The aim of this SOW is to support NCSC with technical expertise specifically related to the Cyber Security Incident Detection.  

The following activities are expected to be performed under this SOW:

• Conduct detailed investigation and research of security events within NATO Cyber Security Centre (NCSC) team:

- Analyse firewall, IDS, anti-virus and other sensor-produced system security events and present findings;

- Leverage the comprehensive extended toolset (e.g. Log Collection, Intrusion Detection, Packet Capture, VA, Network Devices etc.) to identify malicious activity;

- Triage, analysis and response to alerts;

- Deliver the analysis and reports in response to tasks associated with ongoing investigations and incidents.

• Develop new Splunk alerts, searches and reports for security monitoring and detection:

- Identify security gaps in NATO infrastructure, develop, update and review custom content utilising available toolset;

- Propose possible optimisations and enhancements, which help to maintain and improve NATO’s Cyber Security posture. 

• Collaborate with threat intelligence teams to incorporate threat indicators into detection systems:

- Work closely with the threat intelligence team to integrate the latest Indicators of Compromise (IOCs) and attack techniques into the detection environment;

- Implementation of at least 3 new threat intelligence-driven detections per quarter to stay ahead of emerging threats. 

• Develop and maintain standard operating procedures (SOPs) and playbooks for incident detection and response:

- Ensure documentation is up-to-date and provides clear guidance for responding to common attack scenarios;

- Delivery of updated SOPs and playbooks quarterly, ensuring they reflect the latest threat landscape and detection capabilities.

• Produce briefings in Microsoft PowerPoint or Word format to provide detailed technical reports in support of incidents and capability improvements. Report and/or briefing for the management team containing details on the detection capabilities, scope, and details. This may be requested in either Word, PowerPoint, or both depending on the briefing. 

• Review reports and observables from threat hunting, red teaming, and purple teaming activities.  Detection gap analysis and recommendations for solutions, subsequently leading on the development, testing and implementation;
• Brainstorm during weekly meetings with the rest of the Monitoring and Detection Team how to improve detection capability to increase detection coverage. Participation in meetings as reported and tracked in the meeting minutes which need to be prepared before the meeting and updated during the meeting (Confluence).