Incident Response Analyst

Overview

Secure Division Support. The GCC provides CSSP responsibilities and conducts DODIN Operations and DCO – Internal Defensive Measures (IDM) to protect the DODIN IAW the DoDM 8530.01 and the DoD Cybersecurity Services Evaluator Scoring Metrics (ESM). These responsibilities are broken into five (5) CSSP functions; Identify, Protect, Detect, Respond, and Recover. GCC is responsible to conduct these functions for its assigned portion of the DODIN for both unclassified and classified networks / systems. The division provides support services for the protection, monitoring, analysis, detection, and response to unauthorized activity within the DoD Information Systems and Networks. DCO-IDM services are required to defend against unauthorized activity on all Army assets residing on the NIPRNet and SIPRNet. The division provides defensive measures to protect and defend information, computers, and networks from disruption, denial, degradation, or destruction. The division provides sensor management and event analysis and response for network and host-based events. For sensor management, the division provides management of in-line Network Intrusion Protection System / Network Intrusion Detection System (NIPS / NIDS) sensors monitoring all CONUS DoDIN-A NIPRNet and SIPRNet Enterprise traffic to detect sensor outages and activities that attempt to compromise the confidentiality, integrity, or availability of the network. In coordination with GCC Operations, DCO initiates defensive security procedures upon detection of these attacks. Event analysis and response includes the processes involved with reducing multiple cyber incidents to actual malicious threat determinations and mitigating those threats IAW guidance received from GCC Government leadership. Support the Government in providing services for CSSP services on both the NIPRNet and SIPRNet IAW Appendix E : Secure Division Workload Assessment in support of the CONUS portion of the DoDIN-A. Develop reports and products, both current and long-term, in support of CSSP and course of action development. Prepare Tactics, Techniques, and Procedures (TTP), SOPs, Executive Summary (EXSUMS), trip reports, and information / point papers. Contribute during the preparation of agreements, policy, and guidance documentation such as Memorandums of Understanding / Agreement (MOU / A), Service Level Agreements (SLA).

Responsibilities

• Identify, Protect, Detect, Respond, and Recover CSSP functions for assigned DoDIN segments (unclassified and classified).
• Provide support services for protection, monitoring, analysis, detection, and response to unauthorized activity within DoD Information Systems and Networks.
• Defend DCO-IDM on Army assets residing on the NIPRNet and SIPRNet.
• Deliver defensive measures to protect information, computers, and networks from disruption, denial, degradation, or destruction.
• Provide sensor management and event analysis / response for network and host-based events, including management of in-line NIPS / NIDS sensors for CONUS DoDIN-A NIPRNet / SIPRNet traffic.
• Coordinate with GCC Operations to initiate defensive security procedures upon attack detection.
• Engage in event analysis and response to determine malicious threats and mitigate per GCC guidance.
• Develop reports and products (current and long-term) to support CSSP and course of action development.
• Prepare TTPs, SOPs, EXSUMS, trip reports, and information / point papers; contribute to MOU / Agreement (MOU / A) and SLA documentation.
• SIEM Tool Support : provide administrator support to maintain connectivity between devices and SIEM, update event analysis rules, communicate storage requirements (approximately 12 months of online security events, up to ~4 TB), and maintain SIEM rules for optimal detection of malicious activity.

Qualifications

J-18808-Ljbffr