IR senior principal Analyst

The Incident Response Senior Principal Analyst leads a team of experts with diverse skill sets across areas such as Security Operations Center (SOC), Forensics, and other applicable technical Subject Matter Expert (SME) resources. The IR Senior Principal Analyst is specifically tasked with managing all aspects of an Incident Response engagement to include incident validation, monitoring, containment, log analysis, system forensic analysis, and reporting. The IR Senior Principal Analyst is also responsible for developing and sustaining strong relationships with our clients, and client’s counsel to ensure the engagement’s objectives and expectations are met and executed successfully as documented in the statement of work. The incumbent of this role should display a strong foundation of technical expertise in Cybersecurity, Incident Response, and Digital Forensics to successfully execute the responsibilities associated with this role.  

ROLES AND RESPONSIBILITIES

• Supports the management of the technical aspects from client setup and kickoff to supporting the reporting process.
• Co-leads project scoping calls to accurately collect information from the client concerning the incident to include but not be limited to the client’s environment, size, technology, and security threats. Responsible for capturing all client’s expectations and objectives throughout the engagement to ensure successful engagement delivery.
• Organize and maintain an inventory of requests sent to the client to include at a minimum public IP ranges, requested information (including systems for collection), collected logs, systems Skadi or full systems, and any other requested made of the client by Arete or counsel.
• Works directly with the client and other Arete team members to preserve and collect artifacts for forensic analysis.
• Engages in communications with the TA for negotiation and recovery of decryption keys or manages the ransomware specialist team.
• Ensures deadlines are met and timely update meetings are established with client and counsel.
• Responsible for quality control over the budget of engagement and proactively identifying the need for addendums for engagements. Discusses with counsel before provided addendum.
• The main point of contact who manages and participates in all communications with the client and client’s counsel during the engagement. Assists with the development of communications.
• Supports the management and coordination of all technical efforts for the IR engagement to drive the process forward through; tool deployment, ransomware decryption, restoration, and recovery efforts, system rebuilds, system, application, and network administration tasks. 
• Coordinates with the Ransom Specialist when ransom negotiations are needed. Ensures updates regarding ransom status are delivered to the client and counsel in a timely fashion.
• Manages and coordinates the onsite efforts with the Onsite Lead or team ensuring they understand and can execute the objectives for the onsite work. Additional responsibilities with onsite efforts include ensuring communications are frequent and getting the daily onsite update communicating these back to the IR Director and/or IR Ops Associate for their Tiger Team.
• Co-manages restoration team when engaged with the client for recovery of systems, data collection, and SentinelOne (S1) deployment.
• Partners with the Forensic Lead to coordinate additional data collection requests pertinent to the investigation.
• Communicates in tandem with the Forensic Lead relevant findings to the client during the investigation.
• Designs and executes a strategy to install S1 and live response data within the SLAs set by Arete.
• Manage the SOC for accurate reporting of S1 metrics from threats to checked-in systems based on the need from the client.
• Follows up with the SOC Lead on SentinelOne alerts and encourages/coordinates client participation with the product. 
• Organizes the updates for client and counsel and acts as the "quarterback" for leading update calls when prompted by counsel; maintains an organized and methodical approach for providing updates from negotiations, system restoration, data collection forensics, and closeout. Accountable for final report review, ensuring the report is accurate, professional, and meets the objective of client counsel.
• Can troubleshoot instability issues within infected operating systems and stabilize the system for continued recovery.
• Cross trains across the IR services within SOC, IR Lead, Forensics, and Restoration.
• Supports peers and IR Directors within the engagement lifecycle. Familiarizes oneself with the negotiation tactics and communications with threat actors.

• Other duties as assigned.

DISCLAIMER

The above statements are intended to describe the general nature and level of work being performed. They are not intended to be an exhaustive list of all responsibilities, duties, and skills required personnel so classified. 

SKILLS AND KNOWLEDGE

1. Experience delivering consulting engagements in a fast-paced environment
2. Experience leading scoping calls
3. Strong background and practical hands-on experience with Windows or Linux System and Network Administration, Security DevOps, Incident Response and Digital Forensics, or Security Engineering
4. Practical experience performing in a functional role including but not limited to one or more of the following disciplines: computer forensics, Incident Response, data analytics, Security Operations, and Engineering, Digital Investigations
5. Knowledgeable of collection methodologies and tools.
6. Comfortable working within various OS including Windows, Linux, and OSX
7. Organized communications and notes
8. Communicates clearly and concisely
9. Generally knowledgeable of the multiple services that comprise an IR investigation
10. In-depth knowledge of the ransom negotiation process and details it accordingly to clients