XOR Security is currently seeking several talented Forensic and eDiscovery Analysts to support an Agency-level Focused Operations (FO) team at DHS. Focused Operations is part of an advanced analytics capability of the larger Security Operations Center (SOC) program that provides comprehensive Computer Network Defense (CND) and Response support through 24×7×365 monitoring and analysis of potential threat activity targeting the enterprise. Forensic and eDiscovery analysts will conduct advanced security event analytics, host-based forensics, enterprise data collection, incident investigation, and investigational reporting in support of the CND operational mission. XOR staff are at the forefront of providing CND Operations with analysis, incident handling and security engineering support, including the development of advanced analytics and countermeasures to protect critical assets from hostile adversaries.
To ensure the integrity, security and resiliency of critical operations, we are seeking candidates with diverse backgrounds in cyber security systems operations, analysis and incident response. Strong written and verbal communication skills are a must. The ideal candidate will have a solid understanding of cyber threats and information security in the domains of Insider Threat, Incident Response, Forensics, and Observables. Additionally, the ideal candidate will be familiar with host-based forensics tools, insider threat monitoring tools, intrusion detection systems, security information and event management and log management platforms, endpoint threat detection tools, and security operations case management.
Candidates must have the following qualifications:
• For Junior analysts, 1 year of hands-on experience in a host-based forensics environment. For Mid-level analysts, at least 3 years of hands-on experience in a host-based forensics and incident response environment, including leading investigations.
• Active Secret and/or DHS Agency Clearance.
• Experience with Chain of Custody, case management, incident response and host-based forensics.
• Strong analytical and technical skills in computer network defense operations, ability to lead/support efforts in Incident Handling (Detection, Analysis, Triage), Hunting (anomalous pattern detection and content management) and Malware Analysis.
• Prior experience with, and the ability to analyze, information technology security events to discern events that qualify as legitimate security incidents as opposed to non-incidents. This includes security event triage, incident investigation, implementing countermeasures, and conducting incident response.
• Strong logical/critical thinking abilities, especially in analyzing investigational logs and security events (Windows event logs, Tanium queries, network traffic, IDS events) for malicious intent.
• Strong proficiency in report writing: a technical writing sample and a technical editing test will be required if the candidate has no prior published intelligence analysis reporting. Excellent verbal and written communication skills and the ability to produce clear and thorough security incident reports and briefings.
• Excellent organizational skills and attention to detail in tracking activities within the various Security Operations workflows.
• A working knowledge of the various operating systems (e.g. Windows, OS X, Linux, etc.) commonly deployed in enterprise networks; a conceptual understanding of Windows Active Directory is also required, along with a working knowledge of network communications and routing protocols (e.g. TCP, UDP, ICMP, BGP, MPLS, etc.) and common internet applications and standards (e.g. SMTP, DNS, DHCP, SQL, HTTP, HTTPS, etc.).
• Experience with the identification and implementation of counter-measures or mitigating controls for deployment and implementation in the enterprise network environment.
• Extensive experience conducting forensic analysis on compromised systems using digital forensics tools (e.g. EnCase, FTK).
• Experience with Cyber, Insider Threat and Policy Violation Investigations, and conducting eDiscovery investigations.
• Data recovery experience from failed hard drives and/or USB drives.
• Must have working knowledge of parsing and analyzing Exchange, Active Directory, and restored data, including link analysis, filtering and file recovery, and of producing reports on such data.
• Must possess past experience performing restoration of tape backups for criminal and administrative investigations, utilizing Linux- and Windows-based solutions such as Symantec NetBackup and Backup Exec.
• Proficiency in cyber threat exploitation patterns, from discovery through establishing a persistent presence.
• Provide subject matter expertise support in the detection, analysis and mitigation of malware, trends in malware development and capabilities, and proficiency with malware analysis capabilities.
• Knowledge and proficiency using the tools and techniques required to successfully conduct dynamic and static analysis of binary samples.
• Bachelor’s Degree in Information Technology, Cyber Security, Computer Science, Computer Engineering, or Electrical Engineering.
• Previous hands-on experience with Security Information and Event Management (SIEM) platforms and log management systems that perform log collection, analysis, correlation, and alerting is required (preferably Splunk or ArcSight).
• Ability to develop rules, filters, views, signatures, countermeasures and operationally relevant applications and scripts to support analysis and detection efforts.
• Digital Forensic and Incident Response certifications such as GCIA, GCFA, GCFE, GNFA, GCIH, ECSA, CHFI, CCE, CFC, EnCE, CFCE, or GREM; or, for Junior-level personnel, Security+, Network+, or A+.
• Experience in supporting FOIA requests as well as investigations for Internal Affairs, Inspector General, or law enforcement.
• Ability to work on-call during critical incidents or to support coverage requirements (including weekends and holidays when required).