State of Maryland

SRA Cyber Defense Incident Responder III (#005844)

Salary: $78,749.00-$132,041.00 Yearly


GRADE

STD 21

CLASS ATTRIBUTES

SKILLED SERVICE BARGAINING UNIT X

NATURE OF WORK

A State Retirement Agency (SRA) Cybersecurity Defense Incident Responder III is the lead/advanced level of work engaging, planning, and coordinating effective responses to, and documenting, security incidents occurring within the network environment. Employees in this classification mitigate and/or remediate security risks such as Internet-based attacks, malware intrusions, insider threat activity, or security device/service misconfigurations adversely affecting the confidentiality, integrity, and/or availability of the Agency's business systems, services, and associated data. Employees in this classification also monitor, review, and administer both on-prem and cloud-based data security devices, services, and platforms. Employees in this classification do not supervise.

Employees in this classification receive general supervision from a Cybersecurity Systems Engineer Lead or other IT Directors.

Positions in this classification are evaluated by using the classification job evaluation methodology. The use of this method involves comparing the assigned duties and responsibilities of the position to the job criteria found in the Nature of Work and Examples of Work sections of the classification specification.

The SRA Cybersecurity Defense Incident Responder III is differentiated from the SRA Cybersecurity Defense Incident Responder II in that the SRA Cybersecurity Defense Incident Responder III either assigns, reviews and approves the work of and trains SRA Cybersecurity Defense Incident Responders or serves as a technical expert and handles cases of a more complex nature.

EXAMPLES OF WORK

When functioning at the Lead-Level:

Assigns, reviews and approves the work of the SRA Cybersecurity Defense Incident Responders;

Trains SRA Cybersecurity Defense Incident Responders;

When functioning at the Advanced Level:

Serves as the technical expert in identifying security incident occurrences, leads incident investigations, and is the principal lead in threat hunting operations for both on-prem and cloud-based data security devices, services and platforms;

When functioning at both Levels:

Monitors and analyzes output (dashboards, generated alarms, log outputs, reports, etc.) of various security devices/platforms (e.g., firewalls, on-prem and cloud-based network and security services, database activity monitoring (DAM), and security information and event management (SIEM));

Coordinates & communicates with the SRA Cybersecurity Defense Analyst and/or the SRA Cybersecurity Systems Engineer if any generated alerts, log output, system messages or observed traffic/system behaviors indicate a security incident or an ongoing compromise attempt within the network;

Provides expert technical support to SRA cybersecurity personnel to monitor, protect, detect, respond and assist in the recovery of systems and/or data affected by cyber defense incidents;

Analyzes and correlates incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation;

Analyzes log files and reports from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security;

Performs cyber defense incident triage, to include determining scope, urgency, and potential impact, identifying the specific vulnerability, and making recommendations that enable expeditious remediation;

Performs initial, forensically sound collection of digital artifacts and system images and inspects them to discern possible mitigation/remediation on enterprise systems;

Performs real-time cyber defense incident handling (e.g., digital artifact forensic collection, evidence gathering, incident reporting & documentation, intrusion correlation/tracking and threat impact analysis) to support the Incident Response (IR) policy;

Receives and analyzes network alerts from various sources within the enterprise and determines possible causes of such alerts;

Tracks and documents cyber defense incidents from initial detection through final resolution;

Writes and publishes cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies;

Employs approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness);

Collects intrusion artifacts (e.g., source code, malware, Trojans) and uses discovered data to enable mitigation of potential cyber defense incidents within the enterprise;

Coordinates with intelligence analysts to correlate threat assessment data;

Possesses sound writing and critical thinking skills to document, record, communicate, and present incident findings; writes and publishes after-action reviews;

Monitors external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise;

Performs other related duties.

KNOWLEDGE, SKILLS AND ABILITIES

Knowledge of computer networking concepts and protocols, local area networks (LAN) architecture, workstation and server operating system settings/controls/services, as they relate to data security;

Knowledge of frameworks, standards, and methodologies as they relate to data security and cybersecurity (e.g., NIST 800-53, Cybersecurity Framework (CSF), Cybersecurity & Infrastructure Security Agency (CISA), CERT, etc.);

Knowledge of risk management processes (e.g., methods for assessing and mitigating risk);

Knowledge of MD State and Agency laws, regulations, and policies as they relate to cybersecurity and privacy;

Knowledge of cybersecurity and privacy principles and concepts;

Knowledge of cyber threats and vulnerabilities;

Knowledge of specific operational impacts of cybersecurity lapses;

Knowledge of SRA’s business continuity and disaster recovery continuity of operations plans;

Knowledge of host/network access control mechanisms (e.g., access control list, capabilities);

Knowledge of network services and protocols interactions that provide network communications;

Knowledge of incident categories, incident responses, and timelines for responses;

Knowledge of incident response and handling methodologies;

Knowledge of intrusion detection system (IDS) methodologies and techniques for detecting host and network-based intrusions;

Knowledge of network traffic analysis methods;

Knowledge of packet-level analysis;

Knowledge of system and application security threats and vulnerabilities (e.g., OWASP Top Ten: broken access control, cryptographic failures, SQL/XSS injection, insecure design, security misconfiguration, etc.);

Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities;

Knowledge of cyber defense and information security policies, procedures, and regulations;

Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution attacks);

Knowledge of cyber attackers (e.g., insider threat, non-nation/nation sponsored, DoS/DDoS attacks, social engineering-based - frauds/scams/phishing/vishing/smishing, hacktivist, terrorism, etc.);

Knowledge of system administration, network, and operating system hardening techniques;

Knowledge of cyber-attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks);

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth);

Knowledge of the OSI model and underlying network protocols (e.g., TCP/IP);

Knowledge of cloud service models, architectures, and operations, and how to provision these services to limit incident risks;

Knowledge of malware analysis concepts and methodologies;

Knowledge of an organization's information classification program and procedures for information compromise;

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS);

Knowledge of the common Internet-based networking and routing protocols (e.g., TCP/IP) and services (e.g., web, mail, Domain Name System (DNS)), and how they interact and interface with intra-network communications;

Knowledge of secure email concepts and protections (e.g., DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting and Conformance), and SPF (Sender Policy Framework));

Skill in identifying, capturing, containing, analyzing and reporting malware;

Skill in preserving forensic evidence integrity according to standard operating procedures or national standards;

Skill in recognizing and categorizing types of vulnerabilities and associated attacks;

Skill in using security event correlation tools;

Skill in designing incident response for cloud service models;

Ability to design incident response for cloud service models;

Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies.

MINIMUM QUALIFICATIONS

Education: Graduation from an accredited high school or possession of a high school equivalency certificate.

Experience: Five years of experience working in a SOC/NOC (Security/Network Operations Center) or equivalent environment with exposure to malware analysis, digital forensics, data security technologies (e.g., intrusion detection systems, data/network analysis), and incident handling.

Notes:

1. Candidates may substitute the possession of a Bachelor’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university for two years of the required experience.

2. Candidates may substitute an Associate’s degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university for one year of the experience.

3. Candidates may substitute a graduate level degree in computer science, cybersecurity, information technology, software engineering, information systems, computer engineering or related field from an accredited college or university for three years of the required experience.

LICENSES, REGISTRATIONS AND CERTIFICATIONS

Must have industry certification in two of the following areas: EC-Council's Certified Ethical Hacker (CEH), Certified Incident Handler (ECIH), Certified Threat Intelligence Analyst (CTIA), Certified Network Defender (CND), or Computer Hacking Forensic Investigator (CHFI); CompTIA's Security+, Advanced Security Practitioner (CASP+) or equivalent.

SPECIAL REQUIREMENTS

Employees in this classification may be subject to call-in 24 hours a day and be required to work evenings, weekends, and holidays when systems are down or to work on systems that need to be repaired or replaced during non-business hours and, therefore, may be required to provide the employing agency with a telephone number where the employee can be reached. Employees may be furnished with a pager or cell phone.

Applicants for this classification may handle sensitive data. This will require a full scope background investigation prior to appointment. A criminal conviction may be grounds for rejection of the applicant.

Employees may occasionally be required to travel to the main office during off hours, or field locations, and must have access to an automobile in the event a state vehicle cannot be provided. Standard mileage allowance will be paid for use of a privately owned vehicle.

The work may require moving computers, printers and other IT related equipment weighing up to 80 pounds.

ACKNOWLEDGEMENTS

Class specifications are broad descriptions covering groups of positions used by various State departments and agencies. Position descriptions maintained by using department or agency specifically address the essential job functions of each position.

This is a Skilled Service classification in the State Personnel Management System. All positions in this classification are Skilled Service positions. Some positions in Skilled Service classifications may be designated Special Appointment in accordance with the State Personnel and Pensions Article, Section 6-405, Annotated Code of Maryland.

This classification is not assigned to a bargaining unit, as indicated by the designation of S (Supervisor), M (Manager), T (Agency Head), U (Board or Commission Member), W (Student), X (Used by Agency or Excluded by Executive Order), or Z (Confidential). As provided by State Personnel and Pensions Article, Section 3-102, special appointment, temporary, contractual, supervisory, managerial and confidential employees are excluded from collective bargaining. Additionally, certain executive branch agencies are exempt from collective bargaining and all positions in those agencies are excluded from collective bargaining.

Date Established

July 1, 2023

Approved By

Director, Division of Classification and Salary
