CSIS Lead Investigator

Citigroup   •  

New York, NY

Less than 5 years

Posted 251 days ago

This job is no longer available.


About CitiCiti, the leading global bank, has approximately 200 million customer accounts and does business in more than 160 countries and jurisdictions. Citi provides consumers, corporations, governments and institutions with a broad range offinancial products and services, including consumerbanking and credit, corporate andinvestmentbanking, securities brokerage, transaction services, andwealth management. Our core activities are safeguarding assets, lending money, making payments and accessing thecapital markets on behalf of our clients.Citi’sMission and Value Proposition  explains what we do andCiti Leadership Standards explain how we do it. Our mission is to serve as a trusted partner to our clients by responsibly providingfinancial services that enable growth and economic progress. We strive to earn and maintain our clients’ and the public’s trust by constantly adhering to the highest ethical standards and making a positive impact on the communities we serve. Our Leadership Standards is a common set of skills and expected behaviors that illustrate how our employees should work every day to be successful and strengthens our ability to execute against our strategic priorities.Diversity is a key business imperative and a source of strength at Citi. We serve clients from every walk of life, every background and every origin. Our goal is to have our workforce reflect this samediversity at all levels. Citi has made it a priority to foster a culture where the best peoplewant to work, where individuals are promoted based on merit, where we value and demand respect for others and where opportunities to develop are widely available to all.

  • Conduct analysis and publish cybersecurity related information in a timely fashion
  • Assess cyberrisk; analyze information creatively; identify lynchpin arguments that support analytic conclusions
  • Identify data points that, if changed, would change or undermine key arguments in analytical and awareness products
  • Contrast and compare new information with previously acquired information; and make use of limited, ambiguous, unreliable, and deceptive information
  • Publish cybersecurityreports and analytical activity that adequately represents and defends a view point on security topics, emphasizing enterprise decisions to prevent, detect, or alert information security professionals while considering other business cases
  • Maintain a constant awareness of CSFC team actions, significant internal and external information security incidents, and changes in Citi information security policy, procedure or technology, and events that indicate change to material risk at Citi
  • Contribute to the CSFC Core Team in all areas in which the work of CSFC Teams has touch points, whether through analytic research or incident and accurately translating them into situation or analytic reports
  • Contribute to the CSFC Core Team on the publication of Global CSFC communications for products such as daily and weekly Cyber Reports, Monthly Technical Reports, ad-hoc Situation Reports, Fusion Tracker summaries and internal publications
  • Conduct briefings to internal and external audiences on the CSFC mission, current cyberthreatlandscape, and CSFC team actions, particularly in the event of a significant cyber incident


At least 3years ofexperiencein:

  • Conducting forensic investigation, threat intelligence, adversary hunting, anomaly detection and analysis, and the discovery of previously undiscovered cyberthreats or attacks
  • Knowledge in network protocols and operating system structures and hierarchy
  • IT and InfoSec background including cryptography and network/systems/physical security
  • Forensics reports and investigation summaries to include the reporting of the why, what, how, and when of a cyber-attack
  • Incident handler with Level 1 and experience
  • Analyzing indicators of compromise
  • Querying and analyzing Security Operations Center datasets using a variety of tools including but not limited to Splunk
  • Strong understanding of:
    • Forensic analysis, threat intelligence, adversary hunting, anomaly detection and analysis, and the discovery of previously undiscovered cyberthreats or attacks
    • Network protocols and operating system structures and hierarchy
    • Security Operations Center tools, methods, and procedures
    • Leveraging big data to conduct analysis to identify information of value related to cyberrisks and artifacts
  • Knowledge of APT and the basic strategies on how they operate, defense methods, and attack remediation.
  • Knowledge of the artifacts created by the Windows operating system during the execution of programs, system start up and use of removable devices.
  • Knowledge of the concepts and relationship behind reconnaissance, resource protection, risks, threats, and vulnerabilities including preliminary abilities to create network maps and perform penetration testing techniques
  • Knowledge of file access artifacts created by the Windows operating system.
  • Knowledge of the methodologies and tools used to collect and process static and volatile digital forensic evidence.
  • Knowledge of the forensic examination of user communication applications and methods, including host-based and mobile email applications, instant messaging, and other software and Internet-based user communication applications.
  • Knowledge of the artifacts created by user activity on current Windows operating systems.
  • Knowledge of forensic methodology, key forensic concepts, identifying types of evidence on current Windows operating systems and be familiar with the structure and composition of modern Windows file systems
  • Knowledge of the purpose of the various types of Windows event, service and application logs, and the forensic value that they can provide.
  • Knowledge of the artifacts created by Microsoft browsers during user activity.
  • Knowledge of the artifacts created by third party browsers and when privacy settings are applied during user activity.
  • Knowledge of terminology and approaches to cybersecurityrisk management including identification of the steps of the Threat Assessment process
  • Knowledge of the registry artifacts created by system and user activity.
  • Knowledge of the structure and purpose of the Windows registry and the types of tools used to analyze and parse the data.
  • Broad knowledge of business processes including business operations, information technology, security, fraud investigations, and intelligence production 
  • Exceptional project management skills. Ability to coordinate several projects simultaneously and supervise the execution of daily duties with minimal supervision
  • Strong organizational and facilitation skills
  • Highly developed communication and presentation skills
  • Experience analyzing large data sets
  • Strong understanding of Advanced Persistent Threat (APT) actors, cyber criminals, their motivations, skillsets, toolsets and intent
  • Operate under the mode of thinking that a network is always in a state of compromise in order to detect persistent activity that is not otherwise detected by existing process, procedure and technology
  • Qualifications
  • Bachelor's degree, preferred, post graduate degrees welcomed
  • Degrees in national security, cyber intelligence and various technology and analytics fields preferred
  • Exceptional written and oral communication skills essential 
  • Proven ability to analyze information and publish reports
  • Ability to think critically about topics and offer creative conclusions
  • Understanding of cybersecurity topics, the internet, and security with a passionate desire to learn more
  • Experience working in Information security operation, network operations, intelligence assessment or cyber fusion center environments preferred
  • Experience formatting and editing Word, Power Point and PDF documents
  • Demonstrated ability to collaborate on information technology related topics with multiple teams
  • Ability to quickly analyze to determine its significance, validate its accuracy and assess its reliability and present findings to both technical and non-technical audiences
  • Driven, self-motivated and able to work independently with little oversight
  • Demonstrated capability to create products on a reoccurring basis incorporating findings from cross-functional and cross-enterprise teams
  • Strong understanding of the tools and sources available to conduct cybersecurity alerting, analysis, and enhanced situational awareness
  • Ability to manage changes in priorities frequently and remain productive and effective

One or more of the DOD 8075 required certifications to include but not limited to (GREM, GSEC, GCIH, GCIA, GCED, GCPM, etc.)

ID: 18015132