Insider Risk Investigator - USDS

Responsibilities
- Conduct investigations into suspected insider threats including cases involving intellectual property theft, unauthorized access/use of sensitive systems or data, fraud/embezzlement activities, or violations of internal policies.
- Utilize advanced digital forensic techniques to collect evidence from endpoints (Windows/macOS/Linux), mobile devices (iOS/Android), network logs, cloud-based services (AWS/Azure/GCP), file shares/repositories (e.g., SharePoint), databases, and other relevant sources.
- Analyze system artifacts such as registry files, event logs, browser histories/cache data/memory dumps/timelines to accurately contextualize insider actions.
- Use endpoint detection tools (EDR) or SIEM platforms to identify behavioral anomalies that may indicate malicious intent or policy violations.
- Develop workflows for identifying high-risk behaviors such as exfiltration attempts via email/cloud storage/USB devices or lateral movement within internal networks.
- Collaborate with cross-functional stakeholders including Legal teams (for compliance/litigation support), HR/Ethics teams on employee-related investigations, IT/Security teams on mitigation measures or technical controls post-investigation findings.
- Generate detailed reports summarizing investigative findings with defensible documentation while maintaining chain-of-custody principles for potential legal proceedings.
- Provide recommendations for improving proactive monitoring mechanisms/tools for early detection of insider risks across physical/digital environments.
- Stay current on emerging threats related to insider risk programs as well as best practices in forensic analysis and security incident handling frameworks.

Qualifications

Minimum Qualifications
- Bachelor's degree in Cybersecurity/Digital Forensics/Information Technology/Computer Science or equivalent professional experience in related fields.
- 5+ years of experience conducting technical investigations into cybersecurity incidents with a strong emphasis on insider risk management cases.
- Expertise in digital forensic tools such as EnCase®, FTK®, Cellebrite®, X-Ways®, AXIOM®; familiarity with scripting languages like Python/Bash/PowerShell preferred.
- Advanced knowledge of Windows/macOS/Linux operating systems at a forensic level-including file systems (NTFS/APFS/HFS+), memory analysis techniques/artifacts extraction methods/log parsing capabilities.
- Experience working with EDR solutions (e.g., CrowdStrike Falcon®, Carbon Black®) or SIEM platforms such as Splunk®/QRadar®/ArcSight® for anomaly detection during investigations.
- Familiarity with cloud service providers like AWS/Azure/GCP-specifically their logging capabilities (e.g., CloudTrail/Azure Monitor)-and cloud-native investigation techniques.

Preferred Qualifications
- Certifications in Digital Forensics and Incident Response domains: GCFE®, GCFA®, CCE®, EnCE®, CISSP®, OSCP® preferred but not required depending upon experience level validation!
- Practical hands-on training certifications like SANS FOR508/MITRE ATT&CK fundamentals mastery ideal complements too
- Extended skill flexibility needs