Incident Response Analyst

Terms: Permanent Location: Cheltenham, Gloucestershire Salary: £45k − £60k

CORVID provides advanced and innovative cyber security protection services, using sophisticated means to detect and manage technical security incidents. There is an opportunity for an Incident Response (IR) Analyst to join this team.

Our customers benefit from a suite of services which includes incident detection and incident response, which is delivered predominantly using an in-house EDR platform.

Key responsibilities

You will be responsible for monitoring identifiers and suspect activity that indicates a potential security incident. This will make use of intrusion prevention systems, vulnerability scanning tools, and enterprise detection and response tools. You will be proficient in IR with an understanding of real-world APT tools, tactics, and procedures, and be able to quickly determine the nature of the threat and deliver the appropriate response.

  • Formulate and implement threat hunts across the CORVID customer base, using both public data sources and internal research.
  • Investigate suspicious activity to determine if it's a true positive.
  • Perform incident response activities on compromised devices and/or networks to:
    • determine the scope of infection
    • remove the threat
    • identify potential data loss
    • identify the infection vector
    • create additional threat hunts or detections using TTPs
    • liaise with customers

Skills and experience

Essential:

  • Two to three years' experience in a SOC or incident response role
  • Experience in incident response or incident analysis
  • Good awareness of the current threat landscape
  • Familiarity with host forensic artefacts on both Windows and Linux, and their acquisition, processing, and interpretation
  • Experience with network analysis and network intrusion detection
  • Understanding of firewall rules, Windows and Linux tools for analysing packet capture, netflow, and raw log files, such as those generated by firewalls, web servers, and proxies
  • Understanding of modern malware, including execution methods, persistence, detection, C2 methods, delivery mechanisms (JavaScript, PowerShell, etc.) and entry points (phishing, drive-by, etc.)
  • Knowledge of analysing artefacts to deduce behaviour of malware in an estate, include method of entry, evidence of lateral movement, C2/exfiltration analysis, and remediation activities
  • Ability to innovate malware hunting methods
  • General technical analysis and data correlation skills
  • Ability to launch and interpret network vulnerability scans, web scans, and port scans
  • Good communication, reporting, and analytical skills
  • Ability to produce and review reports
  • Proven experience with scripting/programming languages
  • Ability to commit to ad hoc scripting (for example, in Python)

Desirable:

  • Familiarity with the challenges of processing large volumes of log traffic, including Windows event logs
  • Familiarity with malware dynamic analysis to determine potential malicious intent of samples
  • Some experience with static analysis and reverse engineering of samples and C2 protocols
  • Familiarity with Elastic, Splunk, or similar
  • Understanding of vulnerabilities and vulnerability detection
  • Ability to commit to small development projects (for example, in C or C++)
  • Ability to work in and perform system administration skills using Windows and Linux
  • Understanding of the MITRE ATT&CK framework
  • Experience with EDR-type telemetry or similar, such as from sysmon
  • Experience of writing and implementing Snort/Suricata rules
  • Excellent understanding of TCP/IP networking and protocols (including HTTP, SSL/TLS, HTTPS, HTTP/2, DNS, SMTP, IPSEC)

How to apply

Please email your CV and covering letter to careers@corvid.co.uk.