Blue Teaming
sebh24,
Feb 16
2024
The threat landscape is always evolving and SOC analysts are seeing their responsibilities shift. With more pressure to adapt to new tech and threats, assessing your skillset and embracing continuous upskilling is key to progressing your career.
In this post, we share vital technical and soft skills that SOC analysts need to master their roles, whether they are new to the job or experienced professionals.
By conquering these skills, you’ll not only be a better analyst but will stand out as a forward-thinking SOC who’s leading the way.
SOC stands for Security Operations Center. Pair this with the term analyst, and you’ve got a professional who safeguards an organization’s critical IT infrastructure.
Essentially, a SOC analyst constantly monitors an organization’s computer systems, monitoring any suspicious activity or security breaches. They investigate anything suspicious to understand whether it’s a real threat to the company.
This involves identifying, investigating, and escalating security alerts, making them an essential player in any organization’s cybersecurity team.
Want to learn more about the wonderful world of SOC analysts? Check out our Q&A with a seasoned Blue teamer!
There are no set rules or boxes that need to be ticked in order to become a SOC analyst. However, there are some steps you can take to get your foot in the door.
Education: a degree isn’t a prerequisite for a cybersecurity career, but a bachelor’s degree in computer science, information technology, or a related field can be useful.
Certifications: most SOC analysts will have taken CompTIA certifications (including A+, NetworkX, and Security+). At Hack The Box (HTB), we offer the Certified Defensive Security Analyst (CDSA), a highly hands-on certification that assesses the candidates’ security analysis, SOC operations, and incident handling skills. Not to mention it looks great on your resume, covering all of the skills listed below!
Related experience: whether you’ve previously worked in information security at a helpdesk or have tackled some HTB Machines, having proof of practical skills or experience will help you stand out.
Start your cybersecurity career with HTB CDSA
Why choose HTB Certified Defensive Security Analyst (CDSA)?
Start as a noob. Finish as a “job-ready” professional. CDSA is beginner-friendly certification that leaves you with intermediate-level skills upon completion. Stand out to recruiters and hit the ground running!
Highly hands-on certification that builds and tests your analysis, SOC operations, and incident handling skills in real-world environments. (You’ll have to compose a commercial-grade security incident report to pass.)
Stand out with unique skills: HTB is recognized for content that builds creativity, in-depth knowledge, and outside-of-the-box thinking required for real-world incidents.
As the demand for SOC analysts grows, so does the scope of their roles. Over recent years, we’ve seen a huge migration to the cloud alongside remote work, expanding the attack surface of many organizations.
This forces SOC analysts to continuously upskill in order to stay ahead of the latest attacks and threats to infrastructure. As a result, modern analysts are required to adopt a number of skills to effectively safeguard an organization’s systems.
The technical foundations need to be built before embarking on a career as an analyst. These skills will set you up for success and allow you to effectively safeguard IT infrastructure. Many of these can be learned through hands-on upskilling when following our SOC analyst job-role path.
Become a job-ready SOC analyst
Learn core security monitoring and security analysis concepts. You’ll gain a deep understanding of tools, attack tactics, and methodologies used by cybercriminals.
Practice with hands-on exercises. Put theory into practice with plenty of exercises to push your knowledge to its limits!
Leave with the right mindset. Becoming a SOC analyst is about the mindset, you’ll learn how to think like a hacker so you can defend against them.
As a SOC analyst, you’ll often collaborate with cybersecurity engineers and security experts to cultivate threat mitigation strategies. So an understanding of coding and programming is vital to help you and other teams analyze large datasets, detect threats, and build network monitoring and incident response tools.
Some of the best programming languages to learn for SOC analysts include:
Python.
PowerShell.
Bash.
SQL.
Perl.
Get everything you need to know to create valuable scripts.
Make your first “homemade” tool for cybersecurity using Python.
Enjoy a hands-on guided learning environment to practice Python-related cybersecurity skills for both offensive and defensive security.
An incident in cybersecurity refers to an event that compromises the integrity, confidentiality, or availability of an information system or the data it contains.
In other words: a potential threat that negatively impacts a network or environment.
Incident handling is a clearly defined set of procedures teams use to document, manage, and rapidly respond to potential and actual threats.
In fact, in our report on developing the modern SOC analyst, we found that 46% of incident responders rated knowledge of Incident Handling Processes and Methodologies as the most important technical skill for SOC analysts.
A log is a detailed computer record that captures information, documenting things such as messages, errors, file requests, file transfers, and sign-in requests.
So, a log analysis is the act of reviewing and interpreting these logs to identify bugs or potential security threats. A log analysis can also be conducted to ensure that users are acting compliant.
Often, a log analysis is required by law to ensure compliance with regulatory requirements. However, a SOC analyst also needs to understand how to analyze logs to ensure anomalies are quickly identified and threats are contained.
Part of a SOC analyst’s role is to reduce the “dwell time” between an actual security breach and its detection.
Enter: threat hunting. This is an important skill for SOC analysts as it helps reduce dwell time and stop malicious actors at the very beginning of the cyber kill chain.
So, what does threat hunting entail? It’s a practice that involves the monitoring and analysis of network data to uncover the more stealthy threats that can evade existing security systems.
As a SOC analyst, you’re the defender and gatekeeper of your organization’s network. So, it's your responsibility to monitor, discover, and analyze any potential threats that are accessing or infiltrating the network.
But monitoring a network for anomalies sounds a little broad. What are the use cases? Here’s why you might conduct network traffic analysis:
Collecting a record of what’s happening on your network.
Detecting any malware.
Improve the visibility of devices connected to your network.
Responding to security incidents faster due to the additional detail and context you have from historical network records.
Monitor any suspicious traffic.
DFIR skills should be a part of any SOC analyst’s toolbelt. Applying a form of forensic science to defense ensures that any cyber attacks are quickly identified, investigated, and remediated.
DFIR comprises of two skill sets:
Digital forensics: the examination of digital evidence to gain information about an attack and who the attackers may be. This includes the recovery, investigation, examination, and analysis of information on devices.
Incident response: a process you follow to prepare, detect, contain, and recover from a possible data breach.
💡 Recommended read: Our top 5 DFIR labs for beginner analysts (to get good fast)
Whilst digital forensics is more reactive to cyber threats, when paired with a strong incident response skillset, you’re proactively preparing to detect and contain any possible data breaches.Related read: 5 anti-forensics techniques to trick investigators
As our workforce becomes more distributed with a sharp rise in remote work, we are becoming increasingly reliant on the cloud to store data and host IT infrastructure. This was highlighted in our SOC analyst report, which found that over 40% of professionals believe cloud security skills will be a key priority for analysts over the next five years.
Better detection of vulnerabilities in cloud landscapes is a critical skill for the next generation of analysts entrusted with defending cloud infrastructure.
Put your cloud defensive skills to the test with our Sherlocks Labs:
Nubilum 1 | Nubilum 2 |
Scenario: Our cloud administration team recently received a warning from Amazon that an EC2 instance deployed in our cloud environment is being utilized for malicious purposes. |
Scenario: A user reported an urgent issue to the helpdesk: an inability to access files within a designated S3 directory. This disruption has not only impeded critical operations but has also raised immediate security concerns. The urgency of this situation demands a security-focused approach. |
Security Information and Event Management (SIEM) is the lifeblood of a SOC analyst. This skill set helps cybersecurity teams spot and prevent threats and vulnerabilities early before they have a chance to do damage.
SOC analysts will use SIEM tools for log management, event correlation, and incident response purposes. Understanding how to collect and analyze this data is essential to detect and block attacks, making it a valued skill in your arsenal.
Whilst SOC analysts aren’t hackers like penetration testers, they still need to understand how cyber criminals think by embracing the offensive side of security.
Does this mean analysts need to learn how to hack?
Of course not! But a strong grasp of penetration testing is essential to assess systems, networks, and web applications, spotting vulnerabilities, and alerting teams to potential threats.
SOC analysts who think like hackers are more effective at their roles, as they are able to actively predict behavior and understand what vulnerabilities cybercriminals exploit.
This purple team approach is essential for both red and blue teams to effectively attack and defend. Our Sherlocks Labs facilitate purple team upskilling with defensive and offensive versions of Machines for the full 360 learning experience:
Sherlocks |
Offensive |
There’s been a potential security breach within Forela's internal network. It’s your job to investigate, putting your digital forensics and network security skills to the test. |
Exploit an unauthenticated arbitrary file read vulnerability, gaining full administrative access to the machine. |
A critical alert has been raised over a newly implemented Apache Superset setup. You need to investigate and confirm the presence of any compromise. |
Test your web application skills as you attempt to exploit a vulnerability in Apache Superset. |
You have been tasked with the analysis of artifacts from a potentially compromised GitLab server. |
Explore how you can exploit and gain a foothold in a GitLab server. |
Whilst technical skills are essential for all analysts, there are plenty of soft skills that’ll help you excel in your career. Being able to work with a variety of different teams and spread the message of cybersecurity throughout the organization will be invaluable.
All cybersecurity professionals require a hacker mindset, whether they are blue, red, or purple. The hacker mindset is a way of thinking like a hacker would, driven by curiosity and a need to discover how things work.
Having the unique ability to think outside the box and anticipate problems, proactively thinking of solutions, will help you effectively defend your company against cybercriminals.
Thinking outside the box is facilitated by continuous upskilling and never settling with your learning.
Becoming a lifelong learner is a must for SOC analysts.
As a SOC analyst, you’ll be working with both technical and non-technical teams. This means that you must be able to speak in plain English when explaining situations to stakeholders.
Clear and concise communication when escalating urgent incidents is also essential. Writing incident response reports requires great communication skills to explain what happened, what your actions were, and why.
Not only will you work with a larger security team of other cybersecurity professionals, but you’ll also collaborate with IT, legal, and public relations, so being empathetic and open to feedback and ideas is essential.
Being able to communicate and placate non-technical management while dealing with an incident is a vital skill.
You’ll need to work with a clear mind when under pressure, no matter the stakeholder expectations or time constraints.
There’ll be pressure to answer questions immediately and get systems back online quickly. It’s your job to appropriately manage expectations whilst responding to threats.
Risk management is about assessing what could go wrong, considering the severity of a threat, and gauging its overall impact on the organization. It’s is an important skill that will empower you to focus security resources on areas that will have the greatest impact.
This pairs well with strong critical thinking skills. Being able to examine facts and data to form a judgment lies at the heart of a SOC analyst’s role.
This analytical approach to problem solving will help you to perform under pressure and make the right decisions when in the face of data breaches.
Continuous upskilling and self-reflection are essential for any modern SOC analyst. This is why we recommend building strong technical foundations with our CDSA certification.
The technical foundations that are built I see as the pillars to a strong analyst & defender. The opportunity to demonstrate your practical skill set in an immersive environment is something I wish I had when I first entered the industry.
Sebh24 - Defensive Content Lead @ HTB
You can really tell both the exam and accompanying course were made by security analysts for security analysts. I wish I had something like this when I was starting out, as it would have saved a lot of heartache and late nights sifting through a million different browser tabs.
Not quite ready to take the exam yet?
Then work on your technical skills with our SOC analyst job role path that covers core security monitoring and security analysis concepts.
You’ll gain a deep understanding of the fundamentals and tools required whilst testing your knowledge with practical exercises.
Got a SOC analyst interview coming up or looking for your first role in the industry? Our SOC analyst interview questions blog is a great place to brush up on your skills whilst preparing yourself to ace the interview.
Author Bio: Sabastian Hague (sebh24), Defensive Content Lead, Hack The Box Sabastian Hague is a seasoned cybersecurity professional with over eight years of experience in the field. After serving in the Royal Air Force as a specialist in all things SOC, he went on to work for Vodafone's global CERT team before taking on a role as a senior security consultant with SpiderLabs and working on numerous high-profile incidents. He is now the Defensive Content Lead at Hack The Box. Seb has numerous industry certifications, including GIAC Certified Detection Analyst (GCDA), GIAC Continuous Monitoring Certification (GMON), GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst, Offensive Security Certified Professional (OSCP), Blue Team Level 1 (BTL1), Blue Team Level 2 (BTL2), Cybereason Threat Hunter (CCTH). |