for relevant professional training (courses) and conferences
  • We place a strong emphasis on workplace well-being and teambuilding through social activities, events and trips with colleagues. In addition, we have an inclusive environment that promotes work-life balance and accommodates to families. Both in Utrecht and Oslo our offices are centrally located. In Oslo, you'll find us at Solli plass. 
  • A workplace that has been ranked as one of the best in Europe for a number of years. In Norway we have been amongst the top 10 workplaces for 10 years in a row. This year, we even won our category!

How do I apply?

Email us at [email protected] and write "MSS-TI-Technical-CTI" in the subject field. Add a text about why you are right for the job, and your CV. Send us a code project you have been working on, that illustrates exactly how you work with code.

If you have publications or projects you have worked on that you think represent your technical skills or ability to communicate, please attach or refer to these.

Background check

We use Semac AS for background checks in our recruitment process. Security clearance is a requirement.

Har du noen spørsmål til oss?