top of page
Writer's pictureTyler Wall

SOC Analyst Prerequisite Skills

Updated: Aug 6

This article will describe the prerequisite skills that you will need to land your first job in cybersecurity.



Knowing which topics you need to know to land your first role in cybersecurity is crucial. While we can’t teach you everything you need to know, this article will cover the fundamentals of cybersecurity based upon a common baseline of knowledge. Most of the prerequisite knowledge can be gained by formal cybersecurity certifications such as CompTIA Network+ and Security+. This article will discuss the concepts that you should understand before interviewing. Let’s talk about networking first.


Networking

The first requisite skill we’ll talk about is networking. No, this won’t be about how to talk to people, but we will cover the basics of the modern TCP/IP stack and OSI model. The Transmission Control Protocol and Internet Protocol (TCP/IP) was invented in the 1970s by DARPA scientists Vinton Cerf and Bob Kahn. At that time, there was not a recognized network standard. After over a decade of tests and refinement, the TCP/IP stack was officially launched in 1983 and was quickly adopted by the US Department of Defense. The DoD’s adoption of the new protocol secured the TCP/IP’s place as the standard moving forward. Basically, the TCP/IP stack can be viewed as a set of layers; each layer solves a set of problems around the transmission of data. The TCP/IP stack contains four layers.


Alternatively, there is a seven-layer model called the Open Systems Interconnection (OSI) model that contains seven layers. Today, the OSI model is more generally used as it provides a more granular view of the encapsulation process. For the purpose of continuity, we will use the OSI model going forward. Refer to figure 1–1 for the TCP/IP and OSI models.


Figure 1–1: TCP/IP and OSI Models


Data Encapsulation and Decapsulation

Data encapsulation and decapsulation is the process of taking data from one layer of the OSI model and translating it into the next layer. Whether that is adding or peeling layers back, it is being prepared for the next layer. As a broad example, decapsulation is the process of turning the binary 1’s and 0’s in the physical layer into something that is human readable in the application layer. Regardless if you’re viewing a web page or watching a video, data encapsulation and decapsulation is pivotal to the flow of data on our networks.

When data starts out at layer seven, it is one piece of data. As it travels down the layers to layer one where it is sent across as a signal (light, electrical, radio waves) it gets prepared and chopped up into smaller bits to be sent. Each packet of data gets encapsulated with more information to the front and sometimes the back. After it gets sent as a signal, the layers then get peeled back at the destination and assembled until it is one piece of data again to be consumed.


Figure 1–2: Data Encapsulation


Entire books have been dedicated to this topic; however, we suggest you search YouTube for “OSI Model Encapsulation.” There are some great videos that break down the process with animations we can’t properly depict here. One that we found that we really like is here.


IPv4 and IPv6 IP Addresses

On the Internet today, there are two types of IP addresses, IPv4 addresses and IPv6 addresses. The IPv4 address space (e.g., 10.0.0.1) is a 32 bit solution and is what most people are familiar with when they think about IP addresses, but due to changes in the Internet landscape, especially due to the addition of the Internet of Things, we have exhausted all publicly available IPv4 addresses. They are only currently being reassigned to people to replace the space where companies have gone out of business. As a solution, the world has begun to use IPv6 devices (e.g., 2004:0cb8:82a3:08d3:1319:8a2e:0370:7334) which is a 128-bit solution. Take time to learn the differences between IPv4 and IPv6, you can expect to be asked questions during your interview.


RFC1918

Another important thing to know about IP addresses is the difference between public network space and private network space. If you were to ping Google, the message exits my private network and traverses the public Internet until it hits the computer on the public Internet owned by Google, and then Google decides what to do with that message internally. Think of it like driving through a modern neighborhood where the houses are right next to each other. As you drive, you can look to your left and right and see the front doors. You can walk up anyone’s driveway and knock on their front door because that is all publicly accessible. Now consider this: private network address spaces are the bedrooms, bathrooms, and common areas inside the house. In the scheme of the Internet, these three private home spaces are governed by something called the RFC1918 address space (Figure 1-3). There are three IP address subnets in RFC1918.


Figure 1–3: RFC1918 Address Space


Due to the large number of hosts, in a corporate environment, it is most common to see the 10.0.0.0/8 address space used frequently.



Ports and TCP/UDP

Knowing the common port numbers and the difference between TCP and UDP will be helpful. TCP, or Transmission Control Protocol, relies on establishing a three-way handshake connection. UDP, or User Datagram Protocol, requires much less control data when compared to TCP. Think of UDP as the “Unreliable Dang Protocol” because UDP traffic is sent, and neither the sending or receiving host cares if the data arrives. In contrast, if a piece of data is missed in transit in the TCP connection, it will resend the missed packet and put it back together in order. If you’ve ever streamed a movie or watched YouTube, you use UDP to receive the video data. You may have noticed the video skips or has a weird frame; well, that was a UDP packet that didn’t arrive at your computer or TV. TCP connections are used when every bit of data needs to arrive at the destination, such as in a file transfer. If you are transferring a file, if all bits and bytes do not get to the destination, the file will be corrupt and unusable.


Figure 1–4 shows a cheatsheet table for port numbers.


Figure 1–4: Common Port Numbers


TCP Three-Way Handshake

Next is the TCP three-way handshake process. This is important because this three-way handshake establishes a connection between two hosts for a TCP connection. See Figure 1–5.


Figure 1–5 TCP Three-Way Handshake


To explain, let’s say you are uploading a file to an image hosting website. Before the file transfer takes place, your computer would establish the connection to the server by sending a Synchronize or SYN packet. Then the server would send a SYN and Acknowledge packet back, and then your client will finally send the Acknowledge packet back, and the three-way handshake has completed.


How this translates into your new job is if a host on the public Internet is attacking the perimeter of the corporate network, you might only see a SYN packet. Most firewalls will drop this traffic if it isn’t approved traffic and it isn’t a big deal. However, if you are looking at a computer on your network that is under suspicion of communicating with a malicious host and they have completed the handshake process, there is a good chance they have actively communicated and data at some scale has been transferred.


CIA Triad

The basic tenets of security revolved around the concept of CIA Triad, not the Central Intelligence Agency but confidentiality, integrity, and availability. All of security can be broken down from these three high-level categories. Confidentiality is the secrecy of the information, making sure that the information can only be seen by the intended people, no more no less. Integrity revolves around the correctness of the data, making sure that the information you are consuming is the data that you intend to consume, complete and unaltered. Availability consists of making sure that the data is able to be used when it is needed to be used. For instance, a denial of service attack can make a website unavailable to people who try to visit it. This is an attack on availability. Like a three-legged stool or a rigid triangle, the most secure data has a balance of all three.


Figure 1–6 CIA Triad


Firewalls

Firewalls are superb for making sure that access to network resources are only available to those that need access. By use of access control lists (ACLs), firewalls can prevent the general Internet from accessing private network access. ACLs are an example of a confidentiality control as well as an availability control.


As stated earlier in this article, there is a delineation of public Internet space and RFC1918 private Internet space. This boundary is created by using networking appliances and is called the perimeter of a network. If you think of your network as a circle and everything inside of the circle is your private computers and everything on the outside is the Internet, then the perimeter is the circle itself. This is governed by your firewalls. This concept is going out of fashion with the advent of cloud computing but still important to know today.


Least Privilege and Separation of Duties

Also when thinking about access control models, the concept of least privilege should be considered. Least privilege simply is the concept that no one should have more access to information than is minimally required to perform their work. For instance, a janitor needs access to all areas in a building, but probably shouldn’t require the same level of access to digital records.


While considering the principle of least privilege, separation of duties is also important. Separation of duties is the concept that important duties should be separated to provide less opportunity for fraud. The famous example to explain separation of duties is to separate the employee who balances the checkbooks from writing the checks. If they cooked the books (modified it to their advantage), they could easily write a check to themselves for the differences, and no one would ever know.


Cryptography

There are a few cryptography principles that you will need to know as well. The first is the difference between encryption vs. hashing. Basically, encrypting is changing the data in a way that makes it unreadable, but it is intended to be changed back in a way to make the message readable again.


Note: Takeaways to research on your own from encryption principles are knowing what public keys and private keys are and when they are used. Also, know what makes that key process different than using the same key to encrypt and decrypt.

Hashing is the process of taking a set of data and creating a unique fingerprint out of it. For instance, if you had a thousand lines of code, you could save it to a file and hash that file to a 128-bit MD5 hash that would look something similar to this:


97fbca75e134639d48bd83270ae9e045


The main difference between a hash and an encryption is that a hash is one way. There is not any viable way to turn the string above back into the characters “Cyber NOW Education Rulez.”


It might come up in your interview about the difference between encoding and encryption and what you need to remember is that encoding is only an algorithm and doesn’t use a key.


Endpoint Security

According to Verizon’s 2023 Data Breach Investigations Report nearly 74% of all malware infections are caused by actions taken by an individual. This includes opening email attachments, clicking unknown links, and downloading files with embedded malware. While network security is important in protecting your private network’s boundary, network security is completely circumvented when the user downloads and executes the malware on a local system. Once a single system is compromised, the attacker is free to move throughout your network, all while being undetected by your firewall. User laptops, smart phones, and printers are only a few of the targeted devices that attackers can compromise. The difficulty with endpoint security is the plethora of devices on the market. The majority of all devices run on one of these three operating system (OS) families: Windows, Unix, and MacOS.


Note: The Verizon Data Breach Report is perhaps the most respected publication in the cybersecurity industry. We would suggest taking a minute to review the latest breach report online to bring you up to speed with the industry’s latest cyber statistics. This is a great topic during interviews!

When considering endpoint security, I’ve found the most valuable skill is the knowledge of how each one could be compromised or exploited. The following sections will cover the major operating systems and some of their common vulnerabilities.


Windows

Let’s talk about Windows first as they are the global market leader for user endpoints. In fact according to the 2023 stats provided by Net Market Share 82.4% of all computers run some version of Windows. At the time of writing this article, Windows 11 and Windows Server 2022 are the latest iterations of the popular operating system. However, Windows Servers 2012, 2016, and 2019 and Windows 7, 8/8.1, and 10 are still prevalent in many homes and businesses. And herein lies the problem. As new operating systems are released, the older OSs are no longer maintained by Microsoft. This leaves these older operating systems without critical security patches required to combat new variants of malware. If we dig further into the data, we can glean that over 70% of Windows users are running an unsupported version.


Okay, we covered why Windows is targeted, but how are they targeted? As previously stated, 74% of all malware comes in via user actions. Users clicking links or opening attachments in emails cause more initial compromises than any other method. This is called phishing, and it’s been around for as long as there’s been email. Have you ever been asked to help a wealthy, foreign prince by sending him $1000 with the promise of receiving millions in return? If you answered yes, count yourself among the millions of other users who received a version of the same email. Unfortunately, that scheme did trick many people into forking over their hard-earned money with no return on investment.


Today, phishing has evolved into the number one malware delivery platform.


The other common method for a compromised Windows endpoint is weak passwords. If your Windows endpoint is listening for Remote Desktop Protocol sessions, there is a good chance you’ll be targeted by a brute force attack sometime in your future. The strength of your password will determine how successful the attacker will be. When it comes to password complexity, there are two schools of thought. First, the longer the password is, the longer the brute force will take. And second, the more diverse the character set of the password, the longer the brute force will take. At the end of the day, both are true with one caveat. If you use words in your password, the easier it will be to guess. Modern password-cracking tools have the ability to ingest word lists and modify the letters by using modifier rulesets to lessen the time it takes to crack a password. Cracking passwords can be a fun, at-home experiment that any cybersecurity professional should learn to do. We suggest learning tools such as John the Ripper and Hashcat.


Note: Here is our legal disclaimer: stealing or actively attempting to log in to services with passwords of others is illegal. Do not attempt any hacking activity without expressed or written permission.

The final topic we’ll cover on Windows security is user permissions. Most at-home Windows users operate day to day as the local administrator of their endpoint, meaning they do not use a separate, non-admin account for daily activities. At home, this practice is acceptable. When a company allows their workforce to operate as the local administrator accounts on their company endpoints, the risk of malware infection is much higher. Let’s look at a scenario.


Josh is Director of Sales at Acme Brick Company (ABC). ABC Information Security team allows all users’ local administrator accounts on their work laptops. Josh received an email from an old college buddy inviting Josh to join an alumni forum. Josh clicks the link and has become a victim of drive-by malware. The malware begins propagating across other systems in the company and soon spreads to every system on the Sales team.


What’s the danger of having local administrator permissions in this scenario? Simply put, the malware gained total access to Josh’s system immediately upon infection. Comparably if Josh’s account had user level permissions, the malware would be severely limited within the rights of that user. Another key point against local admin is the ability to elevate to system-level privileges. If an attacker gains system-level access, there is nothing on the endpoint that’s safe.


MacOS

Apple’s MacOS is being adopted by more and more companies as their endpoints of choice making it the second most popular OS in the wild. MacOS is currently on release 14.x and can be found in all of Apple’s desktop and laptop products. MacOS is a proprietary flavor of Unix; this allows the OS to operate on lower system resources and provides greater user control. In 2023, MacOS owned 12.9% of the operating system market share. That might not sound like a lot, but that number translates into millions of individual Apple devices at homes and offices globally.


Many people will say that Apple devices are more secure due to the lack of malware. While it is true there is less malware that targets MacOS, that’s not what makes MacOS more secure. Apple has taken endpoint security to the hardware layer with built-in security chips on the motherboard. These chips are dedicated to encrypting the file storage, ensuring a secure boot of the OS every time, and application runtime security. Other software-based technologies like execute disable (XD), address space layout randomization (ASLR), and system integrity protection (SIP) all work to ensure malware can’t affect critical system files. Despite being a very secure platform, signature-based detection is not built into MacOS.


User permissions in MacOS are very similar to most modern Linux distributions. By default, the root user is disabled and cannot be accessed. Users in the administrator group have the ability to elevate their privileges as needed to conduct admin tasks on the local system.


Overall, Apple’s MacOS is a great option for increased security in your enterprise environment. Most small businesses adopt Microsoft’s Active Directory services as their authentication mechanism, so Windows devices make more sense. While there are identity managers that allow MacOS to join Active Directory, it usually calls for a high level of IT support and costs. The price for an Apple device also plays a large role in the fight for endpoint supremacy, leading most small- to middle-sized companies to choose Windows devices as they can be 75% cheaper than a comparable Apple device.


Unix/Linux

Unix and Linux have grown more popular over the last couple of decades as the open source community has increased in size, owning 2% of the market share in 2023. We won’t be covering the differences in Unix and Linux, but if you’re interested, there is a great article on Opensource.com that goes into the history and differences in the operating systems. The most important note to take away about Unix or Linux is how many different flavors or versions exist. Today’s most common Linux distributions are derived from either Debian or Fedora. Most Unix/Linux distros are free to download and use, and we would encourage you to pick a flavor of Linux and start experimenting.

Unix/Linux devices are in more places than you would think. With the advent of the Internet of things (IoT), Unix/Linux have infiltrated their way into every home and office.


Some of the older, more common office devices that run Unix/Linux are printers, A/V systems, and VoIP telephones. Today, all modern smart devices run some form of Unix/Linux under the hood. As the idea of a connected home or office has grown over the last decade, so have the increased number of attacks on the Internet of things. Botnets are the most common use of compromised IoT devices. In 2016, the Mirai botnet was used to cripple much of the online infrastructure in the eastern United States when attackers used it to perform a DDOS attack against the Dyn Company.


Attackers have been targeting Unix/Linux since the very beginning, but not with malware. The majority of compromised Unix/Linux hosts are due to misconfigurations in either the OS or the applications hosted on the system. The majority of all websites are running on a distribution of Linux; a simple misconfiguration in the web application could allow a would-be attacker to gain credentialed access to the underlying operating system.


But we’re talking about endpoints. Even though the majority of the Internet’s infrastructure relies on Unix/Linux, end users haven’t fully adopted Linux as a personal operating system, largely in part to the difficulty in managing the OS. Today, we see the largest adoption of Linux as an endpoint OS in the cybersecurity and software development communities. The biggest challenge to any enterprise environment using Unix/Linux is managing the variety of distributions, despite the existence of tools that manage multiple Unix/Linux distros.


Much like MacOS, malware does exist for Unix/Linux but not widespread. Also the user permissions are basically the same, since MacOS is based on the Linux kernel. Most commonly, Unix/Linux systems are compromised by the tools and packages installed on the system. Many Linux distributions come with a preinstalled programming language like Python.


Python is a very powerful toolset that allows administrators and developers to code out some pretty impressive tasks. Unfortunately, the functionality that makes Python a power admin tool also makes it a favorite toolset for attackers. Python’s popularity has skyrocketed over the last several years, and we would suggest adding Python courses to your “to-do” list.


However, Python isn’t the only language of its type. Every year, there are new scripting languages released, and every one of them can be used to compromise a system. Early on in his career, Jarrett learned of an esoteric programming language that uses spaces, tabs, and new lines as its programming syntax. This language was called Whitespace; it was developed in 2003 by Edwin Brady and Chris Morris. With the number of programming languages in the wild, no one is expected to know them all. I’ve found the best method is to pick one language and dedicate yourself to it. Learning one will help you interpret most of the others when you see it in use.


Other Endpoints

We’ve covered the three largest categories of operating systems for endpoint devices, but there are some honorable mentions we should cover; we’ll start with mobile devices. According to GSMA Intelligence’s 2023 State of Mobile Internet Connectivity Report, 4.6 billion people are using the mobile Internet. That is almost half of the world’s population. These mobile devices include cell phones, cellular-enabled tablets, and cars with built-in Wi-Fi hotspots. Mobile devices come in a few flavors of operating systems; they are Android, iOS, and Linux. Just like the endpoint discussion above, the vulnerabilities for Unix/Linux are shared with Android/Linux mobile OS. iOS, however, is a bit more secure. This is due to the limitations that Apple has placed on their user’s ability to install untrusted, third-party software. This is called the “walled garden” strategy. If you control the application distribution platform, you can ensure that dangerous software never makes it onto your device. Expect Apple’s “walled garden” approach to falter as legislative bodies force laws that open these devices to other application stores not controlled by the manufacturer.


Let’s talk about the Internet of things or IoT devices; odds are you have these in your home already. This is an all-encompassing term for smart devices. The biggest risk to IoT devices is unsecured application vulnerabilities. Since the majority of IoT devices are unmanaged, we place a lot of faith in the developers who made the product. There are countless white papers and articles on IoT devices with security vulnerabilities. If you have a smart device, you should research their vulnerabilities on websites such as Exploit-db.com and Mitre.org.


The final endpoint device we’ll cover is the Chromebook and ChromeOS by Google. This is a very low-cost solution for the laptop market. The Chromebook is running a custom flavor of Linux known as ChromeOS, based on the Gentoo Linux distribution. Google has stated that ChromeOS is the most secure OS on the market. Regardless of how true that claim might be, the system is only as secure as the apps installed. Google has taken efforts to limit the apps installed on their system, but there are methods of circumventing these protections.


Summary

We covered a lot in this article. We started off talking about networking, and the key to remember here is to make sure you know the difference between a public and a private network. RFC1918 governs the Internet for what is considered a private network address space. It is important to know! We also covered common port numbers. It is common to get a pop quiz in a SOC analyst interview to ask you what port number matches which service.


The items that we want you to make sure you remember from network security are that firewalls draw the imaginary circle around your private Internet address space and define the perimeter. If you know what a private IP and public IP address is, you can visualize if it goes inside the perimeter or outside of the perimeter, and firewalls create the boundary.


Note: There is a concept in networking called Network Address Translation (NAT) that allows public IP addresses to communicate with private IP addresses using a NAT table. This would be a great concept to study on your own.

For user endpoints there are three major categories for endpoint security: Windows, which has the lion’s share of market, MacOS, which has a growing market share, and Unix/Linux, which come in third. Additionally, there are mobile and IoT devices to consider in a separate bucket as far as security is concerned.


ARTICLE QUIZ (ANSWERS FOLLOW)

Which of the following isn’t true about the TCP/IP model?

Ⓐ It’s made up of seven layers.

Ⓑ The US Department of Defense adopted it.

Ⓒ It’s made up of four layers.

Ⓓ It was launched in 1983.


_______ addresses are 32-bit while _______ are 128-bit.

Ⓐ IPv6, IPv4

Ⓑ IPv6, IPv8

Ⓒ IPv2, IPv6

Ⓓ IPv4, IPv6


TCP relies on an established connection called a(n) _______.

Ⓐ two-way handshake

Ⓑ three-way handshake

Ⓒ UDP

Ⓓ encryption


______________ create the boundaries of a network and ensure the general Internet can’t access private networks.

Ⓐ Firewall’s access control lists (ACLs)

Ⓑ Intrusion Detection Systems (IDS)

Ⓒ Intrusion Prevention Systems (IPS)

Ⓓ Switches


____________ adds a unique fingerprint to data while _________ changes data from a readable state to an unreadable state with the intent of returning it back to readable.

Ⓐ Hashing, encryption

Ⓑ Encryption, hashing

Ⓒ Perimeters, hashing

Ⓓ Encryption, perimeters


Which of the following OSs grew with the advent of the Internet of Things (IoT)?

Ⓐ MacOS

Ⓑ Linux

Ⓒ Windows

Ⓓ Raspberry PI


Which of the following does not properly represent endpoint OSs and their market share?

Ⓐ MacOS, 10%

Ⓑ Windows, 87%

Ⓒ Unix/Linux, 2%

Ⓓ Unix/Linux, 10%


ARTICLE QUIZ SOLUTIONS

Which of the following isn’t true about the TCP/IP model?

Ⓐ It’s made up of seven layers.

The TCP/IPmodel is made up of four layers. The OSImodel is made up of seven layers.


_______ addresses are 32-bit while _______ are 128-bit.

Ⓓ IPv4, IPv6

IPv4 addresses are 32-bit while IPv6 addresses are 128-bit.


TCP relies on an established connection called a(n) _______.

Ⓑ three-way handshake

TCPrelies on an established connection process called a three-way hand-shake.


______________ create the boundaries of a network and ensure the general Internet can’t access private networks.

Ⓐ Firewall’s access control lists (ACLs)

Firewalls and their Access Control Lists (ACLs) create the boundaries of a network and ensure the general Internet can’t access private networks.


____________ adds a unique fingerprint to data while _________ changes data from a readable state to an unreadable state with the intent of returning it back to readable.

Ⓐ Hashing, encryption

Hashing adds a unique fingerprint to data while encryption changes data from a readable state to an unreadable state with the intent of returning it back to readable.


Which of the following OSs grew with the advent of the Internet of Things (IoT)?

Ⓑ Linux

Most Internet of Things devices run on some flavor of the Linux Operating System.


Which of the following does not properly represent endpoint OSs and their market share?

Ⓓ Unix/Linux, 10%

For endpoint Operating System usage, Unix/Linux represents only around 2% of the market share (though growing).




Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University, and also CISSP, CCSK, CFSR, CEH, Sec+, Net+, A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, four online courses, and regularly holds webinars for new cybersecurity talent.


You can connect with him on LinkedIn.


Get 20% off all courses in our On-Demand catalog with coupon code “Welcome20”


Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.


Also available in the Secure Style Store, download the Job Hunting Application Tracker for FREE to keep track of all your job applications.


Check out my latest book Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success published June 1st, 2024 and winner of the 2024 Cybersecurity Excellence Awards.



Comments


bottom of page