Insider Threat & Cyber Forensics SME

About The Position

Requirements

• Requires BS degree and 12 or more years of direct relevant experience .
• D egree in computer science, IT, Information/Cyber Security field from an accredited college or university .
• Clearance: Must be able to obtain customer specific public trust clearance. (Can take 4-6 months or longer for a new clearance)
• Flexible and adaptable self-starter with strong relationship-building skills
• Effective communication skills with emphasis on attention to detail, ability to accurately capture and document technical remediation details, and ability to brief stakeholders on incident statuses, recovery and root causes.
• Demonstrable experience performing forensic analysis, digital media analysis, and in-depth system & network log analysis in support of forensic investigations.
• Ability to generate forensically sound cyber analysis reports detailing forensically sound analysis procedures, findings, and recommendations from incident investigations.
• Strong problem-solving abilities with an analytic and qualitative eye for reasoning under pressure .
• Ability to independently prioritize and complete multiple tasks with little to no supervision.
• The candidate should have at minimum ONE of the following certifications: GCIH – Certified Incident Handler GCFA – Certified Forensic Analyst GCFE – Certified Forensic Examiner GREM – Reverse Engineering Malware GISF – Security Fundamentals GXPN – Exploit Researcher and Advanced Penetration Tester GCTI – Cyber Threat Intelligence GOSI – Open Source Intelligence OSCP (Certified Professional) OSCE (Certified Expert) OSWP (Wireless Professional) OSEE (Exploitation Expert) CCFP – Certified Cyber Forensics Professional CISSP – Certified Information Systems Security CHFI – Computer Hacking Forensic Investigator LPT – Licensed Penetration Tester CSA – EC Council Certified SOC Analyst (Previously ECSA – EC-Council Certified Security Analyst) CTIA – EC-Council Certified Threat Intelligence Analyst
• Clearance: Must be able to obtain customer specific public trust clearance. (Can take 4-6 months or longer for a new clearance)

Nice To Haves

• SANS GREM certification
• Previous experience contributing to or leading insider threat investigations in support of Federal Government, DOD, or Law Enforcement environments.
• Experience performing computer forensics in Federal Government, DOD or Law Enforcement environments.
• Ability to script in one more of the following computer languages Python, Bash, Visual Basic or PowerShell .
• Knowledge of the Cyber Kill Chain and MITRE ATT&CK framework
• Advanced understanding of multiple Operating Systems, monitoring and detection techniques and methods, and Incident Response Lifecycle .
• Prior experience with CBP/DHS
• Between 2-3 years of experience in two or more of these specialized areas: Insider Threat Digital M edia F orensic s Incident Response

Responsibilities

• Provide support to CBP OIT’s Cyber Defense Forensic s (CDF) team in support of insider threat and security operations according to established policies, handbooks, and CBP CDF Standard Operating Procedures (SOPs).
• Support includes monitoring activities, conducting threat analysis, investigating policy violations, identifying mitigation and/or remediation courses of action, and assessing risk posed by trusted insiders.
• Work with the OIT tools to process incidents , investigate potential insider threats, spillages of multiple types of classified and/or controlled data, conduct root cause analyses into suspicious or malicious activity, and assist with SOC i ncidents / OPR investigations as needed .
• Conduct formal digital forensic investigations supporting insider threat investigations and document findings in formal , forensically sound investigation reports.
• Provide recommendations for Information Spillage Incident Response efforts on handling and sanitization methods pursuant to industry best practices, NIST 800-88 recommendations, and Federal guidelines.
• Conduct enterprise and system(s) endpoint analysis (e.g., Windows, Linux, Mac, Cloud , and mobile systems) and network based digital forensic analysis
• Perform e mail hygiene activities in support of CBP investigations .
• Support enterprise recovery efforts as necessary to ensure that security events and incidents are properly remediated prior to restitution.
• Utilize state of the art forensic tools (FTK/Encase, etc . ) to perform computer, mobile phone forensics and memory analysis (volatility, rekall ) in support of incident response .
• Conduct reverse engineering of suspicious files utilizing dynamic, automated and static analysis.
• Properly preserve evidence, maintain chain of custody and write malware analysis or forensic reports.
• Recognize attacker and APT activity, tactics, and procedures (TTPs) and I ndicators of C ompromise (IOCs) that can be used to improve monitoring, analysis, and incident response.
• Install, secure, maintain and recommend forensic software and hardware within a Forensic Lab environment while following established configuration management processes.
• Develop and build security content, scripts, tools, or methods to enhance forensic processes and insider threat investigations .
• Effectively investigate and identify root cause findings then communicate findings to stakeholders including technical staff, and leadership.
• Develop and maintain Standard Operating Procedures (SOPs) and playbooks as deemed necessary.