The U.S. Department of Homeland Security (DHS), Customs and Border Protection (CBP) Security Operations Center (SOC) is a U.S. Government program responsible to prevent, identify, contain and eradicate cyber threats to CBP networks through monitoring, intrusion detection and protective security services to CBP information systems including local area networks/wide area networks (LAN/WAN), commercial Internet connection, public facing websites, wireless, mobile/cellular, cloud, security devices, servers and workstations.  The CBP SOC is responsible for the overall security of CBP Enterprise-wide information systems, and collects, investigates, and reports any suspected and confirmed security violations. 

Primary Responsibilities: 

Shift schedule: 7pm-7am, Thur-Sat, every other Wednesday. 

• Utilize state of the art technologies such as Endpoint Detection & Response (EDR) tools, log analysis (Splunk) and occasionally network forensics (full packet capture solution) to investigative activity to examine endpoint and network-based data. 

• Monitor alerting channels for multiple endpoint and network tools for alerts of various criticalities and escalate according to defined processes, procedures, and playbooks.  

• Triage alerts to determine nature of activity occurring on customer networks, systems, servers, and mobile devices.  

• Conduct log analysis from multiple avenues and tools to triage activity in support of incident response. 

• Recognize attacker and APT activity, tactics, and procedures and aggregate indicators of compromise (IOCs) that can be used to improve monitoring, analysis and incident response. 

• Develop and build security content, scripts, tools, or methods to enhance the incident investigation processes. 

• Lead Incident Response activities and mentor junior SOC staff. 

• Create daily, weekly, and monthly reports for dissemination to customer leadership with emphasis on attention to detail and accurate capturing of relevant, timely data for briefings.  

• Succinctly and accurately capture technical details and summarize findings for less technical audiences. 

• Work with key stakeholders to implement remediation plans in response to incidents. 

• Effectively investigative and identify root cause findings then communicate findings to stakeholders including technical staff, and leadership. 

• Strong problem-solving abilities with an analytic and qualitative mindset. 

• Effectively communicate with customer leadership and disseminate timely updates of critical incidents with emphasis on attention to detail and accurate reporting.  

Basic Qualifications: 

• Bachelor’s degree in computer science, engineering, Information Technology (IT), Cyber Security, or related field. Additional years of experience and certifications may be considered in lieu of a degree.

• 5 years of professional experience (or a Bachelors’ Degree and 3 years of professional experience) in incident detection, response and remediation. 

• Minimum of three (3) but (5) preferred years of specialized experience in one or more of the following areas: 

• Email security 

• Digital media forensic 

• Monitoring and detection 

• Incident Response 

• Vulnerability assessment and penetration testing  

• Cyber intelligence analysis  

• Extensive experience analyzing and synthesizing information with other relevant data sources, providing guidance and mentorship to others in cyber threat analysis and operations.  

• Ability to collaborate with technical staff and customers to identify, assess, and resolve complex security problems/issues/risks and facilitate resolution and risk mitigation. 

• Ability to stay up to date with the latest threat intelligence, security trends, tools, and capabilities. 

• Possess strong problem-solving abilities with an analytic and qualitative eye for reasoning.  

• Ability to independently prioritize and complete multiple tasks with little to no supervision. 

Preferred Qualifications:  

• Ability to coordinate and communicate well with team leads and government personnel. 

• Experience with detection engineering efforts to tune alerts, signatures, and tools to reduce false positives.  

• Experience in cyber government, and/or federal law enforcement 

• Experience with the Cyber Kill Chain and MITRE ATT&CK framework  

• Ability to formulate and create new processes, metrics, and procedures to improve security operations.   

Required certifications: 

The candidate should have at minimum ONE of the following certifications: 

• CompTIA Cyber Security Analyst (CySA+) 

• CEH – Certified Ethical Hacker 

• CompTIA Linux Network Professional (CLNP) 

• CompTIA Pentest+ 

• CompTIA Cybersecurity Analyst (CySA+) 

• GPEN – Penetration Tester 

• GWAPT – Web Application Penetration Tester 

• GSNA – System and Network Auditor 

• GISF – Security Fundamentals 

• GXPN – Exploit Researcher and Advanced Penetration Tester 

• GWEB – Web Application Defender 

• GNFA – Network Forensic Analyst 

• GMON – Continuous Monitoring Certification 

• GCTI – Cyber Threat Intelligence 

• GOSI – Open Source Intelligence 

• OSCP (Certified Professional) 

• OSCE (Certified Expert) 

• OSWP (Wireless Professional) 

• OSEE (Exploitation Expert) 

• CCFP – Certified Cyber Forensics Professional 

• CISSP – Certified Information Systems Security 

• CHFI – Computer Hacking Forensic Investigator 

• LPT – Licensed Penetration Tester 

• CSA – EC Council Certified SOC Analyst (Previously ECSA – EC-Council Certified Security Analyst) 

• ENSA – EC-Council Network Security Administrator 

• ECIH – EC-Council Certified Incident Handler 

• ECSS – EC-Council Certified Security Specialist 

• ECES – EC-Council Certified Encryption Specialist 

Clearance:  

All Department of Homeland Security CBP SOC employees are required to favorably pass a 5-year (BI) Background Investigation