
NATOIS-0027 Cyber Threat Intelligence Researcher (NS) - THU 13 Mar

Deadline Date: Thursday 13 March 2025

Requirement: Cyber Threat Intelligence Researcher

Location: Brussels, BE

Full Time On-Site: No

Time On-Site: 2 days on-site, 3 days off-site teleworking (can also be from outside Belgium)

Total Scope of the request (hours): On the basis of 38 hours per week and 42 working weeks, a total of 1596 hrs

Period of Performance: 2025 BASE: As soon as possible but no later than 28th April - 31 December 2025, with possibility to exercise the following options:

2026 Option – 01 Jan 2026 – 31 Dec 2026

2027 Option – 01 Jan 2026 – 31 Dec 2027

Required Security Clearance: NATO SECRET

Special Terms and Conditions: The contractor will be responsible for complying with the respective national requirements for working permits, visas, taxes, social security, etc. whilst working on site at NATO HQ, Brussels, Belgium. No special status is either conferred or implied by the host organisation, NATO HQ, Brussels, Belgium, on the contractor whilst working on site.

Profile Description Summary: The Cyber Threat Analysis Branch (CTAB) is looking for a Cyber Threat Intelligence Researcher to support the provision of technical cyber threat intelligence to the NATO Enterprise and Alliance through researching threat actors’ tactics, techniques and procedures.

Division: NATO Joint Intelligence and Security Division

The Joint Intelligence and Security Division (JISD), under the leadership of the Assistant Secretary General for Intelligence and Security (ASG I&S), comprises two principal pillars: Intelligence – headed by the Deputy ASG for Intelligence; and the NATO Office of Security (NOS) – headed by the Deputy ASG for Security. Intelligence is responsible for ensuring the situational awareness of the North Atlantic Council and the Military Committee, for the analysis of the indications and warnings in support of the NATO Crisis Response System and for the development of intelligence policies and capabilities for NATO. Its functional areas address: intelligence analysis and production, intelligence policy and capability development.

The joint civilian and military Intelligence Production Unit (IPU), under the JISD, delivers strategic intelligence-based analysis to support North Atlantic Council (NAC) and Military Committee (MC) decision making on strategic issues of concern. The IPU produces a range of planned and tasked intelligence products on regional issues in Eurasia, Africa and the Middle East, and on transnational issues such as hybrid warfare, terrorism, instability, weapons of mass destruction and energy security.

The Cyber Threat Analysis Branch (CTAB), under the IPU, is responsible for providing evidence-based assessments of the cyber threat landscape to empower NATO stakeholders to make risk-informed decisions. The multidisciplinary team combines all-source data with cutting-edge technologies to support and enhance the Alliance leadership’s understanding of the nature of cyber competition and conflict. CTAB systematically identifies strategic patterns and trends in cyberspace and generates tailored insights to support network defence and mission assurance with predictive analysis, cyber threat intelligence, and threat hunting.

NATO POC for supervision and coordination purposes: Threat Research Team Lead

Background: The contractor (Cyber Threat Intelligence Researcher) will support the work of the Cyber Threat Analysis Branch and help conduct research into threat actors’ tactics, techniques and procedures – and will create accurate, actionable and relevant technical reporting of interest to the Alliance.

Objectives:

• Create scripts and queries to accurately track threat actor infrastructure and tools using commercial and open-source information and tools;

• Write technical threat intelligence products, including detection signatures, meant for network defenders to aid network defence, threat hunting and adversary emulation efforts;

• Aid in translating technical cyber threat intelligence into operational and strategic intelligence products to inform decision-makers at NATO.

Duties and Role:

• Use the CTAB Cyber Threat Intelligence Platform and other sources to conduct research into prioritized cyber threat actors to discover new infrastructure and capabilities under the direction of the team lead.

• Conduct pattern analysis on threat actor infrastructure to detect new malicious infrastructure, and script and automate that detection to allow for threat intelligence at scale.

• Find and analyse potential new cyber threats to NATO based on existing or novel techniques and scripts, and correlate with all available sources to establish an adequate threat picture.

• Translate threat actor tactics, techniques and procedures into actionable intelligence for 1) network defenders, through creating detection signatures, contextualizing IoCs, and writing standardized CTI products, and 2) strategic cyber analysts, for use in intelligence production for decision makers.

• Support other threat researchers in their activities, and advise and assist strategic cyber threat analysts in understanding complex technical topics.

Reporting:

• Report weekly in team standups on progress

Deliverables:

• Actionable, accurate and relevant cyber threat intelligence products that contain behavioral intelligence for network defenders and other cyber threat analysts.

• Constant delivery of findings, mostly comprising indicators of compromise and MITRE techniques, on novel threat actor infrastructure and malware based on assigned threat actors.

• Scripts and methodologies that improve on current processes and tooling and enhance NATO’s ability to track adversaries in cyberspace.

REQUIRED EXPERTISE AND QUALIFICATION:

  • The candidate must have a currently active NATO SECRET security clearance.
  • Cybersecurity-oriented university degree (information technology, computer science, etc.) or equivalent completed advanced vocational training.
  • At least 2 years of experience with producing or working with cyber threat intelligence.
  • Knowledge and experience in analysis of various threat actor groups, attack patterns and tactics, techniques, and procedures (TTPs) to produce actionable threat intelligence to enable network and host defences in organizations with demonstrable impact.
  • Experience with and knowledge of the intelligence lifecycle, analytical tradecraft and frameworks such as MITRE ATT&CK.
  • Good communication skills, both oral and written. Able to translate complex technical topics into information conveyable to non-domain experts. Can easily cooperate with other threat researchers by taking and giving feedback.
  • Knowledge of network and system fundamentals and experience in any of the following cybersecurity fields: network monitoring, threat hunting, incident response, red teaming, host/network forensics, or reverse engineering.
  • Experience with programming in scripting languages such as Python.
  • Possession of industry-recognized cybersecurity certificates such as SANS GIAC or Offensive Security.
  • Possess the following minimum levels of NATO’s official languages (English): V (“Advanced”)

Employment type: Full-time, hybrid

Date posted: March 9, 2025
