Description of the Position
Senior Incident Response Consultant | Digital Forensics & Incident Response | Full Time Position | Remote
A client calls in crisis. Their network team identified an unusual 2TB spike in traffic from their production Microsoft SQL server and confirmed it was not a backup job and such a spike had never previously been observed. Their internal SOC performed triage and found that ntds.dit was dumped on the primary domain controller around the same time MSSQL data was exfiltrated. There are 30,000 users in their Active Directory environment, 10+ user VPNs spanning the globe, and multiple site-to-site tunnels to business partners. You are invited to join an emergency conference call with the CISO, all heads of engineering, and inside counsel. They look to you to manage the crisis. Are you confident in the cockpit? If so, we should talk.
CipherTechs Digital Forensics & Incident Response Team is part of CipherTechs Offensive Security department, and works closely with our Blue Team and Compliance departments. We are looking for a senior full time employee to join us and lead cases like the one described above.
Between large cases the person in this role will help with service maturity and development, threat hunting MDR clients, and automation development.
- Incident response delivery. Manage the full life-cycle of an incident including crisis management, containment, incident project management, threat hunting, remediation, and developing recommendations.
- Incident leadership. Capable of quickly creating an action plan, prioritizing, keeping teams on task, following through with commitments, and patience to see long complex tasks through to completion. Understand large complex production environments quickly and help make impromptu production decisions with clients.
- Exceptional communication skills. Bedside manner. Able to remain level headed under pressure and strike the right balance between giving a calming affect and driving everyone towards the end goal. Able to convey technical matters to non-technical leadership, Providing customers and internal teams with status updates. Emotional maturity in difficult interactions. Create and present reports that tell the full incident story.
- Forensics. Confident performing memory analysis, full disk forensics, and using a variety of security tooling on Linux, Windows, and OSX.
- Threat hunting. Threat hunt in customer environments as directed. Identify potential breaches and investigate until resolution. Threat hunt during large incidents but also in customer environments that subscribe to our Threat Hunting service.
- DFIR service development. Improve and grow CipherTechs’ DFIR service offerings. Establish partnerships with cyber insurers, foster relationships with partners in the incident ecosystem. Work towards technical automation where possible. Further mature processes/playbooks. Develop additional IOCs and watchlists.
- Attend/present at conferences, contribute to blog posts and GitHub, and industry events.
- Experience in senior level DFIR position. Vast production experience expected. Track record of leading large scale incident response where thousands of assets are affected. Experience working with outside counsel and client senior leadership.
- Deeply technical. This position requires strong soft skills, but technical excellence is the top requirement. Instill confidence in clients you know what you are doing and earn trust.
- Corporate production operations experience. Able to make difficult decisions with clients in production environments, understanding the impact, risks, and making the right judgment calls. Above-average understanding of Active Directory, virtualization platforms, database servers, network topology, software distribution storage.
- Exceptional troubleshooting and analytical abilities
- Seniority with Linux and Windows. Must have strong practical experience in both environments.
- Senior level network experience. PCAP interpretation and parsing, understanding of L1-8 protocols
- IOC development. Effective with sigma, yara, and suricata. Bro experience is a plus.
- Some scripting experience. Capable with Python or PowerShell. Able to parse files and interact with APIs.
- Some reverse engineering. We have gifted reverse engineers but the person in this role should be able to do basic static and dynamic analysis of untrusted executables, scripts, and blobs
- Cloud experience. Familiarity with AWS, Microsoft, and other popular cloud service logs, acquisition, and analysis
- Knowledge of TTP. Deep familiarity with Windows lateral movement, persistence, attack patterns in event logs, and OS internals
- Execute memory and full disk forensics on all major platforms. Familiarity with tools like log2timeline, timesketch, plaso, ELK, Graylog
- Familiarity with forensics for civil litigation and HR investigations
- Fluency in at least one EDR or SIEM platform such as SentinelOne, CrowdStrike, Carbon Black, Endgame, Cortex.
- Flexible schedule. CipherTechs offers a lot of freedom around schedule, but when a P1 incident is in progress, be willing to work hours that t he situation demands. Comp time will be provided so a work life balance is maintained.
- Great written and verbal communication
- Comfortable with online collaboration based workflow. Encrypted chat is used to collaborate with remote colleagues and reports are written as a group in many cases
- Discretion. We work on extremely sensitive subjects that cannot be discussed outside, and in some cases, even among coworkers.
- Ability to occasionally travel. Our team’s work load is predominately remote but for occasional onsite requirements senior staff needs to be able to travel to client locations and maintain a good image for the company and team
- Ability to pass a criminal background check
- Competitive salary
- 401k plan
- Full medical and dental benefits
- Performance based bonus
- Full remote if desired or work in our NYC headquarters or Kilkenny Ireland office
- CipherTechs’ Offensive Security Team is boutique and does not seek to become a big-five consulting firm. Our team is small and maintains a collective identity of people that truly enjoy offensive operations.
- Work on great projects. CipherTechs has fascinating clients and projects that unfortunately cannot be discussed here but our plate is always full with interesting projects.
- Work for a great company. CipherTechs’ headquarters is two blocks from the NY Stock Exchange and we host a lot of client and company events. We engage and form friendships with clients and help build long lasting business relationships. CipherTechs founders are very technical and listen to engineering teams. Collaborate with the Red and Blue teams, Audit and Compliance. CipherTechs sales team sells a lot of different security products so our lab always has interesting things to attack, evade, and build play books against.
- If you have a certification and/or degree that’s great. If you don’t that’s no problem. You will be considered strictly based on your current abilities to do the job. CipherTechs will pay for cyber security relevant certifications if that interests you.
- Mobile or Internet expense reimbursement
- Maintain ownership of any published code (your GitHub account belongs to you)
- On-going training and infosec conference opportunities
- Opportunity to speak at CipherTechs technical events and infosec conferences