Cyber Defense Operator (CDO)
San Antonio, TX, United States
SMS Data Products Group, Inc.
SMS' Cloud and Platform Engineering team provides the expertise, partnership, and integrity to make cloud work for you. Read more about our Cloud and Platform overview.
This position is for a Cyber Defense Operator (CDO) providing 24/7/365 support to the Air Force Computer Emergency Response Team (AFCERT) in conducting its mission of Air Force (AF) Defensive Cyberspace Operations (DCO) for the AF and supported unified commands and their combatant commanders.
As a dynamic systems integrator, SMS offers proven solutions in engineering, operations, cybersecurity, and digital transformation. With expertise in modernizing and optimizing legacy infrastructure and systems, ensuring operational efficiency, and designing, implementing, and managing secure environments, SMS supports business and mission goals with proficiency, quality, and integrity.
SMS has been serving the advanced information technology needs of the federal government since 1976, delivering talented teams and innovative, cost-effective solutions and services to support our customers’ missions for more than 45 years. SMS is headquartered in McLean, Virginia, with offices and on-site operations at customer locations throughout the United States. For additional information on SMS, visit www.sms.com.
Submit your resume today!
Responsibilities
Specific work to be performed includes the following:
- Review all IDS/IPS alerts per AFCERT Operating Instruction (OI) and checklists at the AOL, COOP, or Ops Floor. Conduct host security monitoring, alert review, and intrusion detection analysis for the AFIN SOC mission.
- Develop, review, and maintain procedures related to the overall monitoring of hosts and systems.
- Comply with 3rd party MOU/MOA monitoring and reporting requirements.
- Analyze host DCO events to determine the necessity for higher level analysis and conduct an initial assessment of type and extent of intruder activities.
- Monitor security sensors to analyze Intrusion Detection Systems (IDS) and Security Information and Event Management (SIEM) to identify and correlate security issues/events and review logs to identify intrusions for remediation.
- Correlate suspicious events with network events, if possible, and data stored within databases and other external DoD resources.
- Analyze traffic/logs/events to determine the necessity for higher level analysis and conduct an initial assessment of type and extent of intruder activities.
- Record who, what, where, why and when for any identified suspicious activity in case management system (CMS) case to enable additional investigations.
- Conduct triage of suspicious activity alerts and logs to make a fast and accurate triage decision.
- Enter event data into mission support systems in accordance with AFIN SOC operational procedures and reports.
- Provide monthly performance metrics.
- Escalate security incidents using established policies and procedures.
- Generate end-of-mission reports (MISREPS) and provide pass-on information for knowledge transfer to subsequent crews of analysts on duty regarding the latest suspicious traffic seen from a given port, Internet Protocol (IP) address, etc.
- Provide computer security-related support to AF field units as directed by CCC, in countering vulnerabilities, minimizing risk, and improving the security posture of AF computer networks and systems within the scope of AFIN SOC operational requirements and mission execution.
- Provide focused DCO tailored analysis and monitoring operations of specified sensor locations during contingency operations and in support of named DCO operations and exercises.
- Conduct near-real-time network security monitoring and intrusion detection analysis for the networks and systems monitored using the AF's selected IDS/IPS capabilities.
- Provide OJT to other contractor employees, military, and/or civilian personnel, and ensure continuity folders/working aids are updated as needed through the approved documentation system, in order to ensure efficient transition when personnel rotate.
- Create and document metrics for reporting and analysis to improve alert triage processes and mission execution.
- Provide requested information to operational leadership as it relates to mission execution.
- Conduct intake of administrative and operational communication from external agencies and route the communication to the Mission Lead/Crew Commander.
- Initiate emergency checklists due to imminent threat, as directed by Crew Commander.
- Inform Crew Commander of all anomalies.
- Provide feedback on detection mechanisms, covering both true-positive and false-positive events, to ESM and Content Development as applicable.
- Participate in planning, briefing, and debriefing tasks as directed by CDO Mission Lead or Crew Commander.
- Analyze threat intelligence (TIPPERS) as directed by the CDO Mission Lead or Crew Commander, including contextual information, IoCs, TTPs, vulnerabilities, effects, and actionable intelligence about threats mapped to the MITRE ATT&CK framework.
- Work with CDO Mission Lead for prioritization and assignment of tasks.
- Support the CDO Mission Lead by notifying CDOs of Crew Commander-prioritized tasks and tracking all required mission systems and functions.
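The triage duties above (correlating IDS alerts with host events, making a fast escalate/monitor/close decision, recording who/what/where/when/why in a case record, and producing pass-on information per source IP and port for the next crew) can be illustrated in code. The following is an added example written for this page; it is not AFCERT, AFIN SOC, or SMS tooling. It assumes Suricata-style eve.json alert fields and a simple host-event shape; all alerts, hosts, addresses, users, and signatures are constructed sample data, and the 5-minute correlation window and the severity/authentication triage rules are illustrative choices, not an operating instruction.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not from any real sensor or host). Field names follow
# Suricata's eve.json layout; the signatures, addresses and users are made up.
SENSOR_ALERTS = [
    {"timestamp": "2024-03-01T10:00:05Z", "src_ip": "203.0.113.7", "dest_ip": "10.1.2.10",
     "dest_port": 22, "alert": {"signature": "ET SCAN Potential SSH Scan", "severity": 2}},
    {"timestamp": "2024-03-01T10:00:41Z", "src_ip": "203.0.113.7", "dest_ip": "10.1.2.10",
     "dest_port": 22, "alert": {"signature": "ET SCAN Potential SSH Scan", "severity": 2}},
    {"timestamp": "2024-03-01T10:03:12Z", "src_ip": "203.0.113.7", "dest_ip": "10.1.2.10",
     "dest_port": 22, "alert": {"signature": "ET POLICY SSH session established", "severity": 3}},
    {"timestamp": "2024-03-01T11:15:00Z", "src_ip": "198.51.100.9", "dest_ip": "10.1.2.44",
     "dest_port": 80, "alert": {"signature": "ET WEB_SERVER Possible SQL Injection", "severity": 1}},
    {"timestamp": "2024-03-01T12:00:00Z", "src_ip": "192.0.2.5", "dest_ip": "10.1.2.10",
     "dest_port": 443, "alert": {"signature": "ET INFO TLS Handshake", "severity": 3}},
]
# Host security monitoring events (constructed); remote_ip is the peer the host saw.
HOST_EVENTS = [
    {"timestamp": "2024-03-01T10:03:10Z", "host": "10.1.2.10", "user": "svc_backup",
     "event": "sshd: Accepted password", "remote_ip": "203.0.113.7"},
    {"timestamp": "2024-03-01T11:16:30Z", "host": "10.1.2.44", "user": "www-data",
     "event": "httpd: 500 on /login.php", "remote_ip": "198.51.100.9"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts, host_events, window=timedelta(minutes=5)):
    """Group alerts by (src_ip, dest_ip) and attach host events seen on the
    destination from the same source within `window` of any alert in the group."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src_ip"], a["dest_ip"])].append(a)
    out = {}
    for (src, dst), group in groups.items():
        matches = [e for e in host_events
                   if e["host"] == dst and e["remote_ip"] == src
                   and any(abs(_ts(e["timestamp"]) - _ts(a["timestamp"])) <= window
                           for a in group)]
        out[(src, dst)] = (group, matches)
    return out


def triage(group, matches):
    """Fast triage decision (illustrative rules). Suricata severity 1 is the
    highest; a successful host-side login from the alerting source is treated
    as confirmed access and always escalated."""
    highest = min(a["alert"]["severity"] for a in group)
    auth_ok = any("Accepted" in e["event"] for e in matches)
    if highest == 1:
        return "escalate", "high-severity signature"
    if auth_ok:
        return "escalate", "successful authentication from alerting source"
    if matches:
        return "monitor", "host activity from source but no confirmed access"
    return "close", "no corroborating host activity"


def build_case(group, matches, analyst):
    """CMS-style record of who/what/where/when/why plus the triage decision."""
    decision, reason = triage(group, matches)
    stamps = sorted(a["timestamp"] for a in group)
    return {
        "who": {"source": group[0]["src_ip"],
                "accounts": sorted({e["user"] for e in matches}), "analyst": analyst},
        "what": sorted({a["alert"]["signature"] for a in group}),
        "where": {"src_ip": group[0]["src_ip"], "dest_ip": group[0]["dest_ip"],
                  "dest_ports": sorted({a["dest_port"] for a in group})},
        "when": {"first_seen": stamps[0], "last_seen": stamps[-1]},
        "why": reason,
        "host_events": matches,
        "decision": decision,
    }


def run_shift(alerts, host_events, analyst):
    """Correlate and triage every alert group into one case record each."""
    return [build_case(g, m, analyst) for g, m in correlate(alerts, host_events).values()]


def pass_on_summary(alerts):
    """Per (src_ip, dest_port) counts and first/last seen for crew handover."""
    summary = {}
    for a in alerts:
        s = summary.setdefault((a["src_ip"], a["dest_port"]),
                               {"count": 0, "first_seen": a["timestamp"],
                                "last_seen": a["timestamp"], "signatures": set()})
        s["count"] += 1
        s["first_seen"] = min(s["first_seen"], a["timestamp"])
        s["last_seen"] = max(s["last_seen"], a["timestamp"])
        s["signatures"].add(a["alert"]["signature"])
    return summary


if __name__ == "__main__":
    for case in run_shift(SENSOR_ALERTS, HOST_EVENTS, analyst="cdo-1"):
        print(json.dumps(case, indent=2))
    for key, s in pass_on_summary(SENSOR_ALERTS).items():
        print(key, s["count"], s["first_seen"], s["last_seen"], sorted(s["signatures"]))
```

Run as-is, the scan-then-login pair from 203.0.113.7 escalates because the host saw an accepted password from the scanning source inside the window, the SQL injection alert escalates on severity alone, and the lone TLS handshake closes for lack of corroboration; the handover summary shows three alerts against port 22 from one source with first and last seen times, which is the kind of per-port/per-IP pass-on item the MISREPS duty above describes.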
Qualifications
Security Clearance: Active DoD Top Secret/SCI
Education: 5+ years’ experience
Certifications: DoD 8140 Cyber Defense Incident Responder (Advanced); GCFA certification required
Required:
- Intermediate knowledge of one or more of the IDS/IPS systems currently in use by the Department of Defense (DoD), Services, and Agencies (e.g., AF, Navy, Army, DC3, DISA) or the Federal Government.
- Intermediate experience in IP addressing and domain name service; network components; Transmission Control Protocol (TCP)/User Datagram Protocol (UDP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), and Hypertext Transfer Protocol (HTTP).
- Must understand the Open Systems Interconnection (OSI) network model and have extensive knowledge of the MITRE ATT&CK framework and its uses within the cybersecurity community (e.g., open-source projects).
SMS is a dynamic systems integrator established in 1976, delivering talented teams and innovative, cost-effective solutions and services to support our customers’ missions for more than 47 years. Our ability to hire and retain quality people in a rapidly evolving IT market is proven through our employee retention rate averaging over 3 years. At SMS, we place a high value on quality of service, customer satisfaction, and best-of-breed policies and practices, resulting in CMMI Level 3 certification and ISO registrations including 9001:2015, 20000-1:2018, and ISO/IEC 27001:2013. SMS is headquartered in McLean, Virginia, with offices and on-site operations at customer locations throughout the United States.
SMS is an Equal Opportunity Employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.
Tags: Clearance ConOps Cyber defense DCO DISA DoD DoDD 8140 GCFA IDS Intrusion detection IPS MITRE ATT&CK Monitoring Network security Security Clearance SIEM SMTP SOC Threat intelligence Top Secret TS/SCI TTPs Vulnerabilities
Perks/benefits: Team events