What are the responsibilities and job description for the Penetration Testing Team Lead position at Bering Straits Native Corporation?
SUMMARY
Bering Professional Services, a subsidiary of Bering Straits Native Corporation, is currently seeking a qualified Penetration Testing Team Lead to work with our federal client in Washington, D.C. The ideal candidate for this job will serve as a penetration tester on the federal agency client’s in-house penetration testing team within the client’s Cyber Division – Cyber Integration Center. A highly motivated individual with strong technical, communication, and organizational skills will succeed on this program.
ESSENTIAL DUTIES & RESPONSIBILITIES
- Support federal client’s enterprise penetration testing program to test all facets of client’s IT infrastructure for exploitable weaknesses on a continuous basis.
- Conduct system-specific penetration tests on each of the federal client’s numerous FISMA systems every two years, with designated high-value asset (HVA) systems and FIPS 199 – High systems being tested every year.
- Operate enterprise-grade and open-source penetration testing software, including:
  - BloodHound AD
  - Burp Suite Pro
  - Cobalt Strike
  - Kali Linux tool suite
  - Other tools as applicable
- Develop custom proof of concept exploit code/scripts to illustrate exploitable vulnerabilities.
- Mimic attacks of threat actors defined by the Cyber Threat Intelligence (CTI) Team to assess and improve IT system resilience, EOC monitoring effectiveness and tuning of security tools within the federal client’s environment.
- Perform ad hoc, focused pen tests to validate effectiveness of corrective actions taken to address identified weaknesses.
- Red Team Testing to emulate the actions and tactics of an Advanced Persistent Threat (APT) actor to gain access to an organization and attempt to reach the targets identified.
- Conduct Purple Team adversary simulation exercises at least 6 times per year to help SOC staff practice recognizing and responding to APT-style TTPs, such as encrypted C2 communication, anti-virus evasion, and covert channel data exfiltration.
- Phishing Assessments to measure the awareness of an organization and reinforce key learning objectives.
- Compete as part of a team in various regional and virtual CTF competitions (BSides, ShmooCon, etc.)
- Learn from other specialist security engineers to be able to assist with advanced incident response activities.
- Under the direction of Federal leadership, penetration testing services include, but are not limited to:
  - Circumvent authentication and authorization mechanisms.
  - Escalate Application user privileges.
  - Hijack accounts belonging to other users.
  - Violate access controls placed by the site administrator.
  - Alter data or data presentation.
  - Corrupt Application and data integrity, functionality and performance.
  - Circumvent Application business logic.
  - Circumvent Application session management.
  - Break or analyze use of cryptography within user accessible components.
  - Determine possible extent of access or impact to the federal client’s systems by attempting to exploit vulnerabilities under the direction of the federal client.
  - Exploit web applications and Application Programming Interfaces (APIs) during the API lifecycle.
  - Source Code Analysis identifying any vulnerabilities or weaknesses within the software.
  - Test database applications or stored functions, database systems, database servers and associated network links to validate database security and verify that adversaries are not able to exploit vulnerabilities in the database to access or modify the data.
  - Network Services Testing conducted locally or remotely identifying security weaknesses and vulnerabilities in the network infrastructure.
QUALIFICATIONS - EXPERIENCE, EDUCATION AND CERTIFICATION
To perform this job successfully, an individual must be able to satisfactorily perform each essential duty. The requirements listed below are representative of the knowledge, skill and/or ability required. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
Required (Minimum Necessary) Qualifications
- Hands-on-keyboard penetration testing experience. (Running nmap and Nessus scans doesn’t count – must have experience actually exploiting target assets/popping shells, even if only in a lab environment.)
- Proficiency with common open-source penetration testing tools such as the Kali Linux tool suite, i.e. Metasploit Framework, SQLmap, Burp Suite.
- Understanding of common exploitation techniques such as SQL injection, XSS, pass-the-hash, etc.
- Ability to craft custom exploits to provide proof of concept vulnerability validation.
- Proficient scripting skills in Python, PowerShell, and/or Bash.
- In-depth knowledge of common enterprise operating systems: Windows, Linux/Unix
Knowledge, Skills, Abilities, and Other Characteristics
- Ability to work well in a team environment.
- Exceptional critical thinking and analytical skills – candidate must have the ability to fully learn and understand security measures and devise creative mechanisms to defeat them.
- Ability to calculate and assess risk based on threats, vulnerabilities, and mitigating factors.
- Self-starter with ability to work with little supervision.
- The ability to rapidly shift priorities efficiently is a necessary skill for this position.
- Ability to clearly and concisely document vulnerability findings in written format for both technical and non-technical audiences.
- Ability to speak publicly within the organization at meetings with up to 100 participants.
- Willingness to take on and adapt to new, open-ended tasks for which there is no current standard operating procedure.
- Ability to research independently and self-teach.
Preferred
- Interest in security/hacking culture. Ability to “think like an attacker”.
- Certifications (one or more of the following preferred):
  - OSCP – strongly preferred, required within 6 months of hire (company-paid).
  - Certified Ethical Hacker (CEH)
  - GIAC Certified Penetration Tester (GPEN)
- Familiarity with the Microsoft 365 and Microsoft Azure suite of products, including Microsoft Sentinel and Microsoft 365 Defender.
- Familiarity with non-Windows operating systems, i.e. Cisco IOS, Mac OSX, Android, Apple iOS, IBM Z/OS.
- Familiarity with NIST SP 800-53 security controls.
NECESSARY PHYSICAL REQUIREMENTS
The physical demands described here are representative of those that must be met by an employee to successfully perform the essential functions of this job. Employee must maintain a constant state of mental alertness at all times. Reasonable accommodations may be made to enable individuals with disabilities to perform the essential functions.
Essential and marginal functions may require maintaining physical condition necessary for bending, stooping, sitting, walking or standing for prolonged periods of time; most of time is spent sitting in a comfortable position with frequent opportunity to move about.
DOT COVERED/SAFETY-SENSITIVE ROLE REQUIREMENTS
- This position is not subject to federal requirements regarding Department of Transportation “safety-sensitive” functions.
WORK ENVIRONMENT
Work Environment characteristics described here are representative of those that must be borne by an employee to successfully perform the essential functions of this job.
The job is performed in an office setting with exposure to computer screens and requires extensive use of a computer, keyboard, mouse, and multi-line telephone system. The work described herein is primarily in a modern office setting. Occasional travel may be required.
SUPERVISORY RESPONSIBILITIES
- This position supervises employees
ADDITIONAL QUALIFYING FACTORS
As a condition of employment, you will be required to pass a pre-employment drug screening and have acceptable background check results. If applicable to the contract, you must also obtain the appropriate clearance levels required and be able to obtain access to military installations.
Shareholder Preference
BSNC gives hiring, promotion, training, and retention preference to BSNC shareholders, shareholder descendants and shareholder spouses who meet the minimum qualifications for the job.
Bering Straits Native Corporation is an equal opportunity employer. All applicants will receive consideration for employment, without regard to race, color, religion, creed, national origin, gender, or gender-identity, age, marital status, sexual orientation, veteran status, disability, pregnancy or parental status, or any other basis prohibited by law.
Equal Opportunity Employer/Veterans/Disabled
We participate in the E-Verify Employment Verification Program. We are a drug free workplace.
Equal Opportunity Employer/Protected Veterans/Individuals with Disabilities
The contractor will not discharge or in any other manner discriminate against employees or applicants because they have inquired about, discussed, or disclosed their own pay or the pay of another employee or applicant. However, employees who have access to the compensation information of other employees or applicants as a part of their essential job functions cannot disclose the pay of other employees or applicants to individuals who do not otherwise have access to compensation information, unless the disclosure is (a) in response to a formal complaint or charge, (b) in furtherance of an investigation, proceeding, hearing, or action, including an investigation conducted by the employer, or (c) consistent with the contractor’s legal duty to furnish information. 41 CFR 60-1.35(c)