SOC Analyst
The job posting is outdated and position may be filled
Jobs by Experience

3 - 5 years

Job Location

Abu Dhabi - UAE

Monthly Salary

Not Disclosed

Education

Bachelors in Computer Application

Gender

N/A

Vacancy

1 Vacancy

Job Description

Req ID : 828476

SOC Analyst

Language of the work: English & Arabic

Expected duration of project: 4 months and above

SOC Services Responsibilities

  • The role requires 24/7 support and shift work.
  • Skills in Tier 1 and Tier 2 analysis, as both will be performed by the resource.
  • Experience in managing Azure Sentinel and performing threat hunting with it.
  • Ability to raise and manage tickets in Ivanti Incident Management.
  • Follow the CLIENT security incident response process.
  • Ensure proper evidence details and a complete report are provided for each security incident.
  • Raise security incidents and ensure they are created and closed.
  • Examine network topologies to understand data flows through the network.
  • Analyze network traffic to provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities, and distinguish these incidents and events from benign activities.
  • Use data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events, perform cyber defense trend analysis and reporting, and perform event correlation to mitigate threats.
  • Carry out triage to ensure that a genuine security incident is occurring.
  • Notify other SOC Analysts of suspected events for further analysis.
  • Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan.
  • Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact.
  • Provide daily summary reports of network events and activity relevant to cyber defense practices.
  • Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information.
  • Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
  • Isolate and remove malware.
  • Identify network mapping and operating system (OS) fingerprinting activities.
  • Develop content for cyber defense tools used for continual monitoring and analysis of network activity to identify malicious activity.
  • Assist in the construction of signatures which can be implemented on cyber defense tools in response to new or observed threats within the network environment or enclave.
  • Analyze and report organizational security posture trends.
  • Monitor external data sources (e.g., cyber defense vendor sites and Computer Emergency Response Teams) to maintain an updated cyber defense threat condition and determine which security issues may have an impact on the enterprise.
  • Assess and monitor cybersecurity related to system implementation and testing practices.
  • Provide cybersecurity recommendations based on significant threats and vulnerabilities.
  • Work with stakeholders to resolve security incidents and vulnerability compliance.
  • Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.
  • Support and mentor other team members in detection and analysis techniques.
  • Handle and validate incident escalations from other SOC Analyst services.
  • Conduct recommended proactive response actions and predictive analysis of potential cybersecurity threats.
  • Receive and analyze network alerts from various sources and determine possible causes of such alerts.
  • Interact with internal and external parties to resolve the queries related to raised incidents.
  • Use SOC tools for continual monitoring and analysis of system/network activity to identify potential malicious activities.
  • Monitor external data sources (threat intelligence sources, ADGovCERT team, etc.) to maintain updated threat condition and determine which security issues may have an impact on the entity’s services and information.
  • Coordinate and provide expert technical support to other SOC Analyst services to resolve cyber incidents.
  • Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation.
  • Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security.
  • Perform cyber incident triage, including determining scope, urgency, and potential impact, and identifying the specific vulnerability.
  • Perform initial, forensically sound collection of images and inspect them to determine possible mitigation/remediation on entity systems.
  • Perform real-time cyber incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).
  • Conduct tests of security controls in accordance with established Incident Response plans and procedures.
  • Track and document cyber incidents from initial detection through final resolution.
  • Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies, and update the knowledge base with Lessons Learned after every incident.
  • Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness).
  • Collect intrusion artifacts (e.g., source code, malware, Trojans) and use discovered data to enable mitigation of potential cyber incidents within the entity.
  • Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.
  • Coordinate with intelligence analysts to correlate threat assessment data.
  • Generate daily, weekly and monthly reports and maintain timely delivery.
  • Follow CLIENT internal processes for any new request or change request required.

Knowledge in:

  • Security concepts such as cyber-attacks and techniques, threat vectors, risk and threat management, incident management etc.
  • Networking concepts and protocols, and network security attacks, vulnerabilities, processes, methodologies, access control mechanisms, traffic analysis methods.
  • Cyber threats and vulnerability types and information dissemination sources (e.g., alerts, bulletins and advisories).
  • Cyber defense and vulnerability assessment tools and their capabilities.
  • System and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • Incident response and handling concepts, programs, processes, methodologies, roles and responsibilities.
  • Incident categories, incident responses, and timelines for responses.
  • Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools, applications, methodologies and techniques for detecting host and network-based intrusions.
  • Threat investigations, reporting and investigative tools.
  • Cyber defense and information security policies, procedures, and regulations.
  • Common attack vectors, the different classes of attacks (e.g., passive, active and insider attacks) and attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
  • Cyber attackers (e.g., script kiddies, insider threats, non-nation-state sponsored, and nation-state sponsored).
  • Packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
  • Penetration testing principles, tools, and techniques.
  • Risk management frameworks, approaches and processes (e.g., methods for assessing and mitigating risk).
  • Business continuity, disaster recovery and continuity of operations plans.
  • Malware analysis concepts and methodologies.
  • Windows/Unix ports and services.

Skills in:

  • Hands-on skill in performing threat hunting using Azure Sentinel (mandatory).
  • Good understanding of Microsoft Azure and Office 365 environments.
  • Sysadmin skills (Linux/Mac/Windows) including cloud administration (MS Azure).
  • Programming skills (Python, PowerShell, etc.) are preferred.
  • Knowledge of KQL (mandatory).
  • Developing and deploying detection signatures
  • Detecting host and network-based intrusions via intrusion detection/prevention technologies
  • Applying incident handling methodologies for incident triage.
  • Collecting data from a variety of cyber defense resources.
  • Recognizing and categorizing types of vulnerabilities and associated attacks.
  • Performing packet-level analysis
  • Using cyber defense Service Provider (ADDA & aeCERT) reporting structure and processes within CLIENT.
  • Applying analytical and problem-solving skills.
  • Identifying, capturing, containing, and reporting malware
  • Preserving evidence integrity according to standard operating procedures or national standards
  • Designing and applying incident response plans, models and methodologies.
  • Mentoring and training skills

Abilities in:

  • Perform malware analysis.
  • Conduct vulnerability scans and recognize vulnerabilities in security systems.
  • Accurately and completely source all data used in intelligence, assessment and/or planning products.
  • Apply techniques for detecting host and network-based intrusions using intrusion detection technologies.
  • Interpret the information collected by network tools (e.g. Nslookup, Ping, and Traceroute).
  • Work in a flexible schedule within a 24x7x365 Security Operations Center (SOC) environment, as well as possibly be expected to work holidays.
  • Prepare regular reports to document any security breaches/incidents.
  • Implement Incident response and handling programs, processes and methodologies when needed.
  • Establish, confirm, and publish channels of communication.
  • Apply risk management frameworks, approaches and processes when needed.
  • Be resilient in stressful situations.

Collaboration

  • Collaborate with internal and external stakeholders to ensure governance and compliance of Security.
  • Collaborate with Internal Audit and ERM teams to ensure risks are communicated and reported.

Day-to-Day Operations

  • Set operational, management, monitoring, and project progress KPIs.
  • Supervise day-to-day monitoring of security operations, abnormalities, suspicious cases, alerts and notifications from the SIEM solution.
  • Update and develop the SOC documents and playbooks with all new use cases and configurations.
  • Report regularly to the Line Manager and CISO on operational activities and security status, as required to keep the Line Manager informed.
  • Complete reporting of security incidents and close them within the required time.
  • Follow CLIENT internal processes for any new request or change request required.

Employment Type

Full Time

About Company

0-50 employees