Senior Threat Researcher –detection Engineer

About Us Sophos is a worldwide leader and innovator of advanced cybersecurity solutions, including Managed Detection and Response (MDR) and incident response services and a broad portfolio of endpoint, network, email, and cloud security technologies that help organizations defeat cyberattacks. As one of the largest pure-play cybersecurity providers, Sophos defends more than 500,000 organizations and more than 100 million users globally from active adversaries, ransomware, phishing, malware, and more. Sophos’ services and products connect through its cloud-based Sophos Central management console and are powered by Sophos X-Ops, the company’s cross-domain threat intelligence unit. Sophos X-Ops intelligence optimizes the entire Sophos Adaptive Cybersecurity Ecosystem, which includes a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers, and other cybersecurity and information technology vendors. Sophos provides cybersecurity-as-a-service to organizations needing fully managed, turnkey security solutions. Customers can also manage their cybersecurity directly with Sophos’ security operations platform or use a hybrid approach by supplementing their in-house teams with Sophos’ services, including threat hunting and remediation. Sophos sells through reseller partners and managed service providers (MSPs) worldwide. Sophos is headquartered in Oxford, U.K. More information is available at www.sophos.com.

Role Summary Threat hunter? Programmer? Data-driven?  We have a fantastic opportunity here at Sophos Labs for a Threat Researcher to join our global team of behavior-based detection engineers, to hunt, to research, and to add real-time detection for suspicious activity across our customer environments. Our team of skilled security experts combine their passion to detect & disrupt cyber-attacks with their capability to develop classification rules that can cut through the noise in modern computing environments to tease out attacker’s nefarious activities. You are intrinsically motivated to understand the core logic behind malware and hacking attacks, to find & predict new ways attackers will modify their techniques and take great satisfaction in developing robust detection logic that is immune to evasive actions. You will be responsible for writing rules that are able to detect malicious activities across all types of TTP (even if a Mitre Technique doesn’t exist yet). This is the foundation of Sophos next-gen approach. Above all - you enjoy thinking creatively; combining your deep technical knowledge, your tenacity for innovation, and your can-do attitude to solve complex and challenging problems on a daily basis.

What You Will Do

• Understand malware kill chain and lifecycle & hands-on-keyboard attacks
• Accurate & efficient classification of malicious & suspicious behavior
• Mapping TTPs to MITRE ATT&CK matrix
• Author classification rules, for both Endpoint & Cloud scenarios, to identify malicious & suspicious use of TTPs
• Analyze real-world kill chains to discover new TTPs and gaps in coverage
• Measure and tune TTP coverage through data mining, customer telemetry & internal sandbox feeds
• Build & maintain playbooks on threat actor TTPs

What You Will Bring

• Strong knowledge of Windows or MacOS operating system, internals & forensic tools
• Demonstrated programming experience. Preferred: Python, Lua, RegEx and/or SQL.
• Excellent grasp of MITRE ATT&CK tactics, techniques & procedures in order to create simulation
• Familiar with computational cost analysis & problem solving to minimize impact
• Bachelor’s degree in computer software (Computer Security preferable) or equivalent experience
• Big data experience, Elastic Search, Kibana, Redshift
• SDLC or CI/CD Knowledge is a plus