Threat Intelligence and Response Engineer
Security: Threat Intelligence & Response Engineer
The CSIRT: Threat Intelligence & Response team is responsible for detecting and responding to security incidents across Airbnb’s corporate and production environments.
Areas of Responsibility:
The following are shared responsibilities across the team, but we expect each member to be able to do the following things:
- Threat Intelligence: Detecting and responding to evolving threats requires up-to-date threat intelligence. You will collect, develop, refine and deploy Threat Intelligence to products like StreamAlert and BinaryAlert. You will also develop threat reports to inform stakeholders, projects and priorities.
- Security Operations: It's important to detect security incidents before they cause material damage to the business. You will prioritize, analyze and drive alerts to resolution. In the event an alert is identified as a security incident, you will kick off Incident Response.
- Incident Response: You will rapidly scope, contain and eradicate threats, minimizing financial, legal, business and reputational losses. Services include but are not limited to log analysis, memory and disk forensics, reverse engineering, network containment, threat eradication and postmortems. You will also develop and refine processes, plans and procedures and partner closely with Legal, Comms and other stakeholders across the business.
- Red Teaming: The team will run red teams (attack simulations) to measure our ability to prevent, detect and respond to real-world attacks. You will identify areas for improvement in people, process and technology and prioritize these efforts, collaborating with stakeholders.
How We Are Different:
- Threat Intelligence: Instead of solely relying on atomic indicators (MD5, IP, Domain), we translate raw intelligence from public and commercial threat reports into actionable detection rules that focus on TTPs. We utilize MITRE’s ATT&CK framework to reason about breadth, depth and areas for improvement. We carefully reason about what we are uniquely positioned to do and where we can leverage industry partners and vendors.
- Security Operations: We have all seen bad SOCs: large numbers of analysts, hundreds to thousands of alerts, an IT-environment-centric view (production is ignored), heavy emphasis on network logs and appliances, repetitive work, and limited autonomy and career progression. Our team focuses on automation, high-fidelity rules with tests, and ownership of the entire lifecycle: intelligence -> rule development -> deployment -> triage -> incident response. You won’t find an alert queue with hundreds of low-fidelity alerts here. Rules include enough context that a majority of them can be triaged from a mobile application.
- Incident Response: You are expected to drive incidents to resolution quickly through pre-deployed infrastructure, products, automation and playbooks, not one-off manual SIEM queries.
- Red Teaming: We know the difference between a pentest and a red team. Using the trust and rapport the team has already developed, you will challenge existing assumptions, technologies and processes and identify ways to improve Airbnb’s security posture.
- Scope: You are responsible for all corporate and production environments, which includes Windows, macOS & Linux systems, supporting networks, applications, and all therein.
- Quality: You will see it in our blog posts and our open source projects: we care a lot about quality. We expect you will meet or raise this bar.
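To make the “TTPs, not atomic indicators” and “rules with tests” points above concrete, here is an added example of what such a rule looks like. It is illustrative code written for this page, not code from Airbnb’s StreamAlert repository: the `rule` decorator is a minimal stand-in so the file runs without the framework (real StreamAlert rules use the project’s own decorator, whose import path is not shown here), and the process-event schema and records are constructed sample data. The rule keys on behaviour (an Office application spawning a command interpreter, ATT&CK T1204.002 leading to T1059) rather than on a hash, IP or domain, and it ships with its own expected outcomes.

```python
"""StreamAlert-style, TTP-focused detection rule with built-in test cases.

Added example, not code from Airbnb's StreamAlert project. The `rule`
decorator and `RULES` registry below are simplified stand-ins (assumption);
the event schema and all records are constructed, not real telemetry.
"""
from typing import Callable, Dict, List

# Stand-in registry for the rules engine (assumption: simplified).
RULES: Dict[str, Callable[[dict], bool]] = {}


def rule(logs: List[str], outputs: List[str]):
    """Register a rule function, mimicking the decorator shape of StreamAlert."""
    def wrap(fn):
        fn.logs, fn.outputs = logs, outputs
        RULES[fn.__name__] = fn
        return fn
    return wrap


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@rule(logs=["endpoint:process_events"], outputs=["slack:csirt"])
def office_app_spawns_interpreter(rec: dict) -> bool:
    """ATT&CK T1204.002 (malicious file) -> T1059 (command interpreter).

    Matches the parent/child relationship rather than an MD5, IP or domain,
    so a re-packed maldoc still fires. Comparing lowercased basenames keeps
    the rule stable across hosts with different install paths and casing.
    """
    parent = rec.get("parent_name", "").lower()
    child = rec.get("name", "").lower()
    return parent in OFFICE_APPS and child in INTERPRETERS


def evaluate(events: List[dict]) -> List[dict]:
    """Run every registered rule over the events.

    Each alert carries host, user, process lineage and command line, which is
    the context needed to triage it from a phone without a follow-up query.
    """
    alerts = []
    for ev in events:
        for name, fn in RULES.items():
            if fn(ev):
                alerts.append({
                    "rule": name,
                    "outputs": fn.outputs,
                    "host": ev.get("host"),
                    "user": ev.get("user"),
                    "lineage": f"{ev.get('parent_name')} -> {ev.get('name')}",
                    "cmdline": ev.get("cmdline"),
                })
    return alerts


# Constructed sample records (hosts, users and command lines are invented).
SAMPLE_EVENTS = [
    {"host": "lt-0417", "user": "jdoe", "parent_name": "WINWORD.EXE",
     "name": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64 payload>"},
    {"host": "lt-0417", "user": "jdoe", "parent_name": "explorer.exe",
     "name": "cmd.exe", "cmdline": "cmd.exe /c dir"},        # user opened a shell: benign
    {"host": "lt-0910", "user": "asmith", "parent_name": "EXCEL.EXE",
     "name": "splwow64.exe", "cmdline": "splwow64.exe"},      # printing from Excel: benign
]


def self_test() -> bool:
    """Expected outcomes travel with the rule, so a regression is caught at
    deploy time instead of by an analyst noticing a flood or a silence."""
    expected = [True, False, False]
    return [office_app_spawns_interpreter(e) for e in SAMPLE_EVENTS] == expected


if __name__ == "__main__":
    assert self_test()
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the file prints exactly one alert, for the Word-to-PowerShell event, and the two benign records produce nothing: that one-to-one relationship between a matched behaviour and an actionable alert is what keeps a queue small enough to triage from a mobile device.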
Requirements:
- You are able to solve large, complex technical problems
- You have multiple years of experience in detecting and responding to attacks.
- You are comfortable and experienced in managing significant incidents including technical response, coordination, and communicating with stakeholders across functions (Executives, Legal, etc.)
- You are self-driven, autonomous and can contribute to the strategy and roadmap of the team
- You have experience in technical mentorship and enjoy collaborating with teammates and industry peers
- You can code in Python and are capable of contributing meaningful rules to StreamAlert
- You can write effective YARA rules and are capable of contributing meaningful rules to BinaryAlert
- You have an attention to detail and care about quality and testing
- You have excellent written and verbal communication skills; people are delighted when they read your blog posts, threat reports and/or postmortems
Benefits:
- Competitive salaries
- Quarterly employee travel coupon
- Paid time off
- Medical, dental, & vision insurance
- Life insurance and disability benefits
- Fitness Discounts
- Flexible Spending Accounts
- Apple equipment
- Commuter Subsidies
- Community Involvement (4 hours per month to give back to the community)
- Company sponsored tech talks and happy hours
- Much more...