How to land a SOC analyst trainee/junior position without prior cybersecurity experience 101

This is a short blog post on what someone who is looking to be employed as a cybersecurity analyst in their first cybersecurity job should know. This post is entirely based on my personal experiences and is in no way the final say on the matter. I feel like there are levels to this topic, and many have already written about it before me. I’m trying to frame my thoughts in a brief format, without going too deep into the rabbit holes of any topic, as there are endless details in all of them.

TL;DR: Learn basic IT skills first, then delve deeper into Windows/Linux internals and basic networking. Then get knowledgeable about security concepts and tools: build a lab; tinker with VMs, firewalls and more advanced networking concepts; pick a training platform and start grinding; never stop grinding until you’ve reached the required skills to land that sweet trainee/junior position.

~

  1. Basic IT skills
  2. Windows and Linux
  3. Networking
  4. Security concepts
  5. Analysis tools
  6. Soft skills and mindset
  7. Bonus: what about programming?

1. Basic IT skills

This one might go without saying, but if you’re looking for a job in the security domain of IT, you should already have an understanding of some basic concepts of IT. This means stuff like how to navigate your chosen operating system’s file system, installing and configuring computer hardware and software, using the internet and its search engines swiftly and safely, etc. Security can be considered an advanced subdomain of IT, which means that it’s impossible to work in the domain unless you have a solid grasp of the basics. Chances are that you are already familiar with these, unless you are someone who has just now decided to get into IT and the cybersecurity industry.

raik’s recommendations: look at the exam objectives for certifications like CompTIA A+ and CompTIA IT Fundamentals to figure out if there are topics mentioned that you are unfamiliar with. You can then go and learn about those topics on the internet for free. There’s no need to actually take the certs I mentioned.

2. Windows and Linux

These are the two operating systems that you’ll face the most in your work as a security analyst. Both are often used in servers, with Windows being a common endpoint in a business environment. With Linux it’s good to understand common commands and how they are used, as you’ll often be analyzing the actions of administrators or potential attackers. You should have a basic understanding of permissions, daemons, processes etc., so that you can distinguish between what’s normal activity and what’s anomalous. Pretty much the same goes for Windows, with the addition of knowing error codes (don’t worry, that’s what Google is for). Getting some experience with databases is great as well, since you’ll see lots of those in your work as an analyst and should be knowledgeable about them in case they are under attack and you are supposed to detect things like injections.

raik’s recommendations: get hands-on experience. Install Linux on a virtual machine and start fiddling around, or follow a tutorial like Linux Journey. The same goes for Windows, but unfortunately I don’t know any sites similar to the previous one. Most of the stuff I know I’ve picked up at work or in my free time. Google is your friend here.

3. Networking

Understanding networking is possibly the most important skill to have as an analyst. As this post is geared towards entry-level people by a junior professional, I’m trying to cover the basics. So, the most important things under this topic are to understand how protocols like TCP, UDP, DNS, HTTP and IP work. This can be extended to mean basically all of the most used protocols of each layer of the OSI model. Knowledge about ports and firewalls is equally important. (Azure) Active Directory (AD) is used in almost every customer’s environment, so being familiar with it is golden and possibly puts you above other candidates, as it can be considered a slightly more advanced topic in networking if you don’t have prior enterprise IT experience. In your job as an analyst you will face lots of different tools that refine or handle logs from different sources, but the basics are the same behind every application. That’s why you need to know the basics. Cloud computing is used by every organization nowadays, but the concepts stay the same, with a little provider-specific stuff sprinkled on top.

raik’s recommendations: again, try to get hands-on experience. Install a server (VM), configure it, secure it. Go to your home router’s settings and learn to forward a port, or fiddle with your firewall’s settings. You can go wild and build a home lab, combining the previous point and this one. The process of building itself is a great way to learn and an amazing project to write about, one that you can show to your potential employer! YouTube and sites like Udemy are filled to the brim with great resources regarding this topic. I’ve personally enjoyed PowerCert Animated Videos for their easy-to-understand explanations of complex topics, and creators like David Bombal for longer videos on different topics.

4. Security concepts

Get familiar with some security concepts, if you haven’t already. After you’ve learned the basics of IT, operating systems and networking, you can start playing around with trying to make them more secure. Learn how to harden your servers, learn to configure your firewall, learn about encryption, learn what honeypots or CVSS are for, what MITRE ATT&CK is, etc. This is what you wanted to do in the first place, right? Sorry it took so long to get here. Now go wild and ingest as much information as you can. I can guarantee that it won’t go to waste, because there will always come a situation where something that you read about before has something to do with the thing that’s right in front of you. Reading things like threat intelligence reports or Twitter posts about vulnerabilities is a great way to learn and will help you understand things.

raik’s recommendations: again, install a VM and figure things out. Find mailing lists or Twitter accounts to follow that post interesting and relevant content. Do training on sites like TryHackMe or HackTheBox, or Udemy. Install intentionally vulnerable VMs like Metasploitable, JuiceShop or DVWA and start having fun. Maybe check out Blue Team Labs Online, CyberDefenders, malware-traffic-analysis.net…

5. Analysis tools

Now, after the previous steps you need to learn some tools that are relevant to your work as a security analyst. I’m talking about SIEMs and the like, of course. The most common ones I’ve seen are QRadar, Splunk and Azure Sentinel. Each of them is different, but the basic idea is the same: logs are fed into the SIEM, alerts are raised based on the rulesets that are created in it, and you, the analyst, are the one who looks through them and decides what will happen next. I think at least Splunk has free training, but the problem often is that these things are built and sold to companies, with free training being hard to come by. It’s possible to build your own SIEM lab by using Security Onion and other tools, but personally I’ve never done so. But it’s an option.
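To make the "logs in, rules evaluated, alerts out" idea concrete, here is a toy version of that pipeline as an added example; it is not code from the original post or from any of the SIEM products named above. The sshd-style log lines, the rule names and the thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sshd-style auth log lines (sample data, not from a real system).
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:03 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:05 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:06 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:08 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:05:00 sshd: Accepted password for alice from 192.0.2.10
2024-03-01T11:00:00 sshd: Failed password for bob from 198.51.100.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")

def parse(raw):
    """Ingest step: normalise raw lines into events; lines that do not match are dropped."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events

def run_rules(events, threshold=3, window=timedelta(minutes=5)):
    """Correlation step: two hypothetical rules evaluated in one pass in time order.
    - ssh_bruteforce (medium): >= threshold failures from one source inside the window
    - success_after_bruteforce (high): an accepted login from a source that is still
      over the threshold, i.e. the password guessing may have worked.
    Returns the alert queue sorted so the analyst opens the high-severity one first."""
    recent = defaultdict(list)          # src -> timestamps of failures still in window
    alerts, flagged = [], set()         # flagged dedups the medium alert per source
    for e in sorted(events, key=lambda x: x["ts"]):
        src = e["src"]
        recent[src] = [t for t in recent[src] if e["ts"] - t <= window]  # slide window
        if e["result"] == "Failed":
            recent[src].append(e["ts"])
            if len(recent[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src": src, "ts": e["ts"]})
        elif len(recent[src]) >= threshold:
            alerts.append({"rule": "success_after_bruteforce", "severity": "high",
                           "src": src, "user": e["user"], "ts": e["ts"]})
    return sorted(alerts, key=lambda a: {"high": 0, "medium": 1}[a["severity"]])
```

Running `run_rules(parse(SAMPLE_LOGS))` on the sample yields two alerts for 203.0.113.7 and none for the single failure from 198.51.100.5, which is the normal-versus-anomalous distinction a real ruleset is tuned to draw.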

Additionally, you should get familiar with tools that are used in analysis. Every analyst has different tools that they like to use, but personally I’ve used sites like VirusTotal, AbuseIPDB, Censys, Shodan, CyberChef…

raik’s recommendations: search Google for free training on the said products; sometimes some is available from different sources. For example, Black Hills Information Security has offered a free (or very inexpensive) SOC fundamentals course before. Explore ways to get training with relevant tools and technologies. Check “awesome lists” on GitHub, like: https://github.com/meirwah/awesome-incident-response.

6. Soft skills and mindset

Everyone knows it, but soft skills are just as important in IT as they are in normal life. You won’t ever be working alone as a security analyst, so it’s crucial to have the ability to work in a team. Chances are you will be talking to customers as well, as they might call you in the case of a security incident to ask for assistance, or you might need to call them to inform them about an incident. This ties in with the mindset that you need to bring as a beginner: you don’t know much. That is OK! But you need to have the courage to admit it and ask around. Your seniors will know when you’re trying to bullshit your way in with your vague or plain wrong answers. Instead, honesty is seen as a sign of trustworthiness in this industry. I know it sucks to lose a potential job if you don’t know something in the interview, but it’s even worse for you if you get caught lying about your skills or knowledge during the interview or after you’ve been hired. That’s why I advocate brutal honesty, which doesn’t mean you aren’t allowed to stop and think on your feet for a moment. That’s an admirable trait, compared to lying. Other traits that are marks of a potentially good analyst are critical thinking, an analytical mindset, precision and attention to detail, without forgetting curiosity and real interest in the industry.

Communication is key. Two distinct styles of communication come to mind right away: the clear, concise, explicit style needed when giving out information to another technical person or a customer service desk, for example, and the other, perhaps a little more verbose style that is used when explaining technical security topics to people who might not have a deep understanding of the domain, but work in close proximity to the industry regardless. Good, meaning transparent, clear and effective, communication sets a great analyst apart from a good one, offering even better prospects for the future. The world can never have enough people who are able to consistently transform their ideas into clear speech or writing.

raik’s recommendations: learn to talk with and be around people. Get comfortable with the idea of having to answer a phone call when a customer is having the worst day of their life in a good while, with their servers burning in the background. Understand that you are only a human who makes human errors, and recognize the same humanity in everyone you meet when you’re on the job, be they coworkers or customers, cleaners or CEOs. Ask for help and give help when asked. I believe most soft skills can only be learned through practice, so go and be with people. And maybe read How to Win Friends and Influence People by Dale Carnegie.

7. Bonus: what about programming?

No, you don’t need to know how to code. Yes, you will need to know how to read code. You will see PowerShell scripts and you need to understand what they do. Knowing how to code also sets you apart from those who don’t know, opening new possibilities for your career and possibly making certain steps of your work as an analyst easier through automation.

raik’s recommendations: none. I’m very bad at coding. Ok, maybe start with Python and Google some free courses for it, like the programming courses from the University of Helsinki’s MOOC platform. I’ve learned Python through some Udemy courses, but I guess there are better sources for courses as well. PowerShell is also a worthwhile thing to learn, if you’ve got the guts and work on/with Windows.

~

I guess that concludes this short-ish, opinionated piece on relevant skills for someone who is looking for a trainee or junior position within a SOC as an analyst, with some practical steps sprinkled here and there.

To be honest, I just wanted to get this document off of my desktop, since it’s been waiting for finishing touches for ages.

So yeah: go get ‘em, tiger. And don’t stop before you’ve reached your goals.