DFIR Analyst

CyberMaxx
Linthicum, MD Full Time
POSTED ON 4/18/2025
AVAILABLE BEFORE 6/18/2025
Description:

A client calls in crisis. Their network team identified an unusual 2TB spike in traffic from their production Microsoft SQL server and confirmed it was not a backup job and such a spike had never previously been observed. Their internal SOC performed triage and found that ntds.dit was dumped on the primary domain controller around the same time MSSQL data was exfiltrated. There are 30,000 users in their Active Directory environment, 10 user VPNs spanning the globe, and multiple site-to-site tunnels to business partners. You are invited to join an emergency conference call with the CISO, all heads of engineering, and inside counsel. They look to you to manage the crisis. Are you confident in the cockpit? If so, we should talk.

The DFIR Analyst works closely with our Blue Team and Compliance departments. We are looking for a full-time employee to join us and be the primary contact on cases like the one described above.

Between large cases, the person in this role will help with service maturity and development, perform threat hunts for threat-hunting clients, and develop automation.

Responsibilities:

  • Incident response delivery. Manage the full life-cycle of an incident including crisis management, containment, incident project management, intrusion analysis, remediation, and developing recommendations.
  • Incident leadership. Capable of quickly creating an action plan, prioritizing, keeping teams on task, following through with commitments, and patience to see long complex tasks through to completion. Understand large complex production environments quickly and help make impromptu production decisions with clients.
  • Exceptional communication skills. Bedside manner. Able to remain levelheaded under pressure and strike the right balance between calming and driving everyone towards the end goal. Able to convey technical matters to non-technical leadership and provide customers and internal teams with status updates. Emotional maturity in difficult interactions. Create and present reports that tell the full incident story.
  • Forensics. Confident performing memory analysis, full disk forensics, and using a variety of security tooling on Linux, Windows, and OSX.
  • Intrusion Analysis. Perform intrusion analysis in customer environments as directed to identify, if possible, initial entry and later actions toward their objectives.
  • Attend and present at conferences and industry events, and contribute to blog posts and GitHub.
Requirements:

  • Track record of leading large-scale incident response where thousands of assets are affected is highly desired. Experience working with outside counsel and client senior leadership.
  • This position requires strong soft skills, but technical excellence is the top requirement. Instill confidence in clients that you know what you are doing, and earn their trust.
  • Corporate production operations experience. Able to make difficult decisions with clients in production environments, understanding the impact and risks and making the right judgment calls. Above-average understanding of Active Directory, virtualization platforms, database servers, network topology, software distribution, and storage.
  • Exceptional troubleshooting and analytical abilities.
  • Some scripting experience. Capable with Python or PowerShell. Able to parse files and interact with APIs.
  • Some reverse engineering. We have gifted reverse engineers, but the person in this role should be able to do basic static and dynamic analysis of untrusted executables, scripts, and blobs.
  • Cloud experience. Familiarity with AWS, Microsoft, and other popular cloud service logs, including their acquisition and analysis.
  • Knowledge of TTPs. Familiarity with Windows lateral movement, persistence, attack patterns in event logs, and OS internals.
  • Execute memory and full disk forensics on all major platforms. Familiarity with tools like log2timeline, Timesketch, Plaso, ELK, and Graylog.
  • Familiarity with forensics for civil litigation and HR investigations.
  • Fluency in at least one EDR or SIEM platform such as SentinelOne, CrowdStrike, Carbon Black, Endgame, or Cortex.
  • Flexible schedule. When a P1 incident is in progress, be willing to work the hours the situation demands. Comp time will be provided so a work-life balance is maintained.
  • Great written and verbal communication.
  • Comfortable with an online collaboration-based workflow. Encrypted chat is used to collaborate with remote colleagues, and reports are written as a group in many cases.
  • Discretion. We work on extremely sensitive subjects that cannot be discussed outside the company, and in some cases, even among coworkers.
  • Ability to occasionally travel.
