Clarification from the agency

This vacancy announcement is open to applicants who currently live in the Washington, D.C. commuting area, and to current employees of the federal judiciary nationwide (AO and U.S. Courts).

The incumbent is a recognized IT security expert with a strong background and "hands-on" experience in cyber threat hunting and incident response. The incumbent will plan, conduct, and review deliberate and ad hoc hunt missions throughout the judiciary's IT environment and perform multiple and varying assignments under the direction of the Chief, Advanced Capabilities Branch - Security Operations Division.

The cyber threat hunt analyst is responsible for conducting cyber threat hunt missions. Cyber threat hunt missions are hypothesis-based, formally approved, and consistent with the judiciary's threat profile. The objective of the missions is to identify previously undetected advanced persistent threat activity, to assess scope, and monitor threat actor activity once identified. Threat hunt missions may be on-premises or in the cloud.

Duties may include, but are not limited to, the following:

1. Developing and articulating iterative threat hunt hypotheses.
2. Participating in technical planning sessions with threat intel teams.
3. Developing and documenting required artifacts for each hunt mission.
4. Evaluating network and host artifacts for indicators of compromise.
5. Recommending technical deception techniques as required.
6. Evaluating full network traces for indicators of compromise.
7. Developing and documenting plans for identifying lateral movement.
8. Developing plans for identifying Active Directory compromises.
9. Executing plans for identifying Active Directory compromises.
10. Developing, executing, and documenting advanced Splunk queries.
11. Developing, executing, and documenting advanced KQL queries.
12. Providing triage and debugging for host agents used in threat hunt missions.
13. Continuously improving knowledge of adversarial techniques.
14. Assessing the technical impact of compromises and providing recommendations.
15. Participating in writing in-depth technical reports that detail threat hunt missions.
16. Developing new methods for monitoring threat activity once identified.
17. Developing and modifying scripts or programs necessary for the collection of data.
18. Iteratively testing relevant technical hypotheses on test systems.
19. Reporting status on at least a weekly basis.
20. Developing webinars that advance and share technical knowledge exchange.
21. Providing monthly input on threat detection efficacy.
22. Making recommendations for improving threat detection efficacy.

Conditions of employment

CONDITIONS OF EMPLOYMENT

1. All information is subject to verification. Applicants are advised that false answers or omissions of information on application materials or inability to meet the following conditions may be grounds for non-selection, withdrawal of an offer of employment, or dismissal after being employed.
2. Selection for this position is contingent upon completion of OF-306, Declaration of Federal Employment during the pre-employment process and proof of U.S. citizenship for competitive status positions or conversion to a competitive status position with the AO. If non-citizens are considered for hire into a temporary or any other position with non-competitive status or when it is confirmed by the AO Human Resources Office there are no qualified U.S. citizens for a competitive status position (unless prohibited by a law or statue), non-citizens must provide proof of authorization to work in the U.S. and proof of entitlement to receive compensation. Additional information on the employment of non-citizens can be found at USAJOBS Help Center | Employment of non-citizens/. For a list of documents that may be used to provide proof of citizenship or authorization to work in the United States, please refer to Form I-9, Employment Eligibility Verification.
3. All new AO employees will be required to complete an FBI fingerprint-based national criminal database and records check and pass a public trust suitability check.
4. New employees to the AO will be required to successfully pass the E-Verify employment verification check. To learn more about E-Verify, including your rights/responsibilities, visit https://www.e-verify.gov/.
5. All new AO employees are required to identify a financial institution for direct deposit of pay before appointment.
6. You will be required to serve a trial period if selected for a first-time appointment to the Federal government, transferring from another Federal agency, or serving as a first-time supervisor. Failure to successfully complete the trial period may result in termination of employment.
7. If appointed to a temporary position, management may have the discretion of converting the position to permanent depending upon funding and staffing allocation.

Qualifications

Applicants must have demonstrated experience as listed below. This requirement is according to the AO Classification, Compensation, and Recruitment Systems which include interpretive guidance and reference to the OPM Operating Manual for Qualification Standards for General Schedule Positions.

Specialized Experience: Applicants must have at least one full year (52 weeks) of specialized experience which is in or directly related to the line of work of this position. Specialized experience is demonstrated experience performing in a technical role in the areas of Defensive Cyber Operations, Threat Hunting, Incident Response, Threat Detection and Threat Modeling.

Be clear and specific when describing your work history since human resources cannot make assumptions regarding your experience. Your application will be rated based on your resume.

Applicants with the following certifications/experiences are highly desirable:

• Certified Information Systems Security Professional (CISSP)
• Offensive Security Certified Professional (OSCP)
• Certified Ethical Hacker (CEH)
• Global Information Assurance (GIAC) Certification

How you will be evaluated

You will be evaluated for this job based on how well you meet the qualifications above.

We will review your resume and supporting documentation and compare this information to your responses on the occupational questionnaire to determine if you meet the minimum qualifications for this job. If you meet the minimum qualifications for this job, we will evaluate your application package, to assess the quality, depth, and complexity of your accomplishments, experience, and education as they relate to the requirements listed in this vacancy announcement.

You should be aware that your ratings are subject to evaluation and verification. If a determination is made that you have rated yourself higher than is supported by your resume and/or narrative responses, you will be assigned a rating commensurate to your described experience. Failure to submit the mandatory narrative responses will result in not receiving full consideration and/or rating credit. Deliberate attempts to falsify information may be grounds for not selecting you, withdrawing an offer of employment, or dismissal after being employed.