EY VAPT - Senior in Kochi, India
VAPT - Senior
Requisition # KOC0024L
Post Date Feb 18, 2021
EY- Cyber – Technology Consulting – Senior Consultant
As part of our Cyber Technology Consulting team, you will be performing managed or ad-hoc vulnerability assessment and penetration testing for various clients across the MENA region. Working with Cyber Technology consulting team, you will also perform application security assessments, code & architecture reviews, threat modelling, configuration audit, AD assessments, social engineering assessments, red/purple teaming etc. The client base spans across various sectors and includes collaboration with other teams within Advisory services.
We’re looking for Senior Consultants with real hands-on expertise in performing cyber security assessments to join the group of our Cyber Technology Consulting team. The candidate would be expected to work in diverse consulting engagements and are willing to travel to Middle East countries for project execution atleast 50% of their time. This is a fantastic opportunity to be part of a leading firm whilst being instrumental in the growth of our service offering.
Your key responsibilities
Perform end-to-end project execution for end clients (VAPT domain) both offshore and onshore
Perform infrastructure penetration testing and vulnerability assessments
Perform web/mobile/API penetration testing.
Perform threat modelling, security code reviews and architecture reviews
Perform security configuration reviews for OS, Databases, Network & Security devices, applications etc.
Perform Active directory assessments
Perform Red Team assessments/Attack Simulations aligned to cyber kill-chain and MITRE ATT&CK
Experience with AV evasion, obfuscation, bypass windows ASR/device guard, network security controls, emails gateway filtering etc.
Experience with both commercial & open-source tools mapped to the different stages in the cyber kill-chain
Review operational logs and event console activity to determine cause of security-related events or to identify potential security related events
Analysis of the patches released by the vendors
Prepare reports and convey the observations to the top management in layman’s language emphasizing on the business risks.
Mentor junior resources or managing a group of resources.
Skills and attributes for success
Collaborating with other members of the engagement team to plan the engagement and develop work program timelines, risk assessments and other documents/templates.
Good Communication skill and willingness to travel at a short notice
Demonstrating and applying strong project management skills, inspiring teamwork and responsibility with engagement team members
Hands on experience will tools/frameworks like Kali, Burp Suite, Nessus, Qualys, Acunetix scanners (DAST and SAST)
Good knowledge of OWASP and Secure SDLC standards
Hands on experience with programming using Python/Perl/PowerShell/C++ Hands on experience with exploit development and VS code compilation.
Hands on experience with C2 frameworks (e.g.PoshC2, Covenant, Metasploit etc.)
Hands on experience with setting-up phishing and red teaming infrastructure
Good knowledge of encryption technologies & MiTM attacks
Good understanding of MITRE ATT&CK framework and how to leverage it.
Good understanding of AD administration, different authentication mechanisms, trust boundaries etc.
Knowledge of Linux administration, TCP/IP, DNS, Network protocols and OSI model
To qualify for the role, you must have
A bachelor's or master's degree
5+ years of experience working as an Information security professional with cyber security assessment background in a professional services firm.
Excellent communication skills with consulting experience preferred
A valid passport for travel.
Ideally, you’ll also have
Experience with performing assessment related to Red Teaming, Network Penetration Testing, Web Application Penetration Testing, Mobile Application Penetration Testing, Secure Code review, AD Security Assessments, Vulnerability Management, Social Engineering Assessments, Wireless Penetration Testing.
OSCE, OSCP, GPEN, LPT, ECSA, CEH, CompTIA Security+ (atleast two certifications are desired)