So You Want To Start A Cybersecurity Career
This post is geared towards those who want to start a career in cybersecurity—those who love the idea of hunting down hackers, tinkering with electronic devices, understanding how computers and operating systems work, and, of course, wearing a black hoodie in a coffee shop, looking mysterious.
So you want to start a Cybersecurity career?
I made a post like this months ago, but unfortunately, due to some configuration changes, I lost it (insert sad face). We’ve all been there, but oh well. The idea for this post stemmed from my love of cybersecurity and my passion for helping others learn about the field. Cybersecurity is crucial in the modern world, and having some level of knowledge about it can help us all defend ourselves better. This post is geared towards those who want to start a career in cybersecurity—those who love the idea of hunting down hackers, tinkering with electronic devices, understanding how computers and operating systems work, and, of course, wearing a black hoodie in a coffee shop, looking mysterious.
So how do you get started? What is it you want to do in cybersecurity? Are you an IT professional looking to pivot, or are you new to IT altogether and eager to get your foot in the door? There are many paths to take, but hopefully, this post points you in the right direction for your goals and aspirations, helping you decide if this is the right career for you.
About Me
A little bit about me… I’m a Sr. Threat Hunting analyst that works for a government entity. I started my IT/Cybersecurity career working at a small Managed Service Provider (MSP). Anyone who’s worked for an MSP knows they’re not easy to work for. You’re on call, you’re travelling to different clients, remediating network and system outages… it’s a great time… not. BUT! You do learn A LOT and a little bit about everything that occurs in a network. Some MSPs are large and some are small; the MSP I worked for I was 1 of 8 employees with about 30 different clients. Our client list ranged from organizations that had anywhere from 10 to about 100-150 employees, nothing crazy. You’re learning system administration, network administration, troubleshooting issues on Domain Controllers, conducting full infrastructure upgrades for new or existing clients, setting up a Domain Controller or Virtual Environments, or installing and configuring network or edge devices. It’s a great time to learn the basics. Now I’m not saying for your first job to work for an MSP but the learning curve is steep and you WILL learn a lot.
From there I worked my way into a Jr. Network Engineer role working for a slightly larger MSP that had a focus on data retention appliances. I spent a lot of time troubleshooting servers, network issues (it’s always DNS, lol), and remediating issues with our backup platforms. I learned a lot and my supervisor was EXTREMELY knowledgeable, an amazing person to learn from.
After working as Jr. Network Engineer I finally was able to get my foot in the door in a Cybersecurity role as an Information System Security Officer (ISSO) for the federal government. An ISSO mainly works in the governance, readiness, and compliance (GRC) field/area of Cybersecurity. There are many different fields/areas of Cybersecurity and we will get to that shortly so you can decide on the route you want to take to give yourself a fulfilling career. This role consisted of ensuring the environment I was “in-charge” of met regulatory compliance and OPM guidelines. It involved me reviewing Tenable reports, which is a vulnerability management software and communicating with the System and Network administrators to ensure those vulnerabilities were remediated. If they were unable to be remediated due to potentially affecting the availability of other applications in the environment, justification letters had to be requested and someone much much higher had to sign off and accept the risk. I did not stay in this role much longer, due to an amazing opportunity of what I actually wanted to do came up… a Tier 1 (T1) Security Analyst position work in a Security Operations Center (SOC).
When I interviewed for the T1 SOC Analyst position I was STOKED!!! What a great opportunity to be offered. At the end of the interview I was asked a quite comical question “Do you like vinegar or mustard based BBQ sauce?” I laughed haha, now I’m not going to tell you my answer, but you get to ponder that for yourself. As a SOC analyst we work on triaging alerts that come into a Ticket Management System. A lot of this work relies on alert based tools such as System Information and Event Monitoring (SIEM), Endpoint Detection and Response (EDR), and Firewall/Intrusion Prevention/Detection System (IPS/IDS). If you’re in a more established SOC role, hopefully you’ll have what are called Play Books that provide a step-by-step instruction depending on the use case (alert) being triggered. For example, you can have an alert that triggers when a machine in your environment establishes a connection to an IP address that has been reported by intelligence sources as potentially malicious. You’d follow a Play Book that has a step-by-step process on how to investigate this alert via the SIEM and EDR. This is vital to streamlining processes and increasing workflow for your SOC analysts. A good resource for how a SOC works would be the book ‘Blue Team Handbook: SOC, SIEM, and Threat Hunting (V1.02) A condensed Guide for Security Operations Team and Threat Hunter’ by Don Murdoch. Don Murdoch has over 20 years of IT and InfoSec experience and has a great relationship working with SANS. (More on SANS later).
After a year of working as a T1 SOC Analyst, I was given the opportunity for a lateral promotion within the organization as a Sr. Threat Hunting analyst. Threat hunting in general is relatively new to the Cybersecurity industry. The purpose of this role is to proactively look for threats in the environment that your tools were unable to catch, and yes this happens more often than not, especially when dealing with sophisticated threat actors or Advanced Persistent Threats (APTs). As a Threat Hunter you’ll work closely with your Cyber Threat Intelligence (CTI) team to gather Open Source Intelligence (OSINT). The OSINT data can pertain to an APT’s Tactics, Techniques, and Procedures (TTPs) on how they compromise a network environment. You’ll investigate potentially exploited vulnerabilities in your environment and look for compromise. You will also hunt malware and use forensic analysis reports to help understand how the malware executes on a system and what files, registries, and directories to look in. It’s a pretty neat gig and there’s so much more. This is my current position and I’m happy to have this opportunity, it’s pretty much a dream job for me.
What are some cool Cybersecurity roles?
This all depends on the flavor you enjoy… Personally, I like looking for the ‘bad’ on a network as a Sr. Threat Hunting Analyst. It’s fun and reminds me of a book I really enjoy called ‘The Cuckoos Egg’ by Cliff Stroll. Amazing book and a true story about an astronomer that begins a quest to expose a hidden network of spies that threatens national security and leads all the way to the KGB. What started off this investigation was following a 75-cent accounting error at his work place. Amazing if you ask me. This could be you one day… it really could!
So let’s get to it… Cybersecurity Roles
Security Operations Analyst
This is probably one of the most common roles you’ll hear about in the security industry. You’ll be responsible for monitoring, detecting, analyzing, and responding to security threats and incidents within an organization’s environment. They play a crucial role in safeguarding the organization’s data, systems, and networks by identifying vulnerabilities and mitigating risks. As mentioned previously in my ‘About Me’, you’ll respond to SIEM, EDR, and Firewall/IDS/IPS alerts and triage these incidents. You’ll need technical skills such as understanding how a SIEM and EDR function, how to analyze logs and correlate the events with one another, you’ll also need to know how TCP/IP works, how Domain Name Systems (DNS) works, and the Internet Protocol (IP) and much more. Soft skills are very important as well; it is crucial that you have communication skills, verbal and written. Although we are IT professionals, sometimes we are socially awkward, and that’s okay. I’d like to say written skills over verbal, you’ll be conducting write-ups of your investigations and you’ll need to elaborate why you looked at xyz log for xyz reason and how it can or cannot be malicious in nature. This is so other analysts can reference your investigation if a similar alert or incident occurs in the environment. An amazing book that some of our analysts reference is the ‘Effective Threat Investigation for SOC Analysts: The ultimate guide to examining various threats and attacker techniques using security logs’ by Mostafa Yahia.
Core Responsibilities (to list a few…)
- Investigate, analyze, and respond to security incidents in real time.
- Contain and mitigate security breaches or threats to minimize impact.
- Continuously monitor security alerts, logs, and events from various tools and systems (e.g.SIEM, IDS/IPS).
- Analyze and correlate data from multiple sources to identify complex threats.
- Identify suspicious activities or patterns that may indicate a potential security threat.
Technical Skills
- Understanding of Security Information and Event Management (SIEM) tools (Splunk, QRadar, Azure Sentinel, Elastic Stack, etc. etc.)
- Endpoint Detection and Response (EDR) tools (SentinelOne, Carbon Black, Crowdstrike)
- Log Analysis and Event Correlation (Windows Event Logs, Linux Syslogs, Application, and Network)
- TCP/IP, DNS, and HTTP/HTTPs protocols Scripting (Powershell, Python, bash, etc. etc.)
Soft Skills
- Verbal and Written Communication
- Analytical thinking
- Attention to detail
- Continuous Learning
- Problem-Solving
Cybersecurity Incident Responder
Large organizations have multiple teams that work alongside one another such as the SOC team, Cyber Incident Response Team (CIRT), and a Red Team (more on that soon). If a SOC analyst conducts triage on an incident that results in a True Positive finding and depending on the defined scope of the incident, you as an Incident Responder get to conduct digital forensics and incident response (DFIR) on the device. During the DFIR process you’ll identify malicious activity that has occurred on the device which can include malware and associated artifacts (file paths, DLL files, executables, C2 communication, etc. etc.), if lateral movement occurred, credential dumping, and more! This can also lead to a further investigation by the CIRT to look for the malicious artifacts in the rest of the environment. The latter can also be a Threat Hunting function as well, which is called looking for ‘Attack Residue’. A great resource for DFIR would be ‘Digital Forensics and Incident Response’ by Gerard Johansen.
Core Responsibilities
- Digital Forensics and Incident Response
- Incident Containment
- Eradication of Threats
- Recovery and Restoration
- Incident Documentation
- Post-Incident Analysis
Technical Skills
- Malware Analysis
- Reverse Engineering
- Log Analysis (System Logs, Windows Event Logs, Network & Application Logs)
- Digital Forensics
- Disk Imaging and Analysis
- Identifying Indicators of Compromise (IoCs)
- Scripting (Python, Bash, Powershell, Perl, etc. etc.)
- Cryptography and Encryption
Soft Skills
- Attention to detail
- Verbal and Written Communication Skills
- Analytical thinking
- Problem-Solving
- Adaptability
- Curiosity and Continuous Learning
- Organizational skills
Penetration Tester (lol)
Also known as a PenTester or Ethical Hacker can work as an individual contractor or as a member of a Red Team. A PenTester simulates cyberattacks against organizations under a contractual agreement to identify vulnerabilities in an organization’s systems, networks, applications, and processes. PenTesters have a designated scope they have to abide by when conducting a pentest against an organization so they do not disrupt or impact the confidentiality, integrity, or availability of systems in the environment. This scope is identified by key stakeholders of the organization and what they want accomplished by the PenTester. The goal of a PenTester is to enhance the security posture of the organization by providing actionable recommendations to mitigate risks. Although all of this sounds ‘cool’ a large portion of your job will be writing the report and how the vulnerabilities can be remediated. P.S. PenTesters are not only focused on systems and networks, but they also can conduct physical pentesting! Physical PenTesters look for ways to enter an organization’s facility by exploiting physical security protocols in the environment. This could entail copying or fabricating Common Access Cards, impersonating as a 3rd party company that works with the organization, tailgating, etc. etc. The Lockheed Martin Kill chain provides a great representation of how threat actors and ethical hackers would exploit an environment. There are several different books out there but this one hits the nail on the head and will provide insights for an aspiring PenTest; ‘The Hacker Playbook 3: Practical Guide to Penetration Testing’ by Peter Kim.
Core Responsibilities
- Planning and Scoping with Stakeholders
- Vulnerability Assessments
- System, Network, Physical Exploitation
- Reconnaissance and Information Gathering
- Reporting and Documenting
- Collaborate with teams
- Tool Development and Custom Exploits
- Staying up to date with emerging threats, attacks, and tools.
Technical Skills
- Scripting/Automation (Python, Bash, Powershell, Javascript)
- PenTesting Tools (Metasploit, Burp Suite, WireShark, Nessus)
- Network Architecture Knowledge
- Windows Active Directory
- Familiarity with exploits and vulnerabilities
- Network Protocols
- Defense Evasion
- Web Applications
Soft Skills
- Analytical Thinking
- Strong Verbal and Written Communication
- Attention to detail and persistence
- Ability to explain findings to non-technical audiences
- Problem-Solving
These are just a few of the many different roles you can pursue in a cybersecurity career. Some other ones that may be of interest to you will be an Information System Security Officer/Manager, Cybersecurity Consultant, DevSecOps, Security Automation Engineer, and many others. I’ll dive more into different opportunities you can pursue to help establish some of your technical skills and provide some reading material for you as well.
Ah yes, education!
Education is FUTILE in this career field! Whether it’s personal education through white pages, books, and googling or through professional education via a university, education will provide beneficial skills and knowledge to help you excel at your job and life in general. I’m going to cover different certifications you can pursue, online hands-on training, and online sources for webinars and white pages. Although I feel that my education from a university was beneficial, I feel that you can gain a lot of knowledge of equal, if not better value from other sources.
Certifications
Here’s a small list of cybersecurity certifications or general IT certifications that will assist you in providing baseline knowledge of relevant cybersecurity topics. Certifications are meant to give you a BASELINE not make you an expert. They will NOT get you a job, but they can give you the opportunity to acquire an interview.
CompTIA Security+ - this certification is the cream-of-the-crop, globally recognized, basic cybersecurity certification that provides and validates foundational cybersecurity knowledge and skills. It really is the baseline of cybersecurity knowledge and can definitely assist with getting an intro-level position in cybersecurity. Some federal and state agencies do require CompTIA Security+ in order to acquire and maintain a position. Check out this qualification matrix. The current CompTIA Security+ Exam is SYO-701. The skills you acquire are general security concepts, you’ll learn about threats, vulnerabilities, mitigations, security architecture, security operations, and security program management and oversight.
CompTIA CySA+ - CySA stands for Cybersecurity Security Analyst, it’s a bit more advanced than the Security+ certification and a lot of the material actually transfers over from the Comptia Security+ exam. For myself, I actually took the CySA+ not too long after completing the CompTIA Security+ 601 exam. This certification is an intermediate-level credential focused on the detection, prevention, and response to cybersecurity threats. It is ideal for cybersecurity professionals looking to advance their careers in threat management, vulnerability management, and incident response.
CompTIA Network+ - If you want to get a baseline of how network operations work with a bit of network security in there, then Network+ is a great addition to your repertoire. I believe that networking provides fundamental knowledge
Security Blue Team - BTL1 is designed to train technical defenders that are capable of defending networks and responding to cyber incidents. The skills and tools you’ll learn in this course will be directly applicable to a range of security roles, and are actively used by defenders around the world.
EC-Council Certified Incident Handler - A Certified Incident Handler is a skilled professional who is able to handle various types of incidents, risk assessment methodologies, and various laws and policies related to incident handling. A certified Incident Handler will be able to create incident handling and response policies and deal with various types of computer security incidents such as network security incidents, malicious code incidents, and insider attack threats.
SANS GSOC SEC450 - SEC450 is a course designed from the ground up to be the most comprehensive SOC analyst training course available. If you are working in cyber defense operations, building a SOC, or want to improve the SOC you already with better data, workflow, and analysis technique, SEC450 is the course for you! By providing a detailed explanation of the mission and mindset of a modern cyber defense operation, this course will jumpstart and empower those on their way to becoming the next generation of blue team members. With six days of training, six course books, twenty hands-on labs, and an all-day Defend the Flag Capstone competition, there is simply no other offering on the market as complete as SEC450 for SOC and security analyst training.
SANS GCFA - Threat hunting and incident response tactics and procedures have evolved rapidly over the past several years. Your team can no longer afford to use antiquated incident response and threat hunting techniques that fail to properly identify compromised systems, provide ineffective containment of the breach, and ultimately fail to rapidly remediate the incident or contain propagating ransomware. Incident response and threat hunting teams are the keys to identifying and observing malware indicators and patterns of activity in order to generate accurate threat intelligence that can be used to detect current and future intrusions. This in-depth incident response and threat hunting course provides responders and threat hunting teams with advanced skills to hunt down, identify, counter, and recover from a wide range of threats within enterprise networks, including APT nation-state adversaries, organized crime syndicates, and ransomware operators.
ISC2 CGRC - CGRC professionals utilize frameworks to integrate security and privacy within organizational objectives, better enabling stakeholders to make informed decisions regarding data security, compliance, supply chain risk management and more.
OSCP - The OffSec Certified Professional (OSCP+ & OSCP) certification, are designed for cybersecurity professionals to validate practical, hands-on skills in ethical hacking and penetration testing. The OSCP+ certification is issued upon completion of the exam, anytime after November 1, 2024. Successful candidates demonstrate proficiency in identifying vulnerabilities, exploiting systems, escalating privileges, and documenting their findings in a real-world environment. The certification is relevant to roles such as penetration testers, security analysts, and consultants, confirming their ability to conduct comprehensive security assessments.
Hands-On Training!
Everyone in this field, well almost everyone LOVES hands-on training, especially if it’s directly applicable to our everyday roles and responsibilities.
Vuln Hub -
Build a Home Lab!
Honestly, this one of the best ways for you get your foot in the door with some practical experience, besides my favorite, Try Hack Me. With a home lab you’ll receive hands-on experiencing setting up a SOHO (Small Office/Home Office) network. You can deploy a virtual firewall (pfSense) to achieve hands implementation of network security. Adding a small network switch to connect your devices to, maybe implementing a Wireless Access Point (AP) as well to customize your WiFi. Setup Virtual Local Area Networks (VLANS) to isolate maybe your PC from your Internet of Things (IoT) devices (TV, Alexa, Wireless Lights, etc. etc.). You can also setup a small Security Operations Center environment by implementing Security Onion. Security Onion is an open-source software with a suite of tools that range from an Incident Management System (IMS) to a Security Information and Event Management (SIEM) system known as Elastic. Another avenue of approach includes taking a laptop (with enough ram and space, of course) or finding a server and building a virtual environment with ProxMox. Building a virutal environment will allow you to create a testing environment to learn how different attacks work. Essentially, ingesting your virutal machine logs into Elastic, learning how to use the SIEM, you can detect and investigate events occuring in your testing environment, and even identify the mock experiments you conduct in a safe environment.
My home lab is quite small but it includes the following…
GeekPi 8U 10” Server Rack (Tiny)
GeekPi DeskPi RackMate Mini-ITX 1U Rack
GeekPi 12 Port Patch Panel
GeekPie 7 Port DC Power Distribution Unit
Netgear 8 Port PoE Switch
Unifi Wireless Access Point
Protectli Vault with pfsense installed
1ft 10Gbps 5-Pack Cat 6 Ethernet Cables
MINISFORUM BD790i Mini PC Ryzen 9 (Hosts My ProxMox)
6” (.5ft) 10-Pack Cat6 Shielded Ethernat Cable\
Reading Material
Operator Handbook - The Operator Handbook takes three disciplines (Red Team, OSINT, Blue Team) and combines them into one complete reference guide. The book contains 100+ individual cheat sheet references for many of the most frequently used tools and techniques by practitioners. Includes content to assist the most seasoned cybersecurity veteran or someone just getting started in the career field. The goal of combining all disciplines into one book was to remove the artificial barriers that only certain knowledge exists within a “Team”. The reality is today’s complex digital landscape demands some level of knowledge in all areas. The “Operator” culture should mean a well-rounded team member no matter the “Team” you represent. All cybersecurity practitioners are Operators. The Blue Team should observe and understand Red Team tactics, Red Team should continually push collaboration with the Blue Team, and OSINT should continually work to peel back evidence of evil doers scattered across disparate data sources. In the spirit of having no separation, each reference is listed in alphabetical order. Not only does this remove those team separated notions, but it also aids in faster lookup. Also almost every topic is covered in “How to exploit X” and “How to defend X” perspectives. Tools and topics covered: Cloud Services, Operating Systems, Mobile, OSINT, Ports, Forensics, Malware Resources, Defender tools, Attacker tools, OSINT tools, and various other supporting tools (Vim, iptables, nftables, etc…). This handbook was truly meant to be a single source for the most common tools and techniques an Operator can encounter while on the job.
Practical Malware Analysis - For those who want to stay ahead of the latest malware, Practical Malware Analysis will teach you the tools and techniques used by professional analysts. With this book as your guide, you’ll be able to safely analyze, debug, and disassemble any malicious software that comes your way.
Blue Team Handbook: SOC, SIEM, and Threat Hunting - Blue Team Handbook: SOC, SIEM, and Threat Hunting Use Cases is having an amazing impact on Security Operations worldwide. This listing is for V1.02.BTHb:SOCTH provides the security practitioner with numerous field notes on building a security operations team, managing SIEM, and mining data sources to get the maximum amount of information out of them with a threat hunting approach. The author shares his fifteen years of experience with SIEMs and security operations is a no frills, just information format. This book covers the topics below using a “zero fluff” approach as if you hired him as a security consultant and were sitting across the table with him (or her).The book begins with a discussion for professionals to help them build a successful business case and a project plan, decide on SOC tier models, anticipate and answer tough questions you need to consider when proposing a SOC, and considerations in building a logging infrastructure. The book goes through numerous data sources that feed a SOC and SIEM and provides specific real world guidance on how to use those data sources to best possible effect. Most of the examples presented were implemented in one organization or another. These uses cases explain on what to monitor, how to use a SIEM and how to use the data coming into the platform, both questions that Don found is often answered poorly by many vendors.
Effective Threat Investigation for SOC Analyst - Effective threat investigation requires strong technical expertise, analytical skills, and a deep understanding of cyber threats and attacker techniques. It’s a crucial skill for SOC analysts, enabling them to analyze different threats and identify security incident origins. This book provides insights into the most common cyber threats and various attacker techniques to help you hone your incident investigation skills.
Learn Computer Forensics - Computer Forensics, being a broad topic, involves a variety of skills which will involve seizing electronic evidence, acquiring data from electronic evidence, data analysis, and finally developing a forensic report. This book will help you to build up the skills you need to work in a highly technical environment. This book’s ideal goal is to get you up and running with forensics tools and techniques to successfully investigate crime and corporate misconduct. You will discover ways to collect personal information about an individual from online sources. You will also learn how criminal investigations are performed online while preserving data such as e-mails, images, and videos that may be important to a case. You will further explore networking and understand Network Topologies, IP Addressing, and Network Devices. Finally, you will how to write a proper forensic report, the most exciting portion of the forensic exam process.
Practical Threat Intelligence and Data-Driven Threat Hunting - Threat hunting (TH) provides cybersecurity analysts and enterprises with the opportunity to proactively defend themselves by getting ahead of threats before they can cause major damage to their business. This book is not only an introduction for those who don’t know much about the cyber threat intelligence (CTI) and TH world, but also a guide for those with more advanced knowledge of other cybersecurity fields who are looking to implement a TH program from scratch. You will start by exploring what threat intelligence is and how it can be used to detect and prevent cyber threats. As you progress, you’ll learn how to collect data, along with understanding it by developing data models. The book will also show you how to set up an environment for TH using open source tools. Later, you will focus on how to plan a hunt with practical examples, before going on to explore the MITRE ATT&CK framework.