GPS - Incident Response Analyst - Associate

From strategy to execution, the Government & Public Sector (GPS) practice of Ernst & Young LLP provides a full range of consulting and audit services to help our Federal, State, Local and Education clients implement new ideas to help achieve their mission outcomes. We deliver real change and measurable results through our diverse, high-performing teams, quality work at the highest professional standards, operational know-how from across our global organization, and creative and bold ideas that drive innovation. We enable our government clients to achieve their mission of protecting the nation and serving the people; increasing public safety; improving healthcare for our military, veterans and citizens; delivering essential public services; and helping those in need. EY is ready to help our government build a better working world.

Our GPS Technology Organization is a structure within the US GPS practice that implements and maintains a new operating and technology model designed specifically to support U.S. defense and Government engagements.

The opportunity

As an Incident Response Analyst – Associate, you will support security incident response efforts related to information security events or incidents stemming from suspected internal or external threats. This role focuses on executing defined incident response tasks under guidance while gaining hands-on experience supporting new and evolving enclave security processes. The role provides exposure to multiple security domains and an opportunity to grow technical and investigative skills within a structured incident response program.

Your Key Responsibilities

• Assist with acquisition and collection of computer artifacts (e.g., malware, system/user logs, data artifacts) in support of Cyber Defense engagements
• Support triage of system assets and assist in determining evidentiary value
• Assist with correlating forensic findings to network events
• Collect and document system state information (e.g., running processes, network connections)
• Support forensic triage activities to help determine scope, urgency, and potential impact
• Track and document forensic analysis activities under supervision
• Assist with collection, processing, preservation, analysis, and presentation of computer-related evidence while maintaining chain-of-custody requirements
• Support coordination efforts with GPS Enclave staff to validate and investigate alerts
• Assist with tuning and building alerts and analytics within SIEM platforms
• Support Vulnerability Management and DLP solution activities by assisting with validation and documentation
• Participate in developing and maintaining incident response procedures and documentation
• Assist with analysis of forensic images and contribute to forensic write-ups
• Support documentation and publication of Computer Network Defense (CND) guidance and reports
  
  

To qualify for the role, you must have

• Bachelor’s Degree in Computer Science, Cybersecurity, Computer Engineering or related field; or equivalent relevant experience
• 0–2 years of relevant experience or internships in cybersecurity, incident response, or digital forensics
• Foundational understanding of Windows operating systems
• Basic understanding of SaaS, PaaS, and IaaS cloud concepts
• Familiarity with evidence handling procedures and chain-of-custody principles
• Understanding of common cyber-attack techniques and MITRE ATT&CK framework
• Ability to work collaboratively across physical and virtual locations
• Action-oriented with a proactive approach to learning and problem solving
• Ability to operate in high-security, least-privilege environments
• Ability to obtain and maintain a Top Secret Security Clearance

Ideally, you’ll also have

• Exposure to Microsoft Azure and Microsoft 365 environments
• Basic familiarity with PowerShell or another scripting language
• Introductory experience supporting cloud or endpoint security operations
• Awareness of NIST 800-171 and CMMC security concepts
• Entry-level certifications such as AZ-900, Security+, or equivalent