Position: Digital Forensics and Incident Response
Location: Research Triangle Park, NC (Remote)
Duration: 3+ Months (contract)
Key responsibilities:
Collect, process, analyze, interpret, preserve, and present digital evidence
Perform forensic triage of an incident to include determining scope, urgency and potential impact
Conduct analysis of forensic images and available evidence in support of forensic write-ups for inclusion in reports and written products
Document forensic analysis from initial participation through resolution
Ability to document forensic workflows based on sound industry practice
Investigate data breaches leveraging traditional forensic tools and cloud-specific tools to determine the source of compromises and malicious activity
Support incident response engagements, perform forensic investigations, contain security incidents, and provide guidance on longer term remediation recommendations
Develop, document and refine procedures to accomplish discovery process requirements
Manage chain-of-custody best practices in accordance with the rules of evidence
Mentor team members in incident response and forensics best practices so that additional staff can assist in larger collection events
Solid understanding of the forensic lifecycle, scoping activities, and evidence acquisition on a range of devices
Forensic analysis background on the following platforms and technologies:
Cloud (AWS, Azure, GCP)
Windows/Mac/Linux OS
Physical and virtual network devices and platforms
Understanding of SaaS, PaaS, and IaaS
Analyze and characterize cyber-attacks unique to cloud
Skilled in identifying different classes of attacks and attack stages
Understanding of system and application security threats and vulnerabilities
Understanding of proactive analysis of systems and networks, including defining trust levels and understanding cloud authentication methods
Experience performing reactive incident response functions in public cloud environments such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)
Experience with examining compute, storage, network, IAM, Kubernetes, serverless, and other log sources to identify evidence of malicious activity
Understanding of APIs and ability to leverage them for building integrations
Ability to write custom query logic for major Security Information and Event Management (SIEM) tools
Ability to write SQL to search data warehouse databases
Familiarity with the following tools:
Forensic platforms such as EnCase, FTK, X-Ways, SIFT, Splunk, Redline, Volatility, Wireshark, tcpdump, and other open source forensic tools
Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR)
Malware Analysis / Reversal Tools
Network and host intrusion detection systems (IDS) such as Snort/Sourcefire, Palo Alto, etc.
Endpoint Detection & Response (EDR)
Network sniffers and packet tracing tools such as DSS, Ethereal, tcpdump, Wireshark, etc.
You are an ideal candidate if you possess:
6+ years of incident response or digital forensics experience with a passion for cyber security; or equivalent educational experience in Information Security, Computer Science, Digital Forensics, Cyber Security or related field
Proficient with host-based forensics and data breach response
Hands-on experience with architecting, building, operating, investigating, and troubleshooting large and complex cloud environments, DevSecOps experience welcome
Understand and demonstrate best practices for architecting and operating in multi-cloud environments in a scalable manner
Experience with large-scale application administration and debugging, Cloud Security Posture Management (CSPM) solutions, or automation via scripting or cloud-native approaches
Experience using industry standard forensic tools
Experience preserving desktops, laptops, mobile devices/tablets, servers, cloud and on-premises email implementations, nontraditional cloud data sources, social media, etc. in a forensically sound manner
Ability to communicate effectively and tactfully, both verbally and in writing, with team members and technical/non-technical clients
Ability to demonstrate superior organizational skills with acute attention to detail
Must be an energetic self-starter who can work within a team environment but also independently as the situation requires
Strong troubleshooting skills coupled with the ability to solve complex problems on the fly
Have experience working on incident response teams
Understand common threat actor tactics, techniques, and procedures (TTPs) and how they are chained together
Have experience leading threat hunts, using available logs and threat intelligence to proactively identify and investigate potential risks and suspicious behavior
Understand the NIST IR framework or competing IR lifecycle frameworks
Have the ability to write custom *nix scripts to gather evidence for investigation and forensics during an incident
Able to work independently and identify areas of need in highly ambiguous and time-sensitive situations
Have familiarity with MITRE ATT&CK and/or D3FEND frameworks
Understand major security compliance frameworks such as PCI, SOC 2, and FedRAMP as they relate to incident monitoring and response
Relevant industry security certifications such as CISSP, SANS GIAC (e.g. GCIH, GNFA, GCFE, GCFA, GREM), EnCE or other tool-based certifications, AWS certifications (SAA, SAP, or SCS), etc.
Familiarity with other security verticals such as: Incident Response, Threat Intelligence, Threat Detection, Application Security, Cloud Security, Offensive Security
Networking experience with LAN/WAN routing and high availability (OSPF, BGP4/iBGP, EIGRP, and NSRP) routing protocols and technologies
Knowledge of detection tools, for example: Nessus, Qualys, OSSEC, osquery, Suricata, Threat Stack, AWS GuardDuty
Ability to demonstrate common web application attacks such as SQL injection, XSS, and CSRF
Experience with IoT platforms, large-scale distributed systems, and/or client-server architectures