Insights and resources for aspiring security analysts.
Carlos E.
CIRT @ Accenture | Cybersecurity Incident Response, Threat Detection, Identity Governance
In July, I will have accumulated four years of experience in a Security Operations Center role. Every now and then, I get messages from aspiring security analysts, and the question is usually the same: I want to break into Cybersecurity, what do you recommend?
I've spoken with a few other analysts, and unfortunately, getting an entry level job in cyber is a double-edged sword: there isn't a clear and defined path. This is great because it means anyone can get a job if they are persistent and have time plus resources. On the other hand, what worked for some will not work for others. Some people network with others via LinkedIn, others were interns through college, and sometimes, people got lucky.
I got into Cybersecurity because I was at the right place and time. I had finished a cybersecurity boot camp, obtained the Security+ certification, and met recruiters at school. Thinking about it, I owe my networking professor, Mohamed Hosain, a huge thank you. Four to five years ago, the networking class was about to start, and I informed the professor that I had passed the CompTIA Security+ exam; he told me that I would be excused from class and to speak to the recruiters that were at the school. I did and the rest is history. If I had not done that, I doubt I would be where I am today. I am here to share my experience and journey over the last four years.
I have divided the sections into:
Job Hunting - Searching for your first role:
The challenge of breaking into a security analyst role, or any other Cybersecurity-related role, is the multitude of technologies to learn, with each company having its preferred security tools. Additionally, cybersecurity, in my opinion, isn't considered a true entry-level job as analysts are expected to have foundational knowledge across various areas - Windows, Linux, CLI/Powershell/Bash, networking, SIEM, TTPs/IOCs, etc.
You don't have to learn all the tools out there, so narrowing your focus is best. I highly recommend Jason's job-hunting guide from Antisyphon Training if you're new to cyber or looking to pivot into a different role. His guidance is not only concise but also of high quality:
Additionally, if you are interested in a security analyst role, the HackTheBox interview questions are solid, and I've been asked a fair amount of them when I've gone through interview rounds:
Certifications or College Degree:
The short answer is to get both if you can.
The debate between certifications and college degrees in cybersecurity often boils down to individual preferences or employer requirements. While some employers prioritize certifications, others place greater emphasis on a college degree. In some cases, specific roles may mandate a college degree as a prerequisite.
Having experienced both sides of this debate, I've learned that the right path depends on your circumstances. For those considering a college degree but facing financial challenges, institutions like Western Governors University (WGU) offer affordable programs that include well known certifications.
If pursuing a degree isn't feasible, I recommend obtaining at least the CompTIA Security+ certification as a foundational step. While it won't make you a cybersecurity expert, it demonstrates dedication and provides essential theoretical knowledge.
However, given the prevalence of Security+ among aspiring analysts, additional efforts are necessary to differentiate yourself. Building home labs, attending cybersecurity events to network, and actively sharing your projects and insights on platforms like LinkedIn can significantly enhance your visibility and appeal to potential employers.
Training Platforms:
The industry is now flooded with various training platforms. If you look at my history, I've done a bit of everything throughout the past four years. Online training platforms like TryHackMe, HackTheBox, Security Blue Team, Cyber Defenders, and others are great if you are limited on physical resources or time and prefer to work on labs rather than try to fix things breaking apart.
That said, I have found that I learn more from platforms or books that push home labs because I am forced to configure applications, forward logs to SIEMs, and understand the underlying complexities of technologies. This understanding will help more down the road as you go from trying to understand alerts to understanding why a threat was not detected. It could be that the right logging was not in place, or it is a new TTP.
Online Platforms:
Home Labs:
Now, in my opinion, there isn't any perfect training platform that will teach you everything that you need to know. What's considered easy or fundamental knowledge for some may be challenging for others, depending on individual skill levels. As you advance, you'll discover that learning from multiple sources is best, albeit with one caveat: commit to completing what you start.
Pre SOC Path: Training I wish I would have done prior to starting my SOC role.
Once you have completed Jason's job-hunting guide and decided on the certifications or skills you need to improve, below is a path I recommend based on my experience. This path assumes you have already earned the CompTIA Security+ (possibly Network+), looked at a SIEM like Splunk, Elastic, or another, and refined your job search to 3-5 roles that touch on similar security products. The trainings below will only help a little on a resume; however, if you do them, you will come into an interview more confidently. They are not listed in any specific order; I just shared them as I looked at my notes.
Before a SOC Role:
The course from Level Effect is free and will greatly expand on the theoretical knowledge from the Security+. The course is very hands-on, so make sure to take notes. For the record, I have only started it, but I can already tell it is pretty solid.
Enterprise Security Fundamentals from Blue Cape Security touches on fundamental topics that are often missed in other training courses I've taken. You will learn how threat actors abuse GPOs, how to enable and check the right logging, LOLBin abuse for network recon, and more. If you don't have sysadmin experience, this will help tons.
TryHackMe | SOC Level 1 Training (monthly subscription)
A great and affordable training path that covers a diverse set of tools and knowledge for aspiring analysts. I would even go as far as to recommend Level 2.
After attaining SOC role - Year 0 - 2:
Blue Team Level 1 Certification | Security Blue Team (my #1 pick for entry-level analysts)
By far the best entry-level certification that covers most, if not all, areas of security that an analyst will touch day to day. That said, it isn't a walk in the park. The 24-hour exam is challenging if you don't have prior experience in a SOC role or haven't spent some hours doing labs/training.
The HTB path covers various attack paths and techniques that I have observed over time in an enterprise environment. Their training will strengthen your analysis skills on Windows attacks and more. I have not taken the exam yet, but I enjoyed the training modules.
A great playlist that will help with file hashes, knowing how to use open-source intelligence for analysis, and how to discard false positives. This is a tool that you will use quite a lot, so understanding how it works is crucial.
TCM's Practical Malware Analysis course covers in depth how to safely analyze malware. You don't have to become a master at it, but understanding the basics behind it will help.
Understanding web application security even at a foundational level will put you above the rest. This will also pay its dividends down the road if you wish to pursue red or purple teaming.
CCD is possibly the most difficult one out of the resources listed above. However, it does an exceptional job on digital forensics and closely resembles a SANS course. It is also heavy on threat hunting, and a solid understanding of Windows and Linux is expected.
Resources to read or bookmark:
People to follow:
If you are interested in KQL:
Summary:
I hope the article provided some guidance. The resources and bookmarks I shared are what I typically share with others via direct messages. The critical point here is to ensure you are continuously learning and staying curious. Read the DFIR Report to understand breaches and known TTPs to watch out for that should raise red flags.
Network with other professionals on LinkedIn, but please limit DMs with generic questions that could be answered via a quick Google search. Additionally, limit guidance from people with questionable records and thoroughly review a professional's credentials.
I like to follow a select few users for updates, to see what they are working on, and to add their training to my list. Lastly, remember to be kind; we all start somewhere.
Cleared Professional | CySA+ | Sec+ | Net+
6 months ago: Great post with valuable insight. Thank you.
Dispatcher/Helpdesk at Overview Technology Solutions
6 months ago: This is super useful. Thank you for posting this!
Cybersecurity Professional |GRC|Python|Azure|Sentinel|Digital Forensics
6 months ago: Bookmarked! I'll be coming back to this page regularly to follow links. Thanks!
SOC Analyst at Triskele Labs | Cybersecurity Analyst | Certified CyberDefender (CCD) | CySA+ | Network+ | AZ-900 | SC-900 | Former Scientist |
6 months ago: Great guidelines and tips as usual! Thanks for sharing it. I would suggest following Simply Cyber for daily cybersecurity news and Jack Rhysider's Darknet Diaries podcast for interesting stories.
Cybersecurity Practitioner | GRC Specialist
6 months ago: Nicci Colby