Preferred GIAC Certifications: GCIH, GCIA, GCED
Citi's Global Cyber Investigations Team seeks a highly skilled cyber investigator to support critical efforts aimed at protecting Citi infrastructure, assets, clients and stakeholders. This is a demanding role with global exposure and responsibility. You will serve both as a technical subject matter expert and as an ambassador for the global investigations team. You will be assigned to Citi's Cyber Security Fusion Center, and will collaborate closely with a talented cadre of security specialists and incident responders to react aggressively to urgent security events. Your observations and recommendations will impact security decisions across the organization, and play an important part in maturing the fusion center's team-of-teams operation.
As a Cyber Investigator in the Cyber Security Fusion Center, your primary responsibility is to serve as an incident responder for network security events and other potentially high-impact cybersecurity incidents. Related activities include but are not limited to:
• Partner with fusion center analysts to assess criticality of security alerts and establish requisite investigative actions
• Manage and conduct forensic investigations to uncover evidence of compromise and identify inadequate security controls
• Drive actions aimed at disrupting, containing, eradicating, and remediating cyber threats
• Influence decision makers across the organization to eliminate and mitigate risks
• Document investigative methods and findings for a broad audience, including technical, executive and regulatory groups
You should be all of the following:
1. A skilled and creative investigator. Success will depend on your ability to:
a. Stay current with the evolving landscape of threat activities and cybersecurity best practices
b. Quickly synthesize information from disparate sources
c. Scrutinize evidence thoroughly to identify relationships and develop leads
d. Establish defensible working theories to explain observations and findings
e. Perform investigations in a forensically sound manner
2. A goal-oriented individual contributor. Success will depend on your ability to:
a. Stay motivated and work independently with minimal oversight
b. Adapt to changing requirements in a fast-paced environment
c. Multitask and meet deadlines despite competing priorities
d. Navigate operational impediments in order to complete time-sensitive tasks
e. Identify and document any opportunities for process improvement
3. A reliable team player. Success will depend on your ability to:
a. Practice mutual respect at all times
b. Establish trust and build strong partnerships
c. Resolve conflict in a constructive manner and use it as an opportunity to develop team unity
d. Prioritize collective success ahead of individual ambition
4. A great communicator. Success will depend on your ability to:
a. Establish clear narratives to describe investigative findings and working theories
b. Clearly and concisely articulate any recommendations that arise from investigative activities
c. Motivate colleagues and partners to cooperate and support as needed
d. Exert influence both verbally and in writing
Education and Experience
• Bachelor’s degree in a technically rigorous domain such as Computer Science, Information Security, Engineering, etc.
• Minimum 5 years of professional experience as a digital forensic investigator and/or incident responder, or demonstrated equivalent capability.
Knowledge and Skills
• Strong understanding of how computer applications, systems, and networks are managed and secured.
• Strong understanding of common security threats and vulnerabilities, attack vectors, and adversary tactics, techniques and procedures (TTPs).
• Strong understanding of cyber forensic and eDiscovery procedures to collect, handle, examine, and analyze evidentiary artifacts while preserving integrity and maintaining a strict chain of custody.
• Strong understanding of the OSI model
• Proficient in forensic analysis of memory, disk, logs and other artifacts originating from a wide variety of applications, devices and operating systems.
• Proficient in a DFIR toolset (e.g. EnCase, FTK, Sleuth Kit)
• Proficient in some of the following tools: Metasploit, Nuix, Plaso, Powergrep, Relativity, Security Onion, SIFT Workstation, Splunk, Tanium, Volatility, Wireshark, Yara.
• Working knowledge in some of the following: Python, C++, C#, PowerShell, as well as scripting with Bash
• Must have flexibility to work outside of normal business hours when necessary
Education and Experience
• Graduate degree in a technically rigorous domain such as Computer Science, Information Security, Engineering, etc.
• Minimum 8 years of professional experience as a digital forensic investigator and/or incident responder
• Previous experience in a fusion center and/or exposure to large-scale incident response
• Prior success leading forensic investigations and/or managing individual contributors
• Prior experience with information technology and/or information security in the financial services industry
• Prior experience with adversary emulation, red teaming, blue teaming
• Prior experience with one or more SIEMs (e.g. ArcSight, LogRhythm, AlienVault)
• Prior experience with penetration testing of cloud environments (e.g. AWS, GCP, Azure) and DevOps technologies (e.g. Docker, Kubernetes, Jenkins, Git)
Knowledge and Skills
• Any professional certifications issued by GIAC, AWS, etc.
• Working knowledge of common security models (Defense-in-Depth), standards (NIST 800-53, CIS 20 Controls) and frameworks (MITRE ATT&CK, Cyber Kill Chain, STIX)
• Working knowledge of reverse engineering, vulnerability discovery/analysis, and/or exploit development
• Proficient in any query language (e.g. SQL)
• Proficient in some of the following: Python, Ruby, C++, C#, PowerShell
• Working knowledge of assembly or low-level languages (e.g. C)
• Working knowledge of network components such as switches, routers, firewalls in both Windows/Linux environments
• Working knowledge of virtualization products (e.g. VMware Workstation)
• Working knowledge of security and/or incident response in cloud environments
• Working knowledge of software development best practices, including agile methods
• Familiar with Atlassian tools
Primary Location: TBD
Job Function: Corporate Services
Job Family: Cyber Investigations
Job family description: Roles in this family are responsible for investigating cyber incidents and information security events that present increased risk or a threat to the firm, its customers, employees, shareholders, information, systems/networks, assets and clients.
Job Title: Cyber Fusion Center Lead Investigator
Job Grade: C13
Shift: Day Job
Employee Status: Regular
Travel: Yes, 10% of the Time