This position is located within the Department of Technology Services (DTS), Information Technology Security Office (ITSO). The incumbent is a recognized IT security expert with a strong defensive cyber background and "hands-on" experience in incident response. The incumbent will perform multiple and varying assignments under the direction of the Chief, Incident Response Branch - Security Operations Division
Applicants must have demonstrated experience as listed below. This requirement is according to the AO Classification, Compensation, and Recruitment Systems which include interpretive guidance and reference to the OPM Operating Manual for Qualification Standards for General Schedule Positions. Applicants must have at least one full year (52 weeks) of specialized experience, which is in or directly related to the line of work of this position. Specialized experience is demonstrated experience in ALL of the following: Development experience to include proficiency in 1 or more of the following: .NET, PowerShell, C# or Python. Comprehensive understanding of adversarial techniques, with the capability to technically diagram and articulate the stages of an intrusion. SME-level experience examining enterprise audit logs including Windows Event Log and Sysmon in Windows environments, and auditd in Linux environments. Knowledge of forensic methodologies and the processes involved in collecting, preserving, and analyzing digital evidence to accurately reconstruct events and support incident response efforts. Experience in analyzing sophisticated attacker techniques that exploit email and cloud services as attack vectors. Desired, but Not Required: GIAC Certified Incident Handler (GCIH) GIAC Certified Forensic Analyst (GCFA) GIAC Certified Forensic Examiner (GCFE) GIAC Cloud Incident Response (GCIR) Certified Information Systems Security Professional (CISSP)
The Incident Response Subject Matter Expert (SME) under the direction of an Incident Commander, is responsible for analyzing intrusion alerts, assessing impact, implementing containment measures to limit threat propagation, and facilitating the recovery of compromised systems. This role supports 24x7x365 security operations and requires availability between 0600 and 2100 EST during incident response activities, with additional on-call responsibilities for weekends and after-hours incidents. The incumbent must be able to perform the tasks and meet the knowledge and skill statements as described in NIST Special Publication 800-181 National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce for the roles of Defensive Cybersecurity (PD-WRL-001) and Incident Response (PD-WRL-003). Duties include, but are not limited to the following: Conducting thorough analysis of network, endpoint, and application logs to identify and assess intrusions, determine their impact, and implement appropriate containment strategies to mitigate threats. Providing timely and accurate incident status updates to key stakeholders, including the incident commander, SOC leaders, and executives. Developing and tests enterprise-wide detection and response capabilities, including endpoint artifact retrieval, isolation techniques, and Yara rule creation, to improve threat detection and containment at scale. Maintaining and enhances the organization's incident response framework by defining and refining incident declaration processes, updating the Judiciary's Incident Response Plan, and identifying gaps in existing procedures. Driving continuous improvement through the development and validation of readiness exercises, standard operating procedures, and playbooks, while pioneering innovative incident response techniques for PaaS and SaaS cloud environments and leveraging automation to streamline response efforts