Incident Response
- Rapid initial triage of reported incidents, validation of alerts and indicators, initial determination of attack type (ransomware, BEC, supply chain, insider threat, ICS compromise) and impact estimation
- Live response on endpoints and servers, collection of volatile data (running processes, network connections, loaded modules, handles, scheduled tasks, services), and acquisition of key artifacts
- Deployment and operation of IR tooling in client environments - EDR in IR mode, forensic collectors (KAPE, Velociraptor, UAC, CyLR, Gryphon, Athena), and custom collection scripts, including in segmented or air-gapped networks
- Threat hunting across client environments - identification of additional compromised systems using known IOCs (hashes, IPs, domains, registry keys, filenames, mutex names, named pipes) and TTP-based hypotheses
- Real-time reconstruction of the attack kill chain - identification of the initial access vector, persistence mechanisms, lateral movement, C2 channels, and exfiltration activity
- Authentication activity analysis - evaluation of compromised accounts (domain, local, service, cloud), identification of golden/silver ticket activity, Kerberoasting/AS-REP roasting artifacts, and abuse of trust relationships
- Containment actions, including:
  - Isolation of infected hosts (EDR network isolation, VLAN quarantine, host-based firewall)
  - Blocking C2 infrastructure at the perimeter
  - Disabling compromised accounts
  - Revoking session tokens and Kerberos TGTs (krbtgt reset in case of AD compromise)
  - Rotation of keys and certificates
- Eradication - removal of malware and persistence mechanisms such as scheduled tasks, services, WMI subscriptions, registry run keys, and GPO persistence; preparation for infrastructure rebuilds in case of large-scale compromise
- Recovery validation - verification of restored systems, deployment of temporary detection rules to identify attacker re-entry, post-recovery infrastructure monitoring
- Creation and continuous updating of IOC packages for clients (hashes, domains, IPs, YARA, Sigma) and deployment to client detection platforms during active incidents
- Compromise assessments - proactive identification of evidence of previous or ongoing compromise outside active incidents (threat hunting engagements, post-breach assessments after receiving alerts from a third party or CSIRT)
- Coordination with the detection engineering team to transform incident findings into detection rules for IstroSec products

Incident Response Coordination
- Management and coordination of incident response activities during major security incidents at client organizations
- Coordination of technical teams and communication with client leadership, legal departments, regulators (NBÚ/SK-CERT), and external stakeholders
- Incident classification, scoping, prioritization, and strategy definition for containment, eradication, and recovery
- Leading war-room activities, maintaining incident timelines, providing continuous situational updates, and handling escalations
- Conducting post-incident reviews (“lessons learned”) and preparing final reports for clients and regulators in accordance with Act No. 69/2018 Coll. on Cybersecurity and NIS2 requirements
- Participation in IR retainer exercises, tabletop exercises, and IR readiness assessments for clients

Digital Forensic Analysis
- Acquisition and analysis of forensic images (Windows, Linux, macOS) and network communications while maintaining chain of custody
- Endpoint and network forensic analysis, including artifacts such as MFT, USN Journal, Prefetch, Amcache/Shimcache, registry artifacts (including BAM, TaskCache, CapabilityAccessManager, SharedAccess\Epoch, SRUDB), event logs, LNK files, jump lists, and browser artifacts
- Memory forensic analysis (Volatility, MemProcFS)
- Network forensic analysis - PCAP, NetFlow, proxy/firewall log analysis, and correlation with endpoint telemetry
- Forensic analysis of specialized platforms based on client needs - Active Directory, Microsoft 365/Azure, Google Workspace, AWS, Citrix NetScaler/ADC, and network devices
- Reverse engineering and behavioral analysis of malware samples obtained during incidents (static and dynamic analysis, IOC and TTP extraction)
- Mapping attacker activity to the MITRE ATT&CK framework and attribution to known APT groups

Research and Threat Intelligence
- Active monitoring of TTPs used by APT groups relevant to the Central European region and client sectors (including groups such as Sandworm, APT28, Volt Typhoon, FIN groups, and ransomware affiliate programs)
- Research and proof-of-concept development of new detection techniques - behavioral analytics, anomaly detection, beaconing detection, lateral movement sequencing
- Analysis of newly published CVEs (CISA KEV, actively exploited vulnerabilities) and rapid development of detection rules
- Review of published patents, academic papers, and reports in the field of malicious behavior detection
- Presentation of research findings internally and within the professional community (conferences, whitepapers, blogs)

Internal Tool Development
- Design and development of internal DFIR tools - forensic triage scripts (PowerShell, Python, Bash), acquisition tools, and parsers for proprietary data formats
- Development and maintenance of detection content - Sigma rules, YARA signatures, Sysmon configurations, EDR detections, SIEM correlations
- Collaboration with internal development teams on the evolution of the team's detection platforms (e.g., Gryphon) - contribution of detection logic, validation of anomaly detection models, and definition of data pipeline requirements
- Maintenance of internal knowledge bases - IOC repositories, TTP databases, internal documentation

Internal Process Development
- Creation and maintenance of IR playbooks for specific incident types (ransomware, BEC, supply chain, ICS/OT incidents, perimeter appliance compromise)
- Definition and updating of SOPs for forensic acquisition, chain of custody, case documentation, and reporting
- Participation in defining SLAs and team quality metrics (MTTD, MTTR, report quality scoring), and continuous improvement of internal processes
- Onboarding and mentoring junior team members, preparation of training materials and lab environments
- Participation in defining the strategic direction of IstroSec DFIR services, including preparation of RFP materials