CyberMaxx is a global Cyber Security service provider founded in 2001 that remains privately held with headquarters in New York City. We are completely and exclusively focused on cyber security and provide a full-service solution portfolio. We service our customers through the following main practice areas: Governance, Risk & Compliance, Offensive & Defensive Security, Managed & EDR Services and Product Procurement.
A client calls in crisis. Their network team identified an unusual 2TB spike in traffic from their production Microsoft SQL server and confirmed it was not a backup job and such a spike had never previously been observed. Their internal SOC performed triage and found that ntds.dit was dumped on the primary domain controller around the same time MSSQL data was exfiltrated. There are 30,000 users in their Active Directory environment, 10+ user VPNs spanning the globe, and multiple site-to-site tunnels to business partners. You are invited to join an emergency conference call with the CISO, all heads of engineering, and inside counsel. They look to you to manage the crisis. Are you confident in the cockpit? If so, we should talk.
CyberMaxx's Digital Forensics & Incident Response Team is part of CyberMaxx's Defensive Security department and works closely with our Blue Team and Compliance departments. We are looking for a senior full-time Incident Response Consultant to join us and lead cases like the one described above. Between large cases, the person in this role will help with service maturity and development, threat hunting for MDR clients, and automation development.
- Incident response delivery. Manage the full life-cycle of an incident including crisis management, containment, incident project management, threat hunting, remediation, and developing recommendations.
- Incident leadership. Capable of quickly creating an action plan, prioritizing, keeping teams on task, following through with commitments, and patience to see long complex tasks through to completion. Understand large complex production environments quickly and help make impromptu production decisions with clients.
- Exceptional communication skills. Bedside manner. Able to remain level-headed under pressure and strike the right balance between having a calming effect and driving everyone towards the end goal. Able to convey technical matters to non-technical leadership and provide customers and internal teams with status updates. Emotional maturity in difficult interactions. Create and present reports that tell the full incident story.
- Forensics. Confident performing memory analysis, full disk forensics, and using a variety of security tooling on Linux, Windows, and OSX.
- Threat hunting. Threat hunt in customer environments as directed. Identify potential breaches and investigate until resolution. Threat hunt during large incidents but also in customer environments that subscribe to our Threat Hunting service.
- DFIR service development. Improve and grow CyberMaxx's DFIR service offerings. Establish partnerships with cyber insurers and foster relationships with partners in the incident ecosystem. Work towards technical automation where possible. Further mature processes and playbooks. Develop additional IOCs and watchlists.
- Experience in a senior-level DFIR position. Vast production experience expected. Track record of leading large-scale incident response where thousands of assets are affected. Experience working with outside counsel and client senior leadership.
- Deeply technical. This position requires strong soft skills, but technical excellence is the top requirement. Instill confidence in clients that you know what you are doing, and earn their trust.
- Corporate production operations experience. Able to make difficult decisions with clients in production environments, understanding the impact, risks, and making the right judgment calls.
- Above-average understanding of Active Directory, virtualization platforms, database servers, network topology, software distribution, and storage.
- Exceptional troubleshooting and analytical abilities.
- Seniority with Linux and Windows. Must have strong practical experience in both environments.
- Senior-level network experience. PCAP interpretation and parsing; understanding of L1-8 protocols.
- IOC development. Effective with Sigma, YARA, and Suricata. Bro experience is a plus.
- Some scripting experience. Capable with Python or PowerShell. Able to parse files and interact with APIs.
- Some reverse engineering. We have gifted reverse engineers, but the person in this role should be able to do basic static and dynamic analysis of untrusted executables, scripts, and blobs.
- Cloud experience. Familiarity with AWS, Microsoft, and other popular cloud service logs, including their acquisition and analysis.
- Knowledge of TTPs. Deep familiarity with Windows lateral movement, persistence, attack patterns in event logs, and OS internals.
- Execute memory and full disk forensics on all major platforms. Familiarity with tools like log2timeline, Timesketch, Plaso, ELK, and Graylog.
- Familiarity with forensics for civil litigation and HR investigations
- Fluency in at least one EDR or SIEM platform such as SentinelOne, CrowdStrike, Carbon Black, Endgame, Cortex.
- Previous PCI QSA or ISA experience required
- Flexible schedule. CyberMaxx offers a lot of freedom around schedule, but when a P1 incident is in progress, be willing to work the hours that the situation demands. Comp time will be provided so a work-life balance is maintained.
- Great written and verbal communication.
- Comfortable with an online, collaboration-based workflow. Encrypted chat is used to collaborate with remote colleagues, and reports are written as a group in many cases.
- Discretion. We work on extremely sensitive subjects that cannot be discussed outside and, in some cases, even among coworkers.
- Ability to occasionally travel. Our team and workload are predominantly remote, but for occasional onsite requirements senior staff need to be able to travel to client locations and maintain a good image for the company and team.