Company: Microsoft
Address: Melbourne, VIC
Form of work: Full time
Category: Management

Job description

Overview

Why Microsoft

With over 18,000 employees worldwide, the Microsoft Customer Experience & Success (CE&S) organization is responsible for the strategy, design, and implementation of Microsoft’s end-to-end customer experience. Come join CE&S and help us build a future where customers come to us not only because we provide industry-leading products and services, but also because we provide a differentiated and connected customer experience.

This role can be based anywhere in Australia and is flexible in that you can work up to 100% from home.

Responsibilities

The purpose of this role 

The Microsoft Detection and Response team (DART) is hiring for a Cybersecurity Threat Hunter and Forensic Analyst. This position will be a vital individual contributor role on the DART Team in taking the lead in threat hunting and Forensics in delivery of cybersecurity investigations for our customers. You will work in a fast-paced, intellectually intense, service-oriented environment where collaboration and speed are key to our investigations.

Responsibilities:

  • Responding to security incidents as Threat Hunter and digital forensics analyst when our customers are under cyber attack
  • Conduct threat hunting across customers' networks using indicators of compromise, hunting for evidence of a compromise
  • Conduct incident response within various Cloud platforms
  • Identify attacker tools, tactics, and procedures to develop indicators of compromise
  • Identify and investigate intrusions to determine the cause and extent of the breach, by leveraging EDR solutions and threat intelligence sources
  • Conduct host forensics, network forensics, log analysis, and malware analysis in support of incident response investigations
  • Lead end-to-end incident response investigations with Microsoft’s customers
  • Produce comprehensive and accurate oral and written out-briefs and presentations for both technical and executive audiences
  • Effectively communicate and interface with customers, both technically and strategically, from executives through to stakeholders and legal counsel
  • Strong analytic, qualitative, and quantitative reasoning skills
  • Excellent time management, writing and communication skills
  • Assisting in the development of pragmatic solutions that achieve business requirements while maintaining an acceptable level of risk.
  • Identifying and recommending solutions that improve or expand Microsoft’s incident response capabilities.
  • Providing security engineering solutions and support during customer-facing incidents, proactively considering the prevention of similar incidents from occurring in the future.
  • Working alongside and mentoring Cybersecurity analysts and engineers to improve security, reduce and quickly address risk.
  • Evaluating the impact of current security trends, advisories, publications, and academic research to Microsoft, cascading learnings as necessary across partner teams
  • Operating and continually improving existing threat hunting, threat analysis, and forensic analysis and investigation processes, as well as developing new processes in response to evolving threats and business requirements.
  • Leverage input from Cyber Threat Intelligence (CTI) team, including strategic, operational and tactical intelligence to benefit customer investigations
  • Keeping your knowledge and skills current with the rapidly changing threat landscape.
  • Participating in a follow-the-sun on-call rotation

Due to the nature of this role, short-notice travel will likely be 40% or higher, as demanded by the needs of our customers and our business. Off-time-zone hours and weekend work are highly likely.

Qualifications

What skills do you need to have?

There will be many opportunities for you to learn and grow into this role and at Microsoft.

  • 5+ years of relevant work experience  
  • In-depth knowledge of digital forensics in relation to the Windows operating system, including the ability to parse and interpret various artifacts accurately to provide historical context when performing an investigation
  • Equivalent knowledge in Linux, macOS, and memory captures also desirable
  • Experience acquiring both disk and memory images
  • Experience conducting forensic investigations involving the collection and analysis of data from Microsoft cloud products - including both Microsoft Entra ID and Azure workloads
  • Equivalent knowledge in third-party Cloud and identity providers also desirable
  • In-depth knowledge of enriching investigations utilizing a SIEM solution - from understanding what artifacts should be centralized and for how long, to how that data is structured within various SIEM products and familiarity with querying those solutions effectively, including the analysis of data ingested from additional sources such as firewalls, VPNs, and third-party AV and EDR solutions
  • Familiarity with Kusto Query Language or similar database query language for manipulating data
  • Experience with programming/scripting
  • Approaches Threat Hunting with a data science focused mindset, and is intimately familiar with different hunting methodologies and their place within the analysis cycle e.g. leveraging known threat intelligence sources to perform IOC Hunting vs hunting for common attacker behaviors with TTP Hunting vs identifying and investigating outliers across large datasets with Anomaly Hunting
  • Ability to take a risk-based approach when hunting through large datasets, including the ability to generate targeted recommendations based on those findings depending on the overarching incident, and to raise time-sensitive remediation actions when appropriate
  • Extensive experience Threat Hunting in both reactive incident response scenarios to identify initial access, lateral movement, persistence mechanisms, staging and exfiltration, and impact, and proactive scenarios to identify opportunities to reduce unnecessary risk, improve overall maturity, or evidence of an undiscovered compromise

Additional Qualifications  

  • Familiarity with effective operational management processes to ensure effective tasking amongst your internal team members when managing hunting through expansive datasets in a limited window of time
  • Ability to operate effectively in high pressure incident response environments where customers are experiencing a potentially business-ending event and your findings dictate their next steps
  • Ability to communicate complex and technical findings effectively to customer representatives of varying levels - from deep and accurate forensic findings being shared with security analysts, through to communicating the effective impact of your findings at the C-suite level
  • Experience working with methods utilized for evidence collection, maintenance of chain of custody and associated documentation, evidence storage and analysis, and evidentiary reporting
  • Experience with some of the following is a distinct advantage:
  • Demonstrated history of working as a threat hunting analyst, engineer and consultant to successfully investigate cases of advanced targeted exploitation or similar interactive hacking cases
  • Proven experience in helping enterprises manage vulnerabilities, measure security and ensure compliance
  • Recognized as a subject matter expert in various security disciplines with a deep understanding of real-world APT tools, tactics, and procedures
  • Cloud SaaS and PaaS experience and an understanding of investigations in those environments (Azure, AWS, Google) and leveraging cloud for investigation scale
  • Solid grasp of common cyber frameworks and models such as the MITRE ATT&CK, Cyber Kill Chain, Diamond Model, Pyramid of Pain, DeTT&CT and modern penetration testing techniques
  • International consulting experience is a plus
  • Eligibility for a government security clearance is a plus.

Ability to meet Microsoft, customer and/or government security screening requirements is required for this role. These requirements include, but are not limited to, the following specialized security screenings: Microsoft Cloud Background Check: This position will be required to pass the Microsoft Cloud Background Check upon hire/transfer and every two years thereafter.

Microsoft believes that by investing in our people and creating an inclusive environment, our team will do their best work. See our complete list of benefits and why we are recognised as an Endorsed Employer for Women by WORK180.

Our mission is deeply inclusive.

What next?

Even if you feel you may not meet 100% of the criteria, please apply. You may exceed your own expectations, or we may have another opportunity that suits your potential.  While we’re not able to reach out directly to every applicant, we will always do our best to help you feel heard and supported throughout the experience.     

In the meantime, please see our FAQs, Interview Tips and Accessibility Support for more information on our recruitment process.  

Refer code: 1480420. Posted 2024-02-10 02:37.