Threat Hunter - National Security - Leeds

BAE Systems Digital Intelligence is home to 4,500 digital, cyber and intelligence experts. We work collaboratively across 10 countries to collect, connect and understand complex data, so that governments, nation states, armed forces and commercial businesses can unlock digital advantage in the most demanding environments.

Location: Leeds - We offer a range of hybrid and flexible working arrangements - please speak to your recruiter about the options for this particular role.

Grade: GG10 - GG11

Job Description:

• Point of escalation for intrusion analysis, forensics and Incident Response queries.
• Able to provide root cause analysis of complex, non-standard analytic findings and anomaly-based detections for which a playbook does not exist.
• Mentor and share knowledge with the wider team as and when it becomes prudent.
• Contribute and facilitate collaboration through the SOC Knowledge Repository and associated systems, autonomously creating new knowledge and updating existing items.
• Working outside the HMG community to build/develop relationships with external SOCs and cyber security researchers, identify analytics, tradecraft and threat intelligence that may benefit the Blue Team.
• Development of new complex and anomaly-based KQL analytics, and associated playbooks that result in creation of bespoke detection rules/analytics against M365 environments, plus host-based analytics for Linux and Windows VMs.
• Review open-source research into latest threats and detection opportunities that primarily impact cloud hosted services and cloud-hosted VMs. Independently prioritise for implementation.
• Research potential vulnerabilities which could lead to environment compromise. Produce proof-of-concept exploit code capable of demonstrating exploitation of the identified vulnerabilities.
• Emulate adversary TTPs for purposes of team training and detection capability evaluation.
• Review findings of red team/Pentest activities and derive new improvements to detection rules.
• Provide forensic support, and threat-emulation, to enhance the triage of existing alerts and their accuracy and/or risk posed, where reasonable.
• Identify weaknesses and gaps in SOC processes, data collection and analysis.
• Using technical knowledge and skills to perform a broad range of non-routine and more complex ID&A tasks, including threat hunting, automation and analytic enrichment.
• Set the vision and milestones for emulation and detection capability, influencing other teams to provide collaboration where necessary.
• Full accountability for adjustment of alert thresholds and suppressions based on assessment of signal-to-noise assessment, team risk appetite, analyst team capability and skill availability.
• Define Threat Hunting initiatives based on real-world or reasoned risks.
• Architect detection programmes/processes/systems to better determine unusual behaviours, reduce dwell time, and reduce resources spent on expected activity.
• Determine and oversee practices which improve daily operations and capabilities, including quality review of analyst activities.
• Provide strategy and goals of operational team exercises with full autonomy as detection needs require.
• Influence the formation of team requirements inclusive of engineering, analysis and continuous improvement strategy.
• Devise technical interview questions, conduct technical interviews and evaluate candidate responses.

Experience:

• Demonstrable experience of security testing practices and techniques.
• Knowledge of Azure, desirable to also have knowledge of AWS.
• Knowledge of Windows Active Directory.
• Knowledge of Windows Operating System fundamentals.
• Knowledge of Networking fundamentals.
• Experience using CICD and source control.
• Experience in writing new malware and anomaly detections.
• Knowledge of using statistical methods to find anomalies in data.
• Advanced practical use of Microsoft Sentinel and/or Microsoft XDR.
• Competent in writing med-highly complex KQL analytics/searches.
• Strong knowledge of latest threats in security.
• Ability to prioritise threats.
• Determine factors that contribute to a detection's effectiveness.
• Threat hunting or SOC analyst skills/certifications.

We are embracing Hybrid Working. This means you and your colleagues may be working in different locations, such as from home, another BAE Systems office or client site, some or all of the time, and work might be going on at different times of the day. By embracing technology, we can interact, collaborate and create together, even when we’re working remotely from one another. Hybrid Working allows for increased flexibility in when and where we work, helping us to balance our work and personal life more effectively, and enhance well-being.

Diversity and inclusion are integral to the success of BAE Systems Digital Intelligence. We are proud to have an organisational culture where employees with varying perspectives, skills, life experiences and backgrounds – the best and brightest minds – can work together to achieve excellence and realise individual and organisational potential.