SUMMARY
The forensic intern will work and learn the processes, approach, and methodology to perform investigations of Business Email Compromise and ransomware matters. The role of the forensic intern is to work with the forensic team members and analysts on the Tiger Teams to learn and perform triage-level analysis of the collected images, data, and available logs (e.g., SentinelOne, firewall logs, DLP logs, etc.) and more in-depth advanced analysis under the direction and guidance of the senior analysts and forensic lead. The forensic intern should work to help develop the narrative and story in conjunction with the Tiger Team members under the direction of the forensic lead or senior analysts. The Digital Forensics & Incident Response (DFIR) team works together to support clients and help restore business operations during an incident through the identification of threat actor behavior and activity.
The forensic intern is a temporary role working to learn and understand DFIR delivery with an opportunity to advance to a full-time associate forensic analyst role. It supports the Forensic Lead and Tiger Team responsible for assisting the team with the delivery of active ransomware, investigations, and Business Email Compromise projects assigned to the respective Tiger Teams.
ROLES & RESPONSIBILITIES
- With guidance, performs digital forensic analysis on Windows, Apple Mac, and Linux-based operating systems, including the analysis of email log files and log files for networking appliances, including but not limited to VPN and firewall appliances
- Ability to leverage forensic tools including EnCase, FTK, X-Ways, Axiom, and other custom investigation tools to identify malicious activity that occurred within client environments
- The candidate should be able to perform forensic analysis with guidance on:
  - Host-based systems including Windows and Mac OS X to identify indicators of threat actor activity and compromise.
  - Analysis of M365 or Microsoft Exchange log files to identify evidence and artifacts of malicious and compromised activity.
- Learns and performs triage-level analysis of the collected images, data, and available logs (e.g., SentinelOne, Firewall Logs, DLP Logs, etc.) with guidance
- Documents forensic findings in accordance with the standards set forth within the Arete Forensic Tracker and learns to develop a narrative story, master timeline, and visual attack map of the events based on the findings of the analysis
- Works closely with the DFIR-Forensic Tiger Teams to develop and provide status updates and summaries of findings to the senior forensics team members, senior forensic analysts, forensic leads, and DFIR leadership
- Identifies Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) for variants related to the case delivery of forensic findings
- Learns to document data and deliver findings through forensic trackers and forensic updates to the internal Tiger Team analysts team, outlining the narrative story and the timeline of events based on the forensic findings
- Documents analysis and captures data points related to investigations to enhance and inform our threat intelligence
- Learns to update and use project management systems and templates to document the forensic findings, case analyst notes, the forensic tracker, timeline, and attack map for collaboration within the team in our centralized case location
- Identifies the timing and persistence mechanism of the initial intrusion, adversary actions, timeline of activity/lateral movement, and indicators of data access and/or exfiltration based on the analysis
- Develops the forensic report for investigations related to ransomware and business email compromise
- Is responsible for integrity in analysis and quality in reports and deliverables, as well as documenting and gathering information and potential threat intelligence based on the caseload
- Able to manage multiple projects on a daily basis
- Has diligence with documentation, the tracking of forensic findings, and the allocation of hours in the Master Planner software to provide real-time visibility to DFIR leadership
- May perform other duties as assigned by management
SKILLS AND KNOWLEDGE
- Basic understanding of forensic artifacts, including (but not limited to) the analysis of operating system artifacts and the recovery of deleted items from Windows operating systems and Windows event logs
- Ability to use project management systems and templates to document the forensic findings for collaboration within the team in our centralized case location
- Ability to manage multiple projects on a daily basis
- Working knowledge and understanding of the NTFS, APFS, and Linux and Unix operating system structure
- Working knowledge of the M365 and Exchange log files, including Unified Audit Logs, Message Trace logs, and Purview logs
- Experience with Linux or Mac forensics desired but not required
- Experienced in performing host-based forensics, network forensics, malware analysis, and data breach response
- Working knowledge and limited experience with EnCase, Magnet Axiom, X-Ways, FTK, SIFT, Splunk, ELK, Redline, Volatility, and other commercial and open-source forensic tools
- Experienced with a common scripting or programming language, including Perl, Python, Bash, and/or PowerShell, preferred
- Excellent verbal and written communication and experience working in a team environment
- Knowledge and/or experience with various database formats such as SQL, Elastic, Mongo, etc., preferred
- Some experience with cyber insurance investigations, preferred
JOB REQUIREMENTS
- Candidate must have collegiate or business experience in incident response or digital forensics with a passion for cybersecurity
- Candidate should possess or be enrolled in an accredited degree program working towards an Associate's or Bachelor's Degree in Information Security, Computer Science, Digital Forensics, or Cybersecurity
- Possession of one or more of the following certifications is a plus:
  - Security+, Network+, SANS GCFE, GCFA
- Ability to work 40 hours per week or during non-business hours, etc.
DISCLAIMER
The above statements are intended to describe the general nature and level of work being performed. They are not intended to be an exhaustive list of all responsibilities, duties, and skills required by personnel so classified.
WORK ENVIRONMENT
While performing the responsibilities of this position, the work environment characteristics listed below are representative of the environment the employee will encounter: Usual office working conditions. Reasonable accommodations may be made to enable people with disabilities to perform the essential functions of this job.
TERMS OF EMPLOYMENT
Salary and benefits shall be paid consistent with Arete salary and benefit policy.
DECLARATION
The Arete Incident Response Human Resources Department retains the sole right and discretion to make changes to this job description.
EQUAL EMPLOYMENT OPPORTUNITY
We’re proud to be an equal opportunity employer and celebrate our employees’ differences, regardless of race, color, religion, sex, sexual orientation, gender identity, national origin, age, disability, or Veteran status. Different makes us better.
Arete Incident Response is an outstanding (and growing) company with a very dedicated, fun team. We offer competitive salaries, fully paid benefits including Medical/Dental, Life/Disability Insurance, 401(k) and the opportunity to work with some of the latest and greatest in the fast-growing cyber security industry.
When you join Arete…
You’ll be doing work that matters alongside other talented people, transforming the way people, businesses, and things connect with each other. Of course, we will offer you great pay and benefits, but we’re about more than that. Arete is a place where you can craft your own path to greatness. Whether you think in code, words, pictures or numbers, find your future at Arete, where experience matters.