Cyber Risk Defense Consultant V - Incident Response

Tier 2 and tier 3 incident response functions, including Strong experience with 1) computer incident response and the underlying systems, platforms, and applications, 2) malware analysis, 3) Endpoint Detection and Response (EDR), 4) computer forensics, and 5) strong understanding of attacker and malware techniques and methods of unauthorized access containment

The Consultant-level Incident Handler uses incident response, investigative, and forensics skills to respond to breaches implement containment measures, and investigate impacts. This includes appropriate data collection, preservation, mitigation, remediation requirements, and security improvement plans. The Incident Handler will utilize forensic best practices and provide chain of custody service for criminal investigations (e.g., employee situations, fraud, etc.).

• Collects and preserves digital evidence in a forensically sound manner according to best practices
• Evaluates artifacts (processes, services, drivers, libraries, binaries, scripts, memory, network traffic, file, email, and other objects) for malicious activity, exploitation, and/or unauthorized access
• Identifies attack vectors, exploit methods, malicious code, C2 activity, and persistence mechanism
• Identify containment controls to halt attacks in progress against affected or exposed resources
• Performs analysis to determine scope, risk, and impact of breach or exposure
• Performs root cause analysis and recommend mitigation strategies
• Properly and thoroughly document incident findings, evidence, analysis steps, and create status updates, findings reports, and recommendations
• Focus on preserving uptime and minimize the impact on business and medical services

This senior level employee is primarily responsible for overseeing the maintenance and protection of integrity and reliability of the security of data, systems and networks.

• Conducts or oversees business-specific projects by applying deep expertise in subject area; promoting adherence to all procedures and policies; developing work plans to meet business priorities and deadlines; determining and carrying out processes and methodologies; coordinating and delegating resources to accomplish organizational goals; partnering internally and externally to make effective business decisions; solving complex problems; escalating issues or risks, as appropriate; monitoring progress and results; recognizing and capitalizing on improvement opportunities; evaluating recommendations made; and influencing the completion of project tasks by others.
• Practices self-leadership and promotes learning in others by building relationships with cross-functional stakeholders; communicating information and providing advice to drive projects forward; influencing team members within assigned unit; listening and responding to, seeking, and addressing performance feedback; adapting to competing demands and new responsibilities; providing feedback to others, including upward feedback to leadership and mentoring junior team members; creating and executing plans to capitalize on strengths and improve opportunity areas; and adapting to and learning from change, difficulties, and feedback.
• Leads team in the proactive monitoring and/or response to known or emerging threats against the KP network.
• Effectively communicates investigative findings to non-technical audiences.
• Plans and facilitates regular operations meeting with Cyber Risk Defense Center (CRDC) teams.
• Supports closed loop processes on security efforts by providing feedback to the TDA leads and/or leadership.
• Participates in information fusion procedures across operations and engineering, including activities such as Use Case planning/development, Use Case quality assurance validation, and response procedure documentation.
• Serves as a liaison between stage teams and upper management by identifying issues, improvement areas, or security/architectural gaps and suggesting appropriate improvements.
• Drives the development of the CRDC intellectual capital by leading process or procedure improvements, consulting on brown bag training sessions, and leading the development of new training documents.
• Partners with the CRDC Policy Engineers and Remediation teams to contain identified issues and determine the best approach for improving security posture.
• Facilitates follow-up remediation design and review efforts.
• Leads the investigation and triage of security events across multiple domains.
• Leads complex data analyses in support of security event management processes, including root cause analysis.
• Coordinates the response and resolution of high impact or critical cyber security incidents.
• Leads the deployment of threat detection capabilities and/or incident response plans which may include after-hours support and coordination among responsible teams.
• Drives the execution of incident detection and/or handling processes which may include containment, protection, and remediation activities.