Qureos


DFIR Analyst

Onsite Role based in Abu Dhabi:

1. Expertise in Host and Network based Forensics and Incident Response:

  • Proficient in acquiring and analyzing system-level artifacts from Linux, Windows, and container environments.
  • Proven expertise in threat hunting through the utilization of advanced security platforms such as Microsoft Sentinel, XDR, etc.
  • Proven experience in responding to telecom-related incidents, including identifying, analyzing, and mitigating issues within telecommunications networks and systems.
  • Proven experience in responding to Microsoft Azure incidents, including Entra ID, Office365, Graph API, etc.
  • Proven experience in responding to Microsoft AWS incidents.
  • Expertise in network forensics, with practical hands-on experience utilizing the Security Onion tool.

2. Development of Customized Scripts

  • Tailoring the default UAC script to fit specific incident response or investigation use cases, including the application logs.
  • Performance tuning to minimize system impact during live data acquisition.
  • Custom scripts for parsing and pattern-based detection (Python, Bash, etc.)

3. Strong Understanding of Telecom Components

  • Familiarity with core telecom infrastructure such as:
      • Signaling systems (SS7, SIP, Diameter)
      • Network elements (MME, PGW, SGW, SIGTRAN, SPF, AMF, UPF, MSC, HLR, VLR, UDC, GTP, SMSC, SMSHUB etc.)

4. Bulk Analysis of Collected Artifacts

  • Triaging and prioritizing systems based on severity and the presence of confirmed IOCs or TTPs.
  • Investigating a large number of systems in bulk using collected artifacts from Linux/Windows systems.
  • Leveraging automation and scripting (e.g., Python, Bash, YARA rules) to efficiently parse and analyze forensic data.
  • Identifying Indicators of Compromise (IOCs), suspicious behavior patterns, and anomalies, including:
      • Suspicious behavior patterns, including lateral movement, privilege escalation, and anomalous process execution.
      • Persistence mechanisms (e.g., rootkits, startup script modifications, backdoored binaries).
      • Timestamp tampering or time-skewing that indicates anti-forensic behavior.
      • Correlation of events across systems and timeframes to establish timelines and root causes.
      • Identification of unauthorized access, unauthorized configuration-related changes, malicious binaries, persistence, data exfiltration, etc.
  • Support in post-incident activities such as RCA sessions or tabletop exercises.

5. Documentation and Reporting

  • Compilation of forensic findings into a structured and comprehensive report, including:
      • Executive summary
      • Technical findings with evidence
      • Timeline of events
      • Mapping of the detections to MITRE TTPs
      • Recommendations for remediation and mitigation
      • Use case recommendations based on the TTPs
  • Maintenance of internal documentation to support audit trails and reproducibility of analysis.

Job Type: Full-time

© 2026 Qureos. All rights reserved.