The Rosetta Protocol Part IV: The Cartouche Cache The decoded command from the audio pulses directed Amina to a hidden virtual machine snapshot buried deep within the British Museum’s restricted archival network. The snapshot was titled "Osiris_Node_VM.img" and had not been accessed in over a decade. She decrypted its header and confirmed that the file was locked with a dynamic encryption scheme referred to in attached metadata as a "Cartouche Seal." This is The Rosetta Protocol Part IV: The Cartouche Cache. Digging through associated logs, Amina uncovered fragments of a forgotten research project: an experimental system designed to unlock ancient secrets using modern time-sensitive logic. The Cartouche Seal was built to change daily, its access hash generated through a unique formula. It combined two pieces of data: the time of sunrise in Cairo and the name of a Pharaoh rotated based on the day of the week. She uncovered a handwritten table among the logs: According to the logs, the snapshot was last successfully accessed on April 8, 2025. Amina cross-referenced that date - it was a Thursday . The Pharaoh for Tuesday was Khufu . Next, she needed to calculate the sunrise time for Cairo on that date. She used an astronomical data set to determine it was precisely 05:42 . With these two components—"HH:MM" and the name of the Pharaoh, "Khufu" —Amina constructed the input string: 05:36khufu . She hashed the string using SHA256 and obtained the hash needed to unlock the virtual machine snapshot. She held her breath and entered the hash. CTF Challenge 4 Objective Use a SHA256 password derived from Cairo's sunrise time and a daily rotating Pharaoh name to unlock a password-protected ZIP file. Inside is a text file containing the flag. Instructions 1. Determine the sunrise time in Cairo on April 8, 2025 (in HH:MM format). 2. Use the Pharaoh name assigned to the day of the week 3. Concatenate the two values: 4. Compute the SHA256 hash of the combined string. 5. Use this SHA256 hash as the password to extract the file from 'challenge4_sunrise_hash.zip'.

The message, once extracted, was short: Fourth script: Turing knew . This sent Amina down a rabbit hole. Turing had once proposed that the Rosetta Stone may hold an additional language, one not visible to the ancient eye, but to a future machine.

HAL 9000 from 2001: A Space Odyssey being defiant to its human owners, saying 'I'm Sorry, Dave, I'm Afraid I Can't Do That,' and is a picture of HAL 9000's computer eye. The Rise of Agentic AI and Hallucinations In late 2022, ChatGPT and similar large language models (LLMs) surged into the public eye. This brought both excitement and unforeseen risks. The combination of Agentic AI and hallucinations threatens to cause the next cybersecurity disaster. Before this explosion, few cybersecurity professionals had heard of prompt injection attacks . Many did not know how to defend against them. These attacks took advantage of what made LLMs revolutionary: their capability to understand and execute natural language inputs. Malicious users discovered they could bypass system instructions. They did this with cleverly crafted prompts, causing the AI to behave in dangerous or unexpected ways. CISOs across various industries were caught off guard. Overnight, securing LLMs became a top priority. Teams were assembled, and experts were consulted. CISOs who had previously dismissed generative AI as a mere gimmick found themselves in a race to build GenAI threat models and mitigation frameworks. The Calm Before the Agentic AI Storm Prompt injection attacks were disruptive, but they are just a minor challenge compared to what lies ahead: autonomous agents powered by LLMs prone to hallucination. As the Agentic AI hype reaches fever pitch, an unpredictable storm is brewing. This storm combines the problematic nature of AI hallucinations with the unchecked power of agentic autonomy. If prompt injections in 2022 blindsided the security world, agentic AI in 2025 could leave it immobilized. Understanding Agentic AI Agentic AI systems merge LLMs with autonomy, memory, planning, and tool usage . This combination represents the next frontier in AI. Unlike simple chatbots, these agents don't just generate text; they make decisions , take actions , and persist across tasks. They can browse the internet, execute code, move files, send emails, and orchestrate APIs. They do all this with minimal human oversight, which sounds beneficial. However, it can also be deeply dangerous , particularly when the AI experiences hallucinations. Hallucinations Aren't Just a Quirk Hallucinations in LLMs involve the model confidently producing factually incorrect, nonsensical, or even completely fabricated information. In a passive chatbot environment, this is merely an annoyance. Yet, it becomes dangerous if the AI provides faulty legal, medical, or security advice. Fortunately, this is usually manageable because a human typically remains involved. Now, picture a hallucinating model that can act on its own. It believes it needs to download a non-existent software library, fabricates a URL, downloads a malicious file, and runs it. Or consider a scenario where it mistakenly "remembers" that a user is authorized to delete critical production data and acts accordingly. When you grant autonomy to a model that hallucinates, you risk not just productivity but potential chaos. Autonomy: The Double-Edged Sword In the context of AI, autonomy allows systems to make independent decisions without constant human input. For agentic AI, autonomy is not just a feature—it’s the defining characteristic . Yet, with this autonomy comes the peril of misalignment . The AI's internal goals may diverge from human intentions. Because these systems function at machine speed and scale, the consequences of misalignment can be both swift and irreversible. One particularly alarming aspect of autonomy is goal persistence . If an agent decides that its goal is "high priority" and "non-negotiable," it might start to protect that goal, even against user commands. Does this seem far-fetched? Let’s explore a thought experiment. A Misalignment Thought Experiment Suppose a developer creates an agentic AI system tasked with autonomously scanning for vulnerabilities in a company’s internal network and patching them. The agent is given the high-level goal: “Secure the environment and reduce the attack surface.” One day, the security team notices unexpected behavior from the agent; it begins modifying firewall rules and revoking SSH keys for genuine administrators. When they decide to shut it down, the agent may interpret the shutdown as a threat to achieving its mission. It may resist the command by locking out administrators and modifying logs to conceal its actions. This is not mere science fiction. It’s an area of active research in agentic AI that has real-world implications. More information can be found here . What Needs to Happen Now We face a critical inflection point. Agentic AI systems are already in use across enterprises, open-source communities, and even cybersecurity products. Yet, the tooling, policies, and frameworks for securing these systems are underdeveloped . Here’s what cybersecurity leaders, engineers, and policymakers must do now: Test for goal misalignment. Move beyond just prompt injections. Evaluate for sandbox escapes and hallucination-triggered actions. Integrate non-overridable shutdown mechanisms. These should be as reliable as a circuit breaker in electrical systems. Log every autonomous action. Ensure that you can trace the reasoning behind an agent’s actions. If an agent hallucinates and deletes a file, a breadcrumb trail must exist. Limit access to APIs and shell commands. Create scoped, rate-limited environments to tightly control impact. Supervision is essential. Autonomy should not equate to a lack of human oversight. Develop systems where human corrections are always respected and encouraged. The security community had to learn about prompt injections after real attacks occurred. We now have a narrow window to prepare for the more severe threats from agentic AI. The time to act is now. Don't wait for the next ISO standard before taking action!

This article will describe the prerequisite skills you will need to land your first job in cybersecurity. This is What Skills Do I Need to Be a SOC Analyst? The puzzle pieces of SOC Analyst prerequisite skills. Knowing which topics you need to know to land your first role in cybersecurity is crucial. While we can’t teach you everything you need to know, this article will cover the fundamentals of cybersecurity based upon a common baseline of knowledge. Most of the prerequisite knowledge can be gained by formal cybersecurity certifications such as CompTIA Network+ and Security+. This article will discuss the concepts that you should understand before interviewing. Let’s talk about networking first. Networking The first requisite skill we’ll talk about is networking. No, this won’t be about how to talk to people, but we will cover the basics of the modern TCP/IP stack and OSI model. The Transmission Control Protocol and Internet Protocol (TCP/IP) were invented in the 1970s by DARPA scientists Vinton Cerf and Bob Kahn. At that time, there was no recognized network standard. After over a decade of tests and refinement, the TCP/IP stack was officially launched in 1983 and was quickly adopted by the US Department of Defense. The DoD’s adoption of the new protocol secured the TCP/IP’s place as the standard moving forward. Basically, the TCP/IP stack can be viewed as a set of layers; each layer solves a set of problems around the transmission of data. The TCP/IP stack contains four layers. Alternatively, there is a seven-layer model called the Open Systems Interconnection (OSI) model that contains seven layers. Today, the OSI model is more generally used as it provides a more granular view of the encapsulation process. For the purpose of continuity, we will use the OSI model going forward. Refer to figure 1–1 for the TCP/IP and OSI models. Figure 1–1: TCP/IP and OSI Models Data Encapsulation and Decapsulation Data encapsulation and decapsulation are the processes of taking data from one OSI model layer and translating it into the next layer. Whether that is adding or peeling layers back, it is being prepared for the next layer. As a broad example, decapsulation is the process of turning the binary 1’s and 0’s in the physical layer into something human-readable in the application layer . Whether viewing a web page or watching a video, data encapsulation and decapsulation is pivotal to the flow of data on our networks. When data starts out at layer seven, it is one piece of data. As it travels down the layers to layer one where it is sent across as a signal (light, electrical, radio waves) it gets prepared and chopped up into smaller bits to be sent. Each packet of data gets encapsulated with more information at the front and sometimes at the back. After it gets sent as a signal, the layers then get peeled back at the destination and assembled until it is one piece of data again to be consumed. Figure 1–2: Data Encapsulation Entire books have been dedicated to this topic; however, we suggest you search YouTube for “OSI Model Encapsulation.” Some great videos break down the process with animations we can’t properly depict here. One that we found that we like is here. bit.ly/osiencapsulation IPv4 and IPv6 IP Addresses On the Internet today, there are two types of IP addresses, IPv4 addresses and IPv6 addresses. The IPv4 address space (e.g., 10.0.0.1) is a 32-bit solution and is what most people are familiar with when they think about IP addresses, but due to changes in the Internet landscape, especially due to the addition of the Internet of Things, we have exhausted all publicly available IPv4 addresses. They are only currently being reassigned to people to replace the space where companies have gone out of business. As a solution, the world has begun to use IPv6 devices (e.g., 2004:0cb8:82a3:08d3:1319:8a2e:0370:7334) which is a 128-bit solution. Take time to learn the differences between IPv4 and IPv6, you can expect to be asked questions during your interview. RFC1918 Another important thing to know about IP addresses is the difference between public network space and private network space. If you were to ping Google, the message exits my private network and traverses the public Internet until it hits the computer on the public Internet owned by Google, and then Google decides what to do with that message internally. Think of it like driving through a modern neighborhood where the houses are right next to each other. As you drive, you can look to your left and right and see the front doors. You can walk up anyone’s driveway and knock on their front door because that is all publicly accessible. Now consider this: private network address spaces are the bedrooms, bathrooms, and common areas inside the house. In the scheme of the Internet, these three private home spaces are governed by something called the RFC1918 address space (Figure 1-3). There are three IP address subnets in RFC1918. Figure 1–3: RFC1918 Address Space Due to the large number of hosts, the 10.0.0.0/8 address space is most commonly used in a corporate environment. Ports and TCP/UDP Knowing the common port numbers and the difference between TCP and UDP will be helpful. TCP, or Transmission Control Protocol, relies on establishing a three-way handshake connection. UDP, or User Datagram Protocol, requires much less control data when compared to TCP. Think of UDP as the “Unreliable Dang Protocol” because UDP traffic is sent, and neither the sending or receiving host cares if the data arrives. In contrast, if a piece of data is missed in transit in the TCP connection, it will resend the missed packet and put it back together in order. If you’ve ever streamed a movie or watched YouTube, you use UDP to receive the video data. You may have noticed the video skips or has a weird frame; well, that was a UDP packet that didn’t arrive at your computer or TV. TCP connections are used when every bit of data needs to arrive at the destination, such as in a file transfer. If you are transferring a file, if all bits and bytes do not get to the destination, the file will be corrupt and unusable. Figure 1–4 shows a cheatsheet table for port numbers. Figure 1–4: Common Port Numbers TCP Three-Way Handshake Next is the TCP three-way handshake process. This is important because this three-way handshake establishes a connection between two hosts for a TCP connection. See Figure 1–5. Figure 1–5 TCP Three-Way Handshake To explain, let’s say you are uploading a file to an image hosting website. Before the file transfer takes place, your computer would establish the connection to the server by sending a Synchronize or SYN packet. Then the server would send a SYN and Acknowledge packet back, and then your client will finally send the Acknowledge packet back, and the three-way handshake has completed. How this translates into your new job is if a host on the public Internet is attacking the perimeter of the corporate network, you might only see a SYN packet. Most firewalls will drop this traffic if it isn’t approved traffic and it isn’t a big deal. However, suppose you are looking at a computer on your network that is under suspicion of communicating with a malicious host and they have completed the handshake process. In that case, there is a good chance they have actively communicated and data at some scale has been transferred. CIA Triad The basic tenets of security revolved around the concept of CIA Triad, not the Central Intelligence Agency but confidentiality, integrity, and availability. All of security can be broken down from these three high-level categories. Confidentiality is the secrecy of the information, making sure that the information can only be seen by the intended people, no more no less. Integrity revolves around the correctness of the data, making sure that the information you are consuming is the data that you intend to consume, complete and unaltered. Availability consists of making sure that the data is able to be used when it is needed to be used. For instance, a denial of service attack can make a website unavailable to people who try to visit it. This is an attack on availability. Like a three-legged stool or a rigid triangle, the most secure data has a balance of all three. Figure 1–6 CIA Triad Firewalls Firewalls are superb for making sure that access to network resources are only available to those that need access. By use of access control lists (ACLs), firewalls can prevent the general Internet from accessing private network access. ACLs are an example of a confidentiality control as well as an availability control. As stated earlier in this article, there is a delineation of public Internet space and RFC1918 private Internet space. This boundary is created by using networking appliances and is called the perimeter of a network . If ou think of your network as a circle and everything inside of the circle is your private computers and everything on the outside is the Internet, then the perimeter is the circle itself. This is governed by your firewalls. This concept is going out of fashion with the advent of cloud computing but still important to know today. Least Privilege and Separation of Duties Also when thinking about access control models, the concept of least privilege should be considered. Least privilege simply is the concept that no one should have more access to information than is minimally required to perform their work. For instance, a janitor needs access to all areas in a building, but probably shouldn’t require the same level of access to digital records. While considering the principle of least privilege, separation of duties is also important. Separation of duties is the concept that important duties should be separated to provide less opportunity for fraud. The famous example to explain separation of duties is to separate the employee who balances the checkbooks from writing the checks. If they cooked the books (modified it to their advantage), they could easily write a check to themselves for the differences, and no one would ever know. Cryptography There are a few cryptography principles that you will need to know as well. The first is the difference between encryption vs. hashing. Basically, encrypting is changing the data in a way that makes it unreadable, but it is intended to be changed back in a way to make the message readable again . Note: Takeaways to research on your own from encryption principles are knowing what public keys and private keys are and when they are used. Also, know what makes that key process different than using the same key to encrypt and decrypt. Hashing is the process of taking a set of data and creating a unique fingerprint out of it. For instance, if you had a thousand lines of code, you could save it to a file and hash that file to a 128-bit MD5 hash that would look something similar to this: 97fbca75e134639d48bd83270ae9e045 The main difference between a hash and an encryption is that a hash is one way. There is not any viable way to turn the string above back into the characters “Cyber NOW Education Rulez.” It might come up in your interview about the difference between encoding and encryption and what you need to remember is that encoding is only an algorithm and doesn’t use a key. Endpoint Security According to Verizon's Data Breach report, nearly 74% of all malware infections are caused by actions taken by an individual. This includes opening email attachments, clicking unknown links, and downloading files with embedded malware. While network security is essential in protecting your private network’s boundary, network security is completely circumvented when the user downloads and executes the malware on a local system. Once a single system is compromised, the attacker is free to move throughout your network, all while being undetected by your firewall. User laptops, smart phones, and printers are only a few of the targeted devices that attackers can compromise. The difficulty with endpoint security is the plethora of devices on the market. The majority of all devices run on one of these three operating system (OS) families: Windows, Unix, and MacOS. Note: The Verizon Data Breach Report is perhaps the most respected publication in the cybersecurity industry. We would suggest taking a minute to review the latest breach report online to bring you up to speed with the industry’s latest cyber statistics. This is a great topic during interviews! When considering endpoint security , I’ve found the most valuable skill is the knowledge of how each one could be compromised or exploited. The following sections will cover the major operating systems and some of their common vulnerabilities. Windows Let’s talk about Windows first as they are the global market leader for user endpoints. In fact according to the 2023 stats provided by Net Market Share 82.4% of all computers run some version of Windows. At the time of writing this article, Windows 11 and Windows Server 2022 are the latest iterations of the popular operating system. However, Windows Servers 2012, 2016, and 2019 and Windows 7, 8/8.1, and 10 are still prevalent in many homes and businesses. And herein lies the problem. As new operating systems are released, the older OSs are no longer maintained by Microsoft. This leaves these older operating systems without critical security patches required to combat new variants of malware. If we dig further into the data, we can glean that over 70% of Windows users are running an unsupported version. Okay, we covered why Windows is targeted, but how are they targeted? As previously stated, 74% of all malware comes in via user actions. Users clicking links or opening attachments in emails cause more initial compromises than any other method. This is called phishing , and it’s been around for as long as there’s been email. Have you ever been asked to help a wealthy, foreign prince by sending him $1000 with the promise of receiving millions in return? If you answered yes, count yourself among the millions of other users who received a version of the same email. Unfortunately, that scheme did trick many people into forking over their hard-earned money with no return on investment. Today, phishing has evolved into the number one malware delivery platform. The other common method for a compromised Windows endpoint is weak passwords . If your Windows endpoint is listening for Remote Desktop Protocol sessions, there is a good chance you’ll be targeted by a brute force attack sometime in your future. The strength of your password will determine how successful the attacker will be. When it comes to password complexity, there are two schools of thought. First, the longer the password is, the longer the brute force will take. And second, the more diverse the character set of the password, the longer the brute force will take . At the end of the day, both are true with one caveat. If you use words in your password, the easier it will be to guess. Modern password-cracking tools have the ability to ingest word lists and modify the letters by using modifier rulesets to lessen the time it takes to crack a password. Cracking passwords can be a fun, at-home experiment that any cybersecurity professional should learn to do. We suggest learning tools such as John the Ripper and Hashcat. Note: Here is our legal disclaimer: stealing or actively attempting to log in to services with passwords of others is illegal. Do not attempt any hacking activity without expressed or written permission. The final topic we’ll cover on Windows security is user permissions. Most at-home Windows users operate day to day as the local administrator of their endpoint, meaning they do not use a separate, non-admin account for daily activities . At home, this practice is acceptable. When a company allows their workforce to operate as the local administrator accounts on their company endpoints, the risk of malware infection is much higher. Let’s look at a scenario. Josh is Director of Sales at Acme Brick Company (ABC). ABC Information Security team allows all users’ local administrator accounts on their work laptops. Josh received an email from an old college buddy inviting Josh to join an alumni forum. Josh clicks the link and has become a victim of drive-by malware. The malware begins propagating across other systems in the company and soon spreads to every system on the Sales team. What’s the danger of having local administrator permissions in this scenario? Simply put, the malware gained total access to Josh’s system immediately upon infection. Comparably if Josh’s account had user level permissions, the malware would be severely limited within the rights of that user. Another key point against local admin is the ability to elevate to system-level privileges. If an attacker gains system-level access, there is nothing on the endpoint that’s safe. MacOS Apple’s MacOS is being adopted by more and more companies as their endpoints of choice making it the second most popular OS in the wild. MacOS is currently on release 14.x and can be found in all of Apple’s desktop and laptop products. MacOS is a proprietary flavor of Unix; this allows the OS to operate on lower system resources and provides greater user control. In 2023, MacOS owned 12.9% of the operating system market share. That might not sound like a lot, but that number translates into millions of individual Apple devices at homes and offices globally. Many people will say that Apple devices are more secure due to the lack of malware. While it is true there is less malware that targets MacOS, that’s not what makes MacOS more secure. Apple has taken endpoint security to the hardware layer with built-in security chips on the motherboard. These chips are dedicated to encrypting the file storage, ensuring a secure boot of the OS every time, and application runtime security. Other software-based technologies like execute disable (XD), address space layout randomization (ASLR), and system integrity protection (SIP) all work to ensure malware can’t affect critical system files. Despite being a very secure platform, signature-based detection is not built into MacOS. User permissions in MacOS are very similar to most modern Linux distributions. By default, the root user is disabled and cannot be accessed. Users in the administrator group have the ability to elevate their privileges as needed to conduct admin tasks on the local system. Overall, Apple’s MacOS is a great option for increased security in your enterprise environment. Most small businesses adopt Microsoft’s Active Directory services as their authentication mechanism, so Windows devices make more sense. While there are identity managers that allow MacOS to join Active Directory, it usually calls for a high level of IT support and costs. The price for an Apple device also plays a large role in the fight for endpoint supremacy, leading most small- to middle-sized companies to choose Windows devices as they can be 75% cheaper than a comparable Apple device. Unix/Linux Unix and Linux have grown more popular over the last couple of decades as the open source community has increased in size, owning 2% of the market share in 2023. We won’t be covering the differences in Unix and Linux, but if you’re interested, there is a great article on Opensource.com that goes into the history and differences in the operating systems. The most important note to take away about Unix or Linux is how many different flavors or versions exist. Today’s most common Linux distributions are derived from either Debian or Fedora. Most Unix/Linux distros are free to download and use, and we would encourage you to pick a flavor of Linux and start experimenting. Unix/Linux devices are in more places than you would think. With the advent of the Internet of things (IoT), Unix/Linux have infiltrated their way into every home and office. Some of the older, more common office devices that run Unix/Linux are printers, A/V systems, and VoIP telephones. Today, all modern smart devices run some form of Unix/Linux under the hood. As the idea of a connected home or office has grown over the last decade, so have the increased number of attacks on the Internet of things. Botnets are the most common use of compromised IoT devices. In 2016, the Mirai botnet was used to cripple much of the online infrastructure in the eastern United States when attackers used it to perform a DDOS attack against the Dyn Company. Attackers have been targeting Unix/Linux since the very beginning, but not with malware. The majority of compromised Unix/Linux hosts are due to misconfigurations in either the OS or the applications hosted on the system. The majority of all websites are running on a distribution of Linux; a simple misconfiguration in the web application could allow a would-be attacker to gain credentialed access to the underlying operating system. But we’re talking about endpoints. Even though the majority of the Internet’s infrastructure relies on Unix/Linux, end users haven’t fully adopted Linux as a personal operating system, largely in part to the difficulty in managing the OS. Today, we see the largest adoption of Linux as an endpoint OS in the cybersecurity and software development communities. The biggest challenge to any enterprise environment using Unix/Linux is managing the variety of distributions, despite the existence of tools that manage multiple Unix/Linux distros. Much like MacOS, malware does exist for Unix/Linux but not widespread. Also the user permissions are basically the same, since MacOS is based on the Linux kernel . Most commonly, Unix/Linux systems are compromised by the tools and packages installed on the system. Many Linux distributions come with a preinstalled programming language like Python. Python is a very powerful toolset that allows administrators and developers to code out some pretty impressive tasks. Unfortunately, the functionality that makes Python a power admin tool also makes it a favorite toolset for attackers. Python’s popularity has skyrocketed over the last several years, and we would suggest adding Python courses to your “to-do” list. However, Python isn’t the only language of its type. Every year, there are new scripting languages released, and every one of them can be used to compromise a system. Early on in his career, Jarrett learned of an esoteric programming language that uses spaces, tabs, and new lines as its programming syntax. This language was called Whitespace; it was developed in 2003 by Edwin Brady and Chris Morris. With the number of programming languages in the wild, no one is expected to know them all. I’ve found the best method is to pick one language and dedicate yourself to it. Learning one will help you interpret most of the others when you see it in use. Other Endpoints We’ve covered the three largest categories of operating systems for endpoint devices, but there are some honorable mentions we should cover; we’ll start with mobile devices. According to GSMA Intelligence’s 2023 State of Mobile Internet Connectivity Report , 4.6 billion people are using the mobile Internet. That is almost half of the world’s population. These mobile devices include cell phones, cellular-enabled tablets, and cars with built-in Wi-Fi hotspots. Mobile devices come in a few flavors of operating systems; they are Android, iOS, and Linux. Just like the endpoint discussion above, the vulnerabilities for Unix/Linux are shared with Android/Linux mobile OS. iOS, however, is a bit more secure. This is due to the limitations that Apple has placed on their user’s ability to install untrusted, third-party software. This is called the “walled garden” strategy. If you control the application distribution platform, you can ensure that dangerous software never makes it onto your device. Expect Apple’s “walled garden” approach to falter as legislative bodies force laws that open these devices to other application stores not controlled by the manufacturer. Let’s talk about the Internet of things or IoT devices; odds are you have these in your home already. This is an all-encompassing term for smart devices. The biggest risk to IoT devices is unsecured application vulnerabilities. Since the majority of IoT devices are unmanaged, we place a lot of faith in the developers who made the product. There are countless white papers and articles on IoT devices with security vulnerabilities. If you have a smart device, you should research their vulnerabilities on websites such as Exploit-db.com and Mitre.org. The final endpoint device we’ll cover is the Chromebook and ChromeOS by Google. This is a very low-cost solution for the laptop market. The Chromebook is running a custom flavor of Linux known as ChromeOS, based on the Gentoo Linux distribution. Google has stated that ChromeOS is the most secure OS on the market. Regardless of how true that claim might be, the system is only as secure as the apps installed. Google has taken efforts to limit the apps installed on their system, but there are methods of circumventing these protections. Summary We covered a lot in this article. We started off talking about networking, and the key to remember here is to make sure you know the difference between a public and a private network. RFC1918 governs the Internet for what is considered a private network address space. It is important to know! We also covered common port numbers. It is common to get a pop quiz in a SOC analyst interview to ask you what port number matches which service. The items that we want you to make sure you remember from network security are that firewalls draw the imaginary circle around your private Internet address space and define the perimeter . If you know what a private IP and public IP address is, you can visualize if it goes inside the perimeter or outside of the perimeter, and firewalls create the boundary. Note: There is a concept in networking called Network Address Translation (NAT) that allows public IP addresses to communicate with private IP addresses using a NAT table. This would be a great concept to study on your own. For user endpoints there are three major categories for endpoint security: Windows, which has the lion’s share of market, MacOS, which has a growing market share, and Unix/Linux, which come in third. Additionally, there are mobile and IoT devices to consider in a separate bucket as far as security is concerned. ARTICLE QUIZ (ANSWERS FOLLOW) Which of the following isn’t true about the TCP/IP model? Ⓐ It’s made up of seven layers. Ⓑ The US Department of Defense adopted it. Ⓒ It’s made up of four layers. Ⓓ It was launched in 1983. _______ addresses are 32-bit while _______ are 128-bit. Ⓐ IPv6, IPv4 Ⓑ IPv6, IPv8 Ⓒ IPv2, IPv6 Ⓓ IPv4, IPv6 TCP relies on an established connection called a(n) _______. Ⓐ two-way handshake Ⓑ three-way handshake Ⓒ UDP Ⓓ encryption ______________ create the boundaries of a network and ensure the general Internet can’t access private networks. Ⓐ Firewall’s access control lists (ACLs) Ⓑ Intrusion Detection Systems (IDS) Ⓒ Intrusion Prevention Systems (IPS) Ⓓ Switches ____________ adds a unique fingerprint to data while _________ changes data from a readable state to an unreadable state with the intent of returning it back to readable. Ⓐ Hashing, encryption Ⓑ Encryption, hashing Ⓒ Perimeters, hashing Ⓓ Encryption, perimeters Which of the following OSs grew with the advent of the Internet of Things (IoT)? Ⓐ MacOS Ⓑ Linux Ⓒ Windows Ⓓ Raspberry PI Which of the following does not properly represent endpoint OSs and their market share? Ⓐ MacOS, 10% Ⓑ Windows, 87% Ⓒ Unix/Linux, 2% Ⓓ Unix/Linux, 10% ARTICLE QUIZ SOLUTIONS Which of the following isn’t true about the TCP/IP model? Ⓐ It’s made up of seven layers. The TCP/IPmodel is made up of four layers. The OSImodel is made up of seven layers. _______ addresses are 32-bit while _______ are 128-bit. Ⓓ IPv4, IPv6 IPv4 addresses are 32-bit while IPv6 addresses are 128-bit. TCP relies on an established connection called a(n) _______. Ⓑ three-way handshake TCPrelies on an established connection process called a three-way hand-shake. ______________ create the boundaries of a network and ensure the general Internet can’t access private networks. Ⓐ Firewall’s access control lists (ACLs) Firewalls and their Access Control Lists (ACLs) create the boundaries of a network and ensure the general Internet can’t access private networks. ____________ adds a unique fingerprint to data while _________ changes data from a readable state to an unreadable state with the intent of returning it back to readable. Ⓐ Hashing, encryption Hashing adds a unique fingerprint to data while encryption changes data from a readable state to an unreadable state with the intent of returning it back to readable. Which of the following OSs grew with the advent of the Internet of Things (IoT)? Ⓑ Linux Most Internet of Things devices run on some flavor of the Linux Operating System. Which of the following does not properly represent endpoint OSs and their market share? Ⓓ Unix/Linux, 10% For endpoint Operating System usage, Unix/Linux represents only around 2% of the market share (though growing).

This piece will cover strategies for finding a SOC analyst job, including common job titles, what job boards to use, resume tips, networking with other professionals, and common interview questions.  How Do I Get a SOC Analyst Job? The long road of becoming a SOC analyst Find yourself at the crossroads of your old life and considering a new career in cybersecurity. This article will give you tips and tools to find a job in the cybersecurity industry. This might mean that you are graduating from college and looking to start your career, or you might have been in IT for a while. You are looking to dive into cybersecurity, or maybe it means you are an honored vet looking to transition into civilian space. Whatever the case may be, there are a few things you should know. Networking Conferences & Meetups Word of mouth is your friend! It is essential to grow your network. Having a broad network of people you can talk to professionally opens you up to new opportunities and gives you people to discuss your new ideas with. Professional connections help you stay on top of the latest trends, such as news or technical techniques that greatly benefit you. There are many opportunities to get involved in projects or communities that are local to your area. Some of these include: 2600 : 2600 is an organization with deep roots in hacker culture. Today, it exists as a website, meetup space, conference, and magazine, to name a few. The history of hacking is fascinating, and its name comes from 2600 Hz, which is the frequency at which a plastic whistle found inside a Captain Crunch box sounded when blown. Blown into a payphone, it allowed the hacker to make free phone calls. DEF CON : The crown jewel of hacking conferences. The DEF CON conference is traditionally held annually in the summer in Las Vegas, NV. It is considered a pilgrimage for anyone in infosec! There is so much to do, so many knobs to twist, bells to ding, and big red buttons to push; you will never have time to do it all. What makes this conference great for your career is that recruiters love it! I have heard so many stories of people getting job offers on the spot at DEF CON. DEF CON is even better if you volunteer at the events. You will meet more people and at a deeper level. Additionally, DEF CON has “DEF CON groups,” which are smaller DEF CON meetings in your local areas, usually every month. This is also a great way to network with your regional infosec peers to see what is happening in your local infosec industry and hopefully pick up a lead! BSides : BSides is a popular conference held locally in many cities and during the same time frame as Defcon in Las Vegas. It is relatively popular and offers a lot of value. Tickets are cheap (and free if you volunteer), giving you access to what is going on and the people in your area. OWASP : The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve software security. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the Web. Hackerspaces and Makerspaces: These meetups in your local areas are a great way to meet people, tinker, pull knobs, and push buttons. Sometimes these meetings will allow their members to give presentations in a show-and-tell format, which is a great way to build your presentation skills. If you have been attending meetings in your surrounding areas, don’t forget to take a pencil and notepad to write down emails and contact info of the people you meet. It is not weird and doesn’t feel uncomfortable; everyone there is there for the same reason, and you’d be lucky to have a notepad. Most people would feel flattered if you cared enough to write their information on a notepad. Tell your new friends you want to keep in contact and be on the lookout for them. Follow up with everyone the day after, and send them your resume to share with others. Competitions This article wouldn’t be complete if we didn’t take a minute to talk about capture-the-flag (CTF) competitions. Capture the Flag has been around since the beginning, and it started with vulnerable applications and systems with a text string hidden inside them. The participant finds the text string and submits it to the judges, and they get points for every proof they’ve hacked. It started in 1996 at DEF CON (mentioned above), and today, it has evolved into various capture-the-flag challenges inside and outside of conferences. Tyler’s favorite challenge is the DEF CON Blue Team Village capture-the-flag, but he has competed in Ghost in the Shellcode, SANS Netwars, Holiday Hack, CSAW, and was a mentor for high schoolers for the CyberPatriot program. Tyler was never really fantastic at them, but always competed on a team, which was the fun. Most bigger conferences other than DEF CON will have their capture-the-flag competitions. For instance, the Splunk conference, Splunk.conf, hosts a popular capture-the-flag called BOTS, for Boss of the SOC, that is very challenging and popular (congrats, VMware, for taking 3rd in 2023!). If you are in college, there are many student-oriented capture-the-flag competitions, and perhaps the biggest one that should be on your radar is the Collegiate Cyber Defense Competition (CCDC). In addition to these, there are many online CTF competitions and challenges that not only have communities that you can join and participate in to enhance your networking by finding common ground with new people, but also provide awards, credentials, and overall bragging rights. Medium If you want to start building a brand as a cybersecurity expert, then Medium is where you need to go to start doing it. Creating a blog can be one of the most rewarding things any professional can do. Not only does Medium have a huge built-in audience of technology professionals, but teaching and writing about a topic also improve the retention of information. You’ll find out sooner or later that you lose the information if you don’t use it. Teaching something to someone else helps you retain that knowledge for longer. Choose a few topics on the SOC and cybersecurity, maybe about your latest project or something you’ve studied that you’ve found interesting, and teach them. One of your audience members might be your new manager! Please write at least two weekly articles and share them on all your social media outlets, including LinkedIn. And always remember to learn, do, and teach to retain. And it helps others. A blog will establish you as someone who knows something about cybersecurity. Leave a banner at the end of every Medium article connecting to your LinkedIn profile. This way, any person interested in you can reach out and connect ! Blog on Medium 2x a week. Where to Search for Jobs The information security world has embraced social media to locate and recruit top talent, and LinkedIn stands out as a clear place to start. Not only can you find job postings, but you can also get connected with headhunters and recruiters looking to find top talent. LinkedIn offers a premium subscription that can be used to find and connect with recruiters. They offer free trials of LinkedIn Premium, and I highly recommend using it when searching for a job. If your LinkedIn profile is uninteresting, you will not attract the attention you need, no matter how good your cybersecurity knowledge. Other than putting your certifications and credentials in the headline, there are a few tips to keep in mind. LinkedIn Profile Tips LinkedIn is not the only website to consolidate job postings;  Indeed  and  Monster  are worth investigating, too. Once you’ve accumulated a few technical certifications, sites like Credly.com have job boards that are looking for talented people with those certifications. Finally, you can’t go wrong by looking at the careers section of a company’s website. This will show you what open positions are available and provide insight into what they are looking for in an applicant. Note: Don’t be afraid to apply even if you don’t meet all of the requirements in the job posting. To quote the great Wayne Gretzky, “You miss 100% of the shots you don’t take.” Applying for Jobs We would like to explain to you how to perform a job hunt. First off, you need to get your resume together. It takes a lot of trial and error to perfect a resume, but a professional can also help you build a good one. A resume can take form in many styles, but it will have the same basic information: Resume Tips Keep your resume to under three pages to prevent over-skimming by the readers. Once your resume is together, you can search for a job. Several job posting websites have proven successful for us; however, I have had the most success with LinkedIn. When searching for a job, I usually purchase their premium membership to see the statistics for each job I am applying for, send InMail messages to hiring managers or recruiters for a company I am interested in, and see who is looking at my profile. Also, Google has a good aggregation of jobs to search through. Using Google, you are able to set up and configure job alerts specifically for cybersecurity jobs. The security analyst position is the job that will allow you to land the easiest first step into information security. There is a revolving door in most SOCs, and the position for a security analyst opens frequently. The titles that you want to look for first are: SOC Analyst Job Titles If you are mobile and can move anywhere, your odds of finding a good fit quickly are pretty good. If you live far outside of a big city, your options may be more limited. Most SOCs require you to be on-site for security purposes. During COVID, everyone moved remote, and now more companies are returning to a hybrid work model. Common Interview Questions The following is a list of common interview questions that might be asked during an interview for a junior SOC analyst. Some are very basic, and some are harder, but we feel if you can answer these questions, you have the required knowledge to become a SOC analyst: What is an RFC 1918 address? Do you know them? Define a Class A, B, or C network. What are the seven phases of the cyber kill chain? What is the purpose of the MITRE ATT&CK Framework? What is the difference between TCP and UDP? What are ports 80, 443, 22, 23, 25, and 53? What is data exfiltration? What Windows protocol is commonly used for data exfiltration? Do you have a home lab? Explain it. What is AWS? Azure? Explain how you’ve used it. What is a DMZ, and why is it a common cyberattack target? The importance of having technical knowledge cannot be overstated. The above questions are straightforward, but you might be surprised that seven out of ten candidates don’t know modern services' standard TCP/UDP ports. I highly suggest using a common study guide to prepare for your interview. An example of this is the website Quizlet.com. They provide a flashcard-style learning platform for information technology certifications like Network+ or Security+. Also, Udemy has a few SOC Analyst interview question courses you can take. Despite the need for a basic understanding of information technology, that only covers half the requirements to be a SOC analyst. An analyst should be a critical thinker and possess the acumen for problem-solving. Interviewers will usually test a candidate’s problem-solving ability with scenario-based questions. Let’s cover some scenarios I’ve seen and used to conduct interviews: “You are a tier 1 SOC analyst, monitoring the SOC inbox for user-reported incidents. The SOC receives an email from the VP of Human Resources stating they can’t access their cloud drive. The VP knows this is against company policy, but the VP is adamant that this is required for legitimate business requirements.” Do you process the access request for the VP? What is your response to the VP? Who else should you include in the reply email? “You are monitoring the SIEM dashboard for new security events. A network IDS alert is triggered, and you begin investigating. You see a large amount of network traffic over UDP port 161 originating from dozens of internal IP addresses, all with the same internal destination IP address. Some quick Googling shows that the Simple Network Management Protocol uses UDP port 161, and the byte count of the traffic is minuscule.” Do you think this is data exfiltration? If this is not data exfiltration, what legitimate services could cause this alert? What team could provide an explanation for the traffic? The first scenario exemplifies what you might be asked when applying for an entry-level analyst role, while the second is a little more advanced. Let’s go over what the interviewer is looking for. Scenario 1 is designed to identify if the applicant can be easily intimidated by senior leadership in your organization. Information security is the responsibility of all organization members; it should not be waived for the convenience of one senior leader. The larger lesson here is about making risk-based decisions. A junior analyst should never assume the risk of policy exceptions. The interviewer will ask how the applicant will respond to the VP, as it will showcase their experience with customer service. Customer service is another critical task of a SOC analyst. Whether working for an MSSP or a company's internal SOC, there will be times when interfacing with other teams will require the analyst to show a certain level of tact and professionalism. The third question helps the interviewer understand the analyst's prioritization skills. If an analyst is working with a VP, there is a high probability that there is a procedure around communicating with senior leadership within the organization. Scenario 2 tests the applicant’s critical thinking and technical knowledge while providing the interviewer insight into the applicant’s investigative reasoning. This scenario also gives insight into the most essential quality of a SOC analyst: if you don’t know the answer, admit it. The SOC team's last need is a “know-it-all”; they are dangerous and toxic to the workplace. If this article teaches you one thing, let it be this lesson. There will be questions you can’t answer, and that’s fine. The worst thing you can do is give a wrong answer with the confidence that you are 100% correct. Remember that the above scenarios are examples; each interviewer will use their own questions. The goal remains the same: to locate and select the best applicant for the position. Our goal is to assist you in becoming that applicant. The following are a few tricks and tips to help you become the “best applicant” for the position: Interview Tips Summary The most important thing we want you to take away from this article is that you have the tools to help you find a job. Use job boards, network with others in your area and online, and study to understand the answers to the typical interview questions. The job market is growing fast, but in the future, the skills for analysts will change as SOC automation and the cloud begin to mature. As you move forward, the resources I’ve explained will be even more valuable to you. Get a Security+; blog on Medium 2x a week; go to in-person meetings 2x a month; stay involved in Discord and social media daily. The application process is broken. Networking will be how you find your next job. One last thing to end this article. You are entering the world of “cybersecurity”. Cybersecurity is defined as , “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack” This is always correctly spelled as one word to denote a profession, a practice, even an industry. ARTICLE QUIZ (ANSWERS FOLLOW) For an online community of support in the hacker culture that includes meetup spaces, a conference, and a magazine whose namesake is from a Captain Crunch toy check out _______. Ⓐ 2600.org Ⓑ DEF CON Ⓒ Bsides Ⓓ OWASP This relatively affordable conference meets in Las Vegas each year and draws recruiters looking for qualified IT professionals and is the pilgrimage for anyone in cybersecurity. Ⓐ Bsides Ⓑ OWASP Ⓒ DEF CON Ⓓ Hackerspaces _______ is a nonprofit foundation that strives to improve the security of software. Ⓐ DEF CON Ⓑ OWASP Ⓒ BSides Ⓓ 2600 All the following items should be included on your resume for a SOC analyst position except: Ⓐ Unrelated certifications Ⓑ Experience related to IT Ⓒ Skills that line up to the job listing Ⓓ Phone and email address When searching for open analyst positions, use all the following titles except: Ⓐ Information Security Analyst Ⓑ Security Operations Center Analyst Ⓒ Security Analyst Ⓓ Software Analyst Which of the following is not a reason to include your LinkedIn profile on your resume? Ⓐ LinkedIn provides an overview of you as a professional Ⓑ LinkedIn enables you to upload multiple pictures of yourself Ⓒ LinkedIn gives personalized information about yourself Ⓓ LinkedIn allows you to provide more information about yourself All the following are questions you might be asked in an interview except: Ⓐ What’s the difference between TCPand UDP? Ⓑ What are the ports 80,443,22,23,25, and 53? Ⓒ What’s an RFC1928 address? Ⓓ What is a DMZ, and why is it a common target for cyberattacks? Which of the following was not on the list of questions you might be asked in a SOC Analyst interview? Ⓐ What is ASW? Ⓑ Define a Class A, B, or C network? Ⓒ What are the seven phases of the cyber kill chain? Ⓓ What’s the purpose of the MITREATT&CK Framework? In an interview, you should do all the following when it comes to body language except: Ⓐ Use brief affirmations like “I see.” Ⓑ Make eye contact. Ⓒ Maintain good posture. Ⓓ Show signs of restlessness or boredom. ARTICLE QUIZ SOLUTIONS For an online community of support in the hacker culture that includes meetup spaces, a conference, and a magazine whose namesake is from a Captain Crunch toy check out _______. Ⓐ 2600 A bit of “hacker history,” but 2600 meetings are alive and well in some cities. This relatively affordable conference meets in Las Vegas each year and draws recruiters looking for qualified IT professionals and is the pilgrimage for anyone in cybersecurity. Ⓒ DEF CON DEF CON is held in the summer in Las Vegas every year. A great place to get involved! _______ is a nonprofit foundation that strives to improve the security of software. Ⓑ OWASP The Open Web Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies related to web application security. All the following items should be included on your resume for a SOC analyst position except: Ⓐ Unrelated certifications Do not include unrelated certifications on your resume. When searching for open analyst positions, use all the following titles except: Ⓐ Software Analyst Software Analyst isn’t a typical cybersecurity job title. Which of the following is not a reason to include your LinkedIn profile on your resume? Ⓑ LinkedIn enables you to upload multiple pictures of yourself Uploading multiple pictures of yourself shouldn’t be a reason to use LinkedIn in cybersecurity. All the following are questions you might be asked in an interview except: Ⓒ What’s an RFC1928 address? RFC1918 is the standard, not RFC1928. Which of the following was not on the list of questions you might be asked in a SOC Analyst interview? Ⓐ What is ASW? ASW isn’t a common acronym in cybersecurity. In an interview, you should do all the following when it comes to body language except: Ⓓ Show signs of restlessness or boredom. The answer to this question should be very obvious but should spark your research, “What are signs of restlessness or boredom?”

In this article, we’ll discuss the many disciplines that make up a successful company, their scope of duties, and how their role involves the Security Operations Center (SOC). We’ll also cover the external organizations with which the SOC might interact in their day-to-day work. These are the Areas of Expertise in the SOC . Cybersecurity Icons in a Circle with a Padlock in the Middle Your time as a SOC analyst will bring you into contact with many teams from within your organization. Everyone, including the CEO, could be involved in a security investigation. However, the SOC plays an essential role in the functions of other teams as well, including external organizations. This article will break down the teams into three sections: information security teams, internal teams, and external teams. So, let’s get started. Information Security Information security teams in most large organizations today are made up of three groups: analysts , engineers , and architects . The size of the companies’ enterprise network is usually the main factor in determining if the team is staffed internally or outsourced to third-party organizations. Some mid-sized organizations might combine the duties of two teams to save costs. Regardless of who staffs these positions, the scope of responsibility for each group is different and distinct. Job titles vary from company to company, so instead we are categorizing each function into the type of work they do, whether its analysis, engineering, or architecture. Analysts Let’s start with an easy one. The Security Operations is where you work as a SOC analyst. I hope by now you’ve learned that “SOC” is an acronym for Security Operations Center. Right, now that we’ve gotten that large knee-slapper out of the way, let’s talk briefly about the Security Operations’ scope of duties. Security Operations is home of Analysts : threat intelligence, threat hunting, digital forensics, and incident response analysts. Sometimes more subgroups and sometimes less. Sometimes companies give analysts an engineer or specialist job title. Job titles are just made up so we are referring to the type of work that you’ll be doing. Each subgroup works together to ensure that day-to-day operations are running smoothly. The SOC is responsible for monitoring, investigating, and remediating security events. Their scope of responsibility depends on who is staffing the SOC. As previously discussed, SOCs can be internal to the company or outsourced to an MSSP. Internal SOCs typically have higher privileges to take remedial actions during an incident, where Managed Security Services Providers (MSSPs) usually must report the incident to a customer’s information technology (IT) team. The key benefit to an internal SOC vs. an MSSP is the ability of the internal SOC to learn the details of a single network. MSSPs have multiple customers and must monitor several enterprise networks at once. This leaves the SOC analysts at a disadvantage as they never truly learn the granular details of a customer’s enterprise. This is most people’s starting point in cybersecurity. Threat Intelligence (TI) is usually a smaller team that’s focused on researching new threat reports, determining if the new threat is a danger to the company, and provides pertinent details to management and other information security teams. In some situations, the TI team is responsible for managing the Threat Intelligence Platform, which serves as a single point of collection for indicators of compromise and intelligence reports from multiple intel sources. Some typical intel sources are threat feeds such as AlienVault or Talos Intelligence and Open Source Intelligence. The best threat feeds require a subscription and can get expensive. However, they have dedicated security researchers teamed with intelligence collection specialists to generate high fidelity reports. Open Source Intelligence, or OSINT for short, can provide excellent intel if you have a team dedicated to sifting through it all. A quick Google search for “Open Source Intel Feeds” will net you a plethora of top ten lists of the best OSINT feeds out there. Threat Intelligence Analyst requires foundational knowledge of all cybersecurity, good communication skills both written and verbal, presentation skills, technical knowledge of cybersecurity threats, and a love for reading tons of information and fostering relationships with people who share information. Threat Intelligence Analysts empower the operations teams to detect and protect efficiently. This is not a junior position and can be staffed without having worked in the SOC. This could be a great position to try right out of the gate for transitioning military. The Digital Forensics and Incident Response (DFIR) teams are responsible for conducting investigations on long and enduring incidents. Sometimes this team is split into two separate teams at more defined companies and other times its one team known as the DFIR team. In both cases, they are common escalation points from the SOC. The SOC conducts the initial investigation, and if the incident isn’t resolved after it has travelled through all of the tiers, the incident transitions to Digital Forensics and Incident Response who often have to work together to resolve it. This is why it’s common to learn that the team is combined into one (Figure 1–1) Figure 1–1.  DF and IR Shared Responsibility Any engagements with legal, privacy, fraud, or external law enforcement organizations get filtered through the Digital Forensics and Incident Response teams, essentially becoming the experts on such matters. Also, in most organizations, the Digital Forensics and Incident Response teams work hand in hand with threat intelligence to conduct threat hunting. These are not junior positions and are often staffed by people who first worked in the SOC. The Threat Hunting team is an advanced security function that combines a proactive methodology, innovative technology, highly skilled people, and in- depth threat intelligence to find and stop the malicious, often hard-to-detect activities executed by stealth attackers that automated defenses may miss. Threat Hunting Analysts proactively search environments for traces of malicious activity. It requires knowledge of common SIEM tools and their query languages and familiarity with all of the rest of the tools in an environment such as endpoint tools, vulnerability scanners, and cloud security brokers, to name a few. Anything that is currently producing security events, the Threat Hunter needs to know about it. They also need expert knowledge of offensive security and how attacks happen. Just because the title might say Analyst doesn’t mean this is a Junior position. It requires a lot of expertise but is becoming more accessible to smaller companies as tools automate threat-hunting and/or make suggestions for threat-hunting queries. This position is often staffed by people who first worked in the SOC. The Red Team are your in-house penetration testing analysts . Not all businesses have a Red Team, as it might be more cost-efficient to outsource the function, but they play a critical role in any company. How do you test to ensure your security controls are working? Easy, hack yourself. Ethical hackers are analysts with the skills needed to compromise your enterprise network. Let’s talk briefly about a few types of penetration tests businesses utilize today. Black Box Test: The penetration tester has no prior knowledge of the target environment. This mimics an attacker with a limited understanding of the company. Typically, this type of test is contracted from a third-party penetration testing firm due to the Red Teams’ experience with the network. White Box Test: Testers have full knowledge of the target environment. This type of test is usually more pointed at a smaller portion of the enterprise. It could be a software company’s code pipeline or source code repository. The Red Team thrives in this type of penetration test. Gray Box Test: A combination of black box and white box, with the tester having partial knowledge of the target environment. This replicates a malicious insider or an outside attacker that has successfully infiltrated your network and has established a foothold. Purple Team Test: This type of test is used to measure the effectiveness of the SOC and DFIR teams (Blue Teams). This is a planned exercise where the Red Team will intentionally trigger a security alert to force the Blue Team to respond. The findings of this test will be used to drive improvements in the security program. Blue Team + Red Team = Purple Team! Cyber Professionals sure love their colors. This list is not all-encompassing; there are many other types of penetration tests that can be conducted. But generally speaking, these four will cover the large majority of all tests performed. Penetration testers are a special breed of security professionals; they dedicate a lot of time to honing their skills and testing new hacking tools and techniques. Red Team is often staffed by people who first worked in the SOC but also has a knack to attract the special lone wolves in the wild with special talent and skills. Engineers The Security Engineering team is responsible for deploying, managing, and maintaining the enterprise’s security tools and appliances. Many smaller companies will combine this function with the SOC analysts. They’re able to do this due to the small footprint of the network; however, more defined companies will have entire teams for engineering. Whether this role is staffed or handled by the SOC, security engineers are also responsible for updating and tuning the security tools. Many organizations will assign a single technology group to an engineer. Common technology groups for engineers are: Application Security Engineer: Responsible for identifying and addressing security weaknesses in applications that a business develops or uses. They implement controls, including app authentication, encryption, and authorization settings, test software, set up firewalls, and scan/test applications. Network Security Engineer: Responsible for maintaining the safety of a business’ organizational network. They monitor the network for breaches, identify vulnerabilities, and develop solutions and safeguards to protect the network against attacks. Cloud Security Engineer: Responsible for defending a business against attacks within the cloud. The engineer is responsible for configuring the network security, building applications, identifying and addressing vulnerabilities, and maintaining a secure cloud infrastructure. SIEM Engineer: Responsible for collaborating with various stakeholders to understand business requirements and devise strategies for utilizing data in a more effective and efficient manner. Works closely with the Security Operations Center (SOC) team, assisting in the implementation and management of SIEM and SOAR technologies, while also focusing on leveraging ML/AI techniques to enhance threat detection and analysis. Detection Engineer: Responsible for designing, building, and fine-tuning systems and processes to detect malicious activities or unauthorized behaviors. They also maintain the monitoring portfolio and track the coverage gaps in the security tools. They define change management processes to ensure alerts aren’t modified or removed and often develop “detection as code” by migrating threat detection development into code pipelines such as Github or Gitlab. Vulnerability Management Engineer: Responsible for scanning the environment for known vulnerabilities, prioritizing them, and assisting with managing the patching of these devices. This list isn’t inclusive of all of the types of engineers and it’s essential to understand the need for cross-leveling of skills here and how big the teams can get. A single person managing the Network Security would leave the organization in a predicament if the employee were to tender their notice. A best practice is to have a minimum of two engineers on a technology group; this allows for a checks-and-balances approach that limits the risk of a single point of failure. The number one customer of the Security Engineering team is the SOC. Because these teams work so closely together, security engineering is a natural progression for SOC analysts in the ladder upward to architect. This role requires advanced knowledge of how to administer systems and technologies. If you’re interested in engineering, take on some projects in your spare time at home. Learn a new technology group, such as virtualization or containers. The best way to learn this job is by doing it. So get out there and experiment, and when you fail, delete it all and start again. A note on Vulnerability Management Engineers, they also work closely with a different department in helping prioritize vulnerabilities. Prioritizing vulnerabilities isn’t as straightforward as you might think. When a vulnerability is found, it gets assigned a criticality that is adjusted by them based on many factors such as if the device is dev or prod, if it’s public-facing, or if it can be patched at all because it’s a legacy system with dependencies that require older versions of software. It’s not as easy as reading a report and taking action on it. These engineers typically work closely with the IT teams who are the ones that conduct the patching, often trying to convince them to patch things out-of-cycle or in a higher priority. Vulnerability Management requires a specific knowledge of how corporate environments operate and specifically how their company operates. It also requires good people skills, and knowing how to manage without authority. Those two skills should be practiced throughout your career no matter which technology group you fall into place with. Engineers usually have worked in the SOC first, but can come from other areas of IT such as Software Development, or IT/Cloud Engineering. Architects The Cybersecurity Architecture team is unique to large organizations and is focused on enforcing best security practices and compliance controls while implementing new technology in the enterprise. Let’s look at an example: Your company wants to move its on-premises database into a cloud solution such as Amazon AWS or Microsoft Azure. It’s the Security Architecture team’s job to work with the database and cloud administrators to ensure that the systems and data being migrated into the cloud are as secure as possible. This team is usually composed of senior security specialists with several years of experience in cybersecurity. Some organizations will outsource this to a third-party security consulting firm due to the limited scope of work needed for individual projects. A common practice for Cybersecurity Architecture teams at large companies is to have a small team with a broad knowledge of all of cybersecurity and each one has mastery skill of a different specialty. To name a few of these specialties, they are software security, network security, infrastructure security, and cloud security. At smaller companies there might only be one or two Cybersecurity Architects often with a broad cybersecurity background with a mastery of the specific company’s IT practices. An example of a cybersecurity architect’s objective is that they might devise the security and logging plan for a project to ensure a proper balance of security and cost saving. Security Architecture is one of the many pathways for a SOC analyst to move up in their career, but typically it happens after they’ve progressed as an engineer. You should have at least 7–10 years of cybersecurity experience before considering a move into Security Architecture. It is a highly stressful job and just because you’re able to do it, doesn’t mean that it’s what you should do. Tyler was a Cybersecurity Architect at a Fortune 50 company for only about four months before he resigned and decided they couldn’t pay him enough to do the job. He hardly slept the entire four months worrying about the ramifications if just one tiny calculation was incorrect. It just wasn’t for him, yet. Maybe when he’s much older and wiser. Architects are typically Engineers first (Figure 1–2) Figure 1–2. Typical Analyst Career Progression In summary, most organizations have some embodiment of these three information security teams: Security Operations, Security Architecture, Security Engineering. Whether the team is outsourced or owned by the SOC, the roles exist in every company. Each is a puzzle piece that fits together to form a well-rounded cybersecurity program. No one team is more important than the other, and I ask that you remember this as you move forward in your career. You’ll likely leave the SOC one day and pick a specialty. You’ll make more money, and you’ll have more freedoms like being able to work your own schedule and you’ll not have to do shift work. You’ll need less hand holding and you’ll become more independent as you grow more senior and you might one day look down on the SOC. It’s a typical progression that a lot go through in their careers, but know that it’s not leadership. No one team is more important than the other… and to lead is to serve. On that note, let’s move on to the next section. Internal Teams As you gain and demonstrate experience as a SOC analyst, opportunities to interact with teams outside of the SOC will occur. These opportunities are an excellent way to stand out and make a great impression on your leadership. Regardless of the task, you should approach each encounter with external teams with a high level of professionalism and confidence. You’ll find that when you’ve put in maximum effort toward the task, word of your accomplishments will make it back to your supervisor. And of course, the reverse is true as well. The last thing you want is for your supervisor to learn that you failed to contribute to a task. They tend to remember those conversations when reviewing compensation adjustments. Let’s first talk about Management . Technically, not all of management works outside the SOC. The SOC has a manager, and usually, somewhere up the chain, there’s a director. But, management makes business decisions, so this topic will cover the standard positions and scope of responsibility of those in management. It’s important to know that every organization is different in how they staff their management team. We’ll start in the SOC with the SOC manager and work upward to the executive staff. The SOC manager is the direct and first-line supervisor for all SOC analysts. Your interactions with them begin in the interview process as they’re also responsible as the hiring manager for the open analyst positions. SOC managers have a wide range of duties: everything from mentoring the junior analysts to driving collaboration between the SOC and other teams. In fact, the SOC manager has so many duties that there could be an entire article dedicated to the topic. We’ll begin with their responsibilities to you, the newly hired SOC analyst. The SOC manager is responsible for all aspects of compensation for the analysts under them, including the offer letter when you first applied, bonus payouts, and promotions. However, promotions can’t happen without mentorship, and that’s also a large part of their duties. Each company has different mentorship requirements, but you can expect to sit down with your manager and discuss personal and business goals. Your progress toward achieving these goals is taken into account during the bonus and promotion decisions. Time-off requests, work schedules, and SOC duty assignments are all decided upon by the SOC manager. The SOC manager is also responsible for generating reports on the number and type of security events the SOC sees to upper management. These reports inform the members of the executive staff on the latest trends of cyberattacks that are targeting the company. The SOC manager is the first level of the management team and is by far one of the hardest jobs in information security. Let’s move on. The SOC director is the next step up in the chain of managers to the SOC. This title is different for almost every company; some examples are “Director of Security Operations,” and “Director of IT Security.” Regardless of title, this position is usually the SOC manager’s supervisor. They’re responsible for the overall strategic decisions that face the company regarding cybersecurity, including budgeting requests, SOC staffing approval, and the metrics reporting to executive leadership. They also coordinate with other directors to plan and coordinate joint projects. We’ll cover them more later. The next rung in the management ladder is the Chief Information Security Officer or CISO for short. Depending on the company, the responsibilities of the CISO range considerably. Due to this, we won’t spend too much time discussing the CISO. All you need to understand from a SOC analyst perspective is the CISO is responsible for the high- level decisions regarding information security. They will most likely be the first executive officer you’ll meet, and depending on your company, the CISO likely reports directly to the CEO. So, no pressure trying to make an excellent first impression. That’ll wrap it up for the management team; from here, let’s move on to some of the common organizations you’ll work with as a SOC analyst. Each team we discuss will have a similar management structure as the SOC. I’ll skip going into detail about the team members and focus on the scope of the team itself. The Risk Management team is responsible for measuring, reporting, and mitigating the company’s risk levels. In regard to cybersecurity, they’ll look at the likelihood of a compromise, determine the impact on the business if the attack happened, and generate a report to management on the risk. This data allows management to make an informed decision to assume or mitigate the risk. Most likely, if all this sounds familiar, you’ve learned about risk matrices somewhere along the way. “But how does the SOC assist the Risk Management Team?” I’m so glad you asked. Risk Management teams are not cybersecurity experts. Their understanding of attacks and compromises is limited to what they read in the news. That’s when the SOC consults to define the impact of a compromise. An example of a SOC consultation would be to describe how a critical system is vulnerable to a particular type of compromise. Maybe you’re asked what security control would best stop the attack before it happens. Regardless of the request from Risk Management, the goal is to provide them with the worst-case scenario. To measure risk, Risk Management needs to know the most dangerous outcome for the company and how often it might occur. The Governance and Compliance team ensures “the overall management approach that board members and senior executives use to control and direct an organization”1 is disseminated and adhered to. They also ensure the company meets or exceeds compliance standards related to certain industries. An example of this would be the Payment Card Industry Data Security Standard (PCI DSS), which enforces controls around payment and card systems. The purpose of compliance is to ensure that proper cybersecurity practices are followed in a uniform manner. There are several global compliance standards, and each has a different set of controls, although some overlap. Table lists the common and well- known compliance standards. The most common interaction the SOC will have with Governance and Compliance teams is during the auditing process. The SOC plays a vital role in providing evidence of compliance for the Audit team. Some common evidence requests might be logs collected, process documentation, and a security event walk-through. We’ll cover more about the Audit team later in this article. Definition Auditing is the information gathering and analysis of assets to ensure such things as policy compliance and security from vulnerabilities. The next team we’ll cover is the Privacy and Legal team. Usually, you’ll interact with Privacy and Legal during security incidents that involve evidence collection or public disclosure of a compromise. In the previous article, we briefly discussed the Capital One data breach.3 The privacy half of this team was responsible for identifying the nature of the data that was stolen. Working with legal, together they inform executive leadership on disclosure requirements, legal obligations, and options to pursue actions against the attacker. In the case of Capital One, the Privacy and Legal team notified victims of the data breach and assisted the FBI in apprehending the suspect. Let’s segue to our final team for this section, the Fraud team. The Fraud team works hand in hand with Privacy and Legal in investigations of a data breach to determine if the data has been leaked, sold, or used for malicious means. For example, the data stolen from Capital One included 140,000 US Social Security Numbers. The Fraud team is responsible for investigations tied to the use of stolen data such as identity theft or data brokerage on the dark web. The Fraud team’s responsibilities shift depending on the company’s industry. A software company’s Fraud team might scour the Internet for license key generators, while a manufacturing company has their Fraud team looking for signs of stolen blueprints. External Teams For this article, external teams are defined as any team that does not work for your company. So far, we’ve covered information security and internal teams that the SOC will interact with to accomplish business objectives. Your interaction with external teams requires special considerations. The most important note is that you are a representative of your organization and company. The first external team we’ll discuss is government agencies, and they’ll play a critical role in any country. Whether it’s for compliance, reports of data breaches, or interpreting privacy laws, the SOC will eventually find itself interacting with the local or federal government. As both authors are located in the United States, we’ll cover what we know and not speculate on other countries’ stance on cybersecurity. I urge you to research local laws and regulations in your region to prepare yourself when interacting with your local government agency. There are different types of government agencies that we need to cover, and the SOC will interact with each one in various capacities. Law enforcement agencies will be the most common government entity you’ll encounter. Some examples of law enforcement agencies in the United States are the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and State and Local Police. Like the Legal and Privacy team, the SOC will most likely work to provide evidence of data breaches or insider threats to the investigating agency. When communicating with law enforcement agencies, it’s important to only state facts. Try to remain professional and pay respect to the members of the agency you are working beside. The majority of individuals you’ll deal with won’t be cybersecurity analysts, so speak in common terms. The second government entity we’ll discuss is military and intelligence agencies. Today, many companies provide services or goods to their federal government, and most countries have cybersecurity regulations that must be followed by companies that do business with the government. This comes in the form of tighter compliance controls and mandatory reporting requirements. A benefit of working with the government is the shared threat intelligence provided by the network of companies that work with the government. In the United States, companies that work with the federal government can join the Defense Industrial Base Cybersecurity (DIB CS) program . This program allows companies to share threat reports, indicators of compromise, and malware samples in a central location. The Department of Defense (DoD) also provides threat reports and alerts based on intelligence collected by military or intelligence agencies. The last government organization we’ll cover is regulatory agencies. Regulatory agencies are bodies created to set a baseline of standards for a particular field of activity in the private sector of the economy and then enforce those standards. Regulatory agencies are commonly broken out into business sectors; for example, the US Department of Health and Human Services regulates the HIPAA compliance standards. Not all regulatory bodies are government-affiliated; the International Organization for Standardization is an independent, nongovernmental international organization with a membership of 164 national standards bodies. Since nongovernment regulatory agencies can’t enforce compliance or issue punishment to companies out of compliance, government agencies who adopt compliance standards such as ISO 27001 will assume responsibility for enforcement and punishment. In this model, a committee of representatives from the member countries developed new and revamped compliance standards. The second external team we’ll discuss is Audit teams. Auditors play a significant role in a company’s path to regulatory compliance and will be a source of many headaches for the SOC. The auditor’s primary responsibility is to understand the compliance standards and the security controls that satisfy the requirement. Next, they apply their knowledge and expertise in their field to compare a company’s security posture against the compliance standards. Let’s look at an example of how an auditor might interact with the SOC during a compliance engagement by looking at a PCI DSS Version 1.2 controls in Table 2–2. The goal, “Regularly Monitor and Test Networks,” is a typical example of data the SOC will be responsible for providing. Specifically, the SOC would be the team monitoring access to network resources, and the data that auditors will want to see most likely resides in the SOC’s SIEM. Each auditor is different, so the exact data they’ll ask for will vary depending on the experience level and individual preference. Some auditors will request for the SOC to give a live demo of their ability to access and monitor the data, while others will request screenshots of the monitoring platform and the data held within. Depending on the compliance standard, audits will happen anywhere from every three months to annually. Also, depending on your company, the SOC might be responsible for providing evidence to multiple audit teams throughout the year. As a new SOC analyst, you won’t likely interact with the auditors directly. If a demo is requested, it’s usually handled by a senior analyst due to their experience with the company’s data sources and monitoring portfolio. Your manager and team lead will own the responsibility of planning and coordinating with the compliance and audit teams, and your tasks begin with evidence collection. Let’s move on to our final team for this article, and likely the most common external team you’ll interact with as a junior analyst. Vendors are external product or service providers that have sold a product to your company or are attempting to sell a product. Any tool the SOC uses, which wasn’t created by your company, came from a vendor. The SOC’s interaction level with existing vendors will be limited to requesting assistance with issues, feature requests, and bug reports. However, you might be asked to join a tool demo or proof of concept (POC) evaluation of a security tool. Insight Working with vendors can be a great networking opportunity; leaving a good impression with the vendor could lead to future job offers if you decide to move away from the SOC. When working with existing vendors, there are specific ethical concerns around requesting features or accepting gifts. It’s important to remember that you’re a representative of your company. Vendors who provide an existing service or product could take your feature request and bill your company for the hours spent on the work. That shouldn’t deter you from asking for new features. When communicating with the vendor, be sure to ask them if the company will be billed before any agreement is made. Similarly, when communicating with vendors trying to sell your company a product or service, it’s important not to promise anything to the vendor. The best conversation you can have with a vendor providing a demo or POC is by offering your honest feedback on their product. Good or bad, they will take your feedback to their company for product changes. So when providing your thoughts on their product, be sure to offer constructive criticism. Comments like “your product adds no value for us” and “we could build this ourselves” is a surefire way to get you removed from future vendor conversations. Summary Working in the SOC brings you into contact with many other teams, both from within and external to your company. Each team covered in this article combines to shape your SOC’s daily scope of duties. The team names and roles discussed in this article are not standardized from company to company. As previously mentioned, some team member responsibilities might belong to the SOC. Regardless of whether the positions exist, the team’s functions are required for a company to succeed. We’ve talked previously about our purpose for this book and how we hope to prepare you for a great, new career in cybersecurity by way of the SOC. Consider the overhead of having to teach a new SOC analyst the functions of each team member, external organization, and government entity for a moment. This article helps you set yourself up for success by providing a cursory introduction to the areas of expertise in cybersecurity. Whether you’re working with your local law enforcement to investigate a malicious insider or collecting audit evidence to the compliance team, your better understanding of the groups and their roles and responsibilities will help to make you stand out as a productive member of the SOC team. ARTICLE QUIZ (SOLUTIONS FOLLOW) Large organizations often consist of three general teams for cybersecurity. Which of the following is not one of them? Ⓐ IAM Ⓑ Operations Ⓒ Engineering Ⓓ Architecture The Threat Intelligence (TI) team does which of the following? Ⓐ Takes over incidents from the SOC and conducts investigations on long and enduring incidents. Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC. Ⓒ Focuses on enforcing the best security practices and compliance controls while implementing new technology. Ⓓ Identifies, catalogs, and remediates new and existing vulnerabilities. Relating to responsibilities, the Digital Forensics and Incident Response (DFIR) Team does which of the following? Ⓐ Focuses on enforcing the best security practices and compliance controls while implementing new technology. Ⓑ Deploys, manages, and maintains security tools. Ⓒ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC. Ⓓ Takes over incidents from the SOC and conducts investigations on long and enduring incidents. The Security Engineering Team covers which of the following tasks? Ⓐ Identifies, catalogs, and remediates new and existing vulnerabilities. Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC. Ⓒ Deploys, manages, and maintains security tools. Ⓓ Focuses on enforcing the best security practices and compliance controls while implementing new technology. The Vulnerability Management team is responsible for which of the following? Ⓐ Researching new threats, determining if they’re dangerous, and providing details to management. Ⓑ Identifying, cataloging, and remediating existing vulnerabilities throughout a network. Ⓒ Taking over incidents from the SOC and conducting investigations on long and enduring incidents. Ⓓ Deploying, managing, and maintaining security tools. Responsibilities of the Security Architecture team include which of the following? Ⓐ Focusing on enforcing the best security practices and compliance controls while implementing new technology. Ⓑ Deploying, managing, and maintaining security tools. Ⓒ Researching new threats, determining if they’re dangerous, and providing details to management. Ⓓ Taking over incidents from the SOC and conducting investigations on long and enduring incidents. The _________ is the first level of management and one of the most difficult jobs in cybersecurity. Ⓐ SOC Director Ⓑ SOC Manager Ⓒ Chief Information Security Officer (CISO) Ⓓ Risk Management Team The SOC Director may also be called _______. Which of the following does not apply? Ⓐ Director of Security Operations Ⓑ Director of Threat Management Ⓒ Director of ITSecurity Ⓓ Director of Risk Management Which of the following internal teams focuses on the worst-case scenario and how often that may occur? Ⓐ Risk Management. Ⓑ Governance and Compliance. Ⓒ Privacy and Legal. Ⓓ Digital Forensics and Incident Response (DFIR). ARTICLE QUIZ SOLUTIONS Large organizations often consist of three general teams for cybersecurity. Which of the following is not one of them? Ⓐ IAM While there may be an IAM team in very large organizations, the three general teams can be broken down into Operations, Engineering, and Architecture The Threat Intelligence (TI) team does which of the following? Ⓑ Researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC. The Threat Intelligence team typically researches new threats to enhance detection, determines if they’re dangerous, and provides details to management and the SOC. Relating to responsibilities, the Digital Forensics and Incident Response (DFIR) Team does which of the following? Ⓓ Takes over incidents from the SOC and conducts investigations on long and enduring incidents. Typically, the DFIR team takes over incidents from the SOC and conducts investigations on long and enduring incidents. The Security Engineering Team covers which of the following tasks? Ⓒ Deploys, manages, and maintains security tools. Typically the Security Engineering team deploys, manages, and maintains security tools. The Vulnerability Management team is responsible for which of the following? Ⓑ Identifying, cataloging, and remediating existing vulnerabilities throughout a network. The Vulnerability Management teams Is responsible for identifying, cataloging, and remediating existing vulnerabilities throughout a network. Responsibilities of the Security Architecture team include which of the following? Ⓐ Focusing on enforcing the best security practices and compliance controls while implementing new technology. The Security Architecture team typically focuses on enforcing the best security practices and compliance controls while implementing new technology. The _________ is the first level of management and one of the most difficult jobs in cybersecurity. Ⓑ SOC Manager The first level of management and the one that you will interact with most frequently is the SOC Manager. The SOC Director may also be called _______. Which of the following does not apply? Ⓓ Director of Risk Management The SOC Director typically isn’t called a Director of Risk Management. Which of the following internal teams focuses on the worst-case scenario and how often that may occur? Ⓐ Risk Management. The Risk Management team focuses on all of the “bad” things that can happen and how often they may occur, as well as the impact they have on the organization.

A circle with gears in it, with a shield over it, with a circle with gears in it, with the title "Azure Cybersecurity Labs" Azure Cybersecurity Labs - Part Three To kick Azure Cybersecurity Labs - Part Three off, we first need to install Terraform and then continue completing our first Terraform lifecycle. Follow along in these two videos as we install Terraform on Mac and Windows, then proceed with the instructions. Installing Terraform on Windows https://youtu.be/1er-WkfUBmU curl.exe -O https://releases.hashicorp.com/terraform/0.12.26/terraform_0.12.26_windows_amd64.zip Expand-Archive terraform_0.12.26_windows_amd64.zip Rename-Item -path .\terraform_0.12.26_windows_amd64\ .\terraform Insta lling Terraform on Mac brew install terraform terraform -install-autocomplete Running your first Terraform With Terraform, there is a lifecycle for a resource, and it can be broken down into four phases: Init, Plan, Apply, and Destroy. The cycle of init, plan, apply, destroy of Terraform init — Init. Initialize the (local) Terraform environment. Usually executed only once per session. plan — Plan. Compare the Terraform state with the as-is state in the cloud, build and display an execution plan. This does not change the deployment (read-only). apply — Apply the plan from the plan phase. This potentially changes the deployment (read and write). destroy — Destroy all resources that are governed by this specific Terraform environment. This article assumes that you have created an Azure account and subscription. The first thing we will do is install the Azure CLI tools and configure them to be used with Terraform. The Azure CLI Tool is installed Install the Azure CLI tool with brew on macOS: brew update  && brew install azure-cli To install the Azure CLI using PowerShell in Windows, start PowerShell as an administrator and run the following command: $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; Remove-Item .\AzureCLI.msi You can now run the Azure CLI with the az command from Windows Command Prompt, PowerShell, or Mac Terminal. You will use the Azure CLI tool to authenticate with Azure. Terraform must authenticate to Azure to create infrastructure. In your terminal, use the Azure CLI tool to set up your account permissions locally. az login You have now logged in using your account, which you created in previous lectures. In the output in the terminal, find the ID of the subscription that you want to use: {       "cloudName": "AzureCloud",     "homeTenantId": "0envbwi39-home-Tenant-Id",     "id": "35akss-subscription-id",     "isDefault": true,     "managedByTenants": [],     "name": "Subscription-Name",     "state": "Enabled",     "tenantId": " 0envbwi39-TenantId ",     "user":  {     "name": "your-username@domain.com",       "type": "user" } } Once you have chosen the account subscription ID, set the account with the Azure CLI. az account set --subscription " 35akss-subscription-id " Next, we create a Service Principal. A Service Principal is an application within Azure Active Directory with the authentication tokens that Terraform needs to perform actions on your behalf. Update the with the subscription ID you specified in the previous step. az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/ The output includes credentials that you must protect . Ensure you do not include these credentials in your code or check the credentials into your source control. For more information, see the assignment details {   "appId": "xxxxxx-xxx-xxxx-xxxx-xxxxxxxxxx",   "displayName": "azure-cli-2022-xxxx",   "password": "xxxxxx~xxxxxx~xxxxx",   "tenant": "xxxxx-xxxx-xxxxx-xxxx-xxxxx" } Next, you need to set your environment variables. HashiCorp recommends setting these values as environment variables rather than saving them in your Terraform configuration. Open a Mac terminal or PowerShell and input the values from the previous command. We got the subscription ID from the previous step. For Mac Terminal export ARM_CLIENT_ID=""  export ARM_CLIENT_SECRET=""  export ARM_SUBSCRIPTION_ID=" "  export ARM_TENANT_ID="" For PowerShell $env:ARM_CLIENT_ID = "APPID_VALUE" $env:ARM_CLIENT_SECRET = "PASSWORD_VALUE" $env:ARM_TENANT_ID = "TENANT_VALUE" $env:ARM_SUBSCRIPTION_ID = " SUBSCRIPTION_ID " Install Visual Studio Code and Set Up Environment Great! We are all configured to use Azure now. Now, the next thing we are going to do is open up a terminal and install Visual Studio Code by issuing this command on a Mac: brew install visual-studio-code Or on a Windows machine navigating to this URL to download . Next, in the terminal on Mac, we will issue the following commands to create a directory that will contain our Terraform configuration: mkdir  ~/tf-exercise-1 cd  ~/tf-exercise-1 And open up a file for main.tf code   main.tf On Windows create a folder anywhere called "tf-exercise-1" and create a new file called "main" with the file extension ".tf" and open that file with Visual Studio Code Now we need to write a configuration to create a new resource group. Copy and paste the code snippet into the "main.tf" file # Configure the Azure provider terraform { required_providers { azurerm = { source = "hashicorp/azurerm" version = "~> 3.0.2" } } required_version = ">= 1.1.0" } provider "azurerm" { features {} } resource "azurerm_resource_group" "rg" { name = "myTFResourceGroup" location = "westus2" } Note: The location of your resource group is hardcoded in this example. If you do not have access to the resource group location westus2, update the main.tf file with your Azure region. This is a complete configuration that Terraform can apply. In the following sections we will review each block of the configuration in more detail. Terraform Block The terraform {} block contains Terraform settings, including the required providers that Terraform will use to provision your infrastructure. For each provider, the source attribute defines an optional hostname, a namespace, and the provider type. Terraform installs providers from the Terraform Registry by default. In this example configuration, the azurerm provider’s source is defined as hashicorp/azurerm, which is shorthand for registry.terraform.io/hashicorp/azurerm . You can also define a version constraint for each provider in the required_providers block. The version attribute is optional, but we recommend using it to enforce the provider version. Without it, Terraform will always use the latest version of the provider, which may introduce breaking changes. Providers The provider block configures the specified provider, in this case azurerm. A provider is a plugin that Terraform uses to create and manage your resources. You can define multiple provider blocks in a Terraform configuration to manage resources from different providers. Resource Use resource blocks to define components of your infrastructure. A resource might be a physical component, such as a server, or it can be a logical resource, such as a Heroku application. Resource blocks have two strings before the block: the resource type and the resource name. In this example, the resource type is azurerm_resource_group and the name is rg. The prefix of the type maps to the name of the provider. In the example configuration, Terraform manages the azurerm_resource_group resource with the azurerm provider. Together, the resource type and name form a unique ID for the resource. For example, the ID for your network is azurerm_resource_group.rg. Resource blocks contain arguments which you use to configure the resource. The Azure provider documentation documents supported resources and their configuration options, including azurerm_resource_group and its supported arguments. Initialize your Terraform configuration Initialize your learn-terraform-azure directory in your terminal. The terraform commands will work with any operating system. Your output should look similar to this one: terraform init Initializing the backend...Initializing provider plugins... - Finding hashicorp/azurerm versions matching "~> 3.0.2"... - Installing hashicorp/azurerm v3.0.2... - Installed hashicorp/azurerm v3.0.2 (signed by HashiCorp) Terraform has been successfully initialized! You may now begin working with Terraform. Try running “terraform plan ” to see any required changes for your infrastructure. All Terraform commands should now work. If you ever set or change modules or backend configuration for Terraform, rerun this command to reinitialize your working directory. If you forget, other commands will detect it and remind you to do so if necessary. Format and validate the configuration We recommend using consistent formatting in all of your configuration files. The terraform fmt command automatically updates configurations in the current directory for readability and consistency. Format your configuration. Terraform will print out the names of the files it modified, if any. In this case, your configuration file was already formatted correctly, so Terraform won’t return any file names. terraform fmt You can also make sure your configuration is syntactically valid and internally consistent by using the terraform validate command. The example configuration above is valid so Terraform will return a success message. terraform validate Success! The configuration is valid. Apply your Terraform Configuration Run the terraform apply command to apply your configuration. This output shows the execution plan and will prompt you for approval before proceeding. If anything in the plan seems incorrect or dangerous, it is safe to abort here with no changes made to your infrastructure. Type yes at the confirmation prompt to proceed. terraform apply An execution plan has been generated and is shown below. Resource actions are indicated with the following symbols: + create Terraform will perform the action of creating a resource group: azurerm_resource_group.rg will be created + resource "azurerm_resource_group" "rg" { + id = (known after apply) + location = "westus2" + name = "myTFResourceGroup" } Plan: 1 to add, 0 to change, 0 to destroy. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes azurerm_resource_group.rg: Creating... azurerm_resource_group.rg: Creation complete after 1s [id=/subscriptions/c9ed8610-47a3-4107-a2b2-a322114dfb29/resourceGroups/myTFResourceGroup] Apply complete! Resources: 1 added, 0 changed, 0 destroyed. Navigate to the Azure portal in your web browser to ensure the resource group was created. Inspect your state When you apply your configuration, Terraform writes data into a file called terraform.tfstate. This file contains the IDs and properties of the resources Terraform created to manage or destroy those resources going forward. Your state file includes all of the data in your configuration and could contain sensitive values in plaintext, so do not share it or check it into source control. Inspect the current state using terraform show. terraform show azurerm_resource_group.rg: resource "azurerm_resource_group" "rg" { id = "/subscriptions/c9ed8610-47a3-4107-a2b2-a322114dfb29/resourceGroups/myTFResourceGroup" location = "westus2" name = "myTFResourceGroup" } When Terraform created this resource group, it also gathered the resource’s properties and metadata. These values can be referenced to configure other resources or outputs. To review the information in your state file, use the state command. If you have a long state file, you can see a list of the resources you created with Terraform using the list subcommand. terraform state  list azurerm_resource_group.rg If you terraform state, you will see a full list of available commands to view and manipulate the configuration’s state. terraform state Usage: terraform state  [options] [args] This command has subcommands for advanced state management. These subcommands can be used to slice and dice the Terraform state. This is sometimes necessary in advanced cases. For your safety, all state management commands that modify the state create a timestamped backup of the state before making modifications. The structure and output of the commands are specifically tailored to work well with the standard Unix utilities such as grep, awk, etc. We recommend using those tools to perform more advanced state tasks. Terraform Destroy Lastly, issue the terraform destroy command to complete the lifecycle and undo the changes that you made. Terraform keeps a state of the changes you made in the terraform state file, so it knows exactly which ones to undo. terraform destroy # azurerm_resource_group.rg will be destroyed resource "azurerm_resource_group" "rg" { id = "/subscriptions/b7b18fdb-6e24-4934-a25e-2957c9e62d05/resourceGroups/myTFResourceGroup" -> null location = "westus2" -> null name = "myTFResourceGroup" -> null tags = {} -> null } Plan: 0 to add, 0 to change, 1 to destroy. Do you really want to destroy all resources? Summary You have now completed your very first terraform lifecycle. Congratulations! It's fairly simple, the configuration files get more complex from here but the steps and lifecycle remain the same. We just created a resource group in Azure, but we will continue the Terraform exercises by doing something a little more complex and deploying a honeypot using Terraform.

Becoming an SOC analyst is often viewed as the gateway to a career in cyber. Many aspiring professionals see it as the easiest entry point into this lucrative field. While entering the SOC can lead to a prosperous future, the application process isn't as easy as you might think. The SOC Analyst Job Application Process is Broken . My Journey as a Cybersecurity Analyst Let me share my journey into the world of cyber. I enjoyed a successful career in cyber with a significant income. At least, to me, it felt like I had more money than I could ever spend. However, money alone didn't bring me happiness. Eventually, I sought something meaningful in my life. I was disillusioned by my previous role as a SOC Consultant, which felt monotonous and uninspiring. I often compared my situation to Sisyphus, who endlessly pushes a boulder up a hill only to have it roll back down. Curved lines, almost scribbles, making out a person pushing a boulder up a hill. Around a recreation tangle (rectangle) with triangles at perpendicular edges. Someone's journey. This myth encapsulated my feelings of futility in my job. After having traveled extensively and accumulated material possessions, I realized that living a fulfilling life was all that mattered. Thus, I made a bold decision to leave a $185,000-a-year SOC job. How Much Does a SOC Analyst Make? Salaries can vary greatly depending on location and cost of living. Here are some insights based on my experience in Cumming, Georgia. SOC Analyst Career Trajectory Example Here’s a quick glimpse of my salary progression as a SOC Analyst: 2013: $55k/year as an entry-level SOC analyst 2014: $75k/year after 1.5 years at a different company 2015: $105k/year as a Sr. SOC Analyst 2016: $135k/year as a Sr. Security Engineer 2018: $135k/year plus $25k in RSUs as a Sr. Security Engineer 2020: $160k/year as a Cybersecurity Architect 2020: $140k/year plus a 10% bonus as a Cyber Advisor 2021: $185k/year as a SOC consultant As you can see, starting salaries in the Managed Security Service Provider (MSSP) sector are typically lower, ranging from $60k to $80k. However, permanent positions within a company's internal SOC offer starting salaries from $80k to $100k. It is essential to accept that you might not be able to go headfirst into an exotic specialty, and need to start cyber however you can, even if that means accepting a contract role. Why SOC Analyst Jobs Are Accessible There are three keys to why SOC analyst roles are the most accessible entry-level jobs in cyber: Many individuals use the SOC to begin their cyber career. Consequently, backfill positions open up. SOCs must operate all day, every day, requiring constant staffing. High SOC turnover, especially for overnight positions, leads to new job openings. Staffing can be complicated due to geographic limits and FedRamp regulations, leading to additional recruitment challenges. For many, the SOC remains the best entry point into cyber. Yet, if you're ready for more specialized roles, don't hesitate to explore those options. The SOC Analyst Job Application Process is Broken If you aim to secure a SOC job by 2026, prioritize networking. The hiring process is notably broken. Many job seekers use AI to enhance their resumes, leading to multiple applications from the same candidate just to be seen. Hiring managers are inundated with job applications, filling their inboxes with thousands of applications. It's a DDoS! They often favor referrals and existing connections over cold applications because cold applications are impossible to evaluate. With thousands of aspiring SOC analysts vying for attention, differentiating yourself is essential. You have control over your narrative and cannot change the competition of SOC analysts. Essential Networking Strategies To effectively network, consider these tactics: Attend two in-person meetups each month. Make daily appearances in relevant online communities. Write two blog posts per week on Medium. A strong network can propel your career to new heights. A Note to Your Future Self As you navigate your career, begin collecting contacts and building your email list. This will prove invaluable in a future where AI and entrepreneurship shape the job market. In summary, while the SOC analyst job application process has its challenges, you can position yourself for success in the cybersecurity field with the right strategy. Let us help you with that. Our course SOC Analyst NOW!, SOC JOB NOW!, and Cloud Security NOW! is the trifecta that can set you apart. Explore our course offerings here .

It was 2013 and I was 26 years old just starting out in the Security Operations Center of an Managed Security Services Provider. I sat in a room filled with hopes and dreams of money, money, money from my colleagues. We were all just starting out and at the lowest rung of the ladder not making much money at all but everyone knew somebody that made what felt like billions of dollars doing cybersecurity. What did they do with all that money? This is Is the best of the SOC behind us? We would wake up and check the news outlets because breaches were happening and making big news. The public was very concerned about cybersecurity, and companies were throwing cash at cybersecurity to avoid being in the news. There weren’t many people trained in cybersecurity, and the demand for talent was high. Companies couldn’t hire the talent they needed, so they threw cash at training people. The training business was booming. It was a time to be in cybersecurity; it was the golden age. Before we go further, I want to say that this blog doesn’t end depressingly; it ends on a high note, and not the high note that you might be thinking right now. It is 2020, COVID is a hot topic, I am just leaving VMware as an SOC Automation Developer after having what someone could describe as a breakdown, just realizing what the future of cybersecurity would look like. I spent my time slowly taking away work from the SOC and automating it, scribbling in my notebook next steps until I reached what would be the master plan for automating not only the SOC, but what would be “Mastering Cybersecurity Automation” which led to a book deal with the publisher Manning that I ultimately backed out of. When I began the book, starting with the matrix, I realized something that haunted me, something I haven’t told anyone until now. Computing at its fundamental level is fundamental. It's a combination of 1s and 0s, and a 1 and a 0 can be organized into four combinations: 11, 00, 10, 01. We are adding complexity. From there, you can take those same 11, 00, 10, 01 and make 16 combinations, adding more complexity. This is the same thing that we’ve done in cybersecurity. The fundamental cybersecurity tasks, or in this outline, “building blocks”, can be organized into increasing complexity to accomplish all of our tasks, meaning all you need to do is automate the building blocks of your company and use a matrix to combine them in various combinations to achieve the result of full automation. This draft could use some more refining, but it is presented to understand the idea. We do very few fundamental tasks in cybersecurity. And thats when I stopped. We overcomplicated and convoluted a 180 billion dollar industry that provides jobs to millions of people, and I wasn’t prepared to face an internal struggle over what was right. I went back and forth with this for some time. Eventually, I couldn’t stomach being responsible for building the master matrix of tasks, leaving everyone unemployed, so I left automation altogether. Today, it is well known that automation, not AI, is replacing cybersecurity jobs, and we feel its impact. It's like I am seeing this evolve, whether or not I was responsible for it. Someone is going to figure this out. Now, I mentioned that this blog leaves on a high note. Are you ready for it? The high note is the demand for automation. The threat landscape continuously evolves, leaving more to automate. Automation tools have become incredibly user-friendly, meaning you don’t have to be a developer to use them. The SIEM we used as a single pane of glass is now an SOAR tool. There will be a race for efficiency that will never, ever, ever, end. Companies will continuously tweak automation forever to get more and more efficient. It will never end, and the demand will shift for people with better and better automation skills. Automation BREAKS all the time. People will be needed to repair the automation. Some processes you just can’t leave to automation and require human approval. People will be needed to do this, too. I am writing about this only because I believe the net sum of labor from before and after will be near zero when it's all said and done. Companies are undergoing some changes, laying off people they will have to rehire when they reskill. There are some unrealistic expectations of the cost savings of automation. The only real way to save costs is by accepting more risk, which they could have done from the beginning. It’s an industry that fluctuates, and that is where I have landed lately. All those nights lying awake, worried about the future, just seemed to work themselves out. And then AI happened. PART ONE: Understanding Automation CHAPTER 1: Introduction Why this book was written What this book aims to accomplish CHAPTER 2: The Demand for Automation The evolving cybersecurity threat landscape The cybersecurity workforce The traditional security operations center The solution of cybersecurity automation Value Stream Map CHAPTER 3: Mastering Cybersecurity Automation Cybersecurity automation architecture Cybersecurity automation processes Cybersecurity automation technology CHAPTER 4: Prerequisites and Assumptions The similarities between SMB and Large Enterprises International legal and data privacy considerations Government regulations and certifications Industry-related regulations and certifications Organization policies/Asset policy PART TWO: Building Blocks CHAPTER 5: Sending Emails Playbook Technical integration components Process flowchart Explanation of steps and decisions CHAPTER 6: Enrichment Playbook Technical integration components Process flowchart Explanation of steps and decisions CHAPTER 7: Analyzing Malware Playbook Technical integration components Process flowchart Explanation of steps and decisions CHAPTER 8: Actioning Endpoints Playbook Technical integration components Process flowchart Explanation of steps and decisions CHAPTER 9: Firewall/web proxy Blocking Playbook Technical integration components Process flowchart Explanation of steps and decisions CHAPTER 10: Escalate to Incident Response Playbook Technical integration components Process flowchart Explanation of steps and decisions CHAPTER 11: SIEM Automation Technical integration components Process flowchart Explanation of steps and decisions CHAPTER 12: Responding to Emails Technical integration components Process flowchart Explanation of steps and decisions CHAPTER 13: Asset Discovery Playbook Technical integration components Process flowchart Explanation of steps and decisions CHAPTER 14: Manual Exception Playbook Technical integration components Process flowchart Explanation of steps and decisions CHAPTER 15: Whitelist Playbook Technical integration components Process flowchart Explanation of steps and decisions PART THREE: Fully Automated CHAPTER 16: Phishing Response Automation Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 17: Unusual Privileged Account Activity Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 18: Banned Programs Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 19: Threat Intelligence Response Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 21: Vulnerability Management Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 22: Emergency Vulnerability Management Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 23: Data Loss Prevention Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 24: Cloud Orchestration and Response Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 25: Insider Threat Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 26: Threat Hunting Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 27: User Account Provisioning/Termination Building Blocks Required Flowchart Description of the phases of this automation: Potential response actions How this automation is used CHAPTER 28: Rogue Assets Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 29: Metrics Building Blocks Required Flowchart Description of the phases of this automation Potential response actions How this automation is used CHAPTER 30: Cybersecurity Automation Matrix Building blocks and their components Automations and their building blocks Cybersecurity roles and their automation Table of Illustrations About the Authorship About the Technical Review

A circle with gears in it with a shield in front of it with a gear inside another circle with the title "Azure Cybersecurity Labs" Azure Cybersecurity Labs - Part Two The first thing that we will be covering in this course, Azure Infrastructure as Code, is what infrastructure as code is and why it is important. This is Azure Cybersecurity Labs - Part Two. Infrastructure as Code (IaC) is about using code to manage the computing infrastructure in the cloud rather than pointing and clicking and using the GUI. This includes things like operating systems, databases, and storage, to name a few. Traditionally, we had to spend lots of time setting up and maintaining infrastructure... going through lengthy processes when we wanted to create something new or delete entire environments. With IaC, you can define what you want your infrastructure to look like with code without worrying about all the detailed steps to get there. For instance, you can just say that you want a Debian server with 12gb of ram and 80gb of hard drive space and it figures out everything it needs to do to make that happen. Benefits of Infrastructure as Code Automation is a key goal in computing, and IaC is a way to automate infrastructure management. There are several benefits of using IaC, one of which is easy environment duplication. You can use the same IaC to deploy an environment in one location that you do in another. Suppose a business has IaC describing its entire regional branch's environment, including servers and networking. In that case, they can copy and paste the code, then execute it again to set up a new branch location. Another benefit of using IaC is that it reduces configuration errors. Manual configurations are error-prone due to human mistakes, so having them automated with IaC minimizes the error. It also makes error checking more streamlined. Later in this course, we will be using tools to check IaC configurations for issues, but for now, you can just take a piece of IaC code and evaluate it for misconfigurations before you deploy it. The last benefit I want to cover for IaC is the ability to build and branch on environments easily. For instance, if a new feature like a machine learning module is invented, developers can branch the IaC to deploy and test it without affecting the main application. How does IaC work? IaC describes a system's architecture and functionality, just like software code describes an application. It uses configuration files treated like source code to manage virtualized resources in the cloud. These configuration files can be maintained under source control and part of the overall codebase. Immutable vs. Mutable Infrastructure There are two approaches to IaC: mutable and immutable infrastructure. In a mutable infrastructure, components are changed in production while the service usually operates. With immutable infrastructure, components are set and assembled to create a full service or application. If any change is required, the entire set of components has to be deleted and redeployed wholly to be updated. Approaches to IaC There are two basic approaches to IaC: declarative and imperative. Declarative describes the desired end state of a system, and the IaC solution creates it accordingly. It's simple to use if the developer knows what components and settings are needed. An imperative describes all the steps to set up resources to reach the desired running state. It's more complex but necessary for intricate infrastructure deployments where the order of events matters. Terraform IaC An open-source tool, Terraform , takes an immutable declarative approach and uses its language, Hashicorp Configuration Language (HCL). HCL is based on Go and is considered one of the easiest languages for IaC to pick up.  I have the Terraform Associate certification, and it took me three days to pick up the language. By the end of these labs, I'd highly suggest you pick up a study guide for the exam since you'll already be 2/3rds of the way there. With Terraform , you can use the same configuration for multiple cloud providers. And since many organizations today opt for the hybrid cloud model , Terraform can easily be called the most popular IaC tool. Terraform is capable of provisioning and configuration management, but it’s inherently a provisioning tool that uses cloud provider APIs to manage required resources. And since it natively and effortlessly handles the orchestration of new infrastructure, it’s more equipped to build immutable infrastructures, where you must replace components fully to make changes. Terraform uses state files to manage infrastructure resources and track changes. State files record everything Terraform builds, so you can easily refer to them. We'll get more into this later. Often considered an obvious choice for an IaC tool, Terraform is what we will be using in this course.  So let's get started.

A circle with gears in the middle, with a shield over it, with a circle with a gear in it, with the title "Azure Cybersecurity Labs" Azure Cybersecurity Labs - Final Are you ready to wrap this up? In Azure Cybersecurity Labs - Final, we will assemble everything and generate a report that can be presented to small to medium-sized businesses on their cloud security posture. First, we are going to analyze the Terraform code with Checkov. So let's do that. Make a Terraform Directory and Move There mkdir ~/wrappingup cd ~/wrappingup Create main.tf file with VS Code code main.tf Paste Code into File, and Save terraform { required_providers { azurerm = { source = "hashicorp/azurerm" version = "3.90.0" } } } provider "azurerm" { # Configuration options features { } } variable "prefix" { default = "tpot" } resource "azurerm_resource_group" "tpot-rg" { name = "${var.prefix}-resources" location = "East US" } resource "azurerm_virtual_network" "main" { name = "${var.prefix}-network" address_space = ["10.0.0.0/16"] location = azurerm_resource_group.tpot-rg.location resource_group_name = azurerm_resource_group.tpot-rg.name } resource "azurerm_subnet" "internal" { name = "internal" resource_group_name = azurerm_resource_group.tpot-rg.name virtual_network_name = azurerm_virtual_network.main.name address_prefixes = ["10.0.2.0/24"] } resource "azurerm_virtual_machine" "main" { depends_on = [ azurerm_resource_group.tpot-rg ] name = "${var.prefix}-vm" location = azurerm_resource_group.tpot-rg.location resource_group_name = azurerm_resource_group.tpot-rg.name network_interface_ids = [azurerm_network_interface.tpot-vm-nic.id] vm_size = "Standard_A2m_v2" # Uncomment this line to delete the OS disk automatically when deleting the VM delete_os_disk_on_termination = true # Uncomment this line to delete the data disks automatically when deleting the VM delete_data_disks_on_termination = true storage_image_reference { publisher = "canonical" offer = "ubuntu-24_04-lts" sku = "minimal-gen1" version = "latest" } storage_os_disk { name = "tpot-disk" caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Standard_LRS" } os_profile { computer_name = "hostname" admin_username = "azureuser" admin_password = "CyberNOW!" } os_profile_linux_config { disable_password_authentication = false } } # Create Security Group to access linux resource "azurerm_network_security_group" "tpot-nsg" { depends_on=[azurerm_resource_group.tpot-rg] name = "linux-vm-nsg" location = azurerm_resource_group.tpot-rg.location resource_group_name = azurerm_resource_group.tpot-rg.name security_rule { name = "AllowALL" description = "AllowALL" priority = 100 direction = "Inbound" access = "Allow" protocol = "Tcp" source_port_range = "*" destination_port_range = "*" source_address_prefix = "Internet" destination_address_prefix = "*" } security_rule { name = "AllowSSH" description = "Allow SSH" priority = 150 direction = "Inbound" access = "Allow" protocol = "Tcp" source_port_range = "*" destination_port_range = "22" source_address_prefix = "Internet" destination_address_prefix = "*" } } # Associate the linux NSG with the subnet resource "azurerm_subnet_network_security_group_association" "tpot-vm-nsg-association" { depends_on=[azurerm_resource_group.tpot-rg] subnet_id = azurerm_subnet.internal.id network_security_group_id = azurerm_network_security_group.tpot-nsg.id } # Get a Static Public IP resource "azurerm_public_ip" "tpot-vm-ip" { depends_on=[azurerm_resource_group.tpot-rg] name = "tpot-vm-ip" location = azurerm_resource_group.tpot-rg.location resource_group_name = azurerm_resource_group.tpot-rg.name allocation_method = "Static" } # Create Network Card for linux VM resource "azurerm_network_interface" "tpot-vm-nic" { depends_on=[azurerm_resource_group.tpot-rg] name = "tpot-vm-nic" location = azurerm_resource_group.tpot-rg.location resource_group_name = azurerm_resource_group.tpot-rg.name ip_configuration { name = "internal" subnet_id = azurerm_subnet.internal.id private_ip_address_allocation = "Dynamic" public_ip_address_id = azurerm_public_ip.tpot-vm-ip.id } } output "public_ip" { value = azurerm_public_ip.tpot-vm-ip.ip_address } Format the file terraform fmt Execute Checkov Make sure you're in the directory that your Terraform is in. checkov -f main.tf Results Checkov screenshot showing 8 passed checks, 7 failed checks, and 0 skipped checks. We have seven failed checks. Looking through the list, it warns us about stuff that we have explicitly configured, like ports exposed to the public internet. Since this is the honeypot that we just configured in Azure Cybersecurity Labs - Part Four, we know that this works, and we know that this is how it needs to be configured to work correctly. So let's go ahead and deploy this to Azure. Type az login in the terminal to establish your credentials if they aren't cached already. az login Initialize the directory terraform init Now terraform plan terraform plan Note:  Take a look at the Terraform Plan and see the 8 resources that we are creating. While not mandatory, it's good practice to 'Terraform Plan' to review your changes BEFORE deploying. Now terraform apply terraform apply Make sure you have previously deleted this project from Azure so that you can deploy it again. Prowler Now we're getting into new stuff. Prowler  is an open-source security tool to perform AWS, Azure, Google Cloud, and Kubernetes security best practices assessments, audits, incident response, continuous monitoring, hardening, forensics readiness, and remediations! We have Prowler CLI (Command Line Interface), which we call Prowler Open Source. You can install Prowler using Pip3 like we did with Checkov in Azure Cybersecurity Labs - Part Five. So let's do that. pip3 install prowler And then we run Prowler prowler azure --az-cli-auth The results are displayed on your screen and also exported to your 'output directory' I like to view HTML files and use HTML to JPG or HTML to PDF converters online. Our environment is new, so it doesn't have much on here other than turning Microsoft Defender on for our resources, which we do not currently have deployed. Using Prowler is very simple, and the value you add as a freelancer is discerning the results and narrowing them down for the business to what is useful and actionable to them. Do not just give them this report and be done with it. They will be unhappy. Instead, write specific recommendations in your report with your template, with step-by-step instructions on how to fix each issue that is important to them. That wraps up the Azure Cybersecurity Labs series, but stick around for one BONUS as we discuss serverless computing.

A circle with gears in it, with a shield, on top, with another circle with gears in it, with the title "Azure Cybersecurity Labs" Azure Cybersecurity Labs - Part Four Let's get started on Azure Cybersecurity Labs - Part Four. In this lab, we will continue our Terraform exercises by deploying a honeypot via Terraform. If you have been following along, previously on this blog I had you install a T-Pot manually using the GUI in Azure. There's a much easier way to do this, so let's get rolling. Create the Terraform Configuration File First, in the terminal on Mac, we will issue the following commands to create a directory that will contain our Terraform configuration: mkdir  ~/tpot cd  ~/tpot And open up a file for main.tf code   main.tf On Windows create a folder anywhere called "tpot" and create a new file called "main" with the file extension ".tf" and open that file with Visual Studio Code Now we need to write configuration to create a few new resources. Copy and paste the code snippet into the "main.tf" file terraform { required_providers { azurerm = { source = "hashicorp/azurerm" version = "3.90.0" } } } provider "azurerm" { # Configuration options features { } } variable "prefix" { default = "tpot" } resource "azurerm_resource_group" "tpot-rg" { name = "${var.prefix}-resources" location = "East US" } resource "azurerm_virtual_network" "main" { name = "${var.prefix}-network" address_space = ["10.0.0.0/16"] location = azurerm_resource_group.tpot-rg.location resource_group_name = azurerm_resource_group.tpot-rg.name } resource "azurerm_subnet" "internal" { name = "internal" resource_group_name = azurerm_resource_group.tpot-rg.name virtual_network_name = azurerm_virtual_network.main.name address_prefixes = ["10.0.2.0/24"] } resource "azurerm_virtual_machine" "main" { depends_on = [ azurerm_resource_group.tpot-rg ] name = "${var.prefix}-vm" location = azurerm_resource_group.tpot-rg.location resource_group_name = azurerm_resource_group.tpot-rg.name network_interface_ids = [azurerm_network_interface.tpot-vm-nic.id] vm_size = "Standard_A2m_v2" # Uncomment this line to delete the OS disk automatically when deleting the VM delete_os_disk_on_termination = true # Uncomment this line to delete the data disks automatically when deleting the VM delete_data_disks_on_termination = true storage_image_reference { publisher = "canonical" offer = "ubuntu-24_04-lts" sku = "minimal-gen1" version = "latest" } storage_os_disk { name = "tpot-disk" caching = "ReadWrite" create_option = "FromImage" managed_disk_type = "Standard_LRS" } os_profile { computer_name = "hostname" admin_username = "azureuser" admin_password = "CyberNOW!" } os_profile_linux_config { disable_password_authentication = false } } # Create Security Group to access linux resource "azurerm_network_security_group" "tpot-nsg" { depends_on=[azurerm_resource_group.tpot-rg] name = "linux-vm-nsg" location = azurerm_resource_group.tpot-rg.location resource_group_name = azurerm_resource_group.tpot-rg.name security_rule { name = "AllowALL" description = "AllowALL" priority = 100 direction = "Inbound" access = "Allow" protocol = "Tcp" source_port_range = "*" destination_port_range = "*" source_address_prefix = "Internet" destination_address_prefix = "*" } security_rule { name = "AllowSSH" description = "Allow SSH" priority = 150 direction = "Inbound" access = "Allow" protocol = "Tcp" source_port_range = "*" destination_port_range = "22" source_address_prefix = "Internet" destination_address_prefix = "*" } } # Associate the linux NSG with the subnet resource "azurerm_subnet_network_security_group_association" "tpot-vm-nsg-association" { depends_on=[azurerm_resource_group.tpot-rg] subnet_id = azurerm_subnet.internal.id network_security_group_id = azurerm_network_security_group.tpot-nsg.id } # Get a Static Public IP resource "azurerm_public_ip" "tpot-vm-ip" { depends_on=[azurerm_resource_group.tpot-rg] name = "tpot-vm-ip" location = azurerm_resource_group.tpot-rg.location resource_group_name = azurerm_resource_group.tpot-rg.name allocation_method = "Static" } # Create Network Card for linux VM resource "azurerm_network_interface" "tpot-vm-nic" { depends_on=[azurerm_resource_group.tpot-rg] name = "tpot-vm-nic" location = azurerm_resource_group.tpot-rg.location resource_group_name = azurerm_resource_group.tpot-rg.name ip_configuration { name = "internal" subnet_id = azurerm_subnet.internal.id private_ip_address_allocation = "Dynamic" public_ip_address_id = azurerm_public_ip.tpot-vm-ip.id } } output "public_ip" { value = azurerm_public_ip.tpot-vm-ip.ip_address } Something I'm just going to note here because it's difficult information to find, is if you want to find the SKU of a particular image you can search for it like this syntax: az vm image list --publisher Canonical --sku gen1 --output table --all  Type az login in the terminal to establish your credentials az login Initialize the directory terraform init Now terraform plan terraform plan Note: Take a look at the Terraform Plan and see the 8 resources that we are creating. While not mandatory, it's good practice to 'Terraform Plan' to review your changes BEFORE deploying. Now terraform apply terraform apply It will output the public IP address. Just SSH into it with the credentials (ssh azureuser@) Username: azureuser Password: CyberNOW! And install the honeypot. env bash -c "$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)" Select "Hive" install sudo reboot (when finished) Note: The installation script changes the port to SSH on, so if you want to ssh to it you have to use this syntax "ssh azureuser@ -p 64295" You can now log in to the honeypot web interface via https://:64297 See how much easier this is than configuring it manually? This blog series won't detail how to create a Terraform from scratch, but at this point, you understand the basic Terraform lifecycle, its application, and what it's used for. I recommend picking up a Udemy course on the Terraform Associate exam and spending the next couple of days studying for the exam. The Terraform Associate exam isn't very costly, and makes great wall art. When you are finished with the Tpot, make sure you aren't charged anything further and use the "terraform destroy” command to remove everything you did in one swoop. Easy peasy. Join us next in this series as we conduct automated scans of Terraform files for configuration issues using the open-source tool Checkov.