Deadline Date: Monday 7 July 2025
Requirement: Support to Cyberspace Operations Malware and Digital Forensics
Location: Mons, BE
Full Time On-Site: Yes
Time On-Site: 100%
Period of Performance: 2025 BASE: 1 SEP 2025 to 31 DEC 2025, with the possibility to exercise following options:
• 2026 option: 1 JAN 2026 to 31 DEC 2026
• 2027 option: 1 JAN 2027 to 31 DEC 2027
• 2028 option: 1 JAN 2028 to 31 DEC 2028
Required Security Clearance: NATO COSMIC TOP SECRET
1. BACKGROUND
The NCI Agency has been established with a view to meeting the collective requirements of some or all NATO nations in the fields of capability delivery and service provision related to Consultation, Command & Control as well as Communications, Information and Cyber Defence functions, thereby also facilitating the integration of Intelligence, Surveillance, Reconnaissance, Target Acquisition functions and their associated information exchange.
2. INTRODUCTION
The NATO Cyber Security Centre (NCSC) is a team of over 200 members working to monitor and protect NATO networks. In the NCSC’s role to deliver robust security services to the NATO Enterprise and NATO Allied Operations and Missions (AOM), the centre executes a portfolio of programmes and projects around 219 MEUR euros per year, in order to uplift and enhance critical cyber security services.
The Portfolio ranges from Programme of Work (POW) activities funded via the NATO Military Budget (MB) to Critical / Urgent Requirements (CURs/URs) and NATO Security Investment Programme (NSIP) projects funded via the Investment Budget (IB). In some edge cases, projects are also funded via the Civilian Budget (CB). Projects can span multiple years and are governed by various frameworks, including the Common Funded Capability Development Governance Framework (CFCDGM).
In order to execute this work, the NCI Agency requires support with the work undertaken by the NATO Cyber Security Centre (NCSC) in the area of Communications and Information System (CIS) security, cyber defence and cyberspace operations. This Statement of Work (SoW) specifies the required skillset and experience.
3. PURPOSE
The NCSC and more specifically the DEFEND branch is responsible to defend NATO networks on a 24/7 basis and to support incident response by performing malware analysis and digital forensics. This involves among other things: the analysis of malicious emails and payloads, the retrieval of forensics artefacts in a sound manner, the reverse engineering of binaries and continuous improvements of scripting, automation and the environment.
4. OBJECTIVES
This Statement of Work (SoW) outlines the services to be provided by the Contractor to NCSC for providing support to Cyber Operations malware and digital forensics.
5. DELIVERABLES
The service is executed in sprints, each sprint is planned for a duration of 5 working days.
The Contractor’s personnel shall deliver the following functions:
D1. Based on a specific malware analysis task (TASK) received via the NCSC COMS system. Analyse what is required (malicious email, URL, binary…) and perform a comprehensive analysis using automated and manual approaches.
D1 Outcome: The analysis is presented in the updated TASK following the template.
D1 Acceptance Criteria:
1. Regular updates are provided via “comments” on the task once assigned, at least daily
2. The format of the analysis follows the agreed template
3. The relevant Standard Operating Procedures (SOP) and Standard Operating Instructions(SOI) are followed
4. Work on the task should start within 2 hours of being assigned
5. A maximum of 1 day for email/URL analysis is foreseen, up to 5 days for a complex binary. If a longer time is required, a detailed justification is to be provided and accepted by management.
D2. Malware analysis research on samples of particular interest. When such a research is required, the provider will perform additional tasks to analyse in depth the sample and produce rules to better detect it.
D2 Outcome: A page in the NCSC wiki containing a detailed research about the samples including links to Yara rules and IOCs created
D2 Acceptance Criteria:
1. The page documenting the research follows the template
2. If applicable, the Yara rules were created in the repository
3. If applicable, extracted IOCs (indicators of compromise) were recorded in a MISP event
D3. Create, update and modify existing SOI/SOPs to reflect the current best practices.
D3 Outcome: The SOI/SOP has been updated, created or modified to reflect the current practices.
D3 Acceptance Criteria:
1. The template has been followed
2. Links with other relevant SOI/SOPs have been made
D4. Acquire and analyse digital forensics evidence following the forensics task (TASK) raised in NCSC COMS
D4 Outcome: The evidence has been acquired, analysed and the analysis outcome has been documented in COMS
D4 Acceptance Criteria:
1. The acquisition has been performed using the fastest methods available
2. The acquisition is forensically sound and follows existing SOP/SOIs
3. Regular updates on the task are provided via “comments”, at least daily
4. The evidence has been stored in the centralized evidence storage
D5. Use and configure security tools such as Microsoft Defender for Endpoint, Fidelis Endpoint Security, F-Response as well as supporting scripting and tools.
D5 Outcome: Documentation about the configuration change.
D5 Acceptance Criteria:
1. The change of configuration has been documented in the knowledge base (Confluence). When the tool is using configuration as code, the appropriate documented pull request in the Git repository must also be raised.
2. The format should follow the template already in use by NCSC.
3. The change should be documented at least 24 hours before the change is expected to take place.
4. For bigger changes, the NCSC change management process must be followed, including the submission of a change request as well as supporting documents
D6. Brainstorm during weekly meetings with the rest of the Cyber Threat Investigation Team how to improve the services delivered by the team.
D6 Outcome: Participation in the meetings
D6 Acceptance Criteria: Participation is reported and tracked in the meeting minutes which need to be prepared before the meeting and updated during the meeting (Confluence). Weekly participation is expected.
D7. Perform supporting activities around malware and digital forensics such as informing relevant stakeholders, liaising with other teams in the NATO enterprise, preparing administrative documents and technical implementation to assist with continuous service improvements.
D7 Outcome: Updated “Routine Task (ORT)” containing regular updates and the final outcome of the task given.
D7 Acceptance Criteria:
1. The task tracker is updated regularly, at least once every week with the latest status
2. The blocking points are clearly identified
3. Subtasks are created proactively if required
Rejection Criteria:
• The client may reject deliverables if they do not meet the specified acceptance criteria or if they contain critical errors.
• A rejected deliverable must be corrected and resubmitted within 1 (one) business day.
Further details:
• Each deliverable will be assessed by a supervisor or team member on a scale from 1 to 5 based on the criteria defined above. This score is used for the monthly KPI, an overall score below 80% introduces a financial penalty. Further, the contractor must conduct the following reviews:
• A bi-weekly ‘touch point’ between NCSC – Technical Analysis Service Delivery Manager, or any other NCSC personnel designated by NCSC.
Structure and formatting of the deliverables:
In addition to their specific acceptance criteria, each deliverable shall meet the following requirements:
• Language: the product shall be written in English, meeting the NATO STANAG 6001 Level 3 “Professional Proficiency”.
• Intended Audience: the product shall be intended for Cyber Security Professional, Senior Military personnel and decision makers in the field of Cyber Security and Cyberspace Operations.
• Accuracy: the product shall accurately reflect what was done.
• Clarity and Conciseness: Information shall be presented clearly and concisely, avoiding unnecessary jargon or complex language.
• Objectivity: the content shall be impartial and objective, presenting information without bias or personal interpretation.
• Structure: the product shall follow a logical structure such as template when available.
• Timeliness: the product shall be prepared and distributed promptly after the assignment, ensuring that information is fresh and actionable.
• Formatting: Consistent formatting shall be used throughout the document, including font style, size, headings, and spacing further directed by the Information and Knowledge Management Steering Group.
• Confidentiality: Information processed by analysing threat intelligence reports or acquired during threat hunting campaigns shall be handled in accordance with the NATO policy on Information Management.
6. PENALTIES
The penalties defined below will apply to the payment amount based on the performance results measured through R1 - Monthly Service Performance (Annex A)
Each deliverable will be assessed by a supervisor or team member on a scale of 1 to 5 based on the criteria defined above. If the score is below 4/5, a justification is provided by the assessor. This score is used for the monthly KPI reported in R1 (Annex A) which is the sum of all the deliverables scores divided by the number of deliverables and transformed into percentage, an overall score below 80% introduce financial penalty. This score is computed in the “sprint review” phase detailed in Section 7.
The grade are to be understood as follows:
1 (20%): Unsatisfactory: The deliverable is completely off-target
2 (40%): Lacking: The deliverable doesn’t meet 1 or more acceptance criteria
3 (60%): Substandard: The deliverable didn’t meet an acceptance criteria or the deadline communicated
4 (80%): Acceptable: The deliverable meets all acceptance criteria however some structure and formatting could be improved
5 (100%): Satisfactory: The deliverable perfectly meets the expectations
Overall Satisfaction on Deliverables D01 to D07 as per paragraph 5: >=80% = 0% Penalty
Overall Satisfaction on Deliverables D01 to D07 as per paragraph 5: 60 - 79% = 25% Penalty
Overall Satisfaction on Deliverables D01 to D07 as per paragraph 5: 40 - 59% = 50% Penalty
Overall Satisfaction on Deliverables D01 to D07 as per paragraph 5:
12. QUALIFICATIONS SKILLS
[See Requirements]
Requirements
10. SECURITY AND NON-DISCLOSURE AGREEMENT
* Any contracted individuals of the Contractor’s personnel must be in possession of a security clearance by their National Authority of NATO COSMIC TOP SECRET or above.
12. QUALIFICATIONS SKILLS
The Contractor’s Personnel must meet the following experience, qualities and qualifications:
* Experience of at least 2 years in malware analysis techniques and technologies;
* Experience of at least 2 years in analysis of digital forensic artefacts in the context of cyber security
* Experience of at least 2 years in cyber security in cloud-based environments
* Experience of at least 2 years in analysing Windows forensics artefacts such as Windows Event logs, UAL, MFT…
* Experience of at least 2 years in writing scripts (Python, Powershell) and building automation workflows
* Experience of at least 2 years in report writing about a technical task and communication with stakeholders
* Excellent ability to recognise when an IT network/system has been attacked, be able to take immediate action to limit damage and to escalate the event to higher authority;
* Good knowledge of the principles of computer and communications security, networking, and vulnerabilities of modern operating systems and applications;
* Good understanding of the MITRE ATT&CK framework and its applicability in Cyber;
* Good knowledge of cyber security incident handling;
* Knowledge of Azure Sentinel, Microsoft Defender for endpoint
* Good knowledge of networking protocols
* Knowledge of Fidelis EDR is an asset
* Language proficiency in English meet or exceed the NATO STANAG 6001 Level 3 “Professional Proficiency”.
* The contractor shall be dressed suitably for meetings with high ranked officials. No religious sign shall be worn during such meeting.
* The contractor shall actively collaborate during internal meeting and touch-points discussions to improve the quality of services.
* Strong reporting skills to various levels of seniority,
* Accuracy and attention to detail.
* Previous experience in working for or supporting a military or governmental organization is an asset.