• Cyber Defensive Operator II

    Job ID 2018-3057
    Job Locations
    US-VA-Fort Belvoir
    IT: Information Assurance / Quality / Cyber Security
    Regular Full-Time
  • Overview

    NCI is a leading provider of enterprise solutions and services to U.S. defense, intelligence, health and civilian government agencies. Coupled with a refined focus on strategic partnerships, we are successfully bridging the gap between commercial best practices and mission-critical government processes. Core competencies include:

    • Artificial intelligence
    • Agile digital transformation
    • Advanced analytics
    • Hyperconverged infrastructure solutions
    • Cyber security and information assurance
    • Fraud, waste and abuse
    • Engineering and logistics


    NCI has been designated a 2018 Military Friendly Employer by MilitaryFriendly.com 


    Headquartered in Reston, Virginia, NCI has approximately 2,000 employees operating at more than 100 locations worldwide.


    NCI: As a Cyber Defensive Operator II, you will provide services in support of the United States (U.S.) Army Cyber Command's (ARCYBER) mission to direct and conduct integrated Electronic Warfare (EW), Information Operations (IO), and Cyberspace Operations, as authorized or directed, to ensure freedom of action in and through cyberspace and the information environment, and to deny the same to adversaries. In this role you will conduct research and evaluate the technical performance of software products and of overall segments and systems; ensure systems comply with requirements and IA standards; verify and validate systems with specific emphasis on network operations and on the cyber warfare tactics, techniques, and procedures that threaten information networks; participate in design reviews to ensure applicability to the current system and requirements traceability; and produce papers, presentations, recommendations, and findings for the government. In assuming this position, you will be a critical contributor to meeting NCI's mission: to deliver innovative, cost-effective solutions and services that enable our customers to rapidly adapt to dynamic environments.

    Highlights of Responsibilities:

    • Skilled with Cyber Warfare techniques, methods, and processes. Experience detecting, monitoring, analyzing, and mitigating cyber threats.
    • Familiarity with CJCSM 6510.01B
    • Provides oversight of activities and is directly responsible for receiving, analyzing, and distributing information in order to mitigate cyber incidents/events occurring throughout the RCCs across the designated AORs.
    • Provides daily operational status briefings, makes technical recommendations, and provides procedural strategies for the Army Global “enterprise” network.
    • Provides technical support to the Army Cyber Operations Integration Center (ACOIC) staff during identification, resolution, and tracking of network intrusions and other cyber security incidents/events. Coordinates with the RCCs, USCYBERCOM, JFHQ-DODIN, LE/CI, the IC, and various other agencies in order to triage and systematically analyze cyber intrusion events.
    • Provide detection, correlation, identification, and characterization of intentional unauthorized activity and coordinate information on detected events with required teams to ensure timely response is executed.
    • Provide support using scripting languages (e.g., Python, Perl, PowerShell, etc.) to understand the adversarial capabilities and risks.
    • Conduct open source research to identify commercial exploits or vulnerabilities (i.e., Zero-Day) requiring DCO actions.
    • Identify current detection capabilities (e.g., Antivirus (AV), Host Based Security System (HBSS), and Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)) for new or potential threat activity.
    • Coordinate and develop host-based and network-based (IDS/IPS) signatures for implementation.
    • Maintain sensor location documentation for sensor grid layout and design.
    • Provide a cyber response team capability to develop mitigations in response to cyber threats. In addition, contractor support shall include, but is not limited to, the following activities:
    • Track, review, identify, and submit pre-approved actions (i.e., IP blocks/Uniform Resource Locator (URL) blocks).
    • Review, assess, and recommend mitigation actions in response to confirmed or potential threat activity and to unknown/new vulnerabilities.
    • Prepare and brief pre-approved actions conducted, as required.
    • Provide potential COAs, assessments, and technical expertise, and enhance and improve the defensive posture, as required.
    • Conduct vulnerability tests to identify operational impacts of activity directed against systems or applications.
    • Provide digital media and network forensics using a variety of methods to detect and identify anomalous and/or malicious software.
    • Coordinate with internal and external mission partners to execute F&MA functions, including LE/CI liaison officers, and other intelligence professionals to understand higher-level adversary capability.
    • Examine malicious software/capabilities to identify the nature of the threat.
    • Reverse-engineer compiled executable code to examine how the program interacts with its environment.
    • Analyze collected media for DCO value to understand adversary technical capabilities and TTPs/methods of employment.
    • Analyze the attack/exploit capability of the software, and document and catalog findings for future correlation.
    • Develop and maintain malware analysis artifacts, reports, case notes, and all case related data, and ensure information is properly stored within the infrastructure.
    • Provide all pertinent findings to the personnel responsible for developing signatures capable of detecting the analyzed malware as it propagates on infected systems.
    • Perform dead-box forensic analysis and live forensic/incident handling analysis, as required, including the collection, preservation, and transfer of forensic evidence of unauthorized access to a military/partner network, device, or Information System (IS); analyze forensically sound images to identify suspicious/malicious files, all intrusion-related artifacts, and entry points/attack vectors; and develop the procedures or scripts necessary to identify such data.
    • Provide ancillary IT maintenance support for the forensic lab environment, to include Active Directory (Windows), servers (VMware ESX), switches (Cisco/Brocade), and other network hardware/software appliances, as required.
    • Update relevant portions of SOPs, TTPs, CSSP, and website information, as required.
    • Maintain and configure IDS/IPS and sensors; develop and test signatures; and document procedures.
    • Update, maintain, configure security enterprise solutions (e.g., ArcSight Enterprise, etc.) to improve threat monitoring.
    • Develop, maintain, and enhance cyber tools and software applications that improve tracking and facilitation of incident response.
    • Develop dashboards, querying capabilities, trend analysis, and analysis tools using multiple data sources to correlate information.
    • Identify and assess gaps in DCO capabilities and security posture and develop solutions as required.
    • Develop and maintain documentation for activities as required.



    • Current Information Assurance (IA) certification (required at performance start date): CSSP Analyst/Incident Responder (CEH, CFR, CCNA Cyber Ops, CySA+, GCIA, GCFA, GCIH, GICSP, SCYBER) IA certification IAW DoD 8570.01-M.
    • Clearance: Must possess the required favorably adjudicated TOP SECRET security clearance and favorable eligibility for SCI prior to start date, and must maintain the required TS/SCI throughout employment on this contract.
    • Bachelor's Degree and 10-15 years of practical experience.


    Physical Requirements:


    This position requires the ability to perform the below essential functions:

    • Sitting for long periods
    • Standing for long periods
    • Ambulate throughout an office
    • Ambulate between several buildings
    • Travel by land or air transportation 25%

