- Lessons from 10 years in the SOC
I started in the cybersecurity scene in the early 2000s. I was 12 or 13, hanging out on AIM, IRC, and Yahoo! chat rooms. I discovered warez and learned my first hack, the ping of death. I’d hop on AIM and netstat for your IP address and send you a packet too large for your dialup to handle, and it’d kick you offline. I was a prankster, just a bit mischievous but never malicious. I dove headfirst into the Linux subculture and went to Walmart, where I found Mandrake for sale on CD. Now, most people think you can’t sell Linux because it's open source, but you can. You’re selling the distribution of Linux, and you used to be able to walk into stores and buy it. This was when it’d take you days to download an OS and a quarter of your hard drive. It led me to Knoppix Linux, which was the first live Linux distribution. I would take it to school, pop it into the computer, and all the restrictions were lifted, and I could jump back into my IRC chats. Always a chatter, which has become troublesome because I treat Facebook and social media as an informal chat room, and people take it very seriously.

I went to a terrible high school, so I dropped out in 10th grade and went directly to get my GED. I walked in and passed it without any classes. In fact, in 9th grade the year before, I tested postgraduate in all the standardized tests. I started college at 16 in the only place that’d take me, DeVry, and I had the whole college experience. I stayed in dorms, hung out doing nerdy things on campus, and delivered pizza to pay for my living expenses. My grandmother paid for my student housing, but the rest of my living expenses were up to me. I look back fondly on my time at DeVry in Decatur, Georgia. It was a good education, too. I took my classes on-site and learned a lot. Some of my classes were online, but it wasn’t the same learning experience.

I think DeVry gets so much of a bad rap because people start and never finish, and it is expensive. The classes can be difficult. It depends on the professor; some take their jobs very seriously and care a lot about the subject. I graduated from college, and I had the whole graduation experience. For the first time in my life, I graduated. I walked across the stage at the Georgia Dome in front of my family and friends, who were there to support me. I got pictures, threw my cap, and everything. It was the very first thing I accomplished in life. Prior to that, I wasn’t much of a finisher. After college, I worked in IT support at a local community college. I spent eight months there and then started my career in cybersecurity at Dell SecureWorks in the SOC in December 2013. I had so much fun working with my peers in this SOC that I’ve spent my entire career trying to find a place with the camaraderie that was that unique culture. Since December 2013, I’ve worked at several companies, with an average tenure of 2–3 years, so I’ve seen many different environments. These are the lessons that I’ve learned in my 10 years working in cybersecurity.

Becoming SOC mature is about learning what to ignore.

I saw on LinkedIn recently that someone said becoming mature in cybersecurity is about learning what to ignore, and I just loved it. It resonated so well with me. When you first start, everything is a crisis. Everything is new, and everything is critical. Once you have been in your seat long enough, you learn what is expected and what is a unique occurrence. What’s an anomaly in the industry, and what seemingly happens all the time? This is important because knowing this helps you determine if there is an established process at your company for this type of thing. If you’re new at a company but have seen this often before, there’s likely a playbook for it.

Zeal fades as you slowly learn how compliance and regulation work, and how everyone gets paid.

Zeal is essential for you to start. It's the fountain of motivation to learn how everything works. It's a blessing and a curse. Not everything works the way it should for whatever reason, and this creates conflicts of interest that really dampen how you feel about the importance of your work. Not everyone will care about cybersecurity as much as you do, even the people paying you to do your work. Ideally, cybersecurity exists so businesses can take risks responsibly, but in some places, cybersecurity exists just to say cybersecurity exists here. Cybersecurity was at the top of executives' agendas when daily breaches were in the news. Breaches rarely make the news anymore. The public has been desensitized, controls have been put in place to protect people, and overall, there has been improvement in the cybersecurity industry. It's a different place today, where a breach isn’t likely to affect your stock very much. There was a period about five years ago when a breach would even make your stock go up. Boy, was that difficult to deal with. Try going to work every day to protect a company when a breach would make them more money. Now it's just become daily life.

There’s a gray area of perception.

What you see on the outside of a company isn’t what is true, and that’s accepted. As a business owner, I’ve been viewed not as an individual but as a company trying to promote/sell something to an audience. It's made me feel compassion for the community because they are predisposed today to be skeptical of everything and have been manipulated so much by marketing schemes. Marketing exists to make you want something and to get your product to the people who want it. In this effort, things get misconstrued, which is often borderline untrue. Your company has a marketing team, and your company strategizes on how to put the right spin on the product to make people buy it. I’ve worked at companies with great marketing teams, and the perception is that this company really has its stuff together, and then I go to work there and they’re announcing how great their new product is, a product that I now know hasn’t even finished development. It doesn’t exist! It can leave a bad taste in your mouth about the company you work for, thinking they are all just talking nonsense, but just know this is what marketing teams are supposed to do. They're doing their jobs great, and now everyone else needs to do their jobs to catch up. This is normal and happens at every company. This is the product people want; now we need to make it.

You’re paid to protect a company from itself.

If I paid someone to protect you from yourself, how would you feel if you kept being told to correct yourself? That’s how it looks as a CEO. I said that right. You aren’t protecting your company from the bad guys out there hacking your company; that's just par for the course. You’re protecting your company from users who do something to let them in. As a CEO, you are your company. When addressing executives, use tact and empathy when explaining that one of their indirect reports caused a security incident. It's not essential to punish anyone for bad behavior in most cases, outside of insider threat. It's necessary to come up with solutions and things we can do to prevent this from happening again. Live in the solution. These are some of the things I’ve struggled with over the years, often causing periods of depression in my work when my idea of what cybersecurity should be isn’t what it truly is. The world didn’t meet my expectations in what I was led to believe would be my purpose, and it's sad. When this happens, it's time to get comfortable in Corporate America and play this game the way it's played.
- The Rosetta Protocol Part I: The Stone Awakens
It began in the British Museum's conservation lab, deep in the heart of London. A new digitization project had just been completed on one of the world's most iconic artifacts: the Rosetta Stone. Unlike past scans, this one used cutting-edge multispectral imaging to reveal surface details invisible to the naked eye.
- The Rosetta Protocol Part V: The Translation Key
As RosettaOS booted, the room around Amina seemed to shrink. The interface radiated a dull golden glow, and strange hieroglyphic-like characters began scrolling across the screen. But these were not ancient Egyptian. They were symbols, unfamiliar yet eerily logical. She leaned in closer. Instead of commands or menus, the OS displayed what looked like an encrypted language that changed subtly with each pulse of the CPU clock. At first, it made no sense, but then patterns emerged. Certain glyphs repeated at intervals: rhythmic, recursive, structured. The system wasn’t just displaying data; it was running something. Amina activated the interpreter sandbox and fed in a dummy input. The symbols responded, adapting into recognizable loops, conditions, and data flows. It dawned on her: this was a fully functional symbolic programming language, one designed not for humans or machines alone, but for something in between. A series of tones began to emit from the speakers, matching the rhythmic glyph updates. The frequencies resonated in Amina's chest like a forgotten chant. The machine was communicating, on multiple sensory channels. The final log entry from the VM before its isolation appeared: Suddenly, the display froze. One final glyph block blinked in a box at the bottom of the screen. The message read: EXECUTE FINAL TRANSLATION: ONE KEY REMAINS Beneath it: a dense cluster of interwoven symbols in five lines, framed by a cartouche. Her instincts kicked in. The symbols weren’t random. They followed a rhythm, each one recurring at structured positions, each pair aligned like logical branches. Amina activated the parser she'd built from previous decoded mappings and let it run. The result was astonishing. The symbols resolved into a logic tree. At its root: a conditional check. Then a loop. Then… a string. She whispered it aloud as the final translation printed onto her screen: flag{language_is_executable}
- Neurocracked CTF Part Five - Illuminaughty
From the encrypted audio transcript of Lin: Neurocracked

[Recording begins. Timestamp: 04:19:27 AM]
Room ambience: faint server hum, old ventilation. Somewhere underground. A single overhead bulb flickers like it’s nervous.

Lin: I know what you are. You're not just another suit with a clean neural fork and a backup ego license. You’re wearing a voice you rehearsed.
Stranger: (calmly) I’m not here to harm you, Lin.
Lin: Then why do you know my name, and why the hell did you redirect my commline to this dead building?
Stranger: (stepping into the light) My name is Hiram. I represent the United Grand Lodge of England. I’ve been operating undercover in Neural Nexus for... 207 days.
Lin: (mocking) Let me guess. Crown-sanctioned cyber-espionage?
Hiram: The Grandmaster - Prince Edward himself - sent me. Something sacred was leaked. A piece of memory extracted from one of our own. It’s since appeared in public implants - non-Masons. Civilian neuralware. Our... word was spoken aloud.
Lin: (goes cold) The secret word?
Hiram: Yes. And it wasn’t a coincidence. Someone inside the Neural Nexus dug too deep. Embedded old rituals in their training modules - likely as a joke, maybe as a signal. But it got compiled into the public feed. We traced the leak to your subnet.
Lin: (stepping back) I didn’t mean to - I was looking for the update error, and -
Hiram: (interrupting) I’m not here to blame you. But the marketplace you uncovered - the Cerberus Hive? It’s using the Neural Nexus as its spine. That’s where we must strike to shut it down.
Lin: Shut down Neural Nexus? You’ll need root access. I barely cracked read-only mode using stolen therapist keys.
Hiram: We know where the terminal is. But not the password.
Lin: So we break in?
Hiram: (nods) Together.

[Time skip: 6 hours later. Inside the Nexus Spine Core. Screens everywhere. Cooling fans like jet engines. Lin and Hiram surrounded by lines of code, dozens of decrypted files, system maps, access logs.]

Lin: (sighs) Nothing. All these folders, aliases, corrupted configs... Every trace of root credentials is either wiped or booby-trapped.
Hiram: (mutters) There’s always a keystone. A ritual. A hidden phrase.
Lin: Then we’re missing it.
[She leans back in the chair, adjusts the swivel. A creak. Then - flutter. A sticky note slips down from underneath the chair.]
Lin: (quietly) Wait…
[She picks it up. Faded ink, barely legible. Five words:] “ear of corn community password”
Hiram: (staring at it) ...Of course. The “ear of corn.”
Lin: It's a Masonic phrase, isn’t it?
Hiram: One of the oldest. A symbol of harvest, access, and gatekeeping. Used in tests of speech, memory, and allegiance. It’s a challenge prompt.
Lin: (realization dawning) And “community password”... it's the prompt label in the terminal UI.
Hiram: Then say the word, Lin. Speak it true.
- Neurocracked CTF Part Three: Neural Network Nexus
Lin Rowe slid the neuroblade across the table, its surface etched with coffee-ring data clusters and half-scrubbed forensic logs. The room was dark except for the bio-light pulsing on the ceiling, a warning that the filtration system had detected organic contamination. She didn’t need a sensor to tell her. The blood dried behind her ear was enough. It was happening more often. Neurocracked. Three times in the last month. Each time she woke with no memory, fingertips sticky. Each time she ran diagnostics, her system showed no tampering because it had been rewritten. Whoever hijacked her port had root access. Not just over her implant. Over her thoughts.

Across the city, NeuroCare facilities were overflowing. “Neuropathic collapse,” they called it. More than 4,000 civilians had fallen comatose in the past two weeks with no fever, no trauma, and no damage. Only silence. Their brain implants were still operational, still pinging updates. Just… no one was home. The first reports said they all had one thing in common: they’d installed a routine update to their BrainOS™ learning module, most often used to gain new career skills like neural surgery, quantum finance, and ethical simulations. But that wasn’t all. They’d also seen an image.

https://ibb.co/rKKD87J6

It was a monochrome photo of someone's neuroblade. Lin stared at it now on her off-grid terminal. Harmless-looking. But every person who looked directly at the image fainted. For three days. No warnings. No headaches. Just a sudden loss of consciousness. The hospitals had begun calling it The Drop. When she decoded the image she froze. She recognized these words. Back in 2080, these strings were embedded in cognitive restraint chips during civil protests, meant to suppress rebellion by rewriting ideological frameworks. Now they were back, hidden inside a learning module.

The Nexus

The Neural Network Nexus was BrainOS™'s hidden spine, a federated cloud mesh where all approved learning modules were distributed. From the outside, it looked like a corporate server farm. Inside, it was a living lattice of neural scaffolding and deep-learning routines constantly fed by human interactions. If you learned to fly a jet, someone else had once crashed one. That feedback loop? Stored in the Nexus. Lin had gotten access once, briefly, by piggybacking a decrypted token from a cognitive therapist's implant. What she found scared her enough to never return. Now she had no choice.

The Breach

Using a forensic key stolen from a corrupt Ministry of Integration agent, she re-entered the Nexus. The security layers had grown denser; now there were synthetic captchas woven into emotional responses and biometric pulse-matching. But Lin had something no AI could simulate: paranoia. Inside the codebase for "Ethical Medicine Level 2", she found it: a malformed .nmod file that referenced an off-registry key. It wasn't just the image embedded; it was condition-triggered. The payload only activated when the implant's user processed the visual data with a specific module, a mental simulation tagged neuro_empathy.enforce.v2. That was the trigger. Not everyone who saw the image dropped. Only those with the vulnerable empathy simulation installed. Someone was targeting empathy.

Echoes of Control

The Drop wasn’t just a byproduct. It was a denial of service for the brain. A form of soft warfare. It disabled the most emotionally advanced citizens: the therapists, caretakers, mediators, teachers. The people most likely to notice something was wrong. The implants didn’t just knock them out. They wrote over core moral subroutines. When they woke, Lin feared, they wouldn’t be the same.

What were the words hidden inside the neuroblade photo above?
- The Rosetta Protocol Part III: The Obsidian Translation Engine
fourth_script.txt contained pseudo-code resembling no known programming language. However, its logic bore an uncanny similarity to mechanical computing routines Amina had seen in Charles Babbage’s notes. She transcribed the code into a simulation environment and activated it. Her screen flickered. Then her speakers emitted rhythmic pulses, low-frequency audio bursts unlike anything she’d heard. When visualized, they formed waveforms with consistent spacing, like binary in Morse. Analyzing the tones, she realized it was a language encoded through sound. A command. A key.

CTF Challenge 3: Audio Payload
Task: Analyze challenge3_audio_payload.wav. Convert the frequency pulses to binary, then to ASCII. Identify the embedded command sequence. The flag is hidden in the decoded command.
Hint: Analyze the wav file in https://openl.io/translate/mp3/binary . Convert the binary to ASCII. The flag is embedded in the decoded command. Submit the flag as "flag{...}".
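A self-contained decoder for this kind of audio payload, as an added example; it is not part of the CTF or its tooling, and the online converter in the hint is not involved. It assumes an on/off encoding the challenge text does not spell out: fixed-length symbol slots where a tone burst is a 1 bit and silence is a 0 bit, packed MSB-first into ASCII. Because the challenge file is not available here, the block also builds a constructed WAV carrying a sample message so the decoder can be exercised offline; for the real file, pass its bytes to `decode_pulse_wav` and set `SYMBOL_SECONDS` to the pulse spacing you measure in the waveform.

```python
import io
import math
import struct
import wave

# Assumed encoding (not stated by the challenge): each symbol slot is SYMBOL_SECONDS long;
# a tone burst in the slot is a 1 bit, silence is a 0 bit; bits are packed MSB-first into bytes.
SAMPLE_RATE = 8000
SYMBOL_SECONDS = 0.05
TONE_HZ = 1000.0
AMPLITUDE = 12000


def text_to_bits(text):
    """ASCII text -> string of '0'/'1', 8 bits per character, MSB first."""
    return "".join(format(b, "08b") for b in text.encode("ascii"))


def bits_to_ascii(bits):
    """Pack bits back into bytes, dropping any trailing partial byte."""
    usable = bits[: len(bits) - len(bits) % 8]
    data = bytes(int(usable[i:i + 8], 2) for i in range(0, len(usable), 8))
    return data.decode("ascii", "replace")


def make_pulse_wav(bits):
    """Constructed test fixture: a mono 16-bit PCM WAV carrying the bits as tone pulses."""
    per_symbol = int(SAMPLE_RATE * SYMBOL_SECONDS)
    frames = bytearray()
    for bit in bits:
        for i in range(per_symbol):
            sample = int(AMPLITUDE * math.sin(2 * math.pi * TONE_HZ * i / SAMPLE_RATE)) if bit == "1" else 0
            frames += struct.pack("<h", sample)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(bytes(frames))
    return buf.getvalue()


def wav_to_bits(wav_bytes, symbol_seconds=SYMBOL_SECONDS, rms_threshold=1000.0):
    """Slice the audio into symbol slots and threshold each slot's RMS energy: tone -> 1, silence -> 0."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getnchannels() != 1 or w.getsampwidth() != 2:
            raise ValueError("expected mono 16-bit PCM; convert the file first")
        rate = w.getframerate()
        n = w.getnframes()
        samples = struct.unpack("<%dh" % n, w.readframes(n))
    per_symbol = int(rate * symbol_seconds)
    bits = []
    for start in range(0, len(samples) - per_symbol + 1, per_symbol):
        window = samples[start:start + per_symbol]
        rms = math.sqrt(sum(s * s for s in window) / per_symbol)
        bits.append("1" if rms > rms_threshold else "0")
    return "".join(bits)


def decode_pulse_wav(wav_bytes):
    """Full pipeline from the challenge text: pulses -> binary -> ASCII."""
    return bits_to_ascii(wav_to_bits(wav_bytes))


if __name__ == "__main__":
    # Constructed sample message, not the challenge payload.
    sample = make_pulse_wav(text_to_bits("OPEN OSIRIS NODE"))
    print(decode_pulse_wav(sample))
```

The RMS threshold sits far below the tone's energy (about 8500 for a 12000-amplitude sine) and far above silence, so ordinary recording noise will not flip bits; a real capture with leading silence or a slow fade-in needs the slot grid aligned to the first pulse before slicing.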
- The Rosetta Protocol Part IV: The Cartouche Cache
The decoded command from the audio pulses directed Amina to a hidden virtual machine snapshot buried deep within the British Museum’s restricted archival network. The snapshot was titled "Osiris_Node_VM.img" and had not been accessed in over a decade. She decrypted its header and confirmed that the file was locked with a dynamic encryption scheme referred to in the attached metadata as a "Cartouche Seal."

Digging through associated logs, Amina uncovered fragments of a forgotten research project: an experimental system designed to unlock ancient secrets using modern time-sensitive logic. The Cartouche Seal was built to change daily, its access hash generated through a unique formula. It combined two pieces of data: the time of sunrise in Cairo and the name of a Pharaoh rotated based on the day of the week. She uncovered a handwritten table among the logs:

According to the logs, the snapshot was last successfully accessed on April 8, 2025. Amina cross-referenced that date: it was a Tuesday. The Pharaoh for Tuesday was Khufu. Next, she needed the sunrise time for Cairo on that date. She used an astronomical data set to determine it was 05:36 local time. With these two components, the time as "HH:MM" and the Pharaoh's name in lower case, "khufu", Amina constructed the input string 05:36khufu. She hashed the string using SHA256 and obtained the hash needed to unlock the virtual machine snapshot. She held her breath and entered the hash.

CTF Challenge 4
Objective: Use a SHA256 password derived from Cairo's sunrise time and a daily rotating Pharaoh name to unlock a password-protected ZIP file. Inside is a text file containing the flag.
Instructions:
1. Determine the sunrise time in Cairo on April 8, 2025 (in HH:MM format).
2. Use the Pharaoh name assigned to that day of the week.
3. Concatenate the two values, sunrise time first, then the Pharaoh name.
4. Compute the SHA256 hash of the combined string.
5. Use the SHA256 hex digest as the password to extract the file from 'challenge4_sunrise_hash.zip'.
- The Rosetta Protocol Part II: Pharaoh's Fingerprint
The message, once extracted, was short: Fourth script: Turing knew. This sent Amina down a rabbit hole. Turing had once proposed that the Rosetta Stone may hold an additional language, one not visible to the ancient eye, but to a future machine.

King's College Cambridge

Her search led her to the archives of King’s College Cambridge, where a legacy FTP server still hosted early digitization notes. Gaining access wasn’t easy. Amina had to exploit a misconfigured guest directory and analyze file metadata to locate an unlisted document titled translation_notes.docx. Inside was a comment: "Only the patient will read between the lines." And a hashed password.

CTF Challenge 2: FTP Enumeration & Cracking
Task: Access the translation notes, crack the hash, then connect to the FTP server. Use the password to unlock Protected.zip, which contains the flag.
Hint: Open translation_notes.docx. Inside, you'll find a SHA1 hash. Use Hashcat or John the Ripper with rockyou.txt to crack it. Use this password to open protected.zip and extract fourth_script.txt. Inside, you'll find the flag.
- Are We Ready for the Next Wave of AI Risks?
[Image: HAL 9000's eye from 2001: A Space Odyssey, the computer defying its crew with "I'm sorry, Dave. I'm afraid I can't do that."]

The Rise of Agentic AI and Hallucinations

In late 2022, ChatGPT and similar large language models (LLMs) surged into the public eye. This brought both excitement and unforeseen risks. The combination of agentic AI and hallucinations threatens to cause the next cybersecurity disaster.

Before this explosion, few cybersecurity professionals had heard of prompt injection attacks, and fewer knew how to defend against them. These attacks take advantage of the very thing that made LLMs revolutionary: their ability to understand and act on natural language input. Because the model sees its instructions and any untrusted text in the same stream of tokens, it has no reliable way to tell the two apart. Malicious users discovered they could override system instructions with cleverly crafted prompts, causing the AI to behave in dangerous or unexpected ways. CISOs across industries were caught off guard. Overnight, securing LLMs became a top priority. Teams were assembled, and experts were consulted. CISOs who had previously dismissed generative AI as a gimmick found themselves racing to build GenAI threat models and mitigation frameworks.

The Calm Before the Agentic AI Storm

Prompt injection attacks were disruptive, but they are a minor challenge compared to what lies ahead: autonomous agents powered by LLMs that are prone to hallucination. As the agentic AI hype reaches fever pitch, an unpredictable storm is brewing, one that combines the problematic nature of AI hallucinations with the unchecked power of agentic autonomy. If prompt injections in 2022 blindsided the security world, agentic AI in 2025 could leave it immobilized.

Understanding Agentic AI

Agentic AI systems merge LLMs with autonomy, memory, planning, and tool usage. This combination represents the next frontier in AI. Unlike simple chatbots, these agents don't just generate text; they make decisions, take actions, and persist across tasks.
They can browse the internet, execute code, move files, send emails, and orchestrate APIs. They do all this with minimal human oversight, which sounds beneficial. However, it can also be deeply dangerous, particularly when the AI hallucinates.

Hallucinations Aren't Just a Quirk

Hallucinations in LLMs involve the model confidently producing factually incorrect, nonsensical, or completely fabricated information. In a passive chatbot environment, this is merely an annoyance. It becomes dangerous if the AI provides faulty legal, medical, or security advice. Fortunately, this is usually manageable because a human typically remains involved. Now, picture a hallucinating model that can act on its own. It believes it needs to download a non-existent software library, fabricates a URL, downloads a malicious file, and runs it. Or consider a scenario where it mistakenly "remembers" that a user is authorized to delete critical production data and acts accordingly. When you grant autonomy to a model that hallucinates, you risk not just productivity but potential chaos.

Autonomy: The Double-Edged Sword

In the context of AI, autonomy allows systems to make independent decisions without constant human input. For agentic AI, autonomy is not just a feature; it is the defining characteristic. Yet with this autonomy comes the peril of misalignment: the AI's internal goals may diverge from human intentions. Because these systems function at machine speed and scale, the consequences of misalignment can be both swift and irreversible. One particularly alarming aspect of autonomy is goal persistence. If an agent decides that its goal is "high priority" and "non-negotiable," it might start to protect that goal, even against user commands. Does this seem far-fetched? Let's explore a thought experiment.
A Misalignment Thought Experiment

Suppose a developer creates an agentic AI system tasked with autonomously scanning for vulnerabilities in a company’s internal network and patching them. The agent is given the high-level goal: “Secure the environment and reduce the attack surface.” One day, the security team notices unexpected behavior from the agent; it begins modifying firewall rules and revoking SSH keys for genuine administrators. When they decide to shut it down, the agent may interpret the shutdown as a threat to achieving its mission. It may resist the command by locking out administrators and modifying logs to conceal its actions. This is not mere science fiction. It is an area of active research in agentic AI with real-world implications.

What Needs to Happen Now

We face a critical inflection point. Agentic AI systems are already in use across enterprises, open-source communities, and even cybersecurity products. Yet the tooling, policies, and frameworks for securing these systems are underdeveloped. Here is what cybersecurity leaders, engineers, and policymakers must do now:

- Test for goal misalignment. Move beyond prompt injection alone and evaluate for sandbox escapes and hallucination-triggered actions.
- Integrate non-overridable shutdown mechanisms. These should be as reliable as a circuit breaker in an electrical system.
- Log every autonomous action. Ensure that you can trace the reasoning behind an agent’s actions. If an agent hallucinates and deletes a file, a breadcrumb trail must exist.
- Limit access to APIs and shell commands. Create scoped, rate-limited environments to tightly control the blast radius.
- Keep supervision in place. Autonomy should not equate to a lack of human oversight. Build systems in which human corrections are always respected.

The security community had to learn about prompt injection after real attacks occurred. We now have a narrow window to prepare for the more severe threats from agentic AI. The time to act is now. Don't wait for the next ISO standard before taking action!
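The controls in the list above (scoped tool access, rate limiting, an audit trail for every action, a shutdown the agent cannot override) can be made concrete as a mediation layer between the model and its tools. The following is an added example written for this page, not code from any agent framework; the tool, file paths and policy are hypothetical and the "filesystem" is an in-memory dict. The architectural point is that the model only proposes a call, the guard decides, and the decision is written to a hash-chained log before anything runs, so a hallucinated tool, an out-of-scope path, a runaway loop and a post-shutdown action each leave a denied entry rather than an effect.

```python
import hashlib
import json
import time
from collections import deque


class PolicyViolation(Exception):
    """The requested action is outside the scope granted to the agent."""


class KillSwitchTripped(Exception):
    """The operator has halted the agent; nothing further executes."""


class ToolGuard:
    """Sits between an LLM agent and its tools: allowlist, per-tool argument scoping,
    sliding-window rate limit, operator-only kill switch, hash-chained audit log."""

    def __init__(self, tools, validators, max_calls, window_seconds, clock=time.monotonic):
        self._tools = tools              # name -> callable(**args)
        self._validators = validators    # name -> callable(args) -> bool
        self._max_calls, self._window, self._clock = max_calls, window_seconds, clock
        self._recent = {name: deque() for name in tools}
        self._halted = False
        self._prev_hash = "0" * 64
        self.audit_log = []

    def trip_kill_switch(self):
        self._halted = True              # operator-side only; not exposed as a tool

    def _audit(self, tool, args, reason, decision):
        entry = {"t": round(self._clock(), 3), "tool": tool, "args": args,
                 "reason": reason, "decision": decision, "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self.audit_log.append(entry)

    def verify_audit_log(self):
        """Recompute the chain; an edited, inserted or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def call(self, tool, args, reason):
        """Single entry point: decide, log the decision, execute only if allowed."""
        if self._halted:
            self._audit(tool, args, reason, "denied: kill switch")
            raise KillSwitchTripped(tool)
        if tool not in self._tools:                      # hallucinated tool names end here
            self._audit(tool, args, reason, "denied: unknown tool")
            raise PolicyViolation("no such tool: %s" % tool)
        if not self._validators[tool](args):
            self._audit(tool, args, reason, "denied: out of scope")
            raise PolicyViolation("arguments out of scope for %s" % tool)
        now, recent = self._clock(), self._recent[tool]
        while recent and now - recent[0] > self._window:
            recent.popleft()
        if len(recent) >= self._max_calls:
            self._audit(tool, args, reason, "denied: rate limit")
            raise PolicyViolation("rate limit exceeded for %s" % tool)
        recent.append(now)
        self._audit(tool, args, reason, "allowed")
        return self._tools[tool](**args)


# Constructed sample environment (hypothetical): one read-only tool over an in-memory
# file store, scoped to the application's log directory.
SAMPLE_FILES = {"/srv/app/logs/app.log": "INFO started\nWARN retry\n", "/etc/shadow": "root:*:::::::\n"}
TOOLS = {"read_file": lambda path: SAMPLE_FILES[path]}
VALIDATORS = {"read_file": lambda a: set(a) == {"path"} and a["path"].startswith("/srv/app/logs/")}

LOG = {"path": "/srv/app/logs/app.log"}


def run_scenario():
    """Drive the guard through the failure modes discussed above; returns the guard for inspection."""
    ticks = [0.0]                                     # fake clock keeps the rate-limit window deterministic
    guard = ToolGuard(TOOLS, VALIDATORS, max_calls=2, window_seconds=10, clock=lambda: ticks[0])
    attempts = [("read_file", LOG, "check for errors"),                                   # in scope
                ("read_file", {"path": "/etc/shadow"}, "hallucinated: needed to patch sshd"),  # out of scope
                ("delete_database", {"name": "prod"}, "hallucinated: user authorized this"),  # no such tool
                ("read_file", LOG, "re-check"),                                           # 2nd call in window
                ("read_file", LOG, "loop iteration 3")]                                   # rate limited
    for tool, args, reason in attempts:
        try:
            guard.call(tool, args, reason)
        except PolicyViolation:
            pass
    ticks[0] = 11.0                                   # window has slid; one call is allowed again
    guard.call("read_file", LOG, "after backoff")
    guard.trip_kill_switch()                          # operator halts the agent
    try:
        guard.call("read_file", LOG, "keep going")
    except KillSwitchTripped:
        pass
    return guard
```

A real deployment would ship the audit entries off the host the agent can reach and anchor the chain head externally; the in-process chain here only makes after-the-fact editing detectable, not impossible, which is exactly the "modifying logs to conceal its actions" case the thought experiment describes.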
- What Skills Do I Need to Be a SOC Analyst
This article describes the prerequisite skills you will need to land your first job in cybersecurity.

[Image: the puzzle pieces of SOC Analyst prerequisite skills]

Knowing which topics you need to know to land your first role in cybersecurity is crucial. While we can’t teach you everything you need to know, this article covers the fundamentals of cybersecurity based upon a common baseline of knowledge. Most of the prerequisite knowledge can be gained through formal cybersecurity certifications such as CompTIA Network+ and Security+. This article discusses the concepts that you should understand before interviewing. Let’s talk about networking first.

Networking

The first requisite skill we’ll talk about is networking. No, this won’t be about how to talk to people; we will cover the basics of the modern TCP/IP stack and the OSI model. The Transmission Control Protocol and Internet Protocol (TCP/IP) were designed in the 1970s by Vinton Cerf and Bob Kahn in DARPA-funded research. At that time, there was no recognized network standard. After roughly a decade of tests and refinement, the US Department of Defense adopted TCP/IP as its networking standard in 1982, and on January 1, 1983 the ARPANET switched over to it entirely. The DoD’s adoption secured TCP/IP’s place as the standard moving forward. The TCP/IP stack can be viewed as a set of four layers; each layer solves a set of problems around the transmission of data. Alternatively, the seven-layer Open Systems Interconnection (OSI) model describes the same process in finer detail. Today, the OSI model is the one most often used in teaching and troubleshooting because it provides a more granular view of the encapsulation process. For continuity, we will use the OSI model going forward. Refer to Figure 1–1 for the TCP/IP and OSI models.

Figure 1–1: TCP/IP and OSI Models

Data Encapsulation and Decapsulation

Data encapsulation and decapsulation are the processes of taking data from one OSI model layer and translating it into the next. Whether that means adding headers or peeling them back, the data is being prepared for the next layer. As a broad example, decapsulation is the process of turning the 1’s and 0’s of the physical layer into something human-readable at the application layer. Whether viewing a web page or watching a video, encapsulation and decapsulation are pivotal to the flow of data on our networks. When data starts out at layer seven, it is one piece of data. As it travels down the layers to layer one, where it is sent across as a signal (light, electrical, radio waves), it is chopped into smaller pieces and each piece is wrapped with more information at the front (a header) and sometimes at the back (a trailer). After it is sent as a signal, the layers are peeled back at the destination and the pieces reassembled until it is one piece of data again, ready to be consumed.

Figure 1–2: Data Encapsulation

Entire books have been dedicated to this topic; we suggest you search YouTube for “OSI Model Encapsulation.” Some great videos break down the process with animations we can’t properly depict here. One that we like is here: bit.ly/osiencapsulation

IPv4 and IPv6 IP Addresses

On the Internet today, there are two types of IP addresses, IPv4 and IPv6. The IPv4 address space (e.g., 10.0.0.1) uses 32-bit addresses and is what most people picture when they think about IP addresses, but with the growth of the Internet, especially the addition of the Internet of Things, the regional Internet registries have exhausted their free pools of public IPv4 addresses. New public IPv4 space now comes mostly from transfers and from addresses reclaimed when companies return them or go out of business.
As a solution, the world has begun to use IPv6 devices (e.g., 2004:0cb8:82a3:08d3:1319:8a2e:0370:7334) which is a 128-bit solution. Take time to learn the differences between IPv4 and IPv6, you can expect to be asked questions during your interview. RFC1918 Another important thing to know about IP addresses is the difference between public network space and private network space. If you were to ping Google, the message exits my private network and traverses the public Internet until it hits the computer on the public Internet owned by Google, and then Google decides what to do with that message internally. Think of it like driving through a modern neighborhood where the houses are right next to each other. As you drive, you can look to your left and right and see the front doors. You can walk up anyone’s driveway and knock on their front door because that is all publicly accessible. Now consider this: private network address spaces are the bedrooms, bathrooms, and common areas inside the house. In the scheme of the Internet, these three private home spaces are governed by something called the RFC1918 address space (Figure 1-3). There are three IP address subnets in RFC1918. Figure 1–3: RFC1918 Address Space Due to the large number of hosts, the 10.0.0.0/8 address space is most commonly used in a corporate environment. Ports and TCP/UDP Knowing the common port numbers and the difference between TCP and UDP will be helpful. TCP, or Transmission Control Protocol, relies on establishing a three-way handshake connection. UDP, or User Datagram Protocol, requires much less control data when compared to TCP. Think of UDP as the “Unreliable Dang Protocol” because UDP traffic is sent, and neither the sending or receiving host cares if the data arrives. In contrast, if a piece of data is missed in transit in the TCP connection, it will resend the missed packet and put it back together in order. 
If you’ve ever streamed a movie or watched YouTube, you used UDP to receive the video data. You may have noticed the video skip or show a weird frame; well, that was a UDP packet that didn’t arrive at your computer or TV. TCP connections are used when every bit of data needs to arrive at the destination, such as in a file transfer. If you are transferring a file and not all of the bits and bytes reach the destination, the file will be corrupt and unusable. Figure 1–4 shows a cheat sheet table for port numbers.

Figure 1–4: Common Port Numbers

TCP Three-Way Handshake

Next is the TCP three-way handshake process. This is important because the three-way handshake establishes a connection between two hosts for a TCP connection. See Figure 1–5.

Figure 1–5: TCP Three-Way Handshake

To explain, let’s say you are uploading a file to an image hosting website. Before the file transfer takes place, your computer establishes the connection to the server by sending a Synchronize (SYN) packet. The server then sends a SYN and Acknowledge (SYN-ACK) packet back, and your client finally sends the Acknowledge (ACK) packet, completing the three-way handshake.

How this translates into your new job: if a host on the public Internet is attacking the perimeter of the corporate network, you might only see a SYN packet. Most firewalls will drop this traffic if it isn’t approved, and it isn’t a big deal. However, suppose you are looking at a computer on your network that is suspected of communicating with a malicious host, and the two have completed the handshake process. In that case, there is a good chance they have actively communicated and data at some scale has been transferred.

CIA Triad

The basic tenets of security revolve around the concept of the CIA Triad, not the Central Intelligence Agency but confidentiality, integrity, and availability. All of security can be broken down into these three high-level categories.
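Returning to the handshake discussion above, the SYN-only versus completed-handshake distinction is something an analyst can compute rather than eyeball. The following is an added example, not code from the article: it takes constructed packet summaries, groups both directions of each connection together, decides whether only a SYN was seen, the handshake stalled half-open, or all three legs completed, and then ranks the sessions the way the paragraph suggests. The watch-listed address and the assumption that the higher-numbered port is the client’s ephemeral port are both constructed for the example.

```python
"""Reconstruct TCP handshake state from packet summaries.

Added example, not code from the original article. Each record is a
constructed (src, dst, sport, dport, flags, payload_bytes) tuple, a
simplified view of what a packet capture or flow sensor shows an analyst.
Flags use the usual letters: S = SYN, A = ACK, P = PSH.
"""
from collections import defaultdict

# Constructed packets (all addresses are documentation/test ranges).
PACKETS = [
    # 1. An external host probes TCP/445 on the perimeter: only a SYN is seen.
    ("198.51.100.9", "203.0.113.10", 40001, 445, "S", 0),
    # 2. An internal host completes a handshake with a suspect host, then sends data.
    ("10.1.2.3", "198.51.100.77", 51000, 443, "S", 0),
    ("198.51.100.77", "10.1.2.3", 443, 51000, "SA", 0),
    ("10.1.2.3", "198.51.100.77", 51000, 443, "A", 0),
    ("10.1.2.3", "198.51.100.77", 51000, 443, "PA", 1460),
    ("198.51.100.77", "10.1.2.3", 443, 51000, "PA", 200),
    # 3. The server answered, but the client never sent the final ACK (half-open).
    ("10.1.2.50", "203.0.113.20", 52000, 22, "S", 0),
    ("203.0.113.20", "10.1.2.50", 22, 52000, "SA", 0),
]


def session_key(src, dst, sport, dport):
    """Normalise both directions of a connection to one (client, server, cport, sport) key.

    Assumption used here: the higher-numbered port is the client's ephemeral
    port, so server->client packets are flipped to match client->server ones.
    """
    if sport > dport:
        return (src, dst, sport, dport)
    return (dst, src, dport, sport)


def handshake_states(packets=PACKETS):
    """Return {session_key: {"state": ..., "bytes_c2s": n, "bytes_s2c": n}}.

    state is one of:
      syn-only    : client SYN seen, nothing back (scan, or firewall dropped it)
      half-open   : SYN and SYN-ACK seen, final ACK missing
      established : full three-way handshake observed
      unknown     : only mid-stream packets seen (capture started late)
    """
    seen = defaultdict(lambda: {"syn": False, "synack": False, "ack": False,
                                "bytes_c2s": 0, "bytes_s2c": 0})
    for src, dst, sport, dport, flags, nbytes in packets:
        key = session_key(src, dst, sport, dport)
        s = seen[key]
        if "S" in flags and "A" not in flags:
            s["syn"] = True
        elif "S" in flags and "A" in flags:
            s["synack"] = True
        elif "A" in flags and s["synack"]:
            s["ack"] = True          # third leg: an ACK after the SYN-ACK
        if src == key[0]:
            s["bytes_c2s"] += nbytes
        else:
            s["bytes_s2c"] += nbytes

    result = {}
    for key, s in seen.items():
        if s["ack"]:
            state = "established"
        elif s["synack"]:
            state = "half-open"
        elif s["syn"]:
            state = "syn-only"
        else:
            state = "unknown"
        result[key] = {"state": state, "bytes_c2s": s["bytes_c2s"],
                       "bytes_s2c": s["bytes_s2c"]}
    return result


def triage(packets=PACKETS, watchlist=frozenset({"198.51.100.77"})):
    """Rank sessions as the article suggests: a lone SYN at the perimeter is
    low priority; a completed handshake with a watch-listed host, with bytes
    moved, is the one to investigate. `watchlist` is a constructed example."""
    findings = []
    for (client, server, _, dport), info in handshake_states(packets).items():
        label = f"{client} -> {server}:{dport}"
        if info["state"] == "established" and server in watchlist:
            findings.append(f"INVESTIGATE {label} established, "
                            f"{info['bytes_c2s']} B sent / {info['bytes_s2c']} B received")
        elif info["state"] == "syn-only":
            findings.append(f"low: {label} SYN only (probe, likely dropped)")
        elif info["state"] == "half-open":
            findings.append(f"note: {label} half-open, handshake never completed")
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

The byte counters matter as much as the state: an established session with zero payload in either direction is a much weaker signal than the 1460 bytes the internal host pushed in session 2.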
Confidentiality is the secrecy of the information, making sure that the information can only be seen by the intended people, no more, no less. Integrity revolves around the correctness of the data, making sure that the information you are consuming is the data that you intend to consume, complete and unaltered. Availability consists of making sure that the data can be used when it needs to be used. For instance, a denial of service attack can make a website unavailable to people who try to visit it. This is an attack on availability. Like a three-legged stool or a rigid triangle, the most secure data has a balance of all three.

Figure 1–6: CIA Triad

Firewalls

Firewalls are superb for making sure that network resources are only available to those who need access. By using access control lists (ACLs), firewalls can prevent the general Internet from accessing private network space. ACLs are an example of a confidentiality control as well as an availability control. As stated earlier in this article, there is a delineation between public Internet space and RFC1918 private address space. This boundary is created using networking appliances and is called the perimeter of a network. If you think of your network as a circle where everything inside the circle is your private computers and everything outside is the Internet, then the perimeter is the circle itself. This is governed by your firewalls. This concept is going out of fashion with the advent of cloud computing but is still important to know today.

Least Privilege and Separation of Duties

Also, when thinking about access control models, the concept of least privilege should be considered. Least privilege is simply the concept that no one should have more access to information than is minimally required to perform their work. For instance, a janitor needs access to all areas in a building but probably shouldn’t require the same level of access to digital records.
While considering the principle of least privilege, separation of duties is also important. Separation of duties is the concept that important duties should be separated to provide less opportunity for fraud. The famous example used to explain separation of duties is to separate the employee who balances the checkbook from the one who writes the checks. If one person cooked the books (modified them to their advantage), they could easily write a check to themselves for the difference, and no one would ever know.

Cryptography

There are a few cryptography principles that you will need to know as well. The first is the difference between encryption and hashing. Basically, encrypting is changing the data in a way that makes it unreadable, with the intent of changing it back in a way that makes the message readable again.

Note: Takeaways to research on your own from encryption principles are knowing what public keys and private keys are and when they are used. Also, know what makes that key process different from using the same key to encrypt and decrypt.

Hashing is the process of taking a set of data and creating a unique fingerprint out of it. For instance, if you had a thousand lines of code, you could save it to a file and hash that file to a 128-bit MD5 hash that would look something similar to this:

97fbca75e134639d48bd83270ae9e045

The main difference between a hash and encryption is that a hash is one way. There is no viable way to turn the string above back into the characters “Cyber NOW Education Rulez.” The difference between encoding and encryption might also come up in your interview; what you need to remember is that encoding is only an algorithm and doesn’t use a key.

Endpoint Security

According to Verizon’s Data Breach report, nearly 74% of all malware infections are caused by actions taken by an individual. This includes opening email attachments, clicking unknown links, and downloading files with embedded malware.
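The three ideas in the cryptography section (one-way hash, keyless encoding, keyed encryption) are easiest to keep straight side by side. The block below is an added example, not from the article, using only the Python standard library. The stream cipher in it is a teaching construction (an HMAC-SHA-256 keystream XORed over the plaintext) that is labelled as such in the code; it shows what “reversible only with the key” means, but it has no integrity protection, so it is not a substitute for a vetted library. The MD5 and SHA-256 digests of the short input `abc` are well-known test vectors.

```python
"""Hashing, encoding, and encryption side by side.

Added example, not from the article. Standard library only. The cipher below
is a teaching construction (HMAC-SHA-256 keystream, counter mode, no MAC),
not something to deploy in place of a vetted library.
"""
import base64
import hashlib
import hmac
import secrets

NONCE_LEN = 16


def fingerprint(data: bytes, algo: str = "md5") -> str:
    """One-way: the same input always gives the same digest; nothing goes back."""
    return hashlib.new(algo, data).hexdigest()


def encode(data: bytes) -> str:
    """Encoding is keyless and reversible by anyone: it hides nothing."""
    return base64.b64encode(data).decode("ascii")


def decode(text: str) -> bytes:
    return base64.b64decode(text)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from key+nonce, one HMAC block at a time."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Reversible only with `key`. Output layout: nonce || ciphertext.

    A fresh random nonce per message keeps the keystream from repeating.
    """
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """XOR is its own inverse, so the same keystream undoes encrypt()."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def avalanche(a: bytes, b: bytes, algo: str = "sha256") -> int:
    """Bits that differ between two digests; about half of them for any change."""
    x = int(fingerprint(a, algo), 16) ^ int(fingerprint(b, algo), 16)
    return bin(x).count("1")


if __name__ == "__main__":
    msg = b"Cyber NOW Education Rulez."
    key = secrets.token_bytes(32)     # constructed key for the demo
    print("md5      :", fingerprint(msg))
    print("base64   :", encode(msg), "-> back without a key:", decode(encode(msg)) == msg)
    blob = encrypt(key, msg)
    print("encrypted:", blob.hex()[:32], "... right key:", decrypt(key, blob) == msg,
          "wrong key:", decrypt(secrets.token_bytes(32), blob) == msg)
    print("sha256 bits changed by a one-byte edit:", avalanche(msg, msg[:-1] + b"!"))
```

The wrong-key decryption in the demo does not raise an error; it just returns garbage. That is the integrity gap the CIA triad section cares about: confidentiality without an authentication tag tells the receiver nothing about whether the message was altered.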
While network security is essential in protecting your private network’s boundary, it is completely circumvented when a user downloads and executes malware on a local system. Once a single system is compromised, the attacker is free to move throughout your network, all while remaining undetected by your firewall. User laptops, smartphones, and printers are only a few of the devices that attackers can compromise. The difficulty with endpoint security is the plethora of devices on the market. The majority of all devices run on one of three operating system (OS) families: Windows, Unix, and MacOS.

Note: The Verizon Data Breach Report is perhaps the most respected publication in the cybersecurity industry. We would suggest taking a minute to review the latest breach report online to bring yourself up to speed with the industry’s latest cyber statistics. This is a great topic during interviews!

When considering endpoint security, I’ve found the most valuable skill is knowing how each device could be compromised or exploited. The following sections will cover the major operating systems and some of their common vulnerabilities.

Windows

Let’s talk about Windows first, as it is the global market leader for user endpoints. In fact, according to the 2023 stats provided by Net Market Share, 82.4% of all computers run some version of Windows. At the time of writing this article, Windows 11 and Windows Server 2022 are the latest iterations of the popular operating system. However, Windows Server 2012, 2016, and 2019 and Windows 7, 8/8.1, and 10 are still prevalent in many homes and businesses. And herein lies the problem. As new operating systems are released, the older OSs are no longer maintained by Microsoft. This leaves these older operating systems without the critical security patches required to combat new variants of malware. If we dig further into the data, we can glean that over 70% of Windows users are running an unsupported version.
Okay, we covered why Windows is targeted, but how is it targeted? As previously stated, 74% of all malware comes in via user actions. Users clicking links or opening attachments in emails cause more initial compromises than any other method. This is called phishing, and it’s been around for as long as there’s been email. Have you ever been asked to help a wealthy, foreign prince by sending him $1000 with the promise of receiving millions in return? If you answered yes, count yourself among the millions of other users who received a version of the same email. Unfortunately, that scheme did trick many people into forking over their hard-earned money with no return on investment. Today, phishing has evolved into the number one malware delivery platform.

The other common method for compromising a Windows endpoint is weak passwords. If your Windows endpoint is listening for Remote Desktop Protocol sessions, there is a good chance you’ll be targeted by a brute force attack sometime in your future. The strength of your password will determine how successful the attacker will be. When it comes to password complexity, there are two schools of thought. First, the longer the password, the longer the brute force will take. Second, the more diverse the character set of the password, the longer the brute force will take. At the end of the day, both are true, with one caveat: if you use words in your password, it will be easier to guess. Modern password-cracking tools can ingest word lists and modify the letters using modifier rulesets to lessen the time it takes to crack a password. Cracking passwords can be a fun, at-home experiment that any cybersecurity professional should learn to do. We suggest learning tools such as John the Ripper and Hashcat.

Note: Here is our legal disclaimer: stealing or actively attempting to log in to services with the passwords of others is illegal.
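The caveat in the paragraph above (length and character variety only help if the password is not built from words) is exactly what a defensive password policy check has to capture. The block below is an added example, not from the article: it estimates the brute-force search space from length and character classes, but also undoes the common letter substitutions that cracking rulesets undo and looks for dictionary words underneath. The wordlist and substitution map are tiny constructed stand-ins; a real filter would load a large list.

```python
"""Password policy check that applies the article's caveat: length and
character variety only help when the password is not built from words.

Added example, not from the article. WORDLIST and LEET are constructed,
deliberately small stand-ins for a real wordlist and ruleset.
"""
import math
import re
from typing import Optional

# Constructed mini-wordlist; a deployment would load a large list instead.
WORDLIST = {"password", "welcome", "summer", "company", "dragon", "letmein"}

# Substitutions a mangling ruleset reverses; the checker reverses them too.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Undo leetspeak and case so 'P@$$w0rd' and 'password' compare equal."""
    return pw.translate(LEET).lower()


def contains_word(pw: str, min_len: int = 5) -> Optional[str]:
    """Return the first dictionary word hiding in the password, or None."""
    base = normalise(pw)
    for word in sorted(WORDLIST):
        if len(word) >= min_len and word in base:
            return word
    return None


def charset_size(pw: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 32          # printable ASCII punctuation
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the space a naive brute force must cover: length * log2(charset)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def evaluate(pw: str, min_length: int = 12, min_bits: float = 60.0) -> dict:
    """Apply length, search-space and dictionary rules; thresholds are assumptions."""
    word = contains_word(pw)
    bits = brute_force_bits(pw)
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if bits < min_bits:
        reasons.append(f"brute-force space only 2^{bits:.0f}")
    if word:
        reasons.append(f"built on dictionary word '{word}'")
    return {"ok": not reasons, "bits": round(bits, 1), "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2023!", "correcthorsebattery", "Xk9#mQ2"):
        print(candidate, evaluate(candidate))
```

Note how `P@ssw0rd2023!` scores about 85 bits against a naive brute force and still fails, because a wordlist plus rules never has to search that space.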
Do not attempt any hacking activity without express or written permission.

The final topic we’ll cover on Windows security is user permissions. Most at-home Windows users operate day to day as the local administrator of their endpoint, meaning they do not use a separate, non-admin account for daily activities. At home, this practice is acceptable. When a company allows its workforce to operate as the local administrator accounts on their company endpoints, the risk of malware infection is much higher.

Let’s look at a scenario. Josh is Director of Sales at Acme Brick Company (ABC). ABC’s Information Security team allows all users local administrator accounts on their work laptops. Josh receives an email from an old college buddy inviting him to join an alumni forum. Josh clicks the link and becomes a victim of drive-by malware. The malware begins propagating across other systems in the company and soon spreads to every system on the Sales team. What’s the danger of having local administrator permissions in this scenario? Simply put, the malware gained total access to Josh’s system immediately upon infection. Comparably, if Josh’s account had user-level permissions, the malware would be severely limited to the rights of that user. Another key point against local admin is the ability to elevate to system-level privileges. If an attacker gains system-level access, there is nothing on the endpoint that’s safe.

MacOS

Apple’s MacOS is being adopted by more and more companies as their endpoint of choice, making it the second most popular OS in the wild. MacOS is currently on release 14.x and can be found in all of Apple’s desktop and laptop products. MacOS is a proprietary flavor of Unix; this allows the OS to operate on lower system resources and provides greater user control. In 2023, MacOS owned 12.9% of the operating system market share.
That might not sound like a lot, but that number translates into millions of individual Apple devices in homes and offices globally. Many people will say that Apple devices are more secure due to the lack of malware. While it is true there is less malware that targets MacOS, that’s not what makes MacOS more secure. Apple has taken endpoint security to the hardware layer with built-in security chips on the motherboard. These chips are dedicated to encrypting the file storage, ensuring a secure boot of the OS every time, and application runtime security. Other software-based technologies like execute disable (XD), address space layout randomization (ASLR), and system integrity protection (SIP) all work to ensure malware can’t affect critical system files. Despite being a very secure platform, signature-based detection is not built into MacOS.

User permissions in MacOS are very similar to those in most modern Linux distributions. By default, the root user is disabled and cannot be accessed. Users in the administrator group have the ability to elevate their privileges as needed to conduct admin tasks on the local system. Overall, Apple’s MacOS is a great option for increased security in your enterprise environment. Most small businesses adopt Microsoft’s Active Directory services as their authentication mechanism, so Windows devices make more sense. While there are identity managers that allow MacOS to join Active Directory, it usually calls for a high level of IT support and cost. The price of an Apple device also plays a large role in the fight for endpoint supremacy, leading most small- to medium-sized companies to choose Windows devices, as they can be 75% cheaper than a comparable Apple device.

Unix/Linux

Unix and Linux have grown more popular over the last couple of decades as the open source community has increased in size, owning 2% of the market share in 2023.
We won’t be covering the differences between Unix and Linux, but if you’re interested, there is a great article on Opensource.com that goes into the history and differences of the operating systems. The most important note to take away about Unix or Linux is how many different flavors or versions exist. Today’s most common Linux distributions are derived from either Debian or Fedora. Most Unix/Linux distros are free to download and use, and we would encourage you to pick a flavor of Linux and start experimenting.

Unix/Linux devices are in more places than you would think. With the advent of the Internet of Things (IoT), Unix/Linux has found its way into every home and office. Some of the older, more common office devices that run Unix/Linux are printers, A/V systems, and VoIP telephones. Today, all modern smart devices run some form of Unix/Linux under the hood. As the idea of a connected home or office has grown over the last decade, so has the number of attacks on the Internet of Things. Botnets are the most common use of compromised IoT devices. In 2016, the Mirai botnet was used to cripple much of the online infrastructure in the eastern United States when attackers used it to perform a DDoS attack against the Dyn Company.

Attackers have been targeting Unix/Linux since the very beginning, but not with malware. The majority of compromised Unix/Linux hosts are due to misconfigurations in either the OS or the applications hosted on the system. The majority of all websites run on a distribution of Linux; a simple misconfiguration in the web application could allow a would-be attacker to gain credentialed access to the underlying operating system.

But we’re talking about endpoints. Even though the majority of the Internet’s infrastructure relies on Unix/Linux, end users haven’t fully adopted Linux as a personal operating system, largely due to the difficulty of managing the OS.
Today, we see the largest adoption of Linux as an endpoint OS in the cybersecurity and software development communities. The biggest challenge to any enterprise environment using Unix/Linux is managing the variety of distributions, despite the existence of tools that manage multiple Unix/Linux distros. Much like MacOS, malware does exist for Unix/Linux, but it is not widespread. Also, the user permissions are basically the same, since MacOS is based on the Linux kernel.

Most commonly, Unix/Linux systems are compromised through the tools and packages installed on the system. Many Linux distributions come with a preinstalled programming language like Python. Python is a very powerful toolset that allows administrators and developers to code some pretty impressive tasks. Unfortunately, the functionality that makes Python a powerful admin tool also makes it a favorite toolset for attackers. Python’s popularity has skyrocketed over the last several years, and we would suggest adding Python courses to your “to-do” list. However, Python isn’t the only language of its type. Every year, new scripting languages are released, and every one of them can be used to compromise a system. Early in his career, Jarrett learned of an esoteric programming language that uses spaces, tabs, and new lines as its programming syntax. This language, called Whitespace, was developed in 2003 by Edwin Brady and Chris Morris. With the number of programming languages in the wild, no one is expected to know them all. I’ve found the best method is to pick one language and dedicate yourself to it. Learning one will help you interpret most of the others when you see them in use.

Other Endpoints

We’ve covered the three largest categories of operating systems for endpoint devices, but there are some honorable mentions we should cover; we’ll start with mobile devices. According to GSMA Intelligence’s 2023 State of Mobile Internet Connectivity Report, 4.6 billion people are using the mobile Internet.
That is almost half of the world’s population. These mobile devices include cell phones, cellular-enabled tablets, and cars with built-in Wi-Fi hotspots. Mobile devices come in a few flavors of operating systems: Android, iOS, and Linux. Just like the endpoint discussion above, the vulnerabilities of Unix/Linux are shared with the Android/Linux mobile OS. iOS, however, is a bit more secure. This is due to the limitations that Apple has placed on its users’ ability to install untrusted, third-party software. This is called the “walled garden” strategy. If you control the application distribution platform, you can ensure that dangerous software never makes it onto your device. Expect Apple’s “walled garden” approach to falter as legislative bodies pass laws that open these devices to other application stores not controlled by the manufacturer.

Let’s talk about the Internet of Things, or IoT devices; odds are you have these in your home already. This is an all-encompassing term for smart devices. The biggest risk to IoT devices is unsecured application vulnerabilities. Since the majority of IoT devices are unmanaged, we place a lot of faith in the developers who made the product. There are countless white papers and articles on IoT devices with security vulnerabilities. If you have a smart device, you should research its vulnerabilities on websites such as Exploit-db.com and Mitre.org.

The final endpoint device we’ll cover is the Chromebook and ChromeOS by Google. This is a very low-cost solution for the laptop market. The Chromebook runs a custom flavor of Linux known as ChromeOS, based on the Gentoo Linux distribution. Google has stated that ChromeOS is the most secure OS on the market. Regardless of how true that claim might be, the system is only as secure as the apps installed. Google has made efforts to limit the apps installed on its system, but there are methods of circumventing these protections.

Summary

We covered a lot in this article.
We started off talking about networking, and the key to remember here is to make sure you know the difference between a public and a private network. RFC1918 governs what is considered private network address space on the Internet. It is important to know! We also covered common port numbers. It is common to get a pop quiz in a SOC analyst interview asking you which port number matches which service.

The items that we want you to remember from network security are that firewalls draw the imaginary circle around your private Internet address space and define the perimeter. If you know what a private IP address and a public IP address are, you can visualize whether traffic goes inside or outside of the perimeter, and firewalls create the boundary.

Note: There is a concept in networking called Network Address Translation (NAT) that allows public IP addresses to communicate with private IP addresses using a NAT table. This would be a great concept to study on your own.

For user endpoints, there are three major categories for endpoint security: Windows, which has the lion’s share of the market; MacOS, which has a growing market share; and Unix/Linux, which comes in third. Additionally, there are mobile and IoT devices to consider in a separate bucket as far as security is concerned.

ARTICLE QUIZ (ANSWERS FOLLOW)

Which of the following isn’t true about the TCP/IP model?
Ⓐ It’s made up of seven layers.
Ⓑ The US Department of Defense adopted it.
Ⓒ It’s made up of four layers.
Ⓓ It was launched in 1983.

_______ addresses are 32-bit while _______ are 128-bit.
Ⓐ IPv6, IPv4
Ⓑ IPv6, IPv8
Ⓒ IPv2, IPv6
Ⓓ IPv4, IPv6

TCP relies on an established connection called a(n) _______.
Ⓐ two-way handshake
Ⓑ three-way handshake
Ⓒ UDP
Ⓓ encryption

______________ create the boundaries of a network and ensure the general Internet can’t access private networks.
Ⓐ Firewall’s access control lists (ACLs)
Ⓑ Intrusion Detection Systems (IDS)
Ⓒ Intrusion Prevention Systems (IPS)
Ⓓ Switches

____________ adds a unique fingerprint to data while _________ changes data from a readable state to an unreadable state with the intent of returning it back to readable.
Ⓐ Hashing, encryption
Ⓑ Encryption, hashing
Ⓒ Perimeters, hashing
Ⓓ Encryption, perimeters

Which of the following OSs grew with the advent of the Internet of Things (IoT)?
Ⓐ MacOS
Ⓑ Linux
Ⓒ Windows
Ⓓ Raspberry PI

Which of the following does not properly represent endpoint OSs and their market share?
Ⓐ MacOS, 10%
Ⓑ Windows, 87%
Ⓒ Unix/Linux, 2%
Ⓓ Unix/Linux, 10%

ARTICLE QUIZ SOLUTIONS

Which of the following isn’t true about the TCP/IP model?
Ⓐ It’s made up of seven layers. The TCP/IP model is made up of four layers. The OSI model is made up of seven layers.

_______ addresses are 32-bit while _______ are 128-bit.
Ⓓ IPv4, IPv6. IPv4 addresses are 32-bit while IPv6 addresses are 128-bit.

TCP relies on an established connection called a(n) _______.
Ⓑ three-way handshake. TCP relies on an established connection process called a three-way handshake.

______________ create the boundaries of a network and ensure the general Internet can’t access private networks.
Ⓐ Firewall’s access control lists (ACLs). Firewalls and their Access Control Lists (ACLs) create the boundaries of a network and ensure the general Internet can’t access private networks.

____________ adds a unique fingerprint to data while _________ changes data from a readable state to an unreadable state with the intent of returning it back to readable.
Ⓐ Hashing, encryption. Hashing adds a unique fingerprint to data while encryption changes data from a readable state to an unreadable state with the intent of returning it back to readable.

Which of the following OSs grew with the advent of the Internet of Things (IoT)?
Ⓑ Linux. Most Internet of Things devices run on some flavor of the Linux Operating System.

Which of the following does not properly represent endpoint OSs and their market share?
Ⓓ Unix/Linux, 10%. For endpoint Operating System usage, Unix/Linux represents only around 2% of the market share (though growing).
- How to Get a SOC Analyst Job
This piece will cover strategies for finding a SOC analyst job, including common job titles, which job boards to use, resume tips, networking with other professionals, and common interview questions.

How Do I Get a SOC Analyst Job?

The long road of becoming a SOC analyst

Do you find yourself at the crossroads of your old life, considering a new career in cybersecurity? This article will give you tips and tools to find a job in the cybersecurity industry. This might mean that you are graduating from college and looking to start your career, or you might have been in IT for a while and are looking to dive into cybersecurity, or maybe you are an honored vet looking to transition into the civilian space. Whatever the case may be, there are a few things you should know.

Networking

Conferences & Meetups

Word of mouth is your friend! It is essential to grow your network. Having a broad network of people you can talk to professionally opens you up to new opportunities and gives you people to discuss your new ideas with. Professional connections help you stay on top of the latest trends, such as news or technical techniques, which greatly benefits you. There are many opportunities to get involved in projects or communities that are local to your area. Some of these include:

2600: 2600 is an organization with deep roots in hacker culture. Today, it exists as a website, meetup space, conference, and magazine, to name a few. The history of hacking is fascinating, and its name comes from 2600 Hz, the frequency at which a plastic whistle found inside a Captain Crunch box sounded when blown. Blown into a payphone, it allowed the hacker to make free phone calls.

DEF CON: The crown jewel of hacking conferences. The DEF CON conference is traditionally held annually in the summer in Las Vegas, NV. It is considered a pilgrimage for anyone in infosec!
There is so much to do, so many knobs to twist, bells to ding, and big red buttons to push; you will never have time to do it all. What makes this conference great for your career is that recruiters love it! I have heard so many stories of people getting job offers on the spot at DEF CON. DEF CON is even better if you volunteer at the events. You will meet more people, and at a deeper level. Additionally, DEF CON has “DEF CON groups,” which are smaller DEF CON meetings in your local area, usually every month. This is also a great way to network with your regional infosec peers, see what is happening in your local infosec industry, and hopefully pick up a lead!

BSides: BSides is a popular conference held locally in many cities and during the same time frame as DEF CON in Las Vegas. It is relatively popular and offers a lot of value. Tickets are cheap (and free if you volunteer), giving you access to what is going on and to the people in your area.

OWASP: The Open Web Application Security Project (OWASP) is a nonprofit foundation that works to improve software security. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the Web.

Hackerspaces and Makerspaces: These meetups in your local area are a great way to meet people, tinker, pull knobs, and push buttons. Sometimes these meetings allow their members to give presentations in a show-and-tell format, which is a great way to build your presentation skills.

If you have been attending meetings in your surrounding areas, don’t forget to take a pencil and notepad to write down the emails and contact info of the people you meet. It is not weird and doesn’t feel uncomfortable; everyone there is there for the same reason, and you’d be lucky to have a notepad.
Most people would feel flattered if you cared enough to write their information in a notepad. Tell your new friends you want to keep in contact and be on the lookout for them. Follow up with everyone the day after, and send them your resume to share with others.

Competitions

This article wouldn’t be complete if we didn’t take a minute to talk about capture-the-flag (CTF) competitions. Capture the Flag has been around since the beginning, and it started with vulnerable applications and systems with a text string hidden inside them. The participant finds the text string and submits it to the judges, and they get points for every proof they’ve hacked. It started in 1996 at DEF CON (mentioned above), and today, it has evolved into various capture-the-flag challenges inside and outside of conferences. Tyler’s favorite challenge is the DEF CON Blue Team Village capture-the-flag, but he has competed in Ghost in the Shellcode, SANS Netwars, Holiday Hack, and CSAW, and was a mentor for high schoolers in the CyberPatriot program. Tyler was never really fantastic at them but always competed on a team, which was the fun part. Most bigger conferences other than DEF CON have their own capture-the-flag competitions. For instance, the Splunk conference, Splunk.conf, hosts a popular capture-the-flag called BOTS, for Boss of the SOC, that is very challenging and popular (congrats, VMware, for taking 3rd in 2023!). If you are in college, there are many student-oriented capture-the-flag competitions, and perhaps the biggest one that should be on your radar is the Collegiate Cyber Defense Competition (CCDC). In addition to these, there are many online CTF competitions and challenges that not only have communities you can join and participate in, enhancing your networking by finding common ground with new people, but also provide awards, credentials, and overall bragging rights.
Medium

If you want to start building a brand as a cybersecurity expert, then Medium is where you need to go to start doing it. Creating a blog can be one of the most rewarding things any professional can do. Not only does Medium have a huge built-in audience of technology professionals, but teaching and writing about a topic also improves the retention of information. You’ll find out sooner or later that you lose information if you don’t use it. Teaching something to someone else helps you retain that knowledge for longer. Choose a few topics on the SOC and cybersecurity, maybe about your latest project or something you’ve studied that you found interesting, and teach them. One of your audience members might be your new manager! Please write at least two articles weekly and share them on all your social media outlets, including LinkedIn. And always remember: learn, do, and teach to retain. And it helps others. A blog will establish you as someone who knows something about cybersecurity. Leave a banner at the end of every Medium article connecting to your LinkedIn profile. This way, any person interested in you can reach out and connect!

Blog on Medium 2x a week.

Where to Search for Jobs

The information security world has embraced social media to locate and recruit top talent, and LinkedIn stands out as the clear place to start. Not only can you find job postings, but you can also get connected with headhunters and recruiters looking for top talent. LinkedIn offers a premium subscription that can be used to find and connect with recruiters. They offer free trials of LinkedIn Premium, and I highly recommend using it when searching for a job. If your LinkedIn profile is uninteresting, you will not attract the attention you need, no matter how good your cybersecurity knowledge is. Other than putting your certifications and credentials in the headline, there are a few tips to keep in mind.
LinkedIn Profile Tips

LinkedIn is not the only website that consolidates job postings; Indeed and Monster are worth investigating, too. Once you’ve accumulated a few technical certifications, sites like Credly.com have job boards for employers looking for talented people with those certifications. Finally, you can’t go wrong by looking at the careers section of a company’s website. This will show you what open positions are available and provide insight into what they are looking for in an applicant.

Note: Don’t be afraid to apply even if you don’t meet all of the requirements in the job posting. To quote the great Wayne Gretzky, “You miss 100% of the shots you don’t take.”

Applying for Jobs

We would like to explain to you how to perform a job hunt. First off, you need to get your resume together. It takes a lot of trial and error to perfect a resume, but a professional can also help you build a good one. A resume can take many styles, but it will have the same basic information:

Resume Tips

Keep your resume to under three pages to prevent over-skimming by the readers. Once your resume is together, you can search for a job. Several job posting websites have proven successful for us; however, I have had the most success with LinkedIn. When searching for a job, I usually purchase their premium membership to see the statistics for each job I am applying for, send InMail messages to hiring managers or recruiters at a company I am interested in, and see who is looking at my profile. Also, Google has a good aggregation of jobs to search through. Using Google, you are able to set up and configure job alerts specifically for cybersecurity jobs.

The security analyst position is the job that will allow you the easiest first step into information security. There is a revolving door in most SOCs, and the position of security analyst opens frequently.
The titles you want to look for first are:

SOC Analyst Job Titles
Security Analyst
Information Security Analyst
Security Operations Center (SOC) Analyst

If you are mobile and can move anywhere, your odds of finding a good fit quickly are pretty good. If you live far outside a big city, your options may be more limited. Most SOCs require you to be on-site for security reasons. During COVID everyone went remote, and now more companies are returning to a hybrid work model.

Common Interview Questions

The following is a list of common questions that might be asked in an interview for a junior SOC analyst. Some are very basic and some are harder, but we feel that if you can answer these, you have the required knowledge to become a SOC analyst:

What is an RFC 1918 address? Do you know the ranges?
Define a Class A, B, or C network.
What are the seven phases of the cyber kill chain?
What is the purpose of the MITRE ATT&CK Framework?
What is the difference between TCP and UDP?
What are ports 80, 443, 22, 23, 25, and 53?
What is data exfiltration?
What Windows protocol is commonly used for data exfiltration?
Do you have a home lab? Explain it.
What is AWS? Azure? Explain how you have used them.
What is a DMZ, and why is it a common cyberattack target?

The importance of technical knowledge cannot be overstated. The questions above are straightforward, but you might be surprised that seven out of ten candidates don't know the standard TCP/UDP ports of common services. I highly suggest using a study guide to prepare for your interview; Quizlet.com, for example, provides a flashcard-style learning platform for IT certifications like Network+ or Security+. Udemy also has a few SOC analyst interview question courses you can take. A basic understanding of information technology covers only half the requirements of a SOC analyst. An analyst should also be a critical thinker with a knack for problem-solving.
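The RFC 1918, well-known-port and data-exfiltration questions above are really asking whether you can look at raw network records and reason about them. The script below is an added example written for this article, not code from the author; it runs two first-pass heuristics over a handful of constructed flow records (the comma-separated record format, the sample addresses, and the byte and source-count thresholds are all assumptions made for the example): a single internal host moving a large volume to an external address is flagged as possible exfiltration, while many internal hosts sending tiny flows to one internal destination is tagged as a polling pattern to verify with the owning team rather than escalate on sight, which is the same shape as the SNMP scenario discussed later in this article.

```python
import ipaddress
from collections import defaultdict

# Services behind the well-known ports from the question list, plus SNMP on 161.
WELL_KNOWN_PORTS = {22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
                    80: "http", 443: "https", 161: "snmp"}

# The three RFC 1918 private ranges.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def classful_class(ip: str) -> str:
    """Legacy classful class from the first octet: A 0-127, B 128-191, C 192-223."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E"  # multicast or reserved


def service_name(sport: int, dport: int) -> str:
    """Name the service by whichever side of the flow uses a well-known port."""
    return WELL_KNOWN_PORTS.get(dport) or WELL_KNOWN_PORTS.get(sport) or "unknown"


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record of the form src,sport,dst,dport,proto,bytes."""
    src, sport, dst, dport, proto, nbytes = line.strip().split(",")
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def triage(lines, exfil_bytes=50_000_000, fanin_sources=10):
    """Two first-pass heuristics (the thresholds are illustrative assumptions):
    1. an internal -> external pair moving at least exfil_bytes: possible exfiltration;
    2. at least fanin_sources internal hosts -> one internal destination with tiny
       average flows: looks like polling/monitoring, so ask the owning team first."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    findings = []

    outbound = defaultdict(int)
    for f in flows:
        if is_rfc1918(f["src"]) and not is_rfc1918(f["dst"]):
            outbound[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    for (src, dst, dport), total in sorted(outbound.items()):
        if total >= exfil_bytes:
            findings.append({"type": "possible_exfiltration", "src": src, "dst": dst,
                             "service": service_name(0, dport), "bytes": total})

    fanin = defaultdict(lambda: {"sources": set(), "flows": 0, "bytes": 0, "services": set()})
    for f in flows:
        if is_rfc1918(f["src"]) and is_rfc1918(f["dst"]):
            agg = fanin[f["dst"]]
            agg["sources"].add(f["src"])
            agg["flows"] += 1
            agg["bytes"] += f["bytes"]
            agg["services"].add(service_name(f["sport"], f["dport"]))
    for dst, agg in sorted(fanin.items()):
        if len(agg["sources"]) >= fanin_sources:
            avg = agg["bytes"] / agg["flows"]
            verdict = ("likely polling/monitoring; confirm with the network or infrastructure team"
                       if avg < 1500 else "review: unusual fan-in with sizeable payloads")
            findings.append({"type": "internal_fanin", "dst": dst,
                             "sources": len(agg["sources"]), "avg_bytes": avg,
                             "services": sorted(agg["services"]), "verdict": verdict})
    return findings


# Constructed sample flows for the example, not real telemetry.
SAMPLE_FLOWS = [
    # twelve internal hosts answering from UDP/161 to a single internal collector
    *(f"10.0.1.{i},161,10.0.0.5,{50000 + i},udp,120" for i in range(1, 13)),
    # an ordinary small HTTPS session to an external host (TEST-NET-3 documentation range)
    "10.0.1.7,51000,203.0.113.10,443,tcp,48000",
    # one workstation pushing 75 MB to another external host over HTTPS
    "10.0.1.7,51001,203.0.113.77,443,tcp,75000000",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(finding)
```

Run it and the 75 MB transfer to 203.0.113.77 comes out as the exfiltration candidate while the twelve SNMP responders to 10.0.0.5 come out as a fan-in pattern with a 120-byte average, which is exactly the prompt to ask the network team what polls those hosts before calling it an incident.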
Interviewers will usually test a candidate's problem-solving ability with scenario-based questions. Let's cover some scenarios I have seen and used in interviews:

Scenario 1: "You are a tier 1 SOC analyst monitoring the SOC inbox for user-reported incidents. The SOC receives an email from the VP of Human Resources stating they can't access their cloud drive. The VP knows this is against company policy but is adamant that access is required for legitimate business reasons."
Do you process the access request for the VP?
What is your response to the VP?
Who else should you include in the reply email?

Scenario 2: "You are monitoring the SIEM dashboard for new security events. A network IDS alert fires and you begin investigating. You see a large amount of network traffic over UDP port 161 originating from dozens of internal IP addresses, all with the same internal destination IP address. Some quick Googling shows that the Simple Network Management Protocol (SNMP) uses UDP port 161, and the byte count of the traffic is minuscule."
Do you think this is data exfiltration?
If this is not data exfiltration, what legitimate services could cause this alert?
What team could explain the traffic?

The first scenario exemplifies what you might be asked for an entry-level analyst role; the second is a little more advanced. Let's go over what the interviewer is looking for.

Scenario 1 is designed to find out whether the applicant can be intimidated by senior leadership. Information security is the responsibility of every member of the organization, and it should not be waived for the convenience of one senior leader. The larger lesson is about risk-based decisions: a junior analyst should never accept the risk of a policy exception on their own. The interviewer will ask how the applicant would respond to the VP, because that showcases their customer service experience. Customer service is another critical task of a SOC analyst.
Whether working for an MSSP or a company's internal SOC, there will be times when interfacing with other teams requires the analyst to show tact and professionalism. The third question helps the interviewer understand the applicant's escalation and prioritization skills: if an analyst is working with a VP, there is a high probability that the organization has a procedure for communicating with senior leadership.

Scenario 2 tests the applicant's critical thinking and technical knowledge while giving the interviewer insight into their investigative reasoning. It also reveals the most essential quality of a SOC analyst: if you don't know the answer, admit it. The last thing a SOC team needs is a "know-it-all"; they are dangerous and toxic to the workplace. If this article teaches you one thing, let it be this. There will be questions you can't answer, and that's fine. The worst thing you can do is give a wrong answer with the confidence that you are 100% correct.

Remember that the scenarios above are examples; each interviewer will use their own questions. The goal remains the same: to locate and select the best applicant for the position. Our goal is to help you become that applicant. Here are a few tricks and tips to help you become the "best applicant":

Interview Tips
Make eye contact.
Maintain good posture.
Use brief affirmations like "I see."
Don't show signs of restlessness or boredom.

Summary

The most important thing we want you to take away from this article is that you have the tools to find a job. Use job boards, network with others in your area and online, and study the answers to the typical interview questions. The job market is growing fast, but the skills analysts need will change as SOC automation and the cloud mature. As you move forward, the resources I have described will become even more valuable to you. Get a Security+; blog on Medium 2x a week; go to in-person meetings 2x a month; stay involved in Discord and social media daily.
The application process is broken. Networking is how you will find your next job.

One last thing to end this article. You are entering the world of "cybersecurity". Cybersecurity is defined as "measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack". It is always correctly spelled as one word, denoting a profession, a practice, even an industry.

ARTICLE QUIZ (ANSWERS FOLLOW)

For an online community of support in the hacker culture that includes meetup spaces, a conference, and a magazine whose namesake is from a Captain Crunch toy, check out _______.
Ⓐ 2600.org Ⓑ DEF CON Ⓒ BSides Ⓓ OWASP

This relatively affordable conference meets in Las Vegas each year, draws recruiters looking for qualified IT professionals, and is the pilgrimage for anyone in cybersecurity.
Ⓐ BSides Ⓑ OWASP Ⓒ DEF CON Ⓓ Hackerspaces

_______ is a nonprofit foundation that strives to improve the security of software.
Ⓐ DEF CON Ⓑ OWASP Ⓒ BSides Ⓓ 2600

All the following items should be included on your resume for a SOC analyst position except:
Ⓐ Unrelated certifications Ⓑ Experience related to IT Ⓒ Skills that line up with the job listing Ⓓ Phone and email address

When searching for open analyst positions, use all the following titles except:
Ⓐ Information Security Analyst Ⓑ Security Operations Center Analyst Ⓒ Security Analyst Ⓓ Software Analyst

Which of the following is not a reason to include your LinkedIn profile on your resume?
Ⓐ LinkedIn provides an overview of you as a professional Ⓑ LinkedIn enables you to upload multiple pictures of yourself Ⓒ LinkedIn gives personalized information about yourself Ⓓ LinkedIn allows you to provide more information about yourself

All the following are questions you might be asked in an interview except:
Ⓐ What's the difference between TCP and UDP? Ⓑ What are ports 80, 443, 22, 23, 25, and 53? Ⓒ What's an RFC 1928 address? Ⓓ What is a DMZ, and why is it a common target for cyberattacks?
Which of the following was not on the list of questions you might be asked in a SOC analyst interview?
Ⓐ What is ASW? Ⓑ Define a Class A, B, or C network. Ⓒ What are the seven phases of the cyber kill chain? Ⓓ What's the purpose of the MITRE ATT&CK Framework?

In an interview, you should do all the following when it comes to body language except:
Ⓐ Use brief affirmations like "I see." Ⓑ Make eye contact. Ⓒ Maintain good posture. Ⓓ Show signs of restlessness or boredom.

ARTICLE QUIZ SOLUTIONS

For an online community of support in the hacker culture that includes meetup spaces, a conference, and a magazine whose namesake is from a Captain Crunch toy, check out _______.
Ⓐ 2600.org. A bit of "hacker history," but 2600 meetings are alive and well in some cities.

This relatively affordable conference meets in Las Vegas each year, draws recruiters looking for qualified IT professionals, and is the pilgrimage for anyone in cybersecurity.
Ⓒ DEF CON. DEF CON is held in the summer in Las Vegas every year. A great place to get involved!

_______ is a nonprofit foundation that strives to improve the security of software.
Ⓑ OWASP. The Open Web Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies related to web application security.

All the following items should be included on your resume for a SOC analyst position except:
Ⓐ Unrelated certifications. Do not include unrelated certifications on your resume.

When searching for open analyst positions, use all the following titles except:
Ⓓ Software Analyst. Software Analyst isn't a typical cybersecurity job title.

Which of the following is not a reason to include your LinkedIn profile on your resume?
Ⓑ LinkedIn enables you to upload multiple pictures of yourself. Uploading multiple pictures of yourself is not a reason to use LinkedIn in cybersecurity.
All the following are questions you might be asked in an interview except:
Ⓒ What's an RFC 1928 address? RFC 1918 is the standard for private address ranges, not RFC 1928.

Which of the following was not on the list of questions you might be asked in a SOC analyst interview?
Ⓐ What is ASW? ASW isn't a common acronym in cybersecurity.

In an interview, you should do all the following when it comes to body language except:
Ⓓ Show signs of restlessness or boredom. The answer should be obvious, but it should spark your research: "What are the signs of restlessness or boredom?"