Remote Security Digital Forensics Engineer

Cloud Security Services

📍Remote - Worldwide

Job description

About the opportunity:

Cloud Security Services is seeking a Digital Forensics Engineer Consultant to support their Threat Management Team’s objectives to provide forensics acquisition and analysis support across environments and support root cause analysis to improve security posture.

Duration: 6-month contract

Rate: Depends on Experience

Responsibilities:

  • Collect, process, analyze, interpret, preserve, and present digital evidence across environments, including AWS.
  • Perform forensic triage of an incident to include determining scope, urgency, and potential impact within AWS and other cloud environments.
  • Conduct analysis of forensic images and available evidence in support of forensic write-ups for inclusion in reports and written products, with specific expertise in AWS cloud forensics.
  • Document forensic analysis from initial participation through resolution.
  • Document forensic workflows based on sound industry practices, especially within AWS environments.
  • Investigate data breaches leveraging traditional forensic tools and AWS-specific tools to determine the source of compromises and malicious activity.
  • Support incident response engagements, perform forensic investigations in AWS and other cloud platforms, contain security incidents, and provide guidance on longer-term remediation recommendations.
  • Develop, document, and refine procedures to accomplish discovery process requirements, with a focus on AWS-based infrastructures.
  • Manage all chain of custody best practices associated with the rules of evidence.
  • Mentor team members in incident response and forensics best practices within cloud environments, including AWS, to cultivate secondary resources to assist in larger collection events.

Required Skills:

  • Solid understanding of the forensic lifecycle and scoping activities, and of evidence acquisition on a range of devices, especially in AWS environments.
  • Forensics analysis background on the following platforms and technologies:
    • Cloud (AWS, Azure, GCP)
    • Windows/Mac/Linux OS
    • Physical and virtual network devices and platforms
  • Experience with performing reactive incident response functions in public cloud environments, particularly AWS (e.g., examining compute, storage, network, IAM, serverless, and other log sources to identify evidence of malicious activity).
  • 6+ years of incident response or digital forensics experience with a focus on AWS environments and a passion for cybersecurity, or equivalent education in Information Security, Computer Science, Digital Forensics, Cybersecurity, or a related field.
  • Ability to analyze and characterize cyber-attacks unique to AWS and other cloud platforms.
  • Understanding of SaaS, PaaS, and IaaS, with expertise in AWS.
  • Skilled in identifying different classes of attacks and attack stages, especially within AWS environments.
  • Understanding of system and application security threats and vulnerabilities, particularly in AWS.
  • Ability to document forensic workflows based on sound industry practice in AWS.
  • Understanding of proactive analysis of systems and networks, including creating trust levels, and understanding AWS authentication methods.
  • Hands-on experience with AWS services deployment, architecture, and troubleshooting in complex environments.
  • Understanding of APIs and ability to leverage them for building integrations, particularly within AWS environments.
  • Ability to write custom query logic for major Security Information and Event Management (SIEM) tools, specifically in AWS environments.
  • Ability to write SQL to search data warehouse databases, particularly in AWS-based infrastructures.
  • Familiarity with the following tools:
    • Forensic platforms and tools such as EnCase, FTK, X-Ways, SIFT, Redline and Volatility; log analysis platforms such as Splunk; network capture tools such as Wireshark and tcpdump; and other open-source forensic tools used within AWS.
    • Security Information and Event Management (SIEM) and Security Orchestration, Automation & Response (SOAR) platforms, including integrations with AWS.
    • Malware analysis and reverse-engineering tools.
    • Network and host intrusion detection systems (IDS) such as Snort/Sourcefire, Palo Alto, etc.
    • Endpoint Detection & Response (EDR).
    • Network sniffers and packet tracing tools such as DSS, Ethereal (now Wireshark), tcpdump, etc.
  • Proficient with host-based forensics and data breach response in AWS environments.
  • Experience preserving desktops, laptops, mobile devices/tablets, servers, both cloud and on-premises email implementations, nontraditional cloud data sources, social media, etc., in a forensically sound manner, particularly in AWS.
  • Ability to communicate effectively and tactfully both verbally and in written format to team members and technical/non-technical clients.
  • Ability to demonstrate superior organizational skills with acute attention to detail.
  • Must be an energetic self-starter who can work within a team environment but also independently as the situation requires.
  • Strong troubleshooting skills coupled with the ability to solve complex problems on the fly, especially in AWS cloud environments.
  • Have experience working on incident response teams and leveraging AWS security services.
  • Understand common threat actor tactics, techniques, and procedures (TTPs) and how they are chained together.
  • Have experience leading threat hunts using available logs and threat intelligence to proactively identify and investigate potential risks and suspicious behavior, especially in AWS environments.
  • Understand the NIST incident response lifecycle (SP 800-61) or competing IR lifecycle frameworks.
  • Have the ability to write custom *nix scripts to gather evidence for investigation and forensics during an incident, particularly in AWS cloud environments.
  • Able to work independently and identify areas of need in highly ambiguous and time-sensitive situations.
  • Have familiarity with MITRE ATT&CK and/or D3FEND frameworks.
  • Understand major security compliance frameworks such as PCI DSS, SOC 2, and FedRAMP as they relate to incident monitoring and response in AWS environments.
  • Excellent analytical skills.
  • Collaborative team worker – both in person and virtually using WebEx or similar.
  • Excellent documentation skills; demonstrated proficiency in Microsoft Office including Word, Excel and PowerPoint.
  • Ability to work as a liaison between business and information security/information technology.
  • Flexibility to accommodate working across different time zones.
  • Ability to work PST work hours.
  • Excellent interpersonal communication skills with strong spoken and written English.
  • Business outcomes mindset.
  • Solid balance of strategic thinking with detailed orientation.
  • Self-starter, ability to take initiative.
  • Project management and organizational skills with attention to detail.

Preferred Skills:

  • Relevant industry security certifications such as CISSP, SANS GIAC (e.g. GCIH, GNFA, GCFE, GCFA, GREM), tool-based certifications such as EnCE, AWS certifications (Solutions Architect Associate or Professional, or Security Specialty), etc.
  • Familiarity with other security verticals such as Incident Response, Threat Intelligence, Threat Detection, Application Security, Cloud Security, Offensive Security.
  • Networking experience with LAN/WAN routing and high availability (OSPF, BGP4/iBGP, EIGRP, and NSRP) routing protocols and technologies.
  • Knowledge of vulnerability scanning and detection tools, for example: Nessus, Qualys, OSSEC, osquery, Suricata, Threat Stack, Amazon GuardDuty.
  • Ability to demonstrate common web application attacks such as SQL injection, XSS, and CSRF.
  • Experience with IoT platforms, large-scale distributed systems, and/or client-server architectures.

Required Education:

Bachelor’s degree (BA/BS) in Computer Science from a four-year college or university; or equivalent training, education, and work experience. Cybersecurity certifications such as CISSP, CISM, etc.

Preferred Education:

Cybersecurity certifications such as CISSP, CISM, etc.
