Adversary Emulation Manager

2 weeks ago


Belfast, United Kingdom TP ICAP Full time

Role Overview

Operating as a function of Cyber Defence under Information Security, you will lead TP ICAP’s purple teaming function, and ensure the firm is well positioned to prevent and detect modern cyber-attacks. As TP ICAP embarks on extensive EDR and SIEM refresh projects, you will be responsible for ensuring these tools are fit for purpose through the delivery of threat-led sprints, and the creation or customisation of attack detection rules.

Being able to model sophisticated and persistent adversaries is essential, and you will be given existing tools such as Prelude, Cobalt Strike, and Vectr to support you, plus any others that you identify.

Role Responsibilities

Define and execute purple team sprints that materially and demonstrably improve TP ICAP’s ability to prevent and detect modern attacks.

Simulate both established and emerging attacker TTPs and personally build the respective detection rules and response procedures.

Through the delivery of purple team sprints, identify opportunities to reduce TP ICAP’s attack surface using preventative controls.

Work with the Security Engineering team as necessary to support the deployment and tuning of security-related tooling, particularly tooling that pertains to prevention and detection.

Develop processes for attack surface monitoring and constant validation through automation.

Act as an escalation point for the SOC and assist with incident response.

Experience / Competences

Essential

Practical experience emulating sophisticated cyber-attacks, likely in a purple or red team capacity.

Deep understanding of modern attacker tools, techniques and procedures.

Comfortable identifying appropriate telemetry sources to collect, and using these to build custom attack detection rules where out-of-the-box capability doesn’t exist.

Desired

Active contributor to offensive security research and/or tooling, perhaps presenting this research at industry-recognised conferences and forums.

Experience working with a SOC to:

  • Tune existing rules and increase alert fidelity/decrease alert fatigue

  • Include analysts on the purple team journey, aiding in staff retention

  • Train analysts in modern attacker TTPs and the ‘attacker mindset’

Able to evade defensive controls such as EDR and AV, tailoring open source tooling and rolling your own where required.

Experience using Infrastructure-as-Code to support emulation activities, for example Terraform/Ansible.

Experience attacking or securing AWS infrastructure.

Development experience in one or more programming languages, with one of them ideally being Python.

#LI-Hybrid #LI-MID

