Incident Handler Cyber Security

Secure Division Support. The GCC provides CSSP responsibilities and conducts DODIN Operations and DCO Internal Defensive Measures (IDM) to protect the DODIN IAW the DoDM 8530.01 and the DoD Cybersecurity Services Evaluator Scoring Metrics (ESM). These responsibilities are broken into five 5 CSSP functions; Identify Protect Detect Respond and Recover. GCC is responsible to conduct these functions for its assigned portion of the DODIN for both unclassified and classified networks/ systems. The division provides support services for the protection monitoring analysis detection and response to unauthorized activity within the DoD Information Systems and Networks. DCOIDM services are required to defend against unauthorized activity on all Army assets residing on the NIPRNet and SIPRNet. The division provides defensive measures to protect and defend information computers and networks from disruption denial degradation or destruction. The division provides sensor management and event analysis and response for network and hostbased events. For sensor management the division provides management of inline Network Intrusion Protection System/Network Intrusion Detection System (NIPS/NIDS) sensors monitoring all CONUS DoDINA NIPRNet and SIPRNet Enterprise traffic to detect sensor outages and activities that attempt to compromise the confidentiality integrity or availability of the network. In coordination with GCC Operations DCO initiates defensive security procedures upon detection of these attacks. Event analysis and response includes the processes involved with reducing multiple cyber incidents to actual malicious threat determinations and mitigating those threats IAW guidance received from GCC Government leadership. Support the Government in providing services for CSSP services on both the NIPRNet and SIPRNet IAW Appendix E: Secure Division Workload Assessment in support of the CONUS portion of the DoDINA. Develop reports and products both current and longterm in support of CSSP and course of action development. Prepare Tactics Techniques and Procedures (TTP) SOPs Executive Summary (EXSUMS) trip reports and information/point papers. Contribute during the preparation of agreements policy and guidance documentation such as Memorandums of Understanding / Agreement (MOU/A) Service Level Agreements (SLA).

Cyber Defense Operations (CDO) Support. Provide sufficient staffing to maintain onsite capability IAW PWS. Place of Work and Work Hours to work directly with GCC Operations personnel in conducting initial triage/cyber incident analysis to include review correlated events system/device logs and SIEM event data to determine and recommend/take immediate DCOIDM response actions. Immediate response actions can include submission of a cyberincident response ticket making an initial determined category of cyber incident (IAW Chairman of the Joint Chiefs of Staff Manual (CJCSM) 6510 and/or notifying DCO/ARCYBER/Higher Headquarters IAW Commanders Critical Information Requirements (CCIR) reporting requirements. All other CDO operations must have an oncall capability to take actions as required to respond to cyber incidents IAW policy and/or Government direction.
Incident Analysis and Mitigation. Provide incident analysis and mitigation support by conducting incident analysis and recommending mitigation measures in response to general or specific Advanced Persistent Threats (APT) (attempted exploits/attacks malware delivery etc. on Army networks.

Block/deny access by hostile sites or restrict access by specific ports/protocols and/or applications.
Provide recommendations to the supporting operations and maintenance organization to take necessary action where the CSSPD Division does not administratively control the sensor grid.
Provide justification of IDMs and/or operational impact (implied or accepted risk) to a Configuration Control Board (CCB) and/or Authorizing Official (AO) as required for mitigation action (IDM) approval. If deemed appropriate (or as requested) the internal defensive measure may involve coordination of a Network Damage Assessment (NDA) Network Assistance Visit (NAVs) or other version of the Computer Defense Assistance Program (CDAP) mission.
Monitor all sensors and agents managed by the GCC for security event analysis and response and maintain/update the triage database with current threat data and response methods in realtime with followup recurring within 72 hours of last response. The Contractor shall respond to a detected event and perform triage ensure proper handling of the associated trouble ticket (TT) and process events accordance with appropriate TTPs.
Provide all initial cyber incident reports to Law Enforcement and Counterintelligence (LE/CI) agencies and:
Maintain an uptodate POC list for LE/CI agencies as routinely provided by the Major Cybercrimes Unit (MCU) and Cyber Counterintelligence agencies.
In cases where an active investigation will be opened LE/CI agencies will provide written request that will include the official case number specific data logs and other required information IAW local TTPs.
Provide support and expertise include the provision of the required data along with a summary or analysis of the data. Data and answers provided in the analysis shall pertain specifically to requirements in the LE/CI official request or within CSSPD TTPs.
Provide all initial cyber incident investigation reports to LE/CI.
Maintain a Master Station Log (MSL) to document high visibility cyber incidents defined as events identified in an ARCYBER Task Order a Named Operation or a Category 1 (CAT1 with status discuss DCO topics share internal tasks between shifts document call outs and share any additional relevant instructions between shifts and up through GCC Leadership and Operations reporting channels. The MSL must be available for Government inspection at any given time to ensure accurate tracking of the above information.

Basic Qualifications:

• 2 years with BS/BA; 0 years with MS/MA; 6 years with no degree
• Certifications: Certified Authorization Professional (CAP) OR meets current DCWF qualification requirements DCWF Code: 722 Advanced: Certified Information Security Manager (CISM) or Certified Information Systems Security Officer (C)ISSO) or Certified Information Systems Security Professional (CISSP) or Federal IT Security ProfessionalManagerNG (FITSPM) or GIAC Certified Incident Handler (GCIH) or GIAC Certified Intrusion Analyst (GCIA) or GIAC Cloud Security Automation (GCSA) or GIAC Global Industrial Cyber Security Professional (GICSP) or GIAC Security Essentials Certification (GSEC) or GIAC Security Leadership Certification (GSLC) or Information Systems Security Management Professional (ISSMP).
  AND DCWF code 531 Intermediate: Certified Cloud Security Professional (CCSP) or Certified Ethical Hacker (CEH) or Cisco Certified CyberOps Associate or CompTIA Cloud or CompTIA PenTest or CompTIA Security or Federal IT Security ProfessionalOperatorNG (FITSPO) or GIAC Certified Enterprise Defender (GCED) or GIAC Information Security Fundamentals (GISF).
• Experience collecting and analyzing event information and performing threat or target analysis.
• Experience supporting operations related to persistent monitoring on a 24/7 basis of all designated networks enclaves and systems.
• Demonstrated competence in managing and executing firstlevel responses and addressing reported or detected incidents.
• Comfort level with reporting to and coordinating with external organizations and authorities.
• Background in coordinating and distributing directives vulnerability and threat advisories to identified consumers.
• U.S. citizenship required.
• Possess a Secret security clearance with the ability to qualify for a Top Secret with SCI Security Clearance.
• Ability to work shift hours.

Peraton is a nextgeneration national security company that drives missions of consequence spanning the globe and extending to the farthest reaches of the galaxy. As the worlds leading mission capability integrator and transformative enterprise IT provider we deliver trusted highly differentiated solutions and technologies to protect our nation and allies. Peraton operates at the critical nexus between traditional and nontraditional threats across all domains: land sea space air and cyberspace. The company serves as a valued partner to essential government agencies and supports every branch of the U.S. armed forces. Each day our employees do the cant be done by solving the most daunting challenges facing our customers. Visit peraton to learn how were keeping people around the world safe and secure.