SOS International LLC (SOSi) is seeking a Cyber Incident Handling Analyst II to join our team in Wiesbaden, Germany. Working as expert to perform analysis of cyber relate events to detect and deter malicious actors using SIEM technologies focused on the threat to networked weapons platforms and US DoD information networks. Analyzes host and network events to determine the impact on current operations, conduct research to determine advisory capability, and develop analytics based on indicators of compromise to leverage the SIEM. Dissect detailed host data dumps to determine route cause of malicious tool, tactics, and techniques used to compromise the system.

• Monitor and action SIEM platforms for alerts, events, and rules providing insight into malicious activities and/or security posture violations 
• Review intrusion detection system alerts for anomalies that may pose a threat to the customer’s network 
• Identify and investigate vulnerabilities, asses exploit potential, and suggest analytics for automation in the SIEM engines 
• Report events through the incident handling process of creating incident tickets for deeper analysis and triage activities. 
• Classify incident reports IAW Army and DoD regulations after identifying root cause and issuing remediation actions to system owners.  
• Perform post intrusion analysis to determine shortfalls in the incident detection methods 
• Develop unique queries and rules in the SIEM platforms to further detection for first line cyber defenders. 
• Determine IDS/IPS rule false positives to recommend tuning of rules to reduce noise and inceae fidelity  
• Respond to the higher headquarters on incidents and daily reports 
• Provide daily updates to Defensive Cyber Operations staff on intrusion detection operation and trends of events causing incidents 
• Prepare charts and diagrams to assist in metrics analysis and problem evaluation, and submit recommendations for data mining and analytical solutions 
• Write reports of remotely exploitable vulnerabilities to increase customer situational awareness and improve the customer’s cyber security posture 
• Assist all sections of the Defensive Cyber Operations team as required in performing Analysis and other duties as assigned 
• Travel to customer sites to perform network security evaluations 
• May perform documentation and vetting of identified vulnerabilities for operational use

• An active in scope Top Secret/SCI clearance is required
• US citizenship required
• Bachelor of Science/Arts (Engineering or Computer Science or Science or Business Administration or Mathematics) +3, AS +7, major certification +7 or 11+ years specialized experience
• DoD IAT Level II certification (CCNA-Security, CND, CySA+, GICSP, GSEC, Security+ CE, or SSCP) or higher is required
• DoD 8570 CSSP-Incident Responder (CEH, GCIH, GCFA, CySA+, or other as listed on the DoD 8570) or higher is required
• A current computing environment certification such as MCSA, RHCSA, CCNA, CEH, ArcSight, etc. 
• Must have a full, complete, and in-depth understanding of all aspects of Defensive Cyber Operations
• Must be fluent in all aspects of government and corporate communications media to include all MS Office products and common task ticketing systems
• Must have a good breadth of knowledge of common ports and protocols of system and network services
• Experience in packet captures and analyzing a network packet
• Experience with intrusion detection systems such as Snort, Suricata, and Zeek
• Experience with SIEM systems such as Splunk, ArcSight, or Elastic
• Must have the demonstrated ability to communicate with a variety of stakeholders in a variety of formats
• Ability to work independently as well as part of a team
• Ability to work periodically on shift to assist the team

• DoD 8570 IAT III (CISSP, CASP, CISA, GCED, GCIH) 
• Experience with writing Snort or Suricata IDS rules 
• Experience in developing complex dashboards, report, and automated searches in Splunk, ArcSight, or Elastic/Kibana 
• Experience with analyzing packets using Arkime 
• Experience with Microsoft Windows event IDs 
• Experience with Linux audit log analysis 
• Familiarity with Git and VScode 
• Experience with one or more scripting languages such as PowerShell, Bash, Python
• Fluency in a foreign language is desirable, but not required.

• Working conditions are normal for an office environment.
• Fast paced, deadline-oriented environment.
• May require periods of non-traditional working hours including consecutive nights or weekends (if applicable)

SOSi is an equal employment opportunity employer and affirmative action employer. All interested individuals will receive consideration and will not be discriminated against on the basis of race, color, religion, sex, national origin, disability, age, sexual orientation, gender identity, genetic information, or protected veteran status. SOSi takes affirmative action in support of its policy to advance diversity and inclusion of individuals who are minorities, women, protected veterans, and individuals with disabilities.