CareFirst Careers

Senior Forensic Cybersecurity Analyst

Resp & Qualifications


The Lead Forensic Analyst is responsible for responding to security incidents which may present an imminent threat of compromise or loss of data. This position is also responsible for review and appropriate disposition of security investigations and working with various senior management groups, such as Executive Leadership, Legal, Risk, etc. to provide accurate and detailed information regarding forensic investigations. The incumbent will research security events to determine severity and perform incident triage as necessary, while engaging appropriate CSIRT members to resolve the security incident.

Leads efforts for performing post-mortem analysis of the magnetic media, optical media, and volatile data (memory images) collected from compromised systems. Provides documentation related to forensic/malware examinations. Reverse engineer’s malware, using Dynamic and Static analysis. Support development of tool custom signature and correlation rules creation to enhance enterprise protections based on indicators discovered during the forensics analysis process. Identifies trends in incidents and malware and recommends enterprise protection measures based on incident trends. Researches new attacks and exploits. Writes and publishes cyber incident forensic/malware reports detailing findings and mitigation/remediation recommendations. Develops and documents malware and forensic analysis guidance, processes, and procedures. Contributes to the completion of milestones associated with specific projects. Provides solutions to a variety of complex technical problems. Plans and conducts assignments, generally involving the larger and more important projects or more than one project.

Perform all phases of the forensic examination of digital media, including on-site and off-site evidence acquisition/seizures, forensic analysis, and reporting, ensuring chain of custody is maintained and that applicable rules of evidence are adhered to.

Perform E-discovery related requests from Human Resources and/or in support of legal investigations. 

PRINCIPLE ACCOUNTABILITIES: Under the direction of the Manager, CyberSecurity Monitoring and Response, the incumbent is responsible for, but is not limited to, the following:

Duties and Responsibilities

  • Maintain the knowledge and ability to professionally perform internet or computer related investigations as well as the capability to collect and manage digital evidence onsite consistent with both state and federal court requirements.
  • The ability to collaborate with key stake holders to include Legal, HR, Internal Audit, Compliance and various Businesses.
  • Develop procedures and processes to analyze and categorize digital evidence/media.
  • General knowledge of network security controls and DLP solutions.
  • Follow industry standard forensic best practices while imaging, preserving, handling and transporting digital data.
  • Conduct investigative interviews and obtain statements in relation to computer evidence. Thoroughly document findings.
  • Perform tasks related to securing and keeping the products, tools, and processes that you are responsible for securing.
  • Participates in the analysis of log files to identify and collect artifacts related to security incidents; analyzes malicious activity to determine weaknesses, methods of exploitation and effects on systems and information.
  • Identifies collects and analyzes threat and intrusion data.
  • Develops process enhancements and efficiencies via custom scripts and API integrations.
  • Create briefings to educate leadership about current technical and intelligence threats, ongoing investigations and industry impacts.
  • Research vulnerabilities in applications and systems.  Provide recommendations for resolution and track remediation activities.
  • Utilizes and adheres to defined workflow and processes driving the Incident Response and mitigation efforts. Collects supporting information and/or relevant artifacts in support of Incident Response activities.
  • Detect and respond to security events by taking the necessary course of actions such as identifying, containing, eradicating, remediating, extracting indicators, disseminating IOCs to supporting teams.
  • Perform incident handling and threat hunting duties while coordinating with business and application owners to identify and remediate issues.
  • Use tools, such as SIEM, IDS/IPS, packet capture, endpoint detection and response (EDR), and cyber threat intelligence platforms, in order to support security across the enterprise.
  • Perform incident response and forensic investigations in Cloud environments.



Years of experience: 3 years of demonstrated work experience. (Additional experience may be substituted for educational requirements.)

Specialized training (preferred, but not required): Malware analysis tools.  Linux or Unix administration. Forensic analysis and Penetration Testing.

Other requirements (preferred, but not required):Forensic Analysis Certification

Required Education and Experience:

Degree or equivalent experience: BA/BS or higher in CyberSecurity, Information Technology, Networking, Computer Science, MIS or related field.  (Enrollment in a higher education will be taken into consideration.)

Required Skills and Abilities:

Must be able to effectively work in a fast-paced environment with frequently changing priorities, deadlines, and workloads that can be variable for long periods of time.  Must be able to effectively communicate with both technical and non-technical individuals.  Incumbent must have a firm understanding of Information and/or Cyber Security principles.  The incumbent must also be able to achieve certification across multiple domains such as networking, security, development languages, etc.

Required skills:

  • Provide forensic analysis on multiple computer and network platforms to include Windows and Linux Operating Systems, mobile devices and virtual machines.
  • In-depth experience with file system forensics
  • In-depth experience with registry analysis
  • In-depth experience with Internet history analysis
  • In-depth experience with timeline analysis
  • In-depth experience with email analysis
  • In-depth experience with signature and hash analysis
  • In-depth experience with network forensic analysis
  • Experience with forensic media imaging
  • Demonstrated experience with forensics tools such as EnCase, Forensic Toolkit, and Xways.
  • Demonstrated experience with E-discovery platforms (EnCase, Nuix, Clearwell, O365 Security and Compliance Center)
  • Demonstrated experience with endpoint detection and response platforms.
  • Demonstrated experience with SIEM technology (QRadar, Splunk, ELK)
  • Demonstrated experience with network packet capture and detection tools.
  • Strong documentation and written communication skills with technical report writing experience

Preferred Skills:

  • Industry standard certification(s) such as: CFCE, EnCE, ACE, GIAC, DoD
  • Forensic tool and script development
  • Programming experience
  • SOAR (Security Orchestration Automation and Response) platform experience
  • Strong attention to detail and the ability to prepare documents for review
  • Mobile forensic experience
  • Cloud forensic experience




Department: InfoSec- CyberSecurity Intelligence

Equal Employment Opportunity

CareFirst BlueCross BlueShield is an Equal Opportunity (EEO) employer.  It is the policy of the Company to provide equal employment opportunities to all qualified applicants without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, age, protected veteran or disabled status, or genetic information.

Hire Range Disclaimer

Actual salary will be based on relevant job experience and work history.

Where To Apply

Please visit our website to apply:

Closing Date

Please apply before: 10/09/2019

Federal Disc/Physical Demand

Note:  The incumbent is required to immediately disclose any debarment, exclusion, or other event that makes him/her ineligible to perform work directly or indirectly on federal health care programs.

PHYSICAL DEMANDS:The physical demands described here are representative of those that must be met by an associate to perform the essential duties and responsibilities of the position successfully.  Requirements may be modified to accommodate individuals with disabilities.

The associate is primarily seated while performing the duties of the position.  Occasional walking or standing is required.  The hands are regularly used to write, type, key and handle or feel small controls and objects.  The associate must frequently talk and hear.  Weights of up to 10 pounds are occasionally lifted.

Sponsorship in US

Must be eligible to work in the U.S. without Sponsorship

Learn more about Information Technology