Threat Hunting Investigator
4 days ago
Who We Are
Cisco's Security Visibility and Incident Command (SVIC) forms part of the monitoring & response branch of Cisco's Security and Trust Organization (S&TO) and is Cisco's cyber investigations and forensics team. We provide Cisco with security threat detection, compliance monitoring, vulnerability discovery and response services to protect Cisco's digital world from attacks, abuse, reputational harm, and loss of its intellectual assets. The primary mission of SVIC is to help ensure system and data risk management by performing comprehensive investigations into cyber security incidents, and to assist in the prevention of such incidents by engaging in dedicated threat assessment, mitigation planning, incident trend analysis, and security architecture review. We are a high-functioning, diverse, and globally distributed group of committed professionals from various technical backgrounds. We are open-source software contributors, technical authors, tool builders, DFIR (Digital Forensics & Incident Response) community members, lock pickers, makers, and breakers.
Who You Are
What You Will Do
Conduct the technical investigation into computer security incidents to assess the scope of impact to the business and uncover the root cause.
Engage with impacted teams to devise containment measures and drive them to completion, while continuing to work toward full resolution of the incident.
Perform an after-action review of high-severity incidents and communicate findings to management and partner teams.
Perform threat hunting campaigns using information on adversary tools, tactics & procedures (TTPs) and knowledge of how they manifest in security data sources & system telemetry.
Research and deploy modern technologies or enhancements to support business objectives related to security detection, threat hunting, forensics, and response.
Study how attackers operate and the methods they use, and apply your IT and networking expertise to build and improve detection logic and investigative procedures.
Collaborate with your peers to evolve our operational processes & procedures towards improving efficiency & efficacy.
Teach, mentor and support your peers in areas where you have specialized knowledge or experience.
Represent SVIC in collaboration with industry peers and in trusted working groups.
Participate in a follow-the-sun on-call rotation.
Desired Skills
Self-Starter, Go-Getter & Self-Learner.
Superb communication (verbal and written) skills.
Reasonable scripting/coding abilities and an eye for automation opportunities.
A solid grasp of networking and core Internet protocols (e.g. TCP/IP, DNS, SMTP, HTTP, TLS and distributed networks).
Experience or familiarity with cloud computing platforms and components, such as AWS, GCP, Azure, Docker, Kubernetes, etc.
Experience or familiarity with protocols and products used for authentication and authorization, such as RADIUS, Active Directory, LDAP, NTLM, Kerberos, SAML, OAuth, JWT, etc.
Experience across common security products, such as firewalls, IDS/IPS, NetFlow, AV, EDR, SIEM, SOAR, etc.
Experience with a mix of red team or blue team tools, such as Metasploit, C2 frameworks, Kali Linux, Security Onion, Burp Suite, Nessus, osquery, YARA, The Sleuth Kit, Velociraptor, etc.
Experience in one or more data analytics platforms or languages, such as Splunk, Elastic Stack, Kusto Query Language (KQL), Structured Query Language (SQL), etc.
Agility in dealing with several types of security incidents concurrently and a curiosity to learn about the tools and technologies involved.
Flexibility: willingness to pitch in where needed across the program and team, including outside typical business hours.
Strong leadership, influence, and collaboration skills; sound problem resolution, judgment, negotiating and decision-making skills.
Cyber threat investigator
2 weeks ago
Bengaluru, India. Mashreq. Full time. Description: Manage security event monitoring and incident response using SIEM platforms, with preference for Azure Sentinel and ArcSight. Analyze and respond to security events from diverse sources such as firewalls, IDS/IPS, antivirus solutions, DAM systems, web servers, proxies, and banking applications. Develop and maintain alert rules and logic within...
Security Analyst
3 weeks ago
Bengaluru, India. Terralogic Software Solutions Private Limited. Full time. About the job: Overview: Seeking a Security Analyst with expertise in Microsoft Sentinel and the Microsoft Defender Suite (EDR, XDR, SIEM, SOAR). The role involves threat detection, incident response, threat hunting, and automation using KQL, PowerShell, Defender for Cloud, Defender for Office 365, MDVM, Copilot for Security, and ServiceNow SecOps SIR for...