As a Tactical CTI Analyst in the Threat Intelligence Operations (TI-OPS) team, you will have a particular focus on the tactical spectrum of Threat Intelligence. Here you will be involved in researching and assessing threats and adversary tradecraft, applying intelligence in various operational deliverables, providing curated intelligence reports to operational functions and our customers, and performing continuous improvement activities of our processes, procedures, methods and tooling as needed. You will play an integral part in helping us analyse threats and data originating from thousands of incidents detected by mnemonic, third party telemetry, as well as novel sources and methods.

To be successful in this role, you must be independent, well-organised, have excellent communication skills, and skilled in using data and information derived from multiple disciplines to solve analytical problems.

We encourage both experienced candidates, and candidates with strong commitment and relevant skills to apply.

You will be working with

We approch our work by striving to make our intelligence insights both actionable and impactful, as we continue to push ourselves in close collaboration with Security Operations, Detection Engineering, and Digital Forensics and Incident Response (DFIR). We perform threat research using a variety of open- and closed sources and partnerships, and use this insight to continuously mature our market-leading MDR service and to drive projects, services and external engagements on CTI subject matters. We believe that today's threats must be combated by detection- and mitigation strategies that are intelligence-driven and continuously adapted to an ever-changing threat landscape.

This approach is also reflected in the variety of tasks this position covers, including:

  • Conduct threat research using open- and closed sources, and maintain Intelligence KBs to effectively track known TTPs, detection coverage, and response/mitigation recommendations associated with specific threats and adversary tradecraft.
  • Produce clear, concise and actionable intelligence reports on threats with insights into attacker techniques and identified campaigns, incl. guidance on mitigation and detection strategies.
  • Provide curated intelligence to support operational functions, such as incl. Threat Hunting for executing threat hunting missions and Detection Engineering for the development of use cases of new emerging adversary behavior.
  • Consume and analyse technical-oriented Threat Intelligence from a variety of sources (e.g. social media, blog posts, intelligence reports, sandbox output, partner sharing, internal detections etc) to track and report on the evolving threat landscape and TTPs.
  • Provide relevant trend analysis and technical insights to customers and other stakeholders, incl. mapping to common frameworks, such as incl. MITRE ATT&CK.
  • Researching and analysing malware, attack campaigns, threat groups and their tactics, techniques and procedures (TTP) as observed in the threat landscape.
  • Support the build out of a Threat Intelligence program and contribute to a coherent and targeted tactical and operational intelligence production to our customers, incl. the application of Threat Intelligence frameworks and -models.
  • Participate in the processes for collecting, enriching, assessing and distributing Threat Intelligence data and reporting; incl. the use and evaluation of supporting technologies, such as incl. Threat Intelligence Platforms (TIP).
  • Actively contribute in the development of tools, frameworks, services and guidelines to analyse and respond to threats, and in supporting operational functions on CTI-matters as needed (DFIR, Security Operations, Malware Analysis etc).
  • Assist incident responders and intrusions analysts with technical expertise, and in general the understanding of the context, nature, and sophistication of attacks and incidents being detected.
  • Identify patterns and trends in detections and write actionable Intelligence Insights about trends we are observing, how customers can respond to them, and why they are relevant.
  • Actively contribute to the production of- and in the development of threat briefs, reports, advisories and other forms of CTI-focused deliverables, both as a contributor and in performing peer review.
  • Periodically assess and evaluate CTI-related threat feeds and data sources, both as received from external and third-parties, but also actively taking a lead to ensure that mnemonics threat feeds and -data is of high quality prior to distribution.
  • Engage with external parties for producing- and responding to RFIs, and actively contributing to intelligence sharing with our customers, partners, CERTs and the community as a whole.
  • Maintaining and developing our internal CTI- and OSINT frameworks, both to ensure alignment with internal requirements and needs, and to ensure that our intelligence expertise is continuously maturing.

You will be working closely with our Technical CTI Analyst and Threat Hunter.

What you will bring

Hard skills

  • The ideal candidate has a background in one of the following disciplines: Threat Intelligence, Incident Response, Threat Hunting, Threat Assessments, Digital Forensics, Security Analytics, Security Operations, Infrastructure Analysis, Malware Analysis.
  • Familiar with at least two of the following areas (and a willingness to learn the rest):
    • Graph theory and clustering analysis.
    • Open- and closed source intelligence.
    • Intelligence methods, frameworks and standards.
    • CTI-focused products, platforms and technologies.
    • Disk and memory forensics.
    • Forensic methods, frameworks and standards.
    • Static and dynamic binary analysis.
    • Network traffic and/or Log analysis.
    • Technical analysis methods, processes and tooling.
    • Windows and/or Linux internals.
  • Experience with at least three of the following areas (and a willingness to work with others):
    • Tracking threat actors and researching their TTPs.
    • Supporting intelligence led assessments, such as incl. CBEST or TIBER.
    • Using commercial and open source platforms, such as incl. Shodan, Censys, or similar.
    • Malware sandboxes and using the output to pivot and find additional activity.
    • Performing threat hunting, and researching and refining supporting hypothesis.
    • Creating network-, endpoint-, malware- detection signatures on such as incl. Yara, Snort, Kusto or similar.
    • Infrastructure analysis, such as incl. Passive DNS, WHOIS data, SSL certificates or similar.
    • OSINT of variety of data sources incl. social media, blog posts, news outlets/vendors, malware sandboxes or similar.
    • Platforms and -solutions for storing, structuring and managing CTI.
    • The production of actionable intelligence reports and insights (incl. RFI-processes).
    • Practical knowledge of researching, collection skills and analytical methods.
    • Knowledge of industry-wide frameworks, such as incl. MITRE ATT&CK, CKC, Pyramid of Pain, the Diamond Model, ACH or similar.
    • Encoding and decoding of obfuscation techniques within network traffic and endpoint artifacts.
    • Threat landscape- and adversary tradecraft analysis.
    • Practical application of CTI-, OSINT- and DFIR-workflows (incl. supporting tooling).
    • Visualisation- and graphing tools, such as incl. Maltego, IBM i2, Spiderfoot or similar.
    • Cloud environments and telemetry capabilities, in particular Azure and AWS.
    • Practical scripting and programming, such as incl. Python, Perl, Ruby, Go, Bash, PowerShell or similar.
    • ... or any other working experience that directly relates to the provided job description ('what you will do').
  • The following knowledge are considered a plus, but not a requirement (necessary training and on-boarding program will be offered):
    • Industry certifications such as from incl. GIAC/SANS, CREST, EC-Council, Offensive security, eLearnSecurity or similar.
    • Products and technologies certifications such as incl. EDR, SIEM, Malware sandboxes, TIPs, Anomalies/Heuristics solutions, Cloud concepts incl. Azure/AWS or similar.
    • Standards and frameworks such as incl. CBEST, TIBER, ISO 27000-series, IRAM2 or similar.
    • Technical training related to Threat Detection, Threat Intelligence, Incident Response, Detection Engineering, Security Analytics, Digital Forensics, Threat Hunting or similar.

Soft skills

  • Have strong analytical skills and the ability to synthesise complex and contradictory information.
  • Is creative, solution oriented and able to find new solutions to complex problems.
  • Is self-driven, independent and has the ability to successfully prioritise important tasks with minimal oversight.
  • Has the ability to clearly communicate complex technical information, verbally and in writing with minimal review before broad dissemination.
  • Excellent communication skills, both written and verbal, including the ability to communicate technical concepts in a clear, succinct fashion.
  • Is well-organised and has the ability to structure and organise information that facilitates efficient knowledge sharing among team members.
  • Is a team player that understands the importance knowledge sharing among peers.

We also appreciate open applications if your profile is not a 100% match!

What we can offer

  • An informal and pleasant working environment that provides opportunities for growth, influence and variations in tasks
  • Competitive salary, share program and bonus scheme that promotes a long-term employment outlook, including attractive pension and insurance coverage
  • Opportunities for relevant professional training (courses) and conferences
  • We place a strong emphasis on workplace well-being and teambuilding through social activities, events and trips with colleagues. In addition, we have an inclusive environment that promotes work-life balance and accommodates to families. Our HQ is centrally located in Solli plass with work from home opportunities
  • A workplace that is ranked as one of the best in Europe. In Norway we have been amongst the top 10 workplaces for 10 years in a row. This year, we won our category!

How do I apply?

Email us at [email protected] and write "MSS-TI-Tactical-CTI" in the subject field. Add a text about why you are right for the job, and your CV. Send us a code project you have been working on, that illustrates exactly how you work with code.

If you have publications or projects you have worked on that you think represent your technical skills or ability to communicate, please attach or refer to these.

Background check

We use Semac AS for background checks in our recruitment process. Security clearance is a requirement.

Do you have questions about a career in mnemonic?