Incident Manager

US Government, Department of Homeland Security

DHS is recruiting for an Incident Manager in the Cybersecurity and Infrastructure Security Agency (CISA),Cybersecurity Division Threat Hunting SubDivision. This is a DHS Cybersecurity Service position in the Technical Track at the Staff Cybersecurity Specialist career level. Department of Homeland Security (DHS) Cybersecurity Service employees are a diverse, dynamic team working across DHS Components and organizations to protect the Nation’s information technology infrastructure.


For more details on elgibility, requirements, and evaluation. Please click “Apply Now”, which will take you to the US Gov job platform.


Job Grade: 2
Total Openings: many


As an Incident Manager, you will support the CISA Cybersecurity Division, Threat Hunting’s SubDivision efforts to execute the day-to-day management of customer service for assigned incidents involving advanced cyber threats, intrusions, and malicious activities that evade existing security solutions and impact Federal Civilian Executive Branches, Departments, and Agencies, State and Local Governments, and the Nation’s Critical infrastructure. As a DHS Cybersecurity Service Employee in the Technical Track, at the Staff Cybersecurity Specialist level, you will continually maintain and share your expert/resident-level Cybersecurity Defensive Operations – Intelligence Collection and Analysis and/or Mitigation and Response expertise to perform a range of critical, routine and non-routine tasks, including: Applying technical expertise of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). Coordinating with designated managers, cyber incident responders, and cybersecurity service provider team members to support. enterprise-wide cyber defense technicians to resolve cyber defense incidents. Conducting analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system (IDS)logs) to identify possible threats to network security. Performing real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs). Tracking and documenting cyber defense incidents from initial detection through final resolution (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment. Serving as technical expert and liaison to law enforcement personnel and explain incident details as required. Characterizing and analyzing network traffic to identify anomalous activity and potential threats to network resources. Performing event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack. Identifying and analyzing anomalies in network traffic using metadata. Proactively notifying designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan. Assisting other in correlating incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation. Writing and publishing cyber defense techniques, trend analysis, guidance, and reports on incident findings to appropriate constituencies and after action reviews. Collecting intrusion artifacts (i.e., source code, malware, Trojans) using discovered data to mitigate potential cyber defense incidents within the enterprise. DHS Cybersecurity Service employees with a technical capability in Cybersecurity Defensive Operations – Intelligence Collection and Analysis will generally: Responsible for the integration, management, and execution of all aspects of the cyber attack lifecycle to inform cyber defensive operations. Plan and execute end-to-end cybersecurity operations to defend protected assets. Plan collection operations, retrieves and analyzes key intelligence data. Understand where to focus surveillance. Oversee specialized denial and deception operations and collection of cybersecurity information that informs and develops the end-to-end operations. DHS Cybersecurity Service employees with a technical capability in Mitigation and Response will generally: Track and respond to prioritized urgent IT and cyber events and indicators of compromise (IOCs) to mitigate threats to networks, systems, and applications. Investigate and analyze response activities and employs various advanced response and recovery approaches as appropriate. Apply understanding of tactics, techniques, and procedures for investigative processes, including identifying adversaries’ TTPs and applying corresponding defense or security controls. Conduct root cause analysis and response coordination, providing recommendations for mitigation. Execute recovery action plans and adapts plans to handle new developments.


This position is in the Technical Track at the Staff Cybersecurity Specialist career level. DHS Cybersecurity Service employees start at career levels and salaries matching their experience and expertise. To learn more about DHS Cybersecurity Service career tracks and levels, visit our application portal. Staff Cybersecurity Specialist generally: 8+ years of cybersecurity work experience. Are capable of serving as a resident cybersecurity expert who applies significant technical expertise to develop solutions for critical, non-routine challenges. This position is focused on Cybersecurity Defensive Operations – Intelligence Collection and Analysis and Mitigation and Response . DHS Cybersecurity Service jobs are structured cybersecurity specializations – called technical capabilities. To learn more about technical capabilities, visit our application portal. DESIRED TOOLS/INDUSTRY EXPERIENCE: Skill in assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.). Ability to apply techniques for detecting host and network-based intrusions using intrusion detection technologies. Demonstrated knowledge of cyber attack stages (e.g., reconnaissance, scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

Job Requirements:

Job Overview