SOC Incident Response

Employer
CyberData Technologies
Location
Rockville, MD
Closing date
Jun 21, 2019


Title
SOC Incident Response Specialist

Location
Rockville, MD (60% remote after 90 days)

Mid-Level SOC/IR Engineer. Job functions will be split 70% SOC Engineer and 30% SOC Analyst work.

Key Responsibilities
Requires technical knowledge in computer network theory, IT standards and protocols, as well as an understanding of the lifecycle of cyberspace threats, attack vectors, and methods of exploitation.
Implement new incident response and/or threat intelligence capabilities and integrate new capabilities with existing tools in the SOC's cybersecurity ecosystem and/or the HRSA IT infrastructure.
Write custom scripts using Python (preferred) and PowerShell to automate certain tasks.
Assist in the implementation of a new EDR solution.
Assist in the implementation of a new IDS solution.
Assist in the implementation of Phantom to automate certain SOC tasks.
Monitor HRSA information system assets for threats and anomalies utilizing tools in the SOC's cyber security ecosystem.
Monitor the SIEM (Splunk ES) for notable events and work with customers to investigate and remediate those events.
Analyze notable events in Splunk ES and determine if notable events need to become incidents based on the HRSA Incident Response Plan.
Investigate triggered signatures from various tools to identify threats and false positives, and respond to those signatures within 5 minutes of notification/alert.
Develop and deploy new SNORT signatures based on various threats on a daily basis, and as necessary.
Maintain existing SNORT signatures, and tune signatures to reduce false positives on a daily basis, and as necessary.
Consistently execute HRSA Incident Response processes according to the HRSA Incident Response Plan, SOC Standard Operating Procedures (SOP), and analyst workflows.
Conduct cyber security threat research, including: analyzing threat feeds for effectiveness and applicability; researching various types of malware, including reverse engineering (if necessary); understanding adversary techniques, tactics, and procedures (TTPs); and identifying TTPs within the HRSA environment.
Continually monitor, review, and investigate notable events generated by the SIEM on a daily basis.
Perform threat and anomaly hunting within the HRSA environment utilizing tools in the SOC cyber security ecosystem.

Skills / Experience
5 years of relevant cyber security experience in IT Security, Incident Response or network security, with strong knowledge of working in a Security Operations Center.
3 years of experience with the incident response process, including detecting advanced adversaries, log analysis using Splunk or similar tools, and malware triage.
3 years of cyber security engineering experience, including experience in writing scripts to automate manual tasks.
Strong analytical and investigation skills; active threat hunting and adversary tracking.
Experience with IDS/IPS technologies such as SourceFire and Palo Alto Firewalls. Candidate should be familiar with rulesets, monitor IDS/IPS events, and monitor IDS/IPS functional and operational status.
Experience with FireEye technologies, such as NX, HX, AX.
Experience with various EDR solutions.
Experience with troubleshooting in an Active Directory environment.
A solid understanding of Windows 2012/2016 Server, Windows 7/10, the Microsoft registry, remote administration, and other MS products. IPv6 experience a plus.
Experience with the Enterprise Incident Response Cycle: Preparation, Detection and Analysis, Containment and Recovery, Post-Incident Analysis.
Solid experience with TCP/IP protocols and ports. Preferably firewall and ACL experience.
SOC analysis and SIEM experience with Splunk. Candidate should be able to write basic Splunk queries, create dashboards and reports, and be familiar with Splunk Enterprise Security (ES). Candidates with Splunk certifications are preferred (i.e. Power User, Admin, etc.).
Experience with sniffers, packet capture and netflow tools, including Wireshark (required) and NetWitness (preferred). Candidate should be able to efficiently gather and analyze data with these tools to detect potential IT security incidents, identify indicators of compromise, and troubleshoot network events.
Experience in Information Security and with the use of security devices.
