OCIO-0007 Cyber Threat Intelligence Analyst Services (NS) - MON 3 Oct

Deadline Date: Monday 3 October 2022

Requirement: Cyber Threat Intelligence Analyst Services

Location: Brussels, BE

Full time on-site: Yes

NATO Grade: G12/75

Total Scope of the request (hours): 440

Required Start Date: 31 October 2022

End Contract Date: 31 December 2022

Required Security Clearance: NATO SECRET

1. INTRODUCTION

The NATO Office of the Chief Information Officer (OCIO) is responsible for Cyber Defence for the NATO Enterprise. The OCIO has been tasked to increase NATO’s Cyber Defence posture. As part of this initiative, the OCIO plans to enhance the ability of NATO’s Cyber Threat Analysis Branch (CTAB) within the Joint Intelligence & Security Division to provide the quality and quality of cyber intelligence products required by the NATO Enterprise. The contractor will work for the OCIO, however, will be located with CTAB.

The Cyber Threat Analysis Branch is responsible for providing evidence-based assessments of the cyber threat landscape to empower NATO stakeholders to make risk-informed decisions. The multidisciplinary team combines all-source data with cutting edge technologies to support and enhance the Alliance leaderships’ understanding on the nature of cyber competition and conflict. CTAB systematically identifies strategic patterns and trends in cyber space and generates tailored insights to support network defence and mission assurance with predictive analysis, cyber threat intelligence, and threat hunting.

The contractor will support the work of the OCIO and the Cyber Threat Analysis Branch by reviewing and analysing past incidents and getting insights on trends and possible threat actor attack patterns targeting NATO.

2. TASKS

In providing Cyber Threat Intelligence Analyst services, the contractor will be responsible for tracking, reviewing and correlating (historic) events/incidents that are observed by NATO’s internal incident response team. Specific tasks include:

2.1 Support with the development of a process, procedure and methodology to track cluster and link incident tickets together:

Measurement: A document that describes the process, procedure and methodology followed to assess, cluster and link incident response tickets.

2.2 Review, triage, assess, cluster and link historic events/incidents together based on ticket data. Assist in the prioritization of the development of threat hunt playbooks, based on observed and recurring activity. Liaise with NATO’s Incident Handling Officers to understand tickets and request more technical data when needed.

Measurement: Report on incidents that show overlap, links, etc, describing why they are linked, why it matters, lessons that can be learned and how to defend against the type of activity.

2.3 Assess, cluster and link disparate activity into related intrusions & campaigns.

Measurement: Merger or cross-correlation of intrusion sets into operations or campaigns.

2.4 Support Enterprise risk and incident management activities

Measurement: support information exchange with OCIO, based on cyber threat data analysis and trend information.

Exploration of how above correlated information could be ingested and rendered in Enterprise tools used by the OCIO.

4. LOCATION

The services will be provided on site at the NATO HQ offices in Brussels, Belgium.

5. TIMELINES

The services of the contractor are to be provided in the period of 31st October 2022 until 31th December, 2022. An earlier start date is possible, if feasible by the contractor.

Under the current framework contract, a contract extension is possible for the calendar year 2023.In any case, future contract extensions are subject to performance of the contractor and related NATO regulations.

6. SPECIFIC WORKING CONDITIONS

Secure environment with standard working hours, with the exception of working in non-standard working hours up to 360 hours annually.

In addition, it may exceptionally be required to work non-standard hours in support of a major Cyber Incident or on a shift system for a limited period due to urgent operational needs.

7. TRAVEL

No travel is required.

8. SECURITY AND NON-DISCLOSURE AGREEMENT

The contracted individual must be in possession or capable of possessing a security clearance of NATO Secret.

A signed Non-Disclosure Agreement will be required.

Annex A – Special Terms and Conditions

• The contractor will be responsible for complying with the respective national requirements for working permits, visas, taxes social security etc. whilst working on site at NATO HQ- Brussels, Belgium.
• No special status is either conferred or implied by the host organisation, NATO HQ- Brussels, Belgium on to the contractor whilst working on site.
• The contractor will be responsible for complying with all the respective National Health COVID-19 regulations for quarantine on arrival in Belgium before taking up the position.

Requirements

3. PROFILE

• The candidate must have a currently active NATO SECRET security clearance.
• A university degree from a nationally recognised/certified University in a technical subject with substantial Information Technology (IT) content and 4 years of specific experience. Exceptionally, the lack of a university degree may be compensated by the demonstration of the service provider’s particular abilities or experience that is/are of interest to the OCIO; that is, at least 7 years extensive and progressive expertise in the tasks related to providing cyber threat intelligence analyst services.

Mandatory

• Advanced level in at least three of the following areas and a high level of experience in the other areas:
• Experience analysing and synthesizing security events and incidents in a high-speed environment.
• Knowledge and experience in analysis of incidents, attack patterns and tactics, techniques, and procedures (TTPs).
• Experience supporting incident response and deeply familiar with common incident response procedures, processes, and tools.
• Experience with threat hunting, including deep knowledge of operating systems and windows internals.
• Strong knowledge of malware families and network attack vectors.

Desirable

• Applied knowledge across all critical elements and common data types used in threat intelligence analysis, including malware used in targeted adversary campaigns; windows and Linux system internals and experience threat hunting in Enterprise environments; and network forensics including common protocols and how those are used in adversary operations.
• Applied knowledge of a variety of adversary command and control methods and protocols.
• Ability to produce contextual attack models applied to a scenario.
• Experience working in a threat intelligence team.
• Knowledge of JIRA.