This is a work in progress, and I will continue to add more and more to this post in the future!
Looking back, it seems like I just got into security yesterday… But that’s not the case (aka I’m getting old!). Every time I go to a non-security conference, I get a lot of questions about “what do you do in security?”, “why does XYZ need security?”, and “how do I get started in security?”.
Instead of repeatedly giving people half-ass answers and an empty promise that I’ll follow up with additional resources, I thought I’d write a blog post here to share instead. This way, every time I think about this subject, or someone gives me a really good resource, I can add it here.
I went to college originally with the intention of becoming a pharmacist. I got an internship in high school to work in a research lab, working on how to deliver medication more effectively by trying to get it past blood barriers. Then my first job in college was as a lab assistant, working on genetic engineering and trying to understand the basic molecular mechanisms regulating reproduction, immunity, and lifespan in mosquitoes in order to control mosquito-borne diseases.
After sophomore year, I realized pretty quickly that I wasn’t passionate about becoming a pharmacist anymore. The lab life moved way too slow for me. That’s when I added on MIS as a major, so I could get a feel for technology and see if I would like it. Turned out I did. In order to catch up with the rest of my peers and graduate on time, I took a bunch of classes. I remember there was a semester when I was taking 28 units between the U of A and a CC while working 2 jobs… that was a fun time! Then during my senior year, I went to a hackathon every other week to improve my skills. I graduated with a triple major in Molecular & Cellular Biology, Management Information Systems, and Operations Management. And once I was done, I got a job as a software developer. Soon after, someone reached out and offered me an opportunity to work on building some cool in-house security tools for detection. I thought that would be sweet, so I switched. It was indeed pretty sweet, and the rest is history!
Anyways, I’m getting wayyyy off topic reminiscing about the past… But the main point here is that I did not have a traditional path into infosec. And you don’t have to either. Despite what the gatekeepers or anybody might say, you can do it if you really want to do it! :)
I started out in security by working on an in-house developed custom SIEM. That got me to understand where all the log sources come from, how they get ingested, how they get parsed, and how they can be queried. I also got to work on developing an IR case management platform, which taught me a lot about what IR analysts have to do, where it would be good to automate, what kind of steps and procedures to follow, and what type of playbooks to create.
During my work, my company also sent me to a few trainings. I got to take a few SANS classes, and they only grew my love for security more and more. I spent many months after work at a coffee shop reading, watching videos, and learning more about anything related. These are the classes that I got to take through work or paid out of pocket to take:
- SANS SEC 560 (GPEN), FOR 508 (GCFA), ICS 410 (GICSP), SEC 504 (GCIH), FOR 610 (GREM)
- Penetration Testing with Kali Linux
- Black Hat: Purple Teaming with TrustedSec
- Conferences: BSides, GrrCON, DEF CON/Black Hat
TLDR: Non-traditional path to infosec. First software engineer, turned security engineer.
Here is a list of the security roles that I can think of, the general skills you need in each, and some free rabbit holes for you to go down (under resources). Being in security means having a desire to learn and know all the things, despite the impossibility. So cheers to my fellow nerds! ;D
But first, let me link you to Lesley Carhart (@hacks4pancakes)’s blog. It’s a series of blog posts that I wish I had known about when I first started out in security, not four years into my career. So here it is, let me save you the trouble:
Think of it as a prerequisite to reading the rest of this blog. For mine, I’m going to focus on summarizing each role briefly and mainly giving out resources for you to dig deeper into whatever role you desire!
~Am I bombarding you with information? Oops, too late!~
Application security is about finding and fixing vulnerabilities in the software the company builds, and helping developers not ship them in the first place.
- Must have/know: OWASP Top 10, SAST/DAST/IAST tools
- Nice to have: infrastructure, devops, attention to detail
- Preferred Skills: software development background
- https://github.com/i0natan/nodebestpractices - Node.js best practices repo
- https://medium.com/@nodepractices/were-under-attack-23-node-js-security-best-practices-e33c146cb87d - 23 Node.js security best practices
- https://github.com/michenriksen/gitrob - recon on a GitHub org's users (iterates through commit history to find sensitive files)
- https://github.com/OWASP/Amass - subdomain enumeration to map attack surface
- https://github.com/EdOverflow/can-i-take-over-xyz - subdomain takeover (which services are vulnerable to it)
- https://github.com/m4ll0k/takeover - more subdomain takeover
- https://github.com/EdOverflow/bugbounty-cheatsheet - bug bounty cheat sheet, good for testing web apps
Incident response is about triaging alerts, scoping and containing incidents, and working a case from initial detection through eradication and recovery.
- Must have/know: the IR lifecycle
- Nice to have: SIEM experience, writing queries
- Preferred Skills: Windows, Linux, macOS
- https://gchq.github.io/CyberChef/ - web app for encoding/decoding, compression, and data analysis
- https://github.com/Asymmetric-InfoSec/Power-Response - PowerShell framework for IR
- https://github.com/davehull/Kansa - another PowerShell IR framework
- https://github.com/sans-blue-team/DeepBlueCLI - threat hunting through Windows event logs
- https://wiki.sans.blue/#!Tools/LinuxCLI101.md - SANS Blue Team wiki: tips, tricks, and tools (check the navigation bar for pocket guides)
- https://docs.velociraptor.velocidex.com/ - endpoint monitoring and DFIR tool
- https://github.com/MHaggis/sysmon-dfir - Sysmon resources for DFIR
- https://github.com/maliceio/malice - open-source malware analysis framework (a self-hosted, "hipster" VirusTotal)
- https://github.com/sense-of-security/ADRecon - Active Directory recon
Digital forensics is about collecting and analyzing disk and memory evidence to reconstruct what happened on a system.
- Must have/know: memory collection, collection and analysis tools such as KAPE, EnCase, Redline, and Volatility
- Nice to have: patience
- Preferred Skills:
- macOS - https://docs.google.com/spreadsheets/d/1X2Hu0NE2ptdRj023OVWIGp5dqZOw-CfxHLOW_GNGpX8/edit#gid=1317205466
Penetration testing is about finding and exploiting weaknesses in systems, networks, and applications the way an attacker would, then reporting them so they get fixed.
- Must have/know: scanning, enumeration, exploitation, lateral movement
- Nice to have: Responder, Metasploit, Empire, Cobalt Strike, whatever popular tools are out there
- Preferred Skills: curiosity, thinking outside the box
- https://github.com/lgandx/Responder - LLMNR, NBT-NS and mDNS poisoner with built-in rogue authentication servers
- https://github.com/samratashok/nishang - PowerShell offensive security framework
- https://www.exploit-db.com/ - exploit database (searchable offline with searchsploit)
Red teaming is about emulating a real threat actor end to end to test how well the organization's people, process, and technology detect and respond. A lot of the skills here come with experience.
- Must have/know: ability to do research, read threat reports
- Nice to have: knowledge of the MITRE ATT&CK framework and of the threat group you are trying to emulate
- Preferred Skills: some reverse engineering, some malware writing, a little bit of everything else
Malware analysis and reverse engineering is about taking apart suspicious binaries to understand what they do and producing indicators defenders can use.
- Must have/know: assembly
- Nice to have: IDA, x64dbg, Process Hacker, C
- Preferred Skills:
- FLARE VM - a Windows analysis VM preloaded with decompilers and disassemblers (IDA, etc.) to play with
- https://github.com/horsicq/Detect-It-Easy - identify file types and packers
Under the “assumed breach” mindset, threat hunters proactively hunt for, detect, isolate, and neutralize threats already inside the network rather than waiting for an alert.
- Must have/know: the topic you are hunting for, an eye for detail, current and past malware methods, TTPs, operating systems, networking
- Nice to have: querying, technical writing/reporting, and communication skills
- Preferred Skills: knowledge of SIEM and analytics tools
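As an added example (my code, not from the original post), here is what two basic hunting moves look like in Python over a constructed batch of process-creation records: stack counting to surface the long tail (a binary seen on one host while everything else is on all of them), and a hypothesis-driven hunt for Office applications spawning shells. The hostnames, paths, and events are made up for illustration; in practice the records would come back from a SIEM or EDR query.

```python
from collections import defaultdict

# Constructed process-creation telemetry for the example (not data from the post):
# one record per process start, the way a Sysmon Event ID 1 / Windows 4688 query
# would return them from a SIEM.
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"host": "ws01", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "parent": "explorer.exe"},
    {"host": "ws02", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "parent": "explorer.exe"},
    {"host": "ws03", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "parent": "explorer.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\cmd.exe", "parent": "WINWORD.EXE"},
    {"host": "ws02", "image": r"C:\Users\Public\svch0st.exe", "parent": "explorer.exe"},
]


def stack(events, field):
    """Stack counting: map each distinct value of `field` to the set of hosts it was seen on."""
    hosts_by_value = defaultdict(set)
    for e in events:
        hosts_by_value[e[field]].add(e["host"])
    return hosts_by_value


def long_tail(events, field, max_hosts=1):
    """Least-frequency-of-occurrence: values seen on no more than `max_hosts` hosts.

    The common head of the distribution (svchost on every box) is usually noise;
    the long tail (a lookalike binary on a single host) is where a hunt starts.
    """
    return sorted(v for v, hosts in stack(events, field).items() if len(hosts) <= max_hosts)


def hunt_office_spawning_shells(events):
    """Hypothesis-driven hunt: Office applications have no business launching shells
    or script hosts, so any such parent/child pair deserves a look."""
    office = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
    shells = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
    return [
        e for e in events
        if e["parent"].upper() in office
        and e["image"].rsplit("\\", 1)[-1].lower() in shells
    ]


if __name__ == "__main__":
    print("rare images:", long_tail(EVENTS, "image"))
    print("office -> shell:", hunt_office_spawning_shells(EVENTS))
```

Stacking works on any field (parent process, signer, service name, scheduled task path); the hypothesis hunt is one row in what would normally be a table of hypotheses derived from the TTPs you care about.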
In this role, you help enrich and enhance detection capabilities: write rules, tune them, and use logs to detect malicious activity.
- Must have/know: YARA, networking, security logging, AD
- Nice to have: knowledge of adversary capabilities, coding skills, ability to write good regexes and queries
- Preferred Skills: strong written and verbal communication skills
Help create adversary playbooks. Research a threat actor’s technical profile, their TTPs (their typical plays), their technical indicators, and the defenses against them (such as recommended actions). Track threat groups and identify their tradecraft. Collect data and IOCs (atomic, computed, behavioral) and use them for analysis. Intel comes at three levels: strategic intel (the overall picture of the intent and capabilities of malicious threats), operational intel (assessment of specific or potential incidents and related events), and tactical intel (real-time, technical indicators).
- Must have/know: the Diamond Model, the kill chain, OODA loops, the Pyramid of Pain, IOCs
- Nice to have: knowledge of specific threat groups, general knowledge of the current threat landscape, TTPs
- Preferred Skills:
- MITRE ATT&CK framework - https://attack.mitre.org/
- APT groups spreadsheet - https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/edit#gid=1864660085
Securing all things “cloud” related: AWS, Azure, GCP.
- Must have/know: CloudTrail (API audit logging), GuardDuty (threat detection)
- Nice to have: Terraform
- Preferred Skills: DevOps
The products above are AWS; find their equivalents in the other cloud environments.
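Added example (not from the original post): a handful of CloudTrail detections in Python run over constructed CloudTrail records. The rules catch root console logins, console logins without MFA, CloudTrail being stopped or altered, and GuardDuty being disabled, which are the kinds of events you want alerts on before an attacker turns the lights off. The field names (eventSource, eventName, userIdentity.type, additionalEventData.MFAUsed, requestParameters) are CloudTrail's own; the account ID, detector ID, IP addresses, and user names are placeholders.

```python
# Constructed CloudTrail records, trimmed to the fields the rules use (not from the post).
# 111122223333 is the AWS documentation placeholder account; IPs are RFC 5737 test ranges.
RECORDS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.10"},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}, "sourceIPAddress": "198.51.100.9"},
    {"eventSource": "guardduty.amazonaws.com", "eventName": "UpdateDetector",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/Admin/bob"},
     "requestParameters": {"detectorId": "12abc34d567e8fa901bc2d34e56789f0", "enable": False},
     "sourceIPAddress": "198.51.100.9"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ReadOnly/carol"},
     "sourceIPAddress": "10.0.0.12"},
]


def root_console_login(r):
    """Root should be locked away with hardware MFA and never used interactively."""
    return r.get("eventName") == "ConsoleLogin" and r["userIdentity"].get("type") == "Root"


def console_login_without_mfa(r):
    """A successful console login where CloudTrail recorded that no MFA was used."""
    return (r.get("eventName") == "ConsoleLogin"
            and (r.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (r.get("additionalEventData") or {}).get("MFAUsed") == "No")


def cloudtrail_tampering(r):
    """Stopping, deleting or reconfiguring the trail is how an attacker blinds you."""
    return (r.get("eventSource") == "cloudtrail.amazonaws.com"
            and r.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"})


def guardduty_disabled(r):
    """Deleting the detector, or updating it with enable=false, turns GuardDuty off."""
    params = r.get("requestParameters") or {}
    return (r.get("eventSource") == "guardduty.amazonaws.com"
            and (r.get("eventName") == "DeleteDetector"
                 or (r.get("eventName") == "UpdateDetector" and params.get("enable") is False)))


RULES = {
    "root_console_login": root_console_login,
    "console_login_without_mfa": console_login_without_mfa,
    "cloudtrail_tampering": cloudtrail_tampering,
    "guardduty_disabled": guardduty_disabled,
}


def evaluate(record):
    """Return the names of every rule the record trips."""
    return [name for name, rule in RULES.items() if rule(record)]


def triage(records):
    """Run all rules over a batch and keep only the records that fired, with who/where context."""
    findings = []
    for r in records:
        fired = evaluate(r)
        if fired:
            ident = r["userIdentity"]
            findings.append({"rules": fired, "event": r.get("eventName"),
                             "actor": ident.get("userName") or ident.get("arn"),
                             "source_ip": r.get("sourceIPAddress")})
    return findings


if __name__ == "__main__":
    for f in triage(RECORDS):
        print(f)
```

In a real deployment the same predicates live in a CloudWatch/EventBridge rule, a SIEM query, or GuardDuty's own findings; writing them out as plain functions first makes it obvious which fields each one depends on and how to unit test them against recorded events.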
The job is to figure out how individuals are identified in a system, how roles are defined, and how roles are assigned to individuals. This includes adding, removing, and updating those entitlements as well.
- Must have/know: all types of auth (MFA, PAM), OAuth, Active Directory, role-based access control (RBAC), Okta, etc.
- Nice to have: past system administrator experience, automation skills
- Preferred Skills: detail oriented
- Microsoft Azure AD
- IBM Security Identity & Access Assurance
- Oracle Identity Cloud services
- RSA SecurID Access
Work on making sure the company complies with legal regulations and with its own policies and standards. Identify risks, analyze the data, develop policies that benefit the workplace, and consult. Risk is about managing risks; compliance is about adhering to mandated and voluntary boundaries.
- Must have/know: known and emerging risks, GRC frameworks
- Nice to have: passion for documentation
- Preferred Skills: strong writing and communication skills
Detect potential data breaches and data exfiltration and prevent them by monitoring, detecting, and blocking sensitive data while it is in use, in motion, and at rest.
- Must have/know: all vectors of data protection (data in transit, data at rest, data in use) and cloud access security brokers (CASBs)
- Nice to have: creativity, organizational, and being able to write detection to raise alerts
- Preferred Skills: strong writing and communication skills
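As an added example (not from the original post) of writing a DLP detection that raises alerts without drowning in false positives: a Python scanner that finds candidate card numbers with a regex, keeps only those that pass the Luhn check, and redacts them. The sample email body is constructed; the two card numbers in it are the well-known test numbers, and the order number is deliberately shaped like a card number but fails Luhn, which is exactly the case a regex-only rule gets wrong.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn (mod 10) check digit validation; every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (matched_text, digits) for every candidate that survives the Luhn check.

    Order numbers, timestamps and phone numbers that merely look like card numbers
    fall out here, which is what keeps the alert volume tolerable.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.group(0), digits))
    return hits


def redact(text):
    """Mask every detected PAN, keeping only the last four digits (what a receipt shows)."""
    out = text
    for raw, digits in find_pans(text):
        out = out.replace(raw, "*" * (len(digits) - 4) + digits[-4:])
    return out


# Constructed sample: an outbound email body a DLP engine might inspect (not from the post).
SAMPLE = (
    "Hi, please charge card 4111 1111 1111 1111 (exp 12/29) for order 1234 5678 9012 3456. "
    "Backup card: 5555-5555-5555-4444. Call me at 555-867-5309 if there is a problem."
)


if __name__ == "__main__":
    for raw, digits in find_pans(SAMPLE):
        print("PAN found:", raw, "->", digits)
    print(redact(SAMPLE))
```

The same structure (cheap pattern match, then a validator, then an action) applies to other data classes: SSNs have area/group rules, IBANs have a mod-97 check, and API keys have fixed prefixes and lengths. The validator step is what separates a usable DLP rule from one the business turns off after a week.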
- https://github.com/PaulSec/awesome-windows-domain-hardening - hardening your Windows domain
- https://github.com/CISOfy/lynis - security auditing tool for Linux/macOS
- https://github.com/SwiftOnSecurity/sysmon-config - the Sysmon config file everybody uses; a good starting point before tuning
- YouTube: BSides, DEF CON, and Black Hat videos
Good luck, my friend!