Cyber Incident Responder

1 month ago


Washington, United States CODICE Full time
Salary: $60-$75 per hour

POSITION SUMMARY:

CODICE seeks a highly skilled and experienced Cyber Incident Responder to join our team. The Cyber Incident Responder will be responsible for addressing cybersecurity incidents, minimizing damage, preventing future incidents, and assisting in the investigation and remediation of security breaches. This role will involve responding to real-time threats, conducting thorough analysis, and implementing appropriate countermeasures.


Duties and Responsibilities


    • Incident Response:
      • Lead the response to cybersecurity incidents following the incident response lifecycle (preparation, identification, containment, eradication, recovery, and lessons learned).
      • Quickly identify and assess security incidents to determine the scope and impact.
    • Frameworks and Methodologies:
      • Apply incident response frameworks and methodologies, such as NIST, SANS, and MITRE ATT&CK, to effectively manage and mitigate incidents.
      • Ensure alignment with organizational policies and regulatory requirements.
    • Forensics and Analysis:
      • Conduct digital forensics following best practice principles and techniques.
      • Use forensic tools like FTK, EnCase, Volatility, and Autopsy to analyze and preserve evidence.
      • Utilize common threat detection techniques, including signature-based, anomaly-based, and heuristic detection, to identify and analyze security threats.
    • Security Information and Event Management (SIEM):
      • Operate and manage SIEM tools such as Splunk and LogRhythm to gather and analyze security event data.
      • Perform real-time monitoring and threat detection, correlating logs and alerts to identify potential security incidents.
    • Network and Endpoint Security:
      • Analyze network traffic using tools such as Wireshark and tcpdump to detect and investigate anomalies.
      • Apply expert understanding of network protocols, particularly HTTP/S, to identify and respond to threats.
      • Implement and monitor endpoint security best practices and mitigation techniques.
      • Utilize Endpoint Detection and Response (EDR) solutions like CrowdStrike or similar tools for enhanced threat detection and response.
    • Cloud Security:
      • Manage and secure AWS cloud environments, ensuring compliance with cloud security best practices.
      • Leverage cloud security tools and services to protect cloud-based assets and data.
    • Communication and Reporting:
      • Document incident response actions and findings comprehensively, maintaining clear records for future reference and regulatory compliance.
      • Communicate effectively with stakeholders, providing incident status updates and security recommendations.
    • Continuous Improvement:
      • Participate in post-incident reviews to identify lessons learned and improve the incident response process.
      • Stay up-to-date with the latest cybersecurity threats, trends, and technologies to continuously enhance the organization's security posture.

Knowledge, Skills and Abilities

Technical Skills


Incident Response Lifecycle:

    • Preparation:
      • Demonstrated expertise in developing and maintaining incident response plans, including regular updates and conducting training exercises.
      • Proficiency in establishing communication protocols and ensuring all stakeholders are informed and prepared for potential incidents.
    • Identification:
      • Advanced skills in identifying and analyzing security incidents using various tools and techniques.
      • Strong understanding of indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) used by attackers.
    • Containment:
      • Ability to implement immediate measures to contain security breaches and prevent further damage.
      • Experience with short-term and long-term containment strategies.
    • Eradication:
      • Expert ability to remove malicious code, artifacts, and access vectors effectively.
      • Developing and executing thorough remediation plans to eliminate root causes.
    • Recovery:
      • Proficiency in restoring systems to normal operation, ensuring all vulnerabilities are addressed.
      • Knowledge of backup and disaster recovery processes.
    • Lessons Learned:
      • Experience conducting post-incident reviews, identifying lessons learned, and implementing improvements to the incident response process.


Incident Response Frameworks:

NIST and SANS:

In-depth knowledge of NIST and SANS incident response methodologies, ensuring compliance and best practices.

MITRE ATT&CK:

Familiarity with the MITRE ATT&CK framework for understanding adversary behavior and enhancing detection and response strategies.


Digital Forensics:

Principles and Techniques:

Basic knowledge of digital forensics principles, including data acquisition, preservation, analysis, and reporting.

Forensic Tools:

Hands-on experience using forensic tools such as FTK, EnCase, Volatility, and Autopsy for in-depth analysis of digital evidence.


Threat Detection:

Detection Techniques:

Comprehensive understanding of signature-based, anomaly-based, and heuristic detection techniques.

Proficiency in configuring and tuning detection tools to reduce false positives and enhance accuracy.


SIEM Tools:

Splunk and LogRhythm:

Demonstrated experience in deploying, configuring, and managing SIEM tools like Splunk and LogRhythm.

Proficient in creating custom queries, dashboards, and alerts to effectively monitor and analyze security events.


Malware Analysis:

Types and Behaviors:

Basic understanding of malware types, including viruses, worms, Trojans, ransomware, and their respective behaviors.

Experience with malware analysis tools and techniques to identify and mitigate threats.


Network Protocols:

HTTP/S:

Expert understanding of network protocols, with a focus on HTTP/S, to analyze and detect malicious activities.

Ability to interpret and analyze network traffic to identify potential threats and anomalies.


Network Traffic Analysis:

    • Wireshark and tcpdump:
      • Demonstrated experience in using network traffic analysis tools like Wireshark and tcpdump.
      • Ability to capture, analyze, and interpret network packets to identify suspicious activities and potential breaches.


Endpoint Security:

    • Best Practices and Mitigation:
      • In-depth knowledge of endpoint security best practices, including antivirus, anti-malware, and endpoint protection platforms (EPP).
      • Skills in implementing and maintaining endpoint security measures to protect against threats.
    • EDR Solutions:
      • Experience with Endpoint Detection and Response (EDR) solutions such as CrowdStrike or similar tools.
      • Proficiency in configuring, monitoring, and responding to alerts generated by EDR solutions.


Cloud Security:

    • AWS Environments:
      • Demonstrated experience with securing AWS cloud environments, including configuration, monitoring, and incident response for cloud assets.
      • Knowledge of AWS security best practices and services, such as IAM, CloudTrail, GuardDuty, and AWS Config.
    • Cloud Security Tools and Services:
      • Familiarity with cloud security tools and services to protect cloud-based resources and data.
      • Experience in implementing security measures for cloud applications and infrastructure.

QUALIFICATIONS


  • Bachelor's degree in Computer Science, Information Technology, Cybersecurity, or a related field.


Required Experience:

  • 5-7 years of hands-on experience in cybersecurity, with a specific focus on incident response, digital forensics, and network security. This experience should include managing and responding to cybersecurity incidents in both on-premises and cloud environments, using a range of tools and methodologies.
  • Incident Response: At least 5 years of experience in managing the full incident response lifecycle.
  • Digital Forensics: Experience with forensic tools and digital forensics principles.
  • SIEM and EDR Tools: Proficiency in utilizing SIEM tools like Splunk and LogRhythm and EDR solutions like CrowdStrike.
  • Network Analysis: Demonstrated experience in network traffic analysis and understanding network protocols.
  • Cloud Security: Practical experience in securing AWS cloud environments and using cloud security tools and services.


Required Licensure/Certification:

  • Industry-recognized certifications such as:
    • Certified Information Systems Security Professional (CISSP)
    • GIAC Certified Incident Handler (GCIH)
    • Certified Ethical Hacker (CEH)
    • Certified Forensic Computer Examiner (CFCE)
    • Offensive Security Certified Professional (OSCP)
    • AWS Certified Security – Specialty (for cloud security roles)
