The candidate will provide industry-leading malware analysis for advanced cyber threat incidents and research support across several security domains in an exciting and growing security delivery organization within IBM. The reverse engineer will work with IBM X-Force Incident Response teams to triage cyber threat activity, leverage and integrate X-Force's proprietary telemetry, open-source intelligence (OSINT), and industry-leading sources within IBM to develop comprehensive threat models and intelligence research. This includes proactively deriving and validating Indicators of Compromise (IOCs) from in-depth analysis of incident data and malware, and contributing to incident response efforts by providing actionable insights and recommendations in a timely fashion. You will also develop targeted automation scripts, primarily in Python, to assist with malware unpacking, configuration extraction, data parsing, IOC identification, and analysis workflow efficiencies.
* Advanced Malware Reverse Engineering: Minimum 5 years of experience in malware reverse engineering and demonstrated expert-level proficiency in advanced malware analysis techniques. This includes manual and automated unpacking of packed/obfuscated executables, rootkit analysis, dissecting complex exploit chains, bypassing sophisticated anti-analysis/evasion mechanisms, and reconstructing malware logic from highly optimized assembly code.
* Programming & Scripting Expertise: Expertise in at least one high-level programming language (e.g., Python, C, C++, Go) for developing analysis tools, automating tasks, scripting debuggers, and parsing complex data structures (e.g., malware configuration blocks, network protocols, cryptographic key values).
* Debugging & Disassembly Tools: Extensive hands‑on experience with industry‑standard debugging and disassembling tools (e.g., IDA Pro, Ghidra, x64dbg, WinDbg, GDB) for static and dynamic malware analysis, including advanced debugging techniques, scriptable breakpoints, and process injection/hooking.
* Assembly Language Proficiency: Deep, demonstrable expertise in assembly language (x86/x64/ARM/ARM64) and processor architectures, with the ability to swiftly comprehend low‑level code, decipher malware behavior, and identify vulnerabilities or exploit mechanisms.
* Signature Development: Proven ability to develop high‑fidelity signatures and rules for threat detection and research, including YARA rules, network‑based signatures (e.g., Snort/Suricata), and behavioral indicators, to effectively identify and track malware families and activities.
Preferred technical and professional experience
* Malware Platform Breadth: Experience analyzing a wide range of malware file types, including Windows PE, ELF (Linux), MacOS binaries, and mobile platforms (Android/iOS).
* Forensic Artifact Analysis: Proficient in analyzing diverse forensic artifacts, including file system data, system logs, network packet captures, registry hives, and memory dumps, to reconstruct infection chains and and malware activity.
* Malicious Document Analysis: Experience with analyzing malicious documents (e.g., Office macros, PDF exploits) and understanding associated exploitation techniques.
* Operating System Internals: Deep working knowledge of various Operating Systems (Windows internals, macOS, Linux) and processor architectures (x86, x64, ARM, ARM64) relevant to malware execution.
* Threat Intelligence Collaboration: Experience supporting incident response partners, managed security, or threat intelligence teams, and clearly and concisely presenting complex malware analysis findings through high‑quality written reports and oral briefings for diverse technical and non‑technical audiences.
* Automated Sandbox Familiarity: Familiarity with automated sandbox technologies for dynamic malware analysis (e.g., Cuckoo Sandbox, VMRay, Any.Run).
#J-18808-Ljbffr