Hello;
Tier 2 SOC Analyst
Job Location: Remote
Long Term
Job Description
Tier 2 SOC Analyst
A Tier 2 SOC Analyst serves as a critical escalation point and deeper investigation resource
within the SOC structure. They are expected to possess a more advanced skillset and
broader knowledge base than Tier 1 analysts, allowing them to handle more complex
security incidents and contribute to proactive security measures.
Principal Duties and Responsibilities
I. Incident Investigation and Analysis
Advanced Alert Triage and Analysis:
o In-depth Investigation: Thoroughly investigate security alerts escalated
from Tier 1 or directly generated by security tools. Go beyond initial triage and
reconstruct event timelines, analyze logs across multiple systems, and
correlate disparate data points.
o Contextualization: Deeply understand the context of security incidents,
including affected assets, business impact, and potential attack vectors.
o False Positive/Negative Analysis: Accurately differentiate between true
positives, false positives, and potential false negatives. Analyze the root
cause of false positives and propose tuning or improvement of detection
rules. Investigate scenarios where detections might have been missed.
o Determine Scope and Impact: Precisely define the scope of security
incidents, including the number of systems affected, data compromised,
and potential business disruption. Assess the immediate and long-term
impact of the incident.
o Containment and Remediation Guidance: Provide actionable guidance to
Tier 1 analysts and relevant teams (e.g., IT, system administrators) on
immediate containment steps and initial remediation actions based on the
nature of the incident.
Complex Security Incident Handling:
o Lead Investigations for Complex Incidents: Take the lead in investigating
more complex security incidents, such as suspected advanced persistent
threats (APTs), sophisticated malware outbreaks, or significant data
breaches.
o Malware Analysis: Conduct basic malware analysis, including analysis of
malware sandbox reports, identify indicators of compromise (IOCs), and
determine its capabilities and potential impact.
o Network Forensics: Perform network traffic analysis using tools like
Wireshark or tcpdump to identify malicious network activity, analyze
protocols, reconstruct network sessions, and extract relevant artifacts.
o Endpoint Forensics: Utilize endpoint detection and response (EDR) tools
and perform manual endpoint analysis to investigate compromised systems,
analyze process execution, registry modifications, file system changes, and
identify malicious artifacts.
o Log Analysis: Perform log analysis across diverse systems and security
devices (SIEM, firewalls, IDS/IPS, operating systems, applications). Develop
complex queries and correlations to identify subtle indicators of malicious
activity.
Incident Documentation and Reporting
o Detailed Incident Documentation: Create comprehensive incident reports
documenting the entire investigation process, findings, analysis,
containment steps, remediation actions, and lessons learned. Reports
should be clear, concise, and actionable.
o Develop Actionable Recommendations: Based on incident analysis,
develop specific and actionable recommendations for improving security
posture, enhancing detection capabilities, and preventing future incidents.
o Incident Timeline Creation: Construct detailed timelines of security
incidents, accurately mapping out the sequence of events to understand the
attack lifecycle and identify critical points of compromise.
II. Threat Intelligence and Proactive Security
Threat Intelligence Utilization:
o Consume and Integrate Threat Intelligence: Actively consume threat
intelligence feeds, reports, and briefings to stay updated on emerging
threats, attack trends, and threat actor tactics, techniques, and procedures
(TTPs). Integrate threat intelligence into investigations and detection
strategies.
o Contextualize Threats with Intelligence: Use threat intelligence to
contextualize security incidents, identify potential threat actors involved, and
understand their motivations and capabilities.
o Proactive Threat Hunting: Participate in basic to intermediate threat hunting
activities based on threat intelligence, anomaly detection, and observed
patterns of malicious activity. Develop and execute hunt plans to proactively
identify hidden or persistent threats within the environment.
Detection Engineering and Improvement
o Detection Rule Tuning and Optimization: Analyze false positive/negative
incidents and proactively tune and optimize existing detection rules in
security tools (SIEM, IDS/IPS, EDR) to improve detection accuracy and
reduce alert fatigue.
o Detection Gap Analysis: Identify gaps in current detection coverage based
on threat intelligence, incident trends, and known attacker TTPs. Propose
new detection rules and strategies to address these gaps.
o Develop New Detections (Under Guidance): Contribute to the
development of new detection rules and logic under the guidance of senior
analysts or detection engineers, based on emerging threats and identified
gaps.
III. Tooling, Technology, and Technical Proficiency
Advanced Security Tool Proficiency:
o SIEM Expertise: Proficiently utilize SIEM platforms for alert analysis, log
investigation, correlation rule development, and report generation.
Understand SIEM architecture and data flow.
o EDR Expertise: Expertly leverage EDR tools for endpoint investigation, threat
hunting, containment actions, and forensic data collection.
o IDS/IPS Expertise: Understand IDS/IPS principles, analyze alerts, review
signatures, and contribute to rule tuning.
o Firewall Analysis: Analyze firewall logs, understand firewall rule sets, and
use firewalls for containment actions.
Scripting and Automation (Desirable, Increasingly Important):
o Scripting Skills (e.g., Python, PowerShell): Develop scripts for automating
repetitive tasks, data analysis, and tool integration.
IV. Collaboration, Communication, and Escalation
Collaboration with Tier 1 and Other Teams: Effectively collaborate with Tier 1
analysts, providing guidance, mentorship, and knowledge transfer. Work
collaboratively with other teams (IT, Engineering, Incident Response Team) as
needed during incident response.
Clear and Concise Communication: Communicate technical findings and analysis
clearly and concisely to both technical and non-technical audiences (e.g.,
management, other teams).
Effective Escalation to Tier 3/Incident Response Team: Know when and how to
appropriately escalate complex or high-severity incidents to Tier 3 analysts or the
Incident Response Team, providing comprehensive context and analysis.
Level of Depth and Technical Proficiency:
Deeper Technical Understanding: Tier 2 analysts require a deeper technical
understanding of operating systems (Windows, Linux), networking protocols,
security controls, and attack methodologies compared to Tier 1.
Strong Analytical and Problem-Solving Skills: They must possess strong
analytical and problem-solving skills to dissect complex security incidents, identify
root causes, and develop effective solutions.
Hands-on Experience: They should have demonstrable hands-on experience with
security tools and technologies and be comfortable performing detailed technical
investigations.
Knowledge of Threat Actor Tools, Tactics, and Behavior:
Solid Understanding of TTPs: Tier 2 analysts must have a solid understanding of
common threat actor tactics, techniques, and procedures (TTPs) across different
attack stages (reconnaissance, initial access, persistence, lateral movement,
exfiltration, etc.).
Familiarity with Threat Actor Groups: They should be familiar with common threat
actor groups (APTs, cybercrime gangs) and their associated TTPs and tools.
Knowledge of Attack Vectors and Exploits: Understanding common attack vectors
(phishing, malware, web application attacks) and exploit methods is crucial for
contextualizing incidents and identifying potential vulnerabilities.
Staying Updated on Emerging Threats: Tier 2 analysts must continuously stay
informed about new and emerging threats, vulnerabilities, and attack trends to
maintain effective detection and response capabilities.