Threat Hunting Security Professional
Nokia
Join us in creating the technology that helps the world act together
We are a B2B technology innovation leader pioneering the future where networks meet cloud. At Nokia you will have a positive impact on people’s lives and help build the capabilities needed for a more productive, sustainable, and accessible world.
Be part of a culture built on an inclusive way of working where we are open to your ideas, you are empowered to take risks and are encouraged to be fearless in bringing your authentic self to work.
The team you'll be part of
Technology and AI (TAO) lays the path for Nokia’s future technology innovation and identifies the most promising areas for Nokia to create new value. We set the company’s strategy and technology vision, offer an unparalleled research foundation for innovation, and provide critical support infrastructure for Nokia.
Part of Technology and AI, Group Security (GS) is Nokia’s central knowledge center responsible for Nokia’s cyber security policies and standards, the cyber security architecture and roadmap, and the monitoring and alerting of security incidents.
We partner with the Nokia Business Groups and Central Functions on product security and customer security, and interact with governments on security regulations.
Together we take care of Nokia’s security culture, processes, systems, products and services to position Nokia as a trusted partner for the 5G/6G era and beyond.
The Cyber Security Defense Center (CDC) is looking for a Threat Intelligence and Threat Hunting Security Professional taking up responsibilities in the CDC Threat Intelligence and Hunting Team.
The TI/TH professional will leverage threat intelligence to identify hunting topics and, by applying the defined process, execute these hunts accordingly. Insights from hunts are then shared with appropriate stakeholders for follow-up and resolution (where applicable).
Your skills and experience
In the overview below, a series of requirements and expectations are listed. Not every item is a must-have; where a particular expectation cannot be met, the applicant is expected to aspire to (eventually) fulfil it.
• BSc or MSc (preferred) degree in computer science or related technical field
• Have 5+ years of experience in cyber security (or equivalent by education and/or interest)
• Have practical, hands-on experience in ‘Threat Intelligence’ in the context of ‘Information Security’
• Having experience as an analyst in a SOC is considered a plus
• Having a security certification is considered a plus (e.g. CEH, CHFI, CTIA); if not in place at the moment of applying for this position, be willing to obtain a certification in due time
• Understand the activities in support of Threat Hunting and be able to demonstrate it
• Terms such as CIA, SIEM, SOC, APT, TTPs and MITRE ATT&CK are no secret to you and you’re able to demonstrate an active understanding of them
• Be familiar with the approach taken to define SIEM detection rules and, when relevant, be able to translate hunt findings into improvements to existing detection rules or propose new rules
• Be able to work in a standalone way with a minimum of guidance and oversight – in case assignments are not clear, it is expected from the applicant to make this known to the peers or team lead and drive it towards a resolution.
• Knowledge of scripting and programming languages is considered key (e.g. Python, PowerShell)
• Show eagerness in getting to ‘the bottom’ of a given hunt
• Proactive and collaborative mindset.
• Be fluent in English (oral and written)
What you will learn and contribute to
Nokia’s CDC has established a ‘Threat Intelligence & Threat Hunting Capability’. This consists of three main activities: ‘Threat Intelligence’ – ‘Threat Modeling’ – ‘Threat Hunting’.
The focus of ‘Threat Intelligence’ is on gathering information on threats that may affect Nokia if executed. A timely understanding of these threats makes it possible to validate whether the existing security measures are effective or need to be updated or introduced. To make this happen, the gathered intelligence needs to be evaluated and relative priorities established, as it is not feasible (nor sustainable) to focus on every reported threat. The prioritization of threats and the translation of the information into threat models is taken care of by the ‘Threat Modeling’ activity.
Finally, to validate whether additional security measures need to be taken, it is up to the ‘Threat Hunting’ team to perform the necessary validations (i.e., standalone or in collaboration with other parties such as the Computer Emergency Response Team) and to provide insights on the observations made.
In the remainder of this document, the profile we’re looking for will be referenced as ‘TI & TH-professional’.
The TI & TH-professional is capable of addressing the challenges regarding the management of Threat Intelligence information (aka TI info), i.e., establishing an effective lifecycle management and incrementally improving the added value of the available threat intel through the (auto-)enrichment of security event data. The TI activities in scope include (non-exhaustive view):
- Identification of relevant TI-feeds in support of stakeholders’ needs
- Support (auto-)enrichment of event information through the ingestion of TI information in our TI platform (MISP).
- Introduction of AI-supported ingestion of threat intel is considered the next step, so a proper and practical understanding of what AI can offer is a must for this role
- Support the establishment of an effective TI reporting mechanism
- Look for options to improve the ‘value add’ of the available intel
Information available through the TI-capability pillars ‘Threat Intelligence’ & ‘Threat Modeling’ is used to identify the potential threats and prioritize these for evaluation through a dedicated hunt. To streamline the activities in support of defined hunts, the hunt team takes a process-based approach, leveraging the PEAK Framework.
The focus of ‘Threat Hunting’ is on investigating a defined threat hypothesis and hunting for information that will (dis)prove it. The outcome of the hunt is used to inform the relevant team stakeholders and to propose improvements to existing detection rules or define new ones.
The ‘TI & TH-professional’ will actively support the execution of defined hunts and diligently carry out the full lifecycle, i.e. from hypothesis definition up to documenting findings and sharing the insights with stakeholders. The activities in scope include (non-exhaustive view):
· Digest the information made available through the TI- and TM-activities
· Propose topics for new hunts, considering the priorities associated with specific TTPs
· Prepare the execution of hunts, including a validation whether the prerequisites to successfully execute a hunt are met
· Execute the hunt, in line with the agreed restrictions (i.e. time, scope, effort)
· Consolidate findings and involve relevant stakeholders to discuss them (i.e. via Detection Committee); in the event security gaps are found, ensure that the right steps are taken to get these gaps (eventually) resolved
· Upon concluding the hunt, document findings and, when relevant, suggest improvements for future hunts
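To make the two process descriptions above concrete (TI-driven (auto-)enrichment of event data, and the hunt lifecycle from hypothesis to a detection-rule proposal), here is a small added Python example. It is illustrative code written for this page, not Nokia’s, the CDC’s or MISP’s own tooling: the indicator set, the proxy log lines and the hostnames are constructed, the indicators are held in a plain dictionary rather than a real MISP export, and the hunt hypothesis (a host contacts a TI-listed destination at a near-constant interval) is one possible hypothesis chosen for illustration.

```python
"""Added example: enrich proxy events with TI indicators, test one hunt hypothesis,
and turn confirmed findings into a detection-rule proposal. All data is constructed."""
from __future__ import annotations

import csv
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timezone
from io import StringIO

# Constructed indicator set, standing in for attributes pulled from a TI platform.
INDICATORS = {
    "domain": {"bad-updates.example": "hypothetical C2 domain",
               "cdn-check.example": "hypothetical malvertising host"},
    "ip": {"203.0.113.7": "hypothetical scanner"},
}

# Constructed web-proxy log: timestamp, source host, destination, HTTP status.
PROXY_LOG = """\
timestamp,src_host,dest,status
2024-05-01T10:00:00Z,ws-0123,bad-updates.example,200
2024-05-01T10:05:00Z,ws-0123,bad-updates.example,200
2024-05-01T10:10:02Z,ws-0123,bad-updates.example,200
2024-05-01T10:15:01Z,ws-0123,bad-updates.example,200
2024-05-01T10:00:13Z,ws-0456,intranet.example,200
2024-05-01T10:31:00Z,ws-0456,cdn-check.example,200
2024-05-01T10:02:00Z,ws-0789,203.0.113.7,404
2024-05-01T11:50:00Z,ws-0789,203.0.113.7,404
2024-05-01T12:01:00Z,ws-0789,news.example,200
"""


@dataclass
class Event:
    ts: datetime
    src_host: str
    dest: str
    status: int
    ti_tags: list[str] = field(default_factory=list)  # filled in by enrich()


def parse_events(text: str) -> list[Event]:
    """Parse the CSV proxy log into Event objects with UTC timestamps."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, row["src_host"], row["dest"], int(row["status"])))
    return events


def enrich(events: list[Event], indicators=INDICATORS) -> list[Event]:
    """(Auto-)enrichment step: tag every event whose destination is a known indicator."""
    for ev in events:
        kind = "ip" if ev.dest.replace(".", "").isdigit() else "domain"
        label = indicators.get(kind, {}).get(ev.dest)
        if label:
            ev.ti_tags.append(f"{kind}:{label}")
    return events


def ti_contacts(events: list[Event]) -> list[tuple[str, str]]:
    """Every (src_host, dest) pair that touched an indicator, for the hunt report."""
    return sorted({(ev.src_host, ev.dest) for ev in events if ev.ti_tags})


def hunt_beaconing(events: list[Event], min_hits: int = 3, max_jitter_s: float = 10.0) -> list[dict]:
    """Hypothesis: a host contacts a TI-listed destination at a near-constant interval.
    A (src_host, dest) pair supports the hypothesis when it has at least min_hits
    TI-tagged requests and the spread between its inter-request gaps is small."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ev in events:
        if ev.ti_tags:
            by_pair[(ev.src_host, ev.dest)].append(ev.ts)
    findings = []
    for (src, dest), stamps in sorted(by_pair.items()):
        stamps.sort()
        if len(stamps) < min_hits:
            continue  # too few contacts to say anything about periodicity
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        jitter = max(gaps) - min(gaps)
        if jitter <= max_jitter_s:
            findings.append({"src_host": src, "dest": dest, "hits": len(stamps),
                             "period_s": round(sum(gaps) / len(gaps), 1), "jitter_s": jitter})
    return findings


def propose_rule(findings: list[dict], max_jitter_s: float = 10.0) -> dict | None:
    """Translate confirmed findings into a detection-rule proposal for the Detection Committee."""
    if not findings:
        return None  # hunt disproved the hypothesis on this data: nothing to propose
    return {
        "title": "Periodic contact with TI-listed destination",
        "logsource": "web proxy",
        "condition": (f">= {min(f['hits'] for f in findings)} requests from one host to a "
                      f"TI-listed destination with inter-request jitter <= {max_jitter_s} s"),
        "observed_on": [f["src_host"] for f in findings],
    }


if __name__ == "__main__":
    evs = enrich(parse_events(PROXY_LOG))
    print("TI contacts:", ti_contacts(evs))
    hits = hunt_beaconing(evs)
    print("Beaconing findings:", hits)
    print("Rule proposal:", propose_rule(hits))
```

In this constructed data only `ws-0123` supports the hypothesis (four requests about 300 s apart, 3 s of jitter); `ws-0456` and `ws-0789` touched indicators but too rarely to say anything about periodicity, so they appear in the TI-contact report but not in the findings or the rule proposal. Keeping the enrichment, the hypothesis test and the rule proposal as separate functions mirrors the lifecycle described above: each step’s output is what the next stakeholder receives.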
Gradually, the focus will shift towards including the outcome of ‘Threat Modeling’ activities, as an effective ‘Threat Hunting’ capability heavily depends on having access to relevant and well-maintained threat models.
To realize this, the ‘TI & TH-professional’ will have to work with both external parties (e.g., IT support) and internal parties (e.g., CDC Operations, CERT), so the ability to connect and engage with other parties is key. A ‘continuous improvement’ mindset is essential, as the insights resulting from a hunt can be overwhelming – what is found to be ineffective today will still be so tomorrow. Also, not every hunt will result in an actionable finding – it is expected from the ‘TI & TH-professional’ to put this in proper perspective. The ‘TI & TH-professional’ will be able to count on the services of multiple teams when executing threat hunts – it will be key to involve the right teams at the right time.