Security Digital Forensics Engineer
Remote
Contracted
Experienced
About the opportunity:
Cloud Security Services is seeking a Digital Forensics Engineer Consultant to support their Threat Management Team’s objectives to provide forensics acquisition and analysis support across environments and support root cause analysis to improve security posture.
Duration: 6-Months Contract
Rate: Depends on Experience
Responsibilities:
- Collect, process, analyze, interpret, preserve, and present digital evidence across environments, including AWS.
- Perform forensic triage of an incident to include determining scope, urgency, and potential impact within AWS and other cloud environments.
- Conduct analysis of forensic images and available evidence in support of forensic write-ups for inclusion in reports and written products, with specific expertise in AWS cloud forensics.
- Document forensic analysis from initial participation through resolution.
- Document forensic workflows based on sound industry practices, especially within AWS environments.
- Investigate data breaches leveraging traditional forensic tools and AWS-specific tools to determine the source of compromises and malicious activity.
- Support incident response engagements, perform forensic investigations in AWS and other cloud platforms, contain security incidents, and provide guidance on longer-term remediation recommendations.
- Develop, document, and refine procedures to accomplish discovery process requirements, with a focus on AWS-based infrastructures.
- Manage all chain of custody best practices associated with the rules of evidence.
- Mentor team members in incident response and forensics best practices within cloud environments, including AWS, to cultivate secondary resources to assist in larger collection events.
Required Skills:
- Solid understanding of the forensic lifecycle and scoping activities, evidence acquisitions on a range of devices, especially in AWS environments.
- Forensics analysis background on the following platforms and technologies:
  - Cloud (AWS, Azure, GCP)
  - Windows/Mac/Linux OS
  - Physical and virtual network devices and platforms
- Experience with performing reactive incident response functions in public cloud environments, particularly AWS (e.g., examining compute, storage, network, IAM, serverless, and other log sources to identify evidence of malicious activity).
- 6+ years of incident response or digital forensics experience with a focus on AWS environments and a passion for cybersecurity, or equivalent educational experience in Information Security, Computer Science, Digital Forensics, Cybersecurity, or related fields.
- Ability to analyze and characterize cyber-attacks unique to AWS and other cloud platforms.
- Understanding of SaaS, PaaS, and IaaS, with expertise in AWS.
- Skilled in identifying different classes of attacks and attack stages, especially within AWS environments.
- Understanding of system and application security threats and vulnerabilities, particularly in AWS.
- Ability to document forensic workflows based on sound industry practice in AWS.
- Understanding of proactive analysis of systems and networks, including creating trust levels, and understanding AWS authentication methods.
- Hands-on experience with AWS services deployment, architecture, and troubleshooting in complex environments.
- Understanding of APIs and ability to leverage them for building integrations, particularly within AWS environments.
- Ability to write custom query logic for major Security Incident and Event Monitoring (SIEM) tools, specifically in AWS environments.
- Ability to write SQL to search data warehouse databases, particularly in AWS-based infrastructures.
- Familiarity with the following tools:
  - Forensics platforms such as EnCase, FTK, X-Ways, SIFT, Splunk, Redline, Volatility, Wireshark, tcpdump, and other open-source forensic tools used within AWS.
  - Security Incident and Event Monitoring (SIEM) and Security Orchestration, Automation & Response (SOAR), including integrations with AWS.
  - Malware analysis / reversal tools
  - Network and host intrusion detection systems (IDS) such as Snort/Sourcefire, Palo Alto, etc.
  - Endpoint Detection & Response (EDR)
  - Network sniffers and packet tracing tools such as DSS, Ethereal, tcpdump, Wireshark, etc.
- Proficient with host-based forensics and data breach response in AWS environments.
- Experience preserving desktops, laptops, mobile devices/tablets, servers, both cloud and on-premises email implementations, nontraditional cloud data sources, social media, etc., in a forensically sound manner, particularly in AWS.
- Ability to communicate effectively and tactfully both verbally and in written format to team members and technical/non-technical clients.
- Ability to demonstrate superior organizational skills with acute attention to detail.
- Must be an energetic self-starter who can work within a team environment but also independently as the situation requires.
- Strong troubleshooting skills coupled with the ability to solve complex problems on the fly, especially in AWS cloud environments.
- Have experience working on incident response teams and leveraging AWS security services.
- Understand common threat actor tactics, techniques, and procedures (TTPs) and how they are chained together.
- Have experience leading threat hunts using available logs and threat intelligence to proactively identify and investigate potential risks and suspicious behavior, especially in AWS environments.
- Understand the NIST IR framework or competing IR lifecycle frameworks.
- Have the ability to write custom *nix scripts to gather evidence for investigation and forensics during an incident, particularly in AWS cloud environments.
- Able to work independently and identify areas of need in highly ambiguous and time-sensitive situations.
- Have familiarity with MITRE ATT&CK and/or D3FEND frameworks.
- Understand major security compliance frameworks such as PCI, SOC 2, and FedRAMP as they relate to incident monitoring and response in AWS environments.
- Excellent analytical skills.
- Collaborative team worker – both in person and virtually using WebEx or similar.
- Excellent documentation skills; demonstrated proficiency in Microsoft Office including Word, Excel and PowerPoint.
- Ability to work as a liaison between business and information security/information technology.
- Flexibility to accommodate working across different time zones.
- Ability to work PST work hours.
- Excellent interpersonal communication skills with strong spoken and written English.
- Business outcomes mindset.
- Solid balance of strategic thinking with detailed orientation.
- Self-starter, ability to take initiative.
- Project management and organizational skills with attention to detail.
Preferred Skills:
- Relevant industry security certifications such as CISSP, SANS GIAC (e.g. EnCE, GCIH, GNFA, GCFE, GCFA, GREM, or additional tool-based certifications), AWS certifications (SAA, SAP, or SCS), etc.
- Familiarity with other security verticals such as Incident Response, Threat Intelligence, Threat Detection, Application Security, Cloud Security, Offensive Security.
- Networking experience with LAN/WAN routing and high availability (OSPF, BGP4/iBGP, EIGRP, and NSRP) routing protocols and technologies.
- Knowledge of detection tools, for example: Nessus, Qualys, OSSEC, osquery, Suricata, Threat Stack, AWS GuardDuty.
- Demonstrate how to execute common web application attacks like SQL Injection, XSS, CSRF.
- Experience with IoT platforms, large-scale distributed systems, and/or client-server architectures.
Required Education:
Bachelor's degree (BA/BS) in Computer Science from a four-year college or university; or equivalent training, education, and work experience. Cybersecurity certifications such as CISSP, CISM, etc.
Preferred Education:
Cybersecurity certifications such as CISSP, CISM, etc.