Minimum required qualifications
- 5+ years of relevant work experience
- In-depth knowledge of digital forensics in relation to the Windows operating system, including the ability to parse and interpret various artifacts accurately to provide historical context when performing an investigation
- Equivalent knowledge in Linux, macOS, and memory captures also desirable
- Experience acquiring both disk and memory images
- Experience conducting forensic investigations involving the collection and analysis of data from Microsoft cloud products - including both Microsoft Entra ID and Azure workloads
- Equivalent knowledge in third-party Cloud and identity providers also desirable
- In-depth knowledge of enriching investigations utilizing a SIEM solution - from understanding what artifacts should be centralized and for how long, to how that data is structured within various SIEM products, and familiarity with querying those solutions effectively
  - Including the analysis of data ingested from additional sources such as firewalls, VPNs, and third-party AV and EDR solutions
- Familiarity with Kusto Query Language or similar database query language for manipulating data
- Experience with programming/scripting
- Approaches Threat Hunting with a data science-focused mindset, and is intimately familiar with different hunting methodologies and their place within the analysis cycle, e.g. leveraging known threat intelligence sources to perform IOC Hunting, vs. hunting for common attacker behaviors with TTP Hunting, vs. identifying and investigating outliers across large datasets with Anomaly Hunting
- Ability to take a risk-based approach when hunting through large datasets, including the ability to generate targeted recommendations based on those findings depending on the overarching incident, and to raise time-sensitive remediation actions when appropriate
- Extensive experience Threat Hunting in both reactive incident response scenarios (to identify initial access, lateral movement, persistence mechanisms, staging and exfiltration, and impact) and proactive scenarios (to identify opportunities to reduce unnecessary risk or improve overall maturity, or to find evidence of an undiscovered compromise)
Additional Qualifications
- Familiarity with effective operational management processes to ensure effective tasking amongst your internal team members when managing hunting through expansive datasets in a limited window of time
- Ability to operate effectively in high pressure incident response environments where customers are experiencing a potentially business-ending event and your findings dictate their next steps
- Ability to communicate complex and technical findings effectively to customer representatives of varying levels - from deep and accurate forensic findings being shared with security analysts, through to communicating the effective impact of your findings to the C-suite level
- Experience working with methods utilized for evidence collection, maintenance of chain of custody and associated documentation, evidence storage and analysis, and evidentiary reporting
- Experience with some of the following is a distinct advantage:
  - Demonstrated history of working as a threat hunting analyst, engineer and consultant to successfully investigate cases of advanced targeted exploitation or similar interactive hacking cases
  - Proven experience in helping enterprises manage vulnerabilities, measure security and ensure compliance
  - Recognized as a subject matter expert in various security disciplines with a deep understanding of real-world APT tools, tactics, and procedures
  - Cloud SaaS and PaaS experience and an understanding of investigations in those environments (Azure, AWS, Google) and leveraging cloud for investigation scale
  - Solid grasp of common cyber frameworks and models such as the MITRE ATT&CK, Cyber Kill Chain, Diamond Model, Pyramid of Pain, DeTT&CT and modern penetration testing techniques
  - International consulting experience is a plus
  - Eligibility for a government security clearance is a plus
Ability to meet Microsoft, customer and/or government security screening requirements is required for this role. These requirements include, but are not limited to, the following specialized security screenings: Microsoft Cloud Background Check: This position will be required to pass the Microsoft Cloud Background Check upon hire/transfer and every two years thereafter.