This role is responsible for threat intelligence analysis efforts to support customers and strengthen Apple’s information security posture.
- Influence which data sources are collected for threat intelligence analysis, so that Apple employees and users are better protected from a wide range of cyber threats.
- Perform functional analysis to develop adversary profiles, identifying tactics, techniques, and procedures (TTPs) derived from analysis of malware, actions taken on compromised hosts, and successful or attempted data theft.
- Lead strategic analysis to attribute cyber attacks to threat actors, applying knowledge of the current geopolitical climate, current product and business lines, the targets selected, and the timing of activity to understand an attacker's motivations.
- Develop and report intelligence analysis findings to internal teams, senior leadership, and external partners.
- Produce bulletins, assessments, or full-length profiles of actors delivered in a timely and contextual manner.
- Foster relationships with teams inside and outside of Apple Information Security to understand and meet their collection and reporting requirements.
- Vet, manage, and protect threat intelligence sources, including reviewing each source's reputation and deliverables so that its information can safely be used as an input to the analysis process, and protecting the identity of the source.
- Follow operational security best practices to ensure Apple is not responsible for damaging the credibility, security, or reputation of any intel sources.
- Produce regular metrics to measure the effectiveness of the Apple Information Security threat intelligence program, including the number of indicators produced from analysis, the number of incidents detected from analysis, and the number of reports generated and disseminated to Apple groups.
- Own and manage relationships with external threat intelligence partners, including regular in-person meetings and two-way sharing of threat information.
- Identify opportunities to enhance detection systems and security controls to counter known threats.
- Evangelize the threat intelligence team to key stakeholders through training sessions and presentations.
This individual will help build and expand Apple's threat intelligence capability, including:
- Data gathering – leverage data sources to ensure there is sufficient data for analysis
- Data evaluation – improve program quality by providing quantitative feedback on data quality and quantity
- Functional analysis – identify and document the tactics, techniques and procedures used by attackers
- Fusion analysis – work on tight timelines with a diverse set of data to facilitate customer decision making
- Strategic analysis – derive a complete picture of an attacker by analyzing attacker motivations, organizations, and networks using a target-centric methodology
The analysis produced by the team provides insight to groups within Apple that are at risk from intrusions, and provides contextual information to the teams responsible for detection.
- Excellent communication and presentation skills; ability to brief and discuss cyber threats with a variety of audiences.
- Familiarity with target-centric intelligence analysis with a focus on cyber threats.
- Ability to work with business partners to understand and address their intelligence needs.
- Knowledge of the cyber threat landscape, including tracked actors, commonly used TTPs, and targets of past campaigns.
- Experience performing open source research using sources such as VirusTotal, Farsight, OpenDNS, DomainTools, Recorded Future, and social media.
- Understanding of current threat detection tools and technologies.
- Familiarity with forensics tools and techniques, including memory analysis, disk metadata analysis, and file carving.
- Experience with indicator sharing formats and platforms, including STIX, TAXII, and OpenIOC.
- Experience with malware classification via dynamic analysis, static signature matching, and call-graph analysis to cluster malware samples into distinguishable families.
- Experience with malware reverse engineering to identify custom code used in malware, including packers, data obfuscation, and anti-analysis features.
- Experience developing network protocol parsers and processing full PCAP data.
- Understanding of large-scale data storage and analysis platforms used to organize and search vast amounts of intelligence data, including malware samples, forensic artifacts, command and control session data, actor information, and attacker infrastructure maps.
- Familiarity with intelligence link analysis tools used to model relationships between intelligence items, including Maltego, Analyst's Notebook, and Palantir.
- Off-hours / on-call support required due to the 24×7 nature of this team.