Blue Teaming
sebh24, Mar 15, 2023
Are you interested in becoming an analyst but not sure where to start? In this blog post, I will guide you through the necessary steps and share resources you can use to hit the ground running!
First, I will start with the basics and explain what a cybersecurity analyst is and what the role involves. Then, you'll hear a bit about my path into my first Analyst position. Next, I'll outline the important skills needed to be a successful cybersecurity analyst, including technical and soft skills.
Practice is essential to mastering any skill, and this applies to cybersecurity as well. So I'll also share how you can gain practical experience and build a portfolio to showcase your skills to potential employers.
Finally, I'll explain how analyst positions are changing and what the future of this field is starting to look like.
A cybersecurity analyst (or SOC analyst) is a professional who specializes in protecting IT systems and networks from unauthorized access, theft or damage. Analysts employ a wide variety of tooling and apply multiple analytical techniques to monitor and investigate any suspicious activity that might indicate a potential attack.
Their role is to identify security threats, often assess the impact of those threats and in some positions, take necessary actions to prevent or mitigate any damage. Think of a cybersecurity analyst as a person on the “frontline” of digital warfare - they play a critical role in safeguarding digital assets and protecting sensitive information from malicious threat actors.
The responsibilities of an analyst often vary depending on the organization they work for and their seniority, so it's very hard to nail down exactly what an “analyst” would usually do - as I don’t really think there is or should be a “usual.” Detailed below are some responsibilities that would often be assigned to the more “traditional” cybersecurity analyst role at an organization:
Monitoring and analyzing enterprise networks for security breaches and other suspicious activity.
Investigating and responding to security incidents and vulnerabilities, and mitigating potential damage.
Developing and implementing security protocols, procedures, and policies to prevent future attacks.
Conducting security audits and risk assessments to identify vulnerabilities and recommend solutions.
Collaborating with other teams within an organisation to ensure compliance with industry standards and regulations.
Staying up to date on emerging security threats and technologies to continuously improve security practices.
Training employees on safe computing practices and raising awareness about potential security risks.
Maintaining and updating security systems and software to ensure they are operating effectively.
I didn’t attend university prior to landing an Analyst position, and my initial role in security was within the Royal Air Force (RAF). My route into information security leading up to my first Analyst position went a bit like this:
1. Generic System Administrator
As a System Administrator, I played an essential role in ensuring that our deployable hardware and software were performing optimally. Due to the nature of my job, we regularly re-deployed and tore down server architecture for specific prolonged periods. The job also entailed managing the upgrade and patching cycle to ensure the smooth performance and security of the systems we deployed.
2. Network Administrator
A network administrator is responsible for the smooth operation of computer networks, the backbone of IT infrastructure. This role entailed being responsible for designing and implementing a network, ensuring its security, and maintaining and troubleshooting when necessary.
3. First Analyst position within the RAF
I can’t stress enough the importance of having an adequate understanding of networking and computer systems prior to venturing into your first information security role. Think of this understanding as the solid foundation for a house that's being built. The stronger the foundational knowledge, the easier it will be to pick up and retain information while preventing the feeling of "information overload" that inevitably comes with our pretty complex industry. This foundational knowledge is also something that may set you apart from your peers as more and more professionals attempt to break into the industry.
Fret not! You can still work towards becoming a cybersecurity analyst. Below are specific starting points (apart from continuing to follow the guidance in this post) you could take if you don't have an IT background:
It is important to have a solid foundation of IT concepts. This can be done by taking online courses or attending workshops on topics like networking, system administration or even some cybersecurity fundamentals (I would recommend saving this until you’ve covered the IT basics, though!).
Soft skills such as critical thinking, problem-solving, and communication are valuable in any profession, including cybersecurity. Developing these skills can make someone a strong candidate for a cybersecurity analyst role.
To succeed in information security, cybersecurity analysts must possess various technical and non-technical skills. Here are some of the most important cybersecurity analyst skills:
Fundamental IT knowledge: A strong understanding of computer systems, networks, and security protocols. This includes knowledge of operating systems, firewalls, intrusion detection systems, and EDR or SIEM tooling.
Threat intelligence: Identify and understand emerging threats to an organization's computer systems and networks. This also means staying current with the latest threats and security trends.
Incident response: Respond quickly and effectively to cyber attacks. This includes identifying the source of the attack, containing the damage, and restoring affected systems and data.
Assessing risk: Assess the potential impact of a cyber attack on an organization's operations and reputation. This requires an understanding of the organization's business processes and critical data.
Analytical thinking: Analyze large amounts of data and identify patterns and anomalies that could indicate a potential threat. They must also be able to identify false positives and separate them from real threats.
Knowledge of a scripting language: Allows analysts to automate repetitive tasks and improve efficiency. Cybersecurity analysts are responsible for monitoring and analyzing large amounts of data, and much of this work can be tedious and time-consuming. Scripting languages can help automate these tasks, freeing up analysts' time to focus on more complex issues.
Communication skills: Communicate effectively with both technical and non-technical stakeholders. This includes explaining technical concepts in layman's terms and presenting information to senior management.
Attention to detail: Analysts must be meticulous and detail-oriented. They should be able to identify small clues that could indicate a potential threat or vulnerability.
Teamwork: Collaborating with other analysts, as well as with other departments within an organization, is key to detecting and responding to threats.
Creativity: Thinking creatively and outside the box helps an analyst anticipate new threats and develop innovative solutions to protect against them.
Continuous learning: Analysts must be committed to continuous learning and professional development. They must stay up-to-date with the latest threats and security trends, as well as with new technologies and techniques for protecting against cyber attacks.
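The "analytical thinking" and "scripting language" points above describe spotting patterns in large volumes of data while filtering out false positives. The following is an added example (not from the original post) of the kind of triage script that does this: it reads constructed sshd-style auth log lines, counts failed logins per source, flags sources above a threshold, and suppresses a hypothetical allowlist of known internal scanners so the analyst is not paged for benign noise.

```python
# Added example: automated triage of failed SSH logins from auth log lines.
# The log lines, the allowlist and the threshold are all constructed for
# illustration; adapt them to your own environment's log format and noise.
import re
from collections import Counter

# Constructed sample log lines (format mimics OpenSSH auth.log entries).
SAMPLE_LOG = """\
Mar 15 10:01:02 host sshd[101]: Failed password for root from 203.0.113.5 port 5001 ssh2
Mar 15 10:01:03 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 5002 ssh2
Mar 15 10:01:04 host sshd[103]: Failed password for root from 203.0.113.5 port 5003 ssh2
Mar 15 10:01:05 host sshd[104]: Accepted publickey for deploy from 198.51.100.7 port 6001 ssh2
Mar 15 10:01:06 host sshd[105]: Failed password for root from 10.0.0.9 port 7001 ssh2
Mar 15 10:01:07 host sshd[106]: Failed password for root from 10.0.0.9 port 7002 ssh2
Mar 15 10:01:08 host sshd[107]: Failed password for root from 10.0.0.9 port 7003 ssh2
Mar 15 10:01:09 host sshd[108]: Failed password for bob from 192.0.2.44 port 8001 ssh2
"""

# Hypothetical allowlist: an internal vulnerability scanner that legitimately
# produces failed logins. Alerting on it would be a false positive.
KNOWN_SCANNERS = {"10.0.0.9"}

# Matches both "Failed password for <user>" and "... for invalid user <user>".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)"
)

def failed_logins_by_source(log_text):
    """Count failed-password events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts

def brute_force_candidates(log_text, threshold=3, allowlist=KNOWN_SCANNERS):
    """Return {source: count} for sources at or above the threshold,
    excluding allowlisted sources so known-benign noise is suppressed."""
    counts = failed_logins_by_source(log_text)
    return {src: n for src, n in counts.items()
            if n >= threshold and src not in allowlist}

if __name__ == "__main__":
    for src, n in brute_force_candidates(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logins")
```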
We’ve discussed the skills that help you become a cybersecurity analyst, but just how do you get them?
As the heading suggests, practice makes perfect. I wholeheartedly believe that nothing builds a skillset like performing practical activities. I mean, some platforms offer the opportunity to literally perform identical tasks that you’d perform in an analyst role.
I was initially introduced to OverTheWire as my first step into practical learning, and then slowly progressed to Wargames on the platform. OverTheWire is an excellent place to hone those command line skillsets. Don’t be afraid to follow some guides that exist for the levels if needed! There isn’t anything wrong with using walkthroughs - it's often the best way to learn.
After some time on OverTheWire, I moved to “Malware-traffic-analysis” to brush up on pcap analysis, which was good fun and, once again, analysis I genuinely enjoyed performing. A huge shout out to @malware_traffic for keeping the site going with excellent content and analysis of the latest threats.
After this, the next move to further my knowledge from an attacker's perspective was to play on the Hack The Box (HTB) platform. “But how does HTB help a cybersecurity analyst?” you might say.
Well, we already have an array of defensive content under challenges, with additional defensive content inbound! In fact, at the time of writing, there are 13 active Forensic challenges & 21 Reversing challenges.
Additionally, on numerous incidents I dealt with, both as an analyst and as a Digital Forensics and Incident Response (DFIR) professional, I found that the “hacker's mindset” gained from completing a variety of machines was extremely beneficial. It helps you understand both “what an attacker might do next” and what lies within “the art of the possible.”
Understanding this as an analyst can greatly help your decision-making abilities within the environment you're defending. It could eventually be the difference between an attacker achieving their actions on objectives or not.
So I guess to summarize, on your path to becoming a cybersecurity analyst, put the necessary hours into practicing. You will reap the benefits.
Certifications are important: they can demonstrate that you are competent and should at least get you to the interview stage, where you can further demonstrate your skill set and value.
Gone are the days when you needed multiple unaffordable GIAC certifications to land positions. More and more organizations are making practical Blue team certifications valuable. The key word here is practical.
As someone who has hired Blue teamers, I always keep an eye out for practical, exam-based certifications. This is the best way to confirm the skillset of a cybersecurity analyst or any other technical Blue teamer.
Now is probably a good time to mention that I’ve seen a huge move away from traditional Security Operations Center (SOC) environments, with many “normal” analyst roles inching ever closer to Analyst/Engineer focused roles. The transition from a traditional cybersecurity analyst role to an analyst/cybersecurity engineer role is driven by the need for a more integrated and proactive approach to cybersecurity.
Traditional cybersecurity analyst roles typically focused on identifying and mitigating security threats, often in a reactive manner. In contrast, modern analyst/engineer roles focus more on designing, implementing, and maintaining security controls that proactively prevent and detect threats.
The shift toward a more proactive analyst/engineer role is being driven by several factors, some of which include the following:
The growing complexity of security threats: As cyber threats become more sophisticated and complex, organizations need security professionals who can design and implement more advanced security controls that can protect against these threats.
The need for proactive threat detection and prevention: Traditional cybersecurity analyst roles often focus on identifying and mitigating security threats after they have occurred. However, the analyst/engineer role is more focused on proactively preventing and detecting threats by implementing security controls that can prevent attacks from happening in the first place.
The increasing importance of data analytics and automation: With the rise of big data, organizations are looking for security professionals who can use data analytics and automation tools to improve their security posture. Analysts/engineers are well-suited to this role, as they possess the technical skills needed to use these tools effectively.
In summary, the move away from a traditional cybersecurity analyst role to an analyst/engineer role is driven by the need for a more proactive, integrated approach to cybersecurity that can address the growing complexity of security threats and the need for more advanced security controls. This is why a great defensive skillset involves an ability, or at least an understanding, of how to attack.
So once you’ve got Blue team knowledge, I’d encourage strengthening and future-proofing your skills repertoire with knowledge of offensive security.
Author Bio: Sabastian Hague (sebh24), Defensive Content Lead, Hack The Box. Sabastian Hague is a seasoned cybersecurity professional with over eight years of experience in the field. After serving in the Royal Air Force as a specialist in all things SOC, he went on to work for Vodafone's global CERT team before taking on a role as a senior security consultant with SpiderLabs and working on numerous high-profile incidents. He is now the Defensive Content Lead at Hack The Box. Seb has numerous industry certifications, including GIAC Certified Detection Analyst (GCDA), GIAC Continuous Monitoring Certification (GMON), GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst, Offensive Security Certified Professional (OSCP), Blue Team Level 1 (BTL1), Blue Team Level 2 (BTL2), and Cybereason Threat Hunter (CCTH).