Capgemini Engineering
Network Engineer (SOC Analyst, Ukraine) #15241
Ukraine · Full-time · Associate
Purpose Of The Job
In-depth Investigation: Analyze escalated alerts and incidents from L1. Use advanced forensic and analysis tools to perform deep-dive investigations where appropriate. More often than not, this will simply mean consulting additional threat intel sources and examining logs more closely, as deep forensic analysis is typically only required for incidents where a compromise has occurred. On rare occasions, the investigation might conclude that the alert was triggered by design flaws in the legacy alert triggers (SIEM saved searches with triggers), resulting in false positives. While investigating the alert, L2 should examine whether the alert triggers could be improved based on the investigation outcome and consult with L3 on this.
Main Tasks And Responsibilities
Basic Threat Containment: Take limited containment actions under strict guidelines, such as isolating suspicious hosts (when permitted). These guidelines need to be established for internal Platform level accounts, as well as for customer (digital product) accounts.
Threat Intelligence Correlation: Leverage threat intelligence sources to correlate indicators and identify broader threat campaigns or tactics used by attackers. There are often security communities / forums where trusted industry professionals post information about active attacks they are seeing. Crowd-sourced threat intel can also be useful.
Containment & Mitigation: Coordinate with product teams to implement containment measures (e.g., blocking IPs, disabling accounts, quarantining devices) and lead initial remediation efforts. During these events, consult with product teams about their appetite for participating in automatic remediation / mitigation, and report the outcome to L3. In order to perform remediation (either manually or through automation) on behalf of a product, agreements must be in place that state which containment measures are authorized.
Incident Handling: Act as the primary handler for incidents, leading analysis, investigation, and coordination efforts until resolution.
Root Cause Analysis: Conduct detailed root cause analysis on incidents and assist with recommendations for future prevention.
Playbook & SOP Enhancement: Review and update incident response playbooks and procedures to reflect new threats and improve efficiency. Based on feedback from L1, or when an area is identified that has no runbook, develop such a runbook if possible. Consult L3 if L2 is unable to deliver the runbook themselves.
Escalation to L3: Escalate complex or high-impact incidents to L3 with a detailed analysis and recommendations.
Education, Skills And Experience
MUST HAVE:
Intermediate knowledge of network and Cloud security, including malware analysis and packet analysis.
Hands-on experience with Splunk and AWS environments (2-4 years)
Experience with threat intelligence and incident response tools.
Strong problem-solving skills and ability to handle more complex or persistent threats.
Would Be a Plus
Basic knowledge of Python or any other scripting language
Security Certification(s) and/or strong educational background in security, as well as experience working in a SOC.
Key Skills (ranked by relevance)
- incident response
- malware analysis
- cloud security
- python
- splunk
- cloud
- siem
- aws
- ips
Related Jobs (3 roles aligned with this opportunity)
- SENIOR DEVOPS ENGINEER · 2026-04-10 · Full-time · Not Applicable · Ukraine · IT Services · Engineering
- Managed Cloud Security Services Analyst · 2026-04-12 · Full-time · Not Applicable · Finland · IT Services · Information Technology
- Machine Learning Engineer · 2026-04-11 · Volunteer · Not Applicable · India · Software Development · Engineering
- Posted: Apr 09, 2025
- Type: Full-time
- Level: Associate
- Location: Kyiv
- Company: Capgemini Engineering
- Industries: IT Services, IT Consulting
- Categories: Information Technology