Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Jobs InfoSec Jobs

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Digital Forensics and Incident Response (DFIR) Investigator
Company Citi
Location Irving TX
Preferred GIAC Certifications GMON, GCIH, GCIA, GIAC
Travel 10%
Salary DOE
URL https://citi.wd5.myworkdayjobs.com/2/job/Irving-Texas-United-States/Senior-Cyber-Analyst_20239394
Contact Name Apply via Website
Contact Email mshrewsbury/at/sans.org
Expires 2021-06-10

Job Description

Excited to grow your career?

We value our talented employees, and whenever possible strive to help one of our associates grow professionally before recruiting new talent to our open positions. If you think the open position you see is right for you, we encourage you to apply!

Our people make all the difference in our success.

As an individual contributor, you will be a hands-on incident responder and digital forensics expert actively investigating cases involving cloud, traditional on-premises infrastructure/components, and hybrid environments. This position will tap into your expertise while continuing to hone your skills in establishing strong partnerships, mentoring, motivating, and keeping you technically challenged. One guarantee is that no two days will be the same.

Responsibilities
Related activities include but are not limited to:

Conduct and/or support hands-on teams for in-depth high profile/ impact cyber investigations for cloud, traditional, and hybrid environments.
Perform incident response functions including but not limited to host-based analytical functions (e.g. digital forensics, metadata, malware analysis, etc.) through investigating Windows, Unix based, appliances, and Mac OS X systems to uncover Indicators of Compromise (IOCs) and/or Tactics, Techniques and Procedures (TTPs).
Create and track analytics based on the MITRE ATT&CK Framework and other industry security focused models.
Work with other SMEs of involved apps and infrastructure to identify key components and information sources such as environments (on-premises versus cloud), servers, workstations, middleware, applications, databases, logs, etc.
Participate in active incident response efforts using forensic tools including but not limited to Encase, X-Ways, SIFT, Cellebrite, Splunk, Magnet Axiom, and other custom tools to determine the source of compromises and/or malicious activities taking place.
Collaborate with global multidisciplinary groups for triaging and defining the scope of high profile/ impact cyber investigations.
Document and brief high profile and/or risk focused Cyber investigations.
Participate in purple teams, table tops, AWS Jams, regulatory exercises, etc.
Train less experienced digital forensic cyber investigators in incident response and forensics best practices.
Qualifications
You should be all of the following:

A skilled and creative digital forensic incident response investigator. Success will depend on your ability to:
Stay current with the evolving landscape of threat activities and cybersecurity best practices.
Quickly synthesize information from disparate sources.
Scrutinize evidence thoroughly to identify relationships and develop leads.
Establish defensible working theories to explain observations and findings.
Perform investigations in a forensically sound manner.
A goal oriented individual contributor. Success will depend on your ability to:
Stay motivated and work independently with minimal oversight.
Adapt to changing requirements in a fast paced environment.
Multitask and meet deadlines despite competing priorities.
Navigate operational impediments in order to complete time sensitive tasks.
Identify and document any opportunities for process improvement.
​A reliable team player. Success will depend on your ability to:
Practice mutual respect at all times.
Establish trust and build strong partnerships.
Resolve conflict in a constructive manner and use as an opportunity to develop team unity.
Prioritize collective success ahead of individual ambition.
​A great communicator. Success will depend on your ability to:
Establish clear narratives to describe investigative findings and working theories.
Clearly and concisely articulate any recommendations that arise from investigative activities.
Motivate colleagues and partners to cooperate and support as needed.
Exert influence both verbally and in writing.
A passionate leader. Success will depend on your ability to:
Lead by example.
Enable team success by being approachable and available.
Innovate and inspire self and others.
Not be afraid to fail, but able to learn from your experiences.
Minimum Requirements
Education, knowledge, and Experience:
Bachelor's degree in a technically rigorous domain such as Computer Science, Information Security, Engineering, Digital Forensics, etc.
5+ years of professional experience in cybersecurity and/or information security, or demonstrated equivalent capability.
2+ years hands-on working in Cyber incidents analysis in medium to large organizations with cloud and forensics components.
Experience in Cloud Forensics/IR
Hands-on Dev/Sec/Ops experience with cloud environments (e.g. AWS, GCP, Azure) and underlying storage, compute and monitoring services (e.g. AWS S3, EC2, CloudTrail, CloudWatch, GuardDuty, AWS Config, KMS, IAM, Athena, etc).
Prior experience with AWS common services (e.g. Federation, Organizations, Lambda, DynamoDB, Route53, VPC)
Hands-on experience with forensic investigations or large scale incident response in cloud environments (e.g. AWS, GCP, Azure).
Hands-on experience with containerization methods and tools (e.g. Docker, Kubernetes, Twistlock) including incident response and digital forensics.
Foundational or Associate AWS Certification (e.g. Cloud Practitioner, Developer, SysOps Administrator), or demonstrated equivalent capability
Experience in Digital Forensics/IR
Hands-on experience with analyzing and pivoting through large data sets (e.g. Splunk, Elasticsearch/Logstash/Kibana -ELK / Elastic Stack)
Current hands-on experience in digital forensics (e.g. computer, network, mobile device forensics, and forensic data analysis, etc).
Activities include but not limited to:
e-Discovery process and procedures (e.g. tools including but not limited to Nuix, Relativity, etc.)
In-depth Memory focused collection and analysis from various platforms using tools such as Redline, Volatility, Rekall, etc.
Evidence preservation best practices.
In-depth Malware analysis and Reverse Engineering of samples (e.g. static, dynamic analysis, de-obfuscation, unpacking,)
In-depth File system knowledge and analysis.
In-depth experience with timeline analysis.
In-depth experience with Registry, event, and other log file and artifact analysis.
Hands-on experience with a DFIR toolset (e.g. EnCase, FTK, Sleuth Kit) and related scripting (e.g. EnScripts, EnConditions)
Hands-on experience with some of the following tools: YARA, SIFT Workstation, Wireshark, Plaso, Metasploit, Rekall, Cellebrite, X-Ways. WireShark, TCPDump, Magnet Axiom, AWS CLI
Current expertise with an EDR system (e.g. Tanium, Crowdstrike Falcon)
One or more GIAC (e.g. GCFE, GCFA, GREM, GCIH, GASF, GNFA, etc.) or other digital forensic and incident response certifications.
Experience in the following operating systems:
Windows Operating Systems / UNIX / Mac OS X
System Administration
Advanced command line
Shell code
Networking
Advanced File system knowledge
Windows / Linux / Mac OS X Security
Windows / Linux / Mac OS X Hardening
Memory dump
Application security
Windows / Linux / Mac OS X security and admin utilities
Experience in Basic Scripting and Automation
Proficient in basic scripting and automation of tasks (e.g. C/C++, Powershell, JavaScript, Python, bash, etc.).
Network Concepts and Understanding
Working knowledge of networking protocols and infrastructure designs; including routing, firewall functionality, host and network intrusion detection/prevention systems, encryption, load balancing, and other network protocols.
Other
Working knowledge of relational database systems and concepts (SQL Server, PostgreSQL, etc.)
Working knowledge of virtualization products (e.g. VMware Workstation)
Must have flexibility to work outside of normal business hours when necessary.
Exceptional candidates who do not meet these criteria may be considered for the role provided they have the commensurate skills and experience from non-traditional backgrounds
This job description provides a high-level review of the types of work performed. Other job-related duties may be assigned as required.

-------------------------------------------------

Job Family Group:

Corporate Services

-------------------------------------------------

Job Family:

CSIS Management & Operations

------------------------------------------------------

Time Type:

------------------------------------------------------

Citi is an equal opportunity and affirmative action employer.

Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Citigroup Inc. and its subsidiaries ("Citi”) invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi.

View the "EEO is the Law" poster. View the EEO is the Law Supplement.

View the EEO Policy Statement.

View the Pay Transparency Posting

-------------------------------------------------

Job Family Group:

Corporate Services
-------------------------------------------------

Job Family:

CSIS Management & Operations
------------------------------------------------------

Time Type:

------------------------------------------------------

Citi is an equal opportunity and affirmative action employer.

Qualified applicants will receive consideration without regard to their race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.

Citigroup Inc. and its subsidiaries ("Citi”) invite all qualified interested applicants to apply for career opportunities. If you are a person with a disability and need a reasonable accommodation to use our search tools and/or apply for a career opportunity review Accessibility at Citi.

View the "EEO is the Law" poster. View the EEO is the Law Supplement.

View the EEO Policy Statement.

View the Pay Transparency Posting