- How to Build a Resume Funnel
How to Build a Resume Funnel

When you're just starting in cybersecurity, you're up against tough competition. A hiring manager can open a job requisition and get 500 applicants the same day. Getting a cybersecurity job has always been somewhat difficult, but today it's tough. A perfect storm of candidates graduating and preparing for roles in this industry, coupled with less work to go around because of automation and AI, means there are many people who want jobs and few who are hiring. This is how to build a resume funnel.

When a hiring manager reviews 500 applicants, it's a job no one wants to do; it's boring, and all the candidates look the same. Your strategy is to make the hiring manager invest more time in you as a unique candidate and as a unique person. On your resume, the top center line should be your name and any significant certifications, the second line your contact details, and the third line a link to your blog or Medium profile. The hiring manager will immediately see this as unique in a classy, non-flashy way. If the hiring manager scans the rest of your one- to two-page resume and likes it, they will click that link and your LinkedIn link to learn more about you. The goal of the funnel is to make the hiring manager invest time in you as a candidate. The next two sections cover your LinkedIn and your Medium.

LinkedIn

Improving your LinkedIn is almost universal advice for increasing your chances of getting a better-paying job. LinkedIn is the new resume; most recruiters find you there if they are looking for your skill set. If your LinkedIn is drab and boring, you significantly reduce your chances of being discovered, no matter how strong your cybersecurity knowledge is. Apart from the basics, such as listing your certifications and job title, there are some tips you should keep in mind.
Use the LinkedIn banner image and headline to grab attention. Take full advantage of the "Featured" section on your profile; it is the best place to showcase achievements and any awards you have won, and to link good articles you have written, videos, and so on. When describing your current job, do not just paste the job description; include your achievements and the extra things you did to stand out in that position. Remember that the hiring manager is interested in your unique strengths, not just your 9-to-5 duties! Use the media section for each job to add awards or conferences you attended while in that position.

Medium

If you want to build a brand as a cybersecurity expert, Medium is quite possibly one of the best places to start. It is a free blogging site with a massive built-in audience of technology professionals, and the next reader might be your new manager. Choose a few topics: your road into cybersecurity, tutorials for projects you have worked on, reviews of cybersecurity products or services, training reviews, and reviews of books you have read. Try not to sound too pessimistic, and write at least two articles a week. Share them on LinkedIn and watch as more people follow and interact with you. Leave a banner at the end of every Medium article linking to your LinkedIn profile.

SOC Conferences & Meetups

Word of mouth is your friend! It is important to grow your network. A broad network of people you can talk to professionally opens up new opportunities and gives you people to discuss your ideas with. Professional connections help you stay on top of the latest trends, news and technical techniques, which will benefit you greatly. There are many opportunities to get involved in projects or communities local to your area.
Some of these include:

2600: 2600 ( 2600.org ) is an organization deeply rooted in hacker culture. Today it exists as a website, meetup space, conference and magazine (2600: The Hacker Quarterly), to name a few. The history of hacking is fascinating, and the name comes from 2600 Hz: the tone the old long-distance phone network used to signal an idle trunk line, which also happened to be the pitch of a plastic whistle found inside a Captain Crunch cereal box. Blowing the whistle into a payphone let a phone phreak seize the line and make free calls.

DEF CON: The crown jewel of hacking conferences. DEF CON is traditionally held each summer in Las Vegas, NV, and is considered a pilgrimage for anyone in infosec! There is so much to do, so many knobs to twist, bells to ring and big red buttons to push, that you will never have time for it all. What makes this conference great for your career is that recruiters love it! I have heard many stories of people getting job offers on the spot at DEF CON. DEF CON is even better if you volunteer at the events; you will meet more people, and at a deeper level. Additionally, there are "DEF CON groups," smaller DEF CON meetings in your local area, usually monthly. They are a great way to network with regional infosec peers, see what is happening in your local infosec industry and hopefully pick up a lead!

BSides: BSides is a popular conference held locally in many cities, and in Las Vegas during the same week as DEF CON. It offers a lot of value: tickets are cheap (and free if you volunteer), and it gives you access to what is happening, and to the people, in your area.

OWASP: The Open Web Application Security Project (OWASP, since 2023 the Open Worldwide Application Security Project) is a nonprofit foundation that works to improve software security. Through community-led open-source software projects, hundreds of local chapters worldwide, tens of thousands of members and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.
Hackerspaces and Makerspaces: These local meetups are a great way to meet people, tinker, pull knobs and push buttons. Some of them let members give presentations in a show-and-tell format, which is a great way to build your presentation skills.

If you attend meetings in your area, don't forget to take a pencil and notepad to write down the emails and contact details of the people you meet. It is not weird and does not feel uncomfortable; everyone is there for the same reason, and most people are flattered that you cared enough to write their information down. Tell your new contacts you want to keep in touch and that you will be on the lookout for them. Follow up with everyone the next day, and send them your resume to share with others. With so many applicants, knowing someone who will refer you might be your only way in. A referral lets you skip the line: your resume is picked out of the pile, you miss the whole first screening stage, and you get an interview.

Online Chats

Getting your name out there online is also important. Get involved in groups like the Cyber NOW Discord and the more popular ones like the Black Hills Information Security (BHIS) Discord. There are many other Discords and Slacks you can join to get to know people and sometimes hear about job openings before they are made public.

Competitions

This KB wouldn't be complete without a word about capture-the-flag (CTF) competitions. CTF has been around since the beginning. It started with deliberately vulnerable applications and systems with text strings (the flags) hidden inside them; the participant finds a flag and submits it to the judges, scoring points for every proof that they have hacked the target.
It started in 1996 at DEF CON (mentioned above) and has since evolved into all sorts of CTF challenges inside and outside of conferences. Tyler's favorite is the DEF CON Blue Team Village CTF, but he has also competed in Ghost in the Shellcode, SANS NetWars, Holiday Hack and CSAW, and was a mentor for high schoolers in the CyberPatriot program. He was never fantastic at them but always competed on a team, which was fun. Most bigger conferences besides DEF CON have their own CTF competitions. For instance, Splunk's conference, .conf, hosts a popular CTF called BOTS (Boss of the SOC), which is very challenging and popular (congrats, VMware, for taking 3rd in 2023!). If you are in college, there are many student-oriented CTFs, and the biggest one that should be on your radar is the Collegiate Cyber Defense Competition (CCDC).

In addition, there are many online CTF competitions and challenges. Their communities help you network by giving you common ground with new people, and they also provide awards, credentials and bragging rights. The most popular online CTF platform today, and the one I would recommend you look at first, is TryHackMe (THM). Its popularity has skyrocketed, and it is common to see analysts on LinkedIn advertising that they are "Top 2% in TryHackMe" or "Top 5% TryHackMe". If you get serious about playing and showing off your skills, a subscription makes learning and earning points faster. TryHackMe offers guided walkthroughs and is best suited to beginners. Hack The Box (HTB) is a similar platform, except the subscription is a little more expensive and you are more on your own with its challenges.
HTB's claim to fame is being the top cybersecurity upskilling platform. It does, however, require a basic understanding of pen testing and is not as beginner-friendly as the alternatives; it is very comprehensive and challenging. For defensive (blue team) challenges, LetsDefend is rising in popularity. It has a free option, but the SOC Analyst track is a paid subscription. It has some neat challenges that give you hands-on exposure to the things we do daily, and it issues a certificate you can share on LinkedIn.

I hope this short KB has given you some ideas for building your brand with the Resume Funnel Strategy. We will continue to work on building a brand that employers want.

Tyler Wall is the founder of Cyber NOW Education. He holds a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts. You can connect with him on LinkedIn. You can sign up for a Lifetime Membership of Cyber NOW® with a special deal for 15% off with coupon code "KB15OFF" which includes all courses, certification, the cyber range, the hacking lab, webinars, the extensive knowledge base, forums, and spotlight eligibility, to name a few benefits. Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing. Some of our free resources include the Forums, the Knowledge Base, our True Entry Level SOC Analyst Jobs, Job Hunting Application Tracker, Resume Template, and Weekly Networking Checklist.
Ensure you create an account or enter your email to stay informed of our free giveaways and promos, which we often offer. Check out my latest book, Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success, 2nd edition, published June 1st, 2024, and winner of the 2024 Cybersecurity Excellence Awards and a finalist in the Best Book Awards. If you enjoy audiobooks, I suggest the Audible version, but you can also get it in beautiful paperback, kindle, or PDF versions. The downloadable PDF version can be grabbed here .
- How to Hack with Google
How to Hack with Google

Google is a powerful reconnaissance tool, and a great way to find sensitive information online using what are known as Google Dorks. Google Dorking, also known as Google Hacking, is a search technique that uses advanced search operators to find information that ordinary queries do not surface; it leans on Google's index to locate specific strings in page titles, URLs, body text and file types. Although the word "hacking" suggests something illicit, running these searches is legal, and security professionals use them to find exposures in their own systems. The caveat is that the legality stops at the search box: Google's index does not make data public property, so accessing a system or downloading data you are not authorized to touch can still break computer-misuse laws, and scripted or automated querying of Google violates its terms of service. This is how to hack with Google.

Different Google Dorking Techniques

Google Dorking primarily involves specific search operators. The operator must be followed immediately by its term, with no space after the colon, or Google treats it as an ordinary word. Below are the most commonly used:

Filetype: The `filetype:` operator searches for specific file types. For example, `filetype:pdf` returns PDF files.
Inurl: The `inurl:` operator finds specific words within a page's URL. For example, `inurl:login` returns pages with "login" in the URL.
Intext: The `intext:` operator searches for specific text within the content of a page. For example, `intext:"password"` yields pages containing the word "password".
Intitle: The `intitle:` operator searches for terms in a page's title. For example, `intitle:"index of"` reveals web servers with directory listing enabled.
Link: The `link:` operator was meant to find pages that link to a given URL, for example `link:example.com`. Google retired it in 2017, so it no longer returns useful results; it is listed here because older dork collections still use it.
Site: The `site:` operator restricts the search to one site or domain. For example, `site:example.com` searches within example.com only.
These techniques are powerful information-gathering tools and should be used responsibly. While Google Dorking is legal and useful for legitimate research and security work, misuse can violate privacy and may be illegal.

The Google Hacking Database

The Google Hacking Database (GHDB) is a collection of Google search queries, or "Google Dorks," organized into categories to help cybersecurity professionals identify potential exposures. It was created in 2004 by cybersecurity researcher Johnny Long, who had begun collecting Google queries that uncovered sensitive information or vulnerable systems in 2002; today it is maintained by Offensive Security as part of Exploit-DB. Attackers use the GHDB as a tool for advanced Google searching and information gathering. For example, the wildcard operator (*) stands in for variable words in a phrase, and the `site:` operator narrows results to a specific website or domain. Google Dorking can also return information that was never intended for public viewing; finding it is legal, using it without authorization is not.

Fast Finds

intitle:"hacked by" inurl:upload
inurl:/admin/login.php
intitle:("Iniciar sesion" OR "hacked")
intitle:"(SSI Web Shell)" AND intext:"(ls -al)"
s3 site:amazonaws.com filetype:xls password
inurl:document/d intext:ssn

Hack NOW! course by Dr. Bryson Payne out now on the on-demand section of the website. 8.5 hours of learning to hack with quizzes and a lab to earn your Certified Junior Hacker (CJH) certification.
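As an added example (not code from this page or from the GHDB), the script below builds the dork queries you would run against a domain you are authorized to test, rejects the space-after-colon mistake that silently turns an operator into a plain search word, produces the URL for running each query by hand, and checks whether a fetched page is the kind of auto-generated directory listing that `intitle:"index of"` surfaces. The dork templates, `example.com`, and the two HTML samples are all constructed here for illustration.

```python
"""Build Google dorks for a domain you own and spot directory listings.

Added example; not code from the Cyber NOW page or the GHDB. The templates are
a hypothetical selection, example.com stands in for a domain you are
authorised to test, and the two HTML samples below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import quote_plus

# {domain} is filled in by build_dorks(). Hypothetical selection for illustration.
DORK_TEMPLATES = [
    'site:{domain} intitle:"index of"',                          # directory listings
    'site:{domain} filetype:pdf',                                # exposed documents
    'site:{domain} inurl:login',                                 # login pages
    'site:{domain} intext:"password"',                           # pages mentioning passwords
    'site:{domain} filetype:env OR filetype:ini OR filetype:log',  # config/log files
    'site:{domain} inurl:backup OR inurl:old OR inurl:bak',       # forgotten copies
]
OPERATORS = ("site:", "inurl:", "intitle:", "intext:", "filetype:", "link:")


def assert_valid_dork(query: str) -> None:
    """Reject the most common dork mistake: a space (or nothing) after the colon.
    'inurl: admin' is not an operator search; Google treats 'inurl:' as a word."""
    for op in OPERATORS:
        idx = query.find(op)
        while idx != -1:
            after = query[idx + len(op): idx + len(op) + 1]
            if after == "" or after.isspace():
                raise ValueError(f"{op!r} must be followed directly by its term: {query!r}")
            idx = query.find(op, idx + 1)


def build_dorks(domain: str) -> list[str]:
    """Return the validated dork strings for one domain."""
    queries = [t.format(domain=domain) for t in DORK_TEMPLATES]
    for q in queries:
        assert_valid_dork(q)
    return queries


def search_url(query: str) -> str:
    """URL for running one dork by hand in a browser. Manual use only:
    scripted querying of Google violates its terms of service."""
    return "https://www.google.com/search?q=" + quote_plus(query)


class _IndexParser(HTMLParser):
    """Collect the <title> text and every href on a page."""
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def looks_like_directory_listing(html: str) -> bool:
    """True for an auto-generated directory index (what intitle:"index of" finds):
    title starts with 'Index of', a parent-directory link exists, and the page
    links to at least one entry."""
    p = _IndexParser()
    p.feed(html)
    title_ok = p.title.strip().lower().startswith("index of")
    has_parent = any(h in ("../", "/") or h.endswith("/..") for h in p.hrefs)
    return title_ok and has_parent and len(p.hrefs) >= 2


# Constructed samples: an Apache-style autoindex page and an ordinary page.
SAMPLE_AUTOINDEX = """<html><head><title>Index of /backups</title></head>
<body><h1>Index of /backups</h1><pre><a href="../">../</a>
<a href="db-2023.sql.gz">db-2023.sql.gz</a> <a href="site.tar">site.tar</a>
</pre></body></html>"""
SAMPLE_NORMAL = """<html><head><title>Acme Corp - Home</title></head>
<body><a href="/about">About</a><a href="/login">Login</a></body></html>"""

if __name__ == "__main__":
    for q in build_dorks("example.com"):
        print(search_url(q))
    print(looks_like_directory_listing(SAMPLE_AUTOINDEX))  # True
    print(looks_like_directory_listing(SAMPLE_NORMAL))     # False
```

Run the printed URLs in a browser, not from a script, and only against domains you are authorized to assess; the listing check is meant for pages you have fetched yourself while verifying a hit.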
- How to Hack Facebook Passwords Lab
Want to go snooping? Go to any website where a password is saved in the browser (Facebook, a bank, a school login) and hope that it is reused everywhere. Learn how to hack Facebook passwords with this lab.

Open Google Chrome and go to https://facebook.com/login
If a saved password is filled in, right-click (or Control-click on a Mac) on the password field and select Inspect.
Find type="password" in the highlighted input element and double-click the word password.
With password highlighted, press the spacebar to replace it with a space (type=" ").
Press ENTER, and the browser re-renders the field: an input whose type it does not recognize falls back to a plain text field, so the saved password appears in clear text.

Nothing has been broken into here. The browser's password manager filled the field in; the trick only makes visible what was already on the page, and it works on any site, not just Facebook. All it needs is a few seconds at an unlocked computer, which is why it is a perfect example of why everyone should use two-factor authentication every chance they get, lock their screen, and never save passwords in the browser (a dedicated password manager that re-prompts for its master password is a better home for them).

HACK NOW! course based on the book by Dr. Bryson Payne, Go H*CK Yourself, out for purchase now. He's even got car hacking covered.
- Common Port Scanning Techniques
Common Port Scanning Techniques

Port scanning is a vital part of information security. Enterprises, organizations and individual users scan systems to discover open ports and the services behind them. If you think of a computer as a hallway of doors, port scanning is walking down the hallway trying each handle to see which doors are open. Penetration testers, as I once was, use this information to find ways into the computer. Port scanning belongs to the "active reconnaissance" phase, a vital part of any penetration test. My aim is to explain a few of the common port scanning techniques.

PING SCANNING

A ping scan (or ping sweep) is not a port scan; it checks whether hosts are alive, across a whole network block or for a single target. It sends an ICMP echo request, and an ICMP echo reply means the target is up. It is increasingly common for firewalls and routers to block ICMP, so you will often have to fall back on other host-discovery methods, such as a TCP SYN to port 443 or a TCP ACK to port 80; nmap's default host discovery (nmap -sn, run as root) combines exactly these with the ICMP echo request.

TCP Half-Open (SYN scan)

This is probably the most common type of port scan (nmap -sS, the default when nmap has raw-socket privileges). It is fast, potentially scanning thousands of ports per second, because it never completes the TCP handshake: it sends a packet with the SYN flag set, waits for the SYN-ACK, then tears the embryonic connection down with a RST instead of sending the final ACK. To see why that is enough, recall the handshake. When you initiate a TCP connection you first send a packet with the SYN (synchronize) flag set to the destination. The destination acknowledges with a packet that has both SYN and ACK (synchronize-acknowledge) set. Finally, the sender acknowledges the SYN-ACK with a packet with the ACK flag set, and the connection is established.
Because the scanner never sends that final ACK, no connection is established and the service behind the port usually never learns it was probed; the SYN-ACK alone tells you the port is open and listening. If a RST (reset) packet comes back, the host is up but the port is closed. If nothing comes back (or an ICMP unreachable error arrives) from a host you know is alive, the port is considered filtered: something between you and the target dropped the probe.

TCP CONNECT

This is the same as the half-open scan except that the scanner finishes the handshake by sending the final ACK, establishing a real connection (nmap -sT). It is slower, because more packets are exchanged per port, and noisier: the application accepts the connection and will typically log it. Its advantage is that it needs no raw-socket privileges, so it works from an unprivileged account.

UDP

UDP scans (nmap -sU) are most often used to find DNS, SNMP and DHCP services. A UDP scan sends a datagram, usually empty (it can also be a protocol-specific or random payload per port), and interprets what comes back. If a UDP response arrives, the port is open. If the target replies with an ICMP port unreachable error (type 3, code 3), the port is closed. If it replies with an ICMP unreachable error carrying another code (type 3, codes 1, 2, 9, 10 or 13), the port is considered filtered. If nothing comes back at all, the port is open|filtered: either a service is listening but does not answer an empty datagram, or a packet filter is dropping the probe. Version detection (nmap -sV, or -sUV for UDP) helps resolve this ambiguity by sending payloads the common UDP services actually respond to. UDP is unreliable: there is no handshake and no sequencing, so a lost probe looks exactly like a silent open port, and scanners retransmit several times before settling on open|filtered. Worse, many operating systems rate-limit ICMP errors (Linux sends at most about one destination-unreachable message per second by default), so a full 65,535-port UDP scan of a single host can take many hours. For these reasons UDP scans are slow.
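To make the port states concrete, here is an added example (not code from this article) of a full-handshake connect scan, the kind nmap -sT performs, together with the UDP decision table described above. A SYN (half-open) scan needs raw sockets and root, so the connect scan is what runs here: it opens a listener on 127.0.0.1 to play the open port, bind-and-releases an ephemeral port to get a closed one, and probes 192.0.2.1 (TEST-NET-1, RFC 5737) for the filtered case. That last address is an assumption about your network: nothing should answer it, so the connect times out or is rejected by the local routing table.

```python
"""TCP connect scan with nmap-style port states, plus UDP result classification.

Added example, not from the Cyber NOW article. nmap -sS (half-open) needs raw
sockets and root; the full-handshake connect scan below (what nmap -sT does)
needs only an ordinary socket, so it runs against a listener on 127.0.0.1.
The 'filtered' probe targets 192.0.2.1 (TEST-NET-1), an assumption about the
network this runs on: nothing should answer it.
"""
import socket
import threading
from typing import Optional, Tuple


def tcp_connect_scan(host: str, port: int, timeout: float = 1.0) -> str:
    """One TCP port as a full-handshake scan sees it.
    open     -> SYN, SYN-ACK, ACK completed (and the service will log it)
    closed   -> the target answered the SYN with RST (ECONNREFUSED)
    filtered -> nothing came back before the timeout (probe dropped) or an
                ICMP unreachable error came back (EHOSTUNREACH/ENETUNREACH)"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:                  # includes socket.timeout / TimeoutError
        return "filtered"
    finally:
        sock.close()


def classify_udp_probe(udp_reply: bool, icmp: Optional[Tuple[int, int]]) -> str:
    """nmap's UDP port states from what came back for one probe.
    udp_reply: the service answered with a UDP datagram
    icmp:      (type, code) of an ICMP error, or None if nothing arrived"""
    if udp_reply:
        return "open"
    if icmp is None:
        return "open|filtered"       # silent service or dropped probe: can't tell
    if icmp == (3, 3):
        return "closed"              # port unreachable
    if icmp[0] == 3 and icmp[1] in (1, 2, 9, 10, 13):
        return "filtered"            # other unreachables: a filter is in the way
    return "open|filtered"


def _start_listener() -> Tuple[socket.socket, int]:
    """Listen on an ephemeral localhost port and accept in the background,
    standing in for a real service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:          # listener closed: stop
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def _unused_port() -> int:
    """Bind-and-release an ephemeral port so we have one with no listener."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo_scan() -> dict:
    """Scan an open and a closed localhost port, and the unroutable test address."""
    srv, open_port = _start_listener()
    closed_port = _unused_port()
    try:
        return {
            "open": tcp_connect_scan("127.0.0.1", open_port),
            "closed": tcp_connect_scan("127.0.0.1", closed_port),
            "filtered": tcp_connect_scan("192.0.2.1", 80, timeout=0.5),
        }
    finally:
        srv.close()


if __name__ == "__main__":
    print(demo_scan())   # {'open': 'open', 'closed': 'closed', 'filtered': 'filtered'}
    print(classify_udp_probe(False, (3, 3)), classify_udp_probe(False, None))
```

Note that the "open" result above is exactly the case the text warns about: the listener's accept() returned, so a real service would have logged the connection, which is what a SYN scan avoids.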
STEALTH SCANNING – NULL, FIN, X-MAS

These scan types are called stealth scans because they craft TCP flag combinations that provoke a response from the target without going through the handshake or establishing a connection. They exploit a loophole in RFC 793: a closed port must answer any incoming packet that does not carry RST with a RST, while an open port must silently drop a packet that carries none of SYN, RST or ACK.

The FIN scan (nmap -sF) sends a packet that would never occur naturally: a FIN with no connection established. If a RST comes back, the port is closed. If nothing comes back, the port is reported open|filtered, because a firewall dropping the probe looks exactly like an open port ignoring it.

The X-MAS scan (nmap -sX) gets its name because it "lights the packet up like a Christmas tree": the FIN, PSH and URG flags are all set. Again, a RST means closed and no reply means open|filtered.

The NULL scan (nmap -sN) also sends a packet that should never occur: no flags set at all. As above, a RST means closed and no response means open|filtered.

These scans are useful because no connection is ever made, so the service behind the port will not log them, and they can slip past some stateless filters; an IDS watching the wire, however, will flag them easily. The catch is that the Windows TCP/IP stack, along with many Cisco devices and some other stacks, does not follow the RFC here and sends a RST for every probe, so every port looks closed. Turn that around, though: if a NULL, FIN or X-MAS scan does report an open port, you know the target is not running Windows.

In conclusion, port scanning is one of the first steps in any vulnerability analysis or penetration test. Knowing which ports are open is the beginning of being able to actively communicate with the target. One of the best port scanners available is Nmap ( www.nmap.org ), an incredibly powerful and versatile port scanner with its own scripting engine. I can't stress enough how much nmap comes in handy and how widely it is used professionally.
I hope you have found this information to be useful.
- What to Do if You Make a Mistake in Cybersecurity
What to Do if You Make a Mistake in Cybersecurity

At some point in your career, you will make mistakes: small mistakes, big mistakes, even career-defining mistakes. I am writing this in retrospect because, in the course of my job duties, I made a big mistake. This is what to do if you make a mistake in cybersecurity. The details are irrelevant, but I wanted to share my experience of making mistakes in the professional world.

The 2023 Verizon Data Breach Investigations Report found the human element (error, misuse, stolen credentials and social engineering) involved in 74 percent of breaches, and it concludes that "basic security hygiene is what matters the most in terms of effective defensive countermeasures." Security starts with you. A careless mistake can be detrimental both to the security of your organization and to your personal reputation as a security practitioner, and it is worth understanding that impact before it happens. In one case, an employee in the finance department of a wire and cable manufacturer received an email claiming to be from a company executive, demanding that 40 million euros be transferred to a bank account in the Czech Republic. That is one instance where human error caused a company incredible financial hardship.

When you make mistakes, especially as a security practitioner, it is important to look at yourself as a brand. You are your personal brand, and your brand is defined by your actions. If your actions are good, your brand will sell very well, and if you promote your brand, there will be higher demand for it. However, when you have just made a royal mistake, it is time to think about your options. If you are genuinely unsure whether you made the error, first seek clarity. It has been extremely important in my life to take ownership and accountability for my mistakes. But don't be a martyr.
Every mistake comes with a rich opportunity to grow from it, but if it wasn't your mistake, then owning it hurts your brand without giving you that opportunity. My first suggestion, if you are unsure whether the mistake was yours, is to find the evidence. If your search shows that it was entirely you, that you are the problem, the second piece of the puzzle is to accept ownership. I have seen people go to great lengths to deny, deny and deny. In every aspect of my life, that has never worked in my favor. You need to accept that you can, will, and do make mistakes in life.

Taking accountability for your mistake comes with a price tag; there will be some level of consequences. We will call the consequences "amendments," because to amend something is to change it, and that is exactly what you need to do. The worst outcome would be to be wrong once and then keep being wrong for the rest of your life, so call your consequences amendments. You want to change the impact of your mistake.

Changing the impact of your mistake could mean many things, but it starts by asking those you have affected, "How can I change things?" This seems simple, but the magic is in meaning it. I've done this enough to know that people can tell whether you are sincere. Amending may mean not behaving that way from that point forward; it may be a financial payment; it may even be jail time (let's hope not). Whatever it is, I have learned that walking away with an action step is the only way to repair your brand, and it starts with asking that question. Seek an agreement between you and those affected; carrying out your obligation under that agreement is the only way to repair your brand. I must warn you that entering into such an agreement and not carrying it out to the full extent will demolish whatever credibility you have beyond repair. It is very serious, and you must treat it so.
Handling mistakes this way has proven to be the most effective way to overcome and grow beyond any obstacle I have faced thus far. Remember:

Seek Clarity
Accountability
Amendments

And remember that security starts with you.
- Cybersecurity Monitoring During the US Elections
Cybersecurity Monitoring During the US Elections With all the Russian election hacking scandals in the news during and after the 2016 Presidential election, curiosity consumed me to architect and run an experiment to see if I could monitor changes in the threat landscape in Moscow, Russia, and Washington, D.C., during the 2018 U.S. midterm elections. I have worked at many Security Operations Centers (SOCs) and have been in a leadership capacity at two. These SOCs have ranged in size from smaller companies to the Big 4. I am no stranger to security monitoring, and if there is anywhere I like to be, it is where the action is. My expertise and passion led me to a honeypot project. Honeypots are a deceptive security technology designed to sit strategically on a network with services that entice attackers to hack. When a honeypot observes a connection to these services, it sends detailed logs to a centralized log server that monitors the threat landscape in real time. I used the Modern Honey Network for this project, a brilliantly designed platform which allows you to deploy deceptive honeypots. I began this project by deciding what I wanted to monitor and what a significant change in the threat landscape would need to look like if it were to indicate increased or decreased cyber activity resulting from the elections. I decided to buy two dedicated Virtual Private Servers (VPS) located in Moscow, Russia, and one VPS in Washington, D.C. I deployed Dionaea honeypots to each of the VPS on Ubuntu 14.04 LTS servers. Dionaea honeypots are designed to expose numerous vulnerable-looking services as well as a trap to capture malware. Additionally, I spun up two Amazon AWS Dionaea honeypots in Ohio to act as a control.
Roughly a month before the elections, the infrastructure was completely set up, and all the honeypots were sending hundreds of thousands of security events a day to my Elasticsearch, Logstash, Kibana (ELK) stack. Within seconds of deploying it to the public internet, the honeypot got attacked. The takeaway from this observation is that if anyone in your company deploys an unpatched, unhardened system to the public internet for any amount of time, they should assume that the system has been compromised. I played with Kibana to create the best dashboards to visualize the data I was getting. I created this dashboard to be the one that would run 15 days prior to and after the election. This basic dashboard shows a list and pie chart of which country the attacking IP address was sourcing from, the number of unique attacks, and a list of the top 15 attack source IP addresses. It also lists the samples of malware that the honeypots picked up. Then I waited for 15 days after the election. What I expected to find was two distinct sets of data: one for Moscow and one for the United States. Midterm Elections As it turns out, there were not any significant changes in the threat landscape during the election, no matter how hard I tried to find a correlation in the data. What I found was that the top 100 attackers in Moscow were almost identical to those in Washington, D.C., and I had the same findings in the Ohio honeypots. As time continued, the data normalized across all the geographical locations of the honeypots. All the honeypots captured multiple instances of the same malware samples, and during my observations, there were not any instances of regional malware outbreaks. The pie chart below represents one Moscow, Russia honeypot. The Ohio and Washington, D.C. honeypots had a similar breakdown of source countries and became almost identical at the close of the project. My conclusion is that the internet is a war zone that does not discriminate based on which country the data lives in.
My analysis of all these attackers proved that they are all known bad actors, generally bots or compromised web and file servers. IP addresses found in a public-facing honeypot are almost always true representations of malicious attackers. These IP addresses can be fed back into your SIEM to determine whether there is any suspicious outbound activity from your internal network to these hosts. With a reasonable amount of checking, they can be inserted into blacklists on your firewalls to improve your security posture. I discovered that there is no product, to my knowledge, that can take a large set of attacker IP addresses and tell you which emanated from an intelligent human. An intelligent human signifies a more persistent, patient, and even more targeted attack source. Something worth investigating further.
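Here is what that SIEM feedback loop looks like in code, as an added example that is not part of the original article or of the Modern Honey Network's own tooling. It assumes a simple key=value firewall log format; the watchlist is a constructed stand-in for the honeypot's top-attacker export, and every address comes from the RFC 5737 documentation ranges or RFC 1918 private space. It also applies the "reasonable amount of checking" the article mentions before an address is allowed to become a firewall block-list entry:

```python
"""Correlate honeypot attacker IPs against outbound firewall logs.

Added example (not from the original article or MHN): the watchlist is a
constructed stand-in for the honeypot's top-attacker export, and the log
lines are constructed in a simple key=value format.
"""
import ipaddress
import re
from collections import defaultdict

# RFC 1918 ranges spelled out rather than using ip.is_private, because
# is_private would also treat the documentation ranges used below as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: pretend these came from the honeypot's top-attacker list.
HONEYPOT_ATTACKERS = {"198.51.100.23", "203.0.113.77", "192.0.2.9"}

# Constructed firewall log. Line 3 is the attacker scanning inbound, which is
# background noise; the interesting lines are internal hosts reaching OUT to
# a known-bad address.
SAMPLE_FW_LOG = """\
2018-11-06T10:01:02Z action=allow src=10.20.30.40 dst=198.51.100.23 dport=443 proto=tcp
2018-11-06T10:01:05Z action=allow src=10.20.30.41 dst=198.51.100.200 dport=443 proto=tcp
2018-11-06T10:02:10Z action=allow src=203.0.113.77 dst=10.20.30.40 dport=22 proto=tcp
2018-11-06T10:03:33Z action=allow src=192.168.5.7 dst=192.0.2.9 dport=8080 proto=tcp
2018-11-06T10:04:00Z action=deny src=10.20.30.42 dst=198.51.100.23 dport=25 proto=tcp
2018-11-06T10:05:00Z action=allow src=10.20.30.40 dst=198.51.100.23 dport=443 proto=tcp
"""

FW_LINE = re.compile(
    r"^(?P<ts>\S+)\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)\s*$"
)


def is_rfc1918(ip_text):
    """True if the text is an IPv4 address inside one of the RFC 1918 ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def sanitize_watchlist(candidates, own_public_ranges=()):
    """The checks a feed needs before it becomes a block list: drop unparsable
    entries, private/loopback/multicast space, and your own public ranges (a
    honeypot also sees your own scanners and NAT address)."""
    own = [ipaddress.ip_network(r) for r in own_public_ranges]
    clean = set()
    for text in candidates:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue
        if is_rfc1918(text) or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            continue
        if any(ip in net for net in own):
            continue
        clean.add(str(ip))
    return clean


def parse_fw_line(line):
    """Parse one key=value firewall line into a dict, or None if it does not match."""
    m = FW_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_outbound_to_attackers(log_text, watchlist):
    """Records where an RFC 1918 host talks to a watchlisted address. Denied
    connections are kept: a blocked beacon attempt still points at a host
    worth looking at."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec and is_rfc1918(rec["src"]) and rec["dst"] in watchlist:
            hits.append(rec)
    return hits


def summarize_by_host(hits):
    """Roll hits up per internal host so the analyst gets one line per machine."""
    summary = defaultdict(lambda: {"total": 0, "allowed": 0, "destinations": set()})
    for h in hits:
        s = summary[h["src"]]
        s["total"] += 1
        s["allowed"] += int(h["action"] == "allow")
        s["destinations"].add(h["dst"])
    return dict(summary)


if __name__ == "__main__":
    watch = sanitize_watchlist(HONEYPOT_ATTACKERS)
    for host, s in summarize_by_host(find_outbound_to_attackers(SAMPLE_FW_LOG, watch)).items():
        print(f"{host}: {s['allowed']}/{s['total']} allowed -> {sorted(s['destinations'])}")
```

The inbound hit from 203.0.113.77 on line 3 is deliberately not reported: a honeypot-sourced address scanning you is expected, while an internal host initiating a connection to it is the signal the article is after.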
- How to Access the Dark Web
How to Access the Dark Web What is the Dark Web? The deep web, not to be confused with the dark web, is the part of the web that can't be reached by typical search engines and often requires getting through additional layers of encryption to access. The dark web goes a step further, providing even more layers of encryption to grant users complete anonymity. To access the dark web you need specific software called The Onion Router (TOR). You can access the deep web through Google Chrome or a typical web browser. I am going to get you online with TOR, but I do warn you, don't go looking for stuff on the dark web that you don't want to see. I am scarred for life because one time, out of curiosity, I went exploring just to see if stuff was there. It was there, and I'll never unsee it. What can you buy on the dark web? You can buy credit card numbers, all sorts of drugs, guns, counterfeit money, stolen subscription credentials, hacked Netflix accounts, and software and services used for spying and hacking. I haven't been on the dark web in the better part of ten years, probably because it's not my cup of tea, but everyone should know how. There might be a day when you need to know how to use it for legitimate purposes. If our critical infrastructure were compromised, it might mean the health and wellness of your family to be able to anonymously access resources on the dark web. The bottom line is, you should know how, because the time might come when you need it, just like you might rotate gas cans in your garage in case of a disaster. There once was a time when trackers didn't exist, and it was easy to coast through the internet with your handle and be pretty safe knowing no one knew who you were. The fabric of society is now tied into the internet, and it's just not a separate world anymore. I wish it was. Anyhow, I don't want to get off on some tangent about the hopelessness of privacy; I want to teach you how to be private in case you ever need it.
First, this is best done on a fresh burner Linux machine. Microsoft has trackers built into its operating system. But let's just assume you don't care about Microsoft knowing what you're doing and just want to explore the dark web out of curiosity. But remember, don't go looking for stuff to see if it's there; it's there.
Understanding TOR
To understand The Onion Router, you have to understand the OSI model. There are two different, let's say, products that TOR offers. There is TOR, which is the routing software. You can kind of think of it like a VPN. And there is TOR Browser. Think of it like this: TOR works at the routing layer, takes all of your internet traffic, adds a bunch of wrappers to it so no one can see what's inside, and addresses that package to a point somewhere on the internet. When the traffic leaves your computer, it goes to the upstream router that your ISP owns, and at this point they know that you are sending traffic to the TOR network, but they don't know what's inside the wrapper. They know this because TOR exit nodes are public knowledge. So while your traffic is anonymized, the fact that you're using TOR is well known. OK, your ISP hands off this wrapped package and delivers it to someone who has set up what's called a TOR Exit Node. Contrary to its name, TOR exit nodes both ingress encrypted traffic and egress plain traffic. So your encrypted traffic goes into this exit node, and then it just hops around the planet with the intention of masking where it came from. It keeps removing a layer of wrapping from this package. This hopping makes TOR SLOOOOW. It takes a long time to send your package back and forth across the globe. Now it has only one wrapper left on it, and it can leave the TOR network. The normal internet wouldn't know what to do with it if it didn't look like normal traffic,
so it goes back out a different TOR exit node than the one it came in, and this time that exit node strips away the last wrapper, and your traffic leaves the TOR network as plain-Jane traffic as if it were leaving your computer, except now no one knows who the traffic came from. It looks like it came from the exit node, not from you. But there are many problems with this. First, most of the internet's traffic is already encrypted using SSL/TLS. People would know who you're sending to and where it came from, but they couldn't see what's inside the package already. When you use TOR, the destination won't know where the traffic came from, unless it's inside the package... which a lot of the time it is, via cookies or other trackers and fingerprints or whatever personally identifiable information may be in it. There is usually a way to identify the sender if you have enough data. Also, the exit node that strips away all of the layers to send your plain traffic can and will inspect the package, and it might be able to determine that it came from you, so they'll know what you're doing and who you're communicating with. Law enforcement is notorious for operating TOR Exit Nodes so they can keep a log of who is sending what traffic. Tor Browser is a package that TOR offers that includes a Firefox privacy variant bundled with their routing software. It's an easy way to get on the TOR network, and that is what we will be using. Since TOR Browser works at the application layer, specifically within TOR Browser, any other traffic from any other applications would not be routed over TOR. Which means if you're not doing it in TOR Browser, then it's not anonymized. TOR can also be used to encrypt and send tunneled traffic that isn't through a browser. That was its original intent before it became used primarily for browsing websites anonymously.
If you are using a command line program to execute and send commands over the internet and not using the web browser, you can anonymize that traffic using TOR. But just so that we're clear, TOR Browser wouldn't help you much in keeping that anonymized.
Downloading TOR Browser
We are going to be browsing the internet today, not launching a command and control server, so the rest of this is fairly straightforward. Visit here and download TOR Browser. The TOR network websites all end with a ".onion" address. From here you can search around the normal web for information leading you to illicit ".onion" addresses. You can start by going to a search engine like this and looking for stuff. http://haystak5njsmn2hqkewecpaxetahtwhsbsa64jom2k22z5afxhnpxfid.onion/ May you explore safely with an understanding of TOR and the dark web.
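To make the "wrappers" concrete, here is a toy onion-routing simulation. It is added here and is not part of the original post or of the Tor Project's code. It assumes a three-relay circuit with constructed names and keys, and uses a throwaway keystream cipher (HMAC-SHA256 in counter mode) purely to illustrate the layering; Tor's real protocol (AES, a per-hop key exchange, fixed-size cells) is not reproduced. The point it demonstrates is the one made above: each relay peels exactly one layer and learns only the next hop, and only the exit sees the plaintext and the destination, which is why TLS to the destination still matters.

```python
"""Toy onion-routing walk-through (added example, not from the original post).

The sender wraps the message once per relay, innermost layer first. Each relay
strips one layer with its own key, learns only the next hop, and forwards the
rest. The exit strips the last layer and sees the plaintext and destination.
The cipher is an illustrative HMAC-SHA256 keystream, not Tor's protocol.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
HOP_FIELD = 16  # fixed-width next-hop name, so layer size leaks nothing about it

# Constructed circuit: relay name -> the per-relay key the sender shares with it.
CIRCUIT = [("guard", b"guard-key-constructed-0000000001"),
           ("middle", b"middle-key-constructed-000000001"),
           ("exit", b"exit-key-constructed-00000000001")]


def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (toy cipher)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key, next_hop, payload):
    """One wrapper: [nonce][enc(next_hop || payload)] under this relay's key.
    next_hop must fit in HOP_FIELD bytes."""
    nonce = os.urandom(NONCE_LEN)
    header = next_hop.encode().ljust(HOP_FIELD, b"\0")
    return nonce + keystream_xor(key, nonce, header + payload)


def peel_layer(key, blob):
    """Reverse of wrap_layer: returns (next_hop, inner_payload). With the wrong
    key the header decrypts to garbage, so the relay learns nothing useful."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plain = keystream_xor(key, nonce, body)
    next_hop = plain[:HOP_FIELD].rstrip(b"\0").decode("utf-8", "replace")
    return next_hop, plain[HOP_FIELD:]


def build_onion(circuit, destination, message):
    """Wrap for the exit first, then each earlier relay, so the guard's layer
    is outermost. Returns the blob the sender hands to the first relay."""
    blob, next_hop = message, destination
    for name, key in reversed(circuit):
        blob = wrap_layer(key, next_hop, blob)
        next_hop = name
    return blob


def route_onion(circuit, blob):
    """Simulate the relays. Returns (trail, destination, plaintext); trail
    records what each relay learned: its own name and the next hop only."""
    keys = dict(circuit)
    trail = []
    current = circuit[0][0]
    while current in keys:
        next_hop, blob = peel_layer(keys[current], blob)
        trail.append((current, next_hop))
        current = next_hop
    return trail, current, blob


if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "example.com", b"GET / HTTP/1.1")
    trail, dest, plaintext = route_onion(CIRCUIT, onion)
    for relay, nxt in trail:
        print(f"{relay} peels one layer and forwards to {nxt}")
    print(f"exit delivers {plaintext!r} to {dest}; the guard never saw either")
```

Run it and the trail shows the guard forwarding to "middle" without ever seeing "example.com", while the exit ends up holding the bare request. In real life that bare request should itself be TLS, or the exit operator reads it, which is the caveat the text above raises.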
- Cybersecurity Certs are Dead
A decree for the ages. Cybersecurity Certs are Dead After you look through hundreds of resumes from certification factories (people who get one certification after another), they all seem to blur together. "How many certs do I need?" or "What kind of certs do I need?" The question comes up again and again, and I'm here to tell you that cybersecurity certifications are dead. They won't make you stand out anymore. While they are great achievements, they don't make a hiring manager scream, "THIS IS THE ONE." Two things will make you stand out: a strong personal brand and hands-on experience.
A strong personal brand
A hiring manager will review a resume before the interview. Before they know if you have hands-on experience, you have to make them want to email you back. Your two-page resume should scream, "You know you want to talk to me." A link to your blog should be at the very top of your resume. If you have a link there, the hiring manager will click it and briefly scan your blog to see what you've been up to. Your blog should be personable. Against conventional advice, it should show your personality. You should write in language that is natural to you and avoid sounding too formal. Your blog should have walkthroughs and how-tos of labs you've done here at Cyber NOW®. Pick one of the dozens of labs and write your version. Change it up some, give credit to me (please), but do it. Your blog should also contain reviews of Jump-start Your SOC Analyst Career, SOC Analyst NOW!, and any other training you've done. Write about how you felt the training went, what you learned, and how you will apply it to your career. Your blog should be about your journey to becoming a SOC analyst. Write about your successes and failures. Be honest about areas where you can improve by writing about your shortcomings and what you're doing about them. Write about how difficult it is to land a job in cybersecurity, but how much it means to you.
In addition to your blog, you should be attending local meetups: places like DEF CON groups, OWASP, 2600, BSides, hackerspaces, makerspaces, and any conventions that are nearby. Get out of the house once or twice a month and do this. You should find opportunities to present and volunteer at these meetups. There should be a section at the bottom of your resume for Volunteering/Presentations/Publications, whichever fits. This should lure the hiring manager into finding out more about you. You should also create a GitHub page with information about the projects you've worked on, your home lab, and your involvement in the community. There should be a link at the top of your resume next to "blog" that says "GitHub." You can try teaching by making short YouTube videos or creating a course on Udemy. Udemy requires a lot of work, but it's not as bad as you think. Your goal isn't to make a bunch of money; it's to list a course or training on your resume. Who cares if it's not popular? These things will spark the hiring manager's curiosity and make them want an interview.
Hands-on experience
You've got the interview now, and this is when your hands-on experience will shine. Wait, what hands-on experience? By now, you should have been participating in the Cyber Range here at Cyber NOW® and completed the dozens of projects that we have walked you through. The muscle memory from security analysis will help you answer questions in the interview about how you know if something is bad. The projects give you a lot of experience with system administration and the cloud. These are all topics they might ask you about in your interview. If you do all of this, you will be recognized as someone who walks the walk and isn't just out to add letters to their name. It's essential to have a few critical certs like the Sec+, even Net+, but more is not better. It's time to change your strategy because the role of certifications and education has changed.
The jobs now go to those most qualified to do the work, not necessarily those who could afford a premium education or a bunch of certifications. It doesn't take much money to learn cybersecurity, believe it or not. Be the only one who does a lot more with a lot less; in this declining economy, that is how you will earn the respect of your superiors.
- Is the 5-Step SOC Analyst Method a Method or Template
Is the 5-Step SOC Analyst Method a Method or Template? Security analysis is what security analysts do. There's no escaping it. If you aren't interested in security analysis, then SOC analyst may not be the best role for you. The SOC may just be a stepping stone, but you'll have a hard time moving out of it if you're not good at security analysis and aren't a great SOC analyst. At first glance, the five steps look like a template for documenting a security event. And it is that. But it's more than a template, because it teaches you a method for conducting security analysis. Each step comes in a particular order, and inside each step is a way to transform a security log into a conclusion about whether something is malicious activity or not. More than anything else, the 5-step SOC analyst method is a training tool to teach you how to do security analysis. Many companies may not even want you to spend the time documenting your analysis in such a verbose way. They might just care about the conclusion. Many managers just want to see their metrics get better and couldn't care less about the analysis (or even whether it's any good). Unfortunately, that is the world we live in, where the security posture of an organization is just a count of how many alerts have been analyzed, taking no heed of the quality of the analysis. This leads to a race over who can close alerts the fastest and an ever-growing number of alerts to be analyzed, since no one has the time to improve the SOC. If you're stuck at one of these companies, my advice to you is to find work elsewhere when you can. You will not learn anything there that is valuable to your career moving forward, and it will feel like a dead-end job that's no more than a factory-line sweatshop. I have worked at companies like these before, and I resigned. If at any point in your career you're not learning, it's time to move on.
For managers that do value analysis, results, and the overall security posture of the organization they are running, they won't see the 5-step SOC analyst method; they will see your thoroughness, and they will also see the diligence and care you take to protect the company. Coupled with your recommendations for improvement, they will see you as someone who is capable of producing a more efficient SOC, and you will be picked to help automate the SOC. Automation is what every SOC is trying to do and is the skill most in demand in the SOC, and they won't ever pick someone to help automate who doesn't know how to do a thorough analysis. Is the 5-Step SOC Analyst Method a template? Yes. Is it a method? Yes. But more than anything else, it is a training tool for you to practice to become efficient at security analysis.
- What are the Risks of Cloud Computing
What are the Risks of Cloud Computing? Like any disruptive technology which comes along and shakes things up, cloud computing brings its own unique challenges and risks. Understanding these risks is the first step to putting in a proper mitigation strategy to protect your data in the cloud. Despite the cloud's obvious advantages, it is a seriously bad idea for companies to jump into cloud adoption without knowing the security risks. So, without further delay, let's look at some of the key risks in the cloud.
Lack of Cloud Security Skills
Easily the number one challenge facing most companies is the lack of cloud security skills. The cloud has a learning curve, and without investing in training and certifications, cybersecurity teams will not be able to meet the challenge that cloud security brings. Remember that the cloud removes several of the security perimeters which companies take for granted and replaces them with other (and in some cases better) controls. There is already a lack of cloud expertise in the market and an even bigger gap for cloud security. The 2022 Cloud Security Report states that a shortage of experienced staff is one of the biggest barriers that stops companies from going all in when it comes to the cloud. This problem becomes even greater in a multi-cloud environment, which puts a huge burden on your IT and cybersecurity teams. Securing one cloud is hard enough, but imagine trying to secure multiple! Unless CIOs and CISOs think smart and put dedicated cloud training in their roadmaps, they will find themselves saddled with a cloud environment that is just waiting for a data breach to happen. This also relates to the next risk.
Misconfigurations
Misconfigurations in the cloud are the primary reason for most data breaches, and the risk grows exponentially with the size of your cloud footprint. This directly ties into the previous risk, as staff without proper training are more prone to make these mistakes.
The cloud makes it VERY easy to make changes and push them to production, so a simple mistake can lead to your database containing credit card numbers being exposed over the internet. Despite cloud providers putting in numerous controls to prevent these mistakes from happening, customers are frequently unaware of their security obligations. We will discuss this in detail when we go over the Shared Responsibility Model. Most cybersecurity teams also do not take advantage of the cloud's native security controls and automation, resulting in delayed response times.
Increased attack surface
The public cloud by its nature is accessible outside an organization's on-premises perimeter and thus becomes a very attractive target for attackers. Poorly configured cloud storage or open ingress ports can become the stepping stone they need to access and take over workloads in the cloud. This problem also increases with the common mistake of companies accidentally hard-coding and storing their credentials in cloud repos, which are regularly scanned by attackers. Security in the cloud requires a mindset change and a focus on identity as the firewall, which leads us to the next risk.
Lack of Focus on Securing Cloud Identities
Managing identities in the cloud becomes a major problem if it is not given priority at the beginning. As a cloud environment grows, user management becomes increasingly complex, as each cloud usually has its own identity store which is set up differently, with different authorization policies and access privileges. AWS Identity and Access Management (IAM) and Azure Active Directory are different from each other, and managing identities can become a major hassle unless you have a strategy set up for handling this from the start. The best way to solve this issue is to federate to a Single Sign-On solution so you have a single source of truth for your identities.
This is much easier than handling each cloud identity differently and allows the centralization of user access policies. We will discuss this in detail when we go over cloud security tools in the coming lectures.
Lack of Standardization and Visibility
CISOs (pronounced "see-sos"), or Chief Information Security Officers, who have executive leadership of cybersecurity teams often have two main concerns in the cloud: How do I enforce security controls consistently in all cloud environments? How do I know what is happening where in the cloud? Enforcing your cloud security policies can be a serious challenge in one environment, but imagine doing that in several! Azure, AWS, and Google each have different security tooling, and enforcing a cloud security standard uniformly across all of them can be a massive challenge if done manually. The lack of visibility and control is further extended in the Platform as a Service and Software as a Service cloud models. Cloud customers often cannot effectively identify and quantify their cloud assets or visualize their cloud environments. Additionally, you can potentially have hundreds to thousands of daily automated changes happening in your environment, which are impossible for security teams to secure unless they invest in something like a Cloud Security Posture Management (CSPM) tool. In short, a CSPM will automate the detection and remediation of cloud policy violations, provided it is implemented properly, and give you a centralized dashboard of your cloud security posture.
Data Leakage
We discussed Broad Network Access earlier as one of the defining characteristics of cloud computing. The cloud was designed to make IT services and systems available at any time and place without the restrictions of physical infrastructure, which is amazing. Unfortunately, as a side effect, it also increases the risk of data leakage and exfiltration, as the traditional security perimeter has gone away.
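To show what "automating the detection and remediation of cloud policy violations" looks like mechanically, here is a miniature CSPM-style check. It is added here and is not part of the lecture or of any vendor's product. It runs over a constructed inventory (AWS-style security group rules and S3-style bucket settings) instead of calling a cloud API, the resource names are made up, and the admin CIDR handed to the remediation step is a placeholder you would replace with your own range. It covers the misconfiguration and attack-surface risks above (open ingress ports, world-readable storage, unencrypted data) in one pass:

```python
"""Miniature CSPM-style policy scan (added example, not from the lecture).

Evaluates a constructed cloud inventory against a few rules, applies the
remediations that are safe to automate, and re-scans. Real CSPM tools pull
the inventory from provider APIs; here it is hard-coded sample data.
"""
import copy
import ipaddress

# Constructed inventory in an AWS-like shape (not real resource IDs).
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-bastion", "ingress": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"proto": "tcp", "from": 3306, "to": 3306, "cidr": "10.0.0.0/16"}]},
        {"id": "sg-legacy", "ingress": [{"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}]},
    ],
    "buckets": [
        {"name": "public-assets", "block_public_access": False, "acl": "public-read", "encrypted": True},
        {"name": "cardholder-exports", "block_public_access": False, "acl": "private", "encrypted": False},
        {"name": "audit-logs", "block_public_access": True, "acl": "private", "encrypted": True},
    ],
}

# Management and database ports that should never face the whole internet.
SENSITIVE_PORTS = {22, 23, 3389, 1433, 3306, 5432, 6379, 27017}


def is_world(cidr):
    """0.0.0.0/0 or ::/0 means 'everyone'."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def finding(resource, severity, rule, detail):
    return {"resource": resource, "severity": severity, "rule": rule, "detail": detail}


def scan_security_groups(groups):
    out = []
    for sg in groups:
        for r in sg["ingress"]:
            if not is_world(r["cidr"]):
                continue
            if r["proto"] == "-1":
                out.append(finding(sg["id"], "HIGH", "sg-all-traffic-open", "all protocols/ports open to the internet"))
                continue
            exposed = SENSITIVE_PORTS & set(range(r["from"], r["to"] + 1))
            if exposed:
                out.append(finding(sg["id"], "HIGH", "sg-admin-port-open", f"ports {sorted(exposed)} open to the internet"))
            else:
                out.append(finding(sg["id"], "INFO", "sg-public-service",
                                   f"{r['from']}-{r['to']}/{r['proto']} open to the internet (expected for public services; confirm)"))
    return out


def scan_buckets(buckets):
    out = []
    for b in buckets:
        if not b["block_public_access"]:
            if b["acl"].startswith("public"):
                out.append(finding(b["name"], "HIGH", "bucket-world-readable", f"acl={b['acl']} and public access not blocked"))
            else:
                out.append(finding(b["name"], "LOW", "bucket-public-access-unblocked", "private today, but one ACL change away from public"))
        if not b["encrypted"]:
            out.append(finding(b["name"], "MEDIUM", "bucket-unencrypted", "default encryption disabled"))
    return out


def scan(inventory):
    return scan_security_groups(inventory["security_groups"]) + scan_buckets(inventory["buckets"])


def count_by_severity(findings):
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0, "INFO": 0}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def remediate(inventory, admin_cidr):
    """Return a corrected copy. Only changes that cannot break a public service
    are automated: admin ports are narrowed to admin_cidr, and buckets get
    public access blocked plus encryption. An all-traffic rule is left alone
    (and keeps being reported) because deleting it blindly could take down
    whatever depends on it; that one needs a human."""
    fixed = copy.deepcopy(inventory)
    for sg in fixed["security_groups"]:
        for r in sg["ingress"]:
            if r["proto"] != "-1" and is_world(r["cidr"]) and SENSITIVE_PORTS & set(range(r["from"], r["to"] + 1)):
                r["cidr"] = admin_cidr
    for b in fixed["buckets"]:
        b["block_public_access"] = True
        b["acl"] = "private"
        b["encrypted"] = True
    return fixed


if __name__ == "__main__":
    before = scan(INVENTORY)
    after = scan(remediate(INVENTORY, admin_cidr="203.0.113.0/24"))  # placeholder admin range
    print("before:", count_by_severity(before))
    print("after: ", count_by_severity(after))
    for f in after:
        print(f"  {f['severity']:6} {f['resource']:12} {f['rule']}: {f['detail']}")
```

The remediation step is deliberately conservative: it narrows and locks down, but never deletes a rule, because an automated fix that takes production offline is how these tools get switched off. The "all traffic open" group stays on the dashboard until a person owns it.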
The ease with which data can be shared, i.e., with a simple URL or button click, can become a major cloud security issue if staff are not aware of what they are doing. For example, sharing collaboration links with third parties without putting in restrictions can lead to a cloud folder being accessible over the entire internet. This problem increases with the number of vendors and service providers that are usually given access to a company's cloud infrastructure. Around 51% of teams cite accidental oversharing as a major concern for companies considering cloud migrations, especially if their workloads contain customer data or PII. One of the best ways to mitigate the risk of data leakage is via implementation of a Cloud Access Security Broker (CASB).
Data privacy and compliance
Data privacy and compliance is another area that can become a key cloud security risk for companies that rush into cloud adoption. Standards like PCI DSS, HIPAA (pronounced "hippa"), and GDPR require controls to be put in place or limit access to sensitive data such as card numbers, medical data, PII, etc., and this requires a good understanding of cloud security controls to be done effectively. The cloud operates on a shared responsibility model, and compliance is shared between the customer and the cloud service provider. Most providers are usually compliant with standards like PCI DSS, NIST, HIPAA, GDPR, etc.; however, customers need to understand where their obligations begin, and this changes depending on what model or service they are using.
Data Sovereignty, Residence and Control
One of the great features of the cloud is how easy it is to move data between geographical regions, which makes disaster recovery and continuity much easier than on-prem. However, this same feature can also become a regulatory nightmare for companies who must comply with strict data residency laws.
Data residency refers to where data can be stored and is usually governed by a country's data laws, with strict fines for non-compliance. In some cases, it is not allowed to transfer data out of a country's borders, which becomes a problem if a company does not even know where their data is being stored. Make sure you are aware of the fine print in your cloud service provider's terms if you have data residency requirements before you start putting customer data in the cloud.
Incident Response in the Cloud
Less of a risk and more of a mindset change, but still important enough to be mentioned, is incident response and how it changes. In the cloud, changes can happen rapidly, and if your company is still relying on email tickets to be raised before the security team investigates anything, then you might be putting your environment at serious risk. The cloud lends itself to automation, and without using cloud-native controls, the security team will find themselves unable to respond effectively to potential security incidents.
Summary
We quickly covered cloud computing risks. The majority of these risks are a result of the skills required to effectively manage assets in the cloud. The cloud is fast emerging and even faster adopted, and it has so much power to make data available at the click of a button that the majority of risks associated with the cloud are unintended misconfigurations by your own people. In security, our data is often our crown jewel, and the cloud, by design, makes it so that data is easily accessed and shared. To complicate things more, formal incident response hasn't been well ironed out in most cases. Knowing where your data is and governing who has access to it is among the top concerns of security in the cloud.
- What are the SOC Analyst Interview Questions
The following is a list of common interview questions that might be asked during an interview for a junior SOC analyst. Some are very basic and some are harder, but we feel that if you can answer these questions, you have the required technical knowledge to become a SOC analyst:

- What is an RFC 1918 address? Do you know them?
- Define a Class A, B, or C network.
- What are the seven phases of the cyber kill chain?
- What is the purpose of the MITRE ATT&CK Framework?
- What is the difference between TCP and UDP?
- What are ports 80, 443, 22, 23, 25, and 53?
- What is data exfiltration? What Windows protocol is commonly used for data exfiltration?
- Do you have a home lab? Explain it.
- What is AWS? Azure? Explain how you’ve used it.
- What is a DMZ, and why is it a common target for cyberattacks?

The importance of having technical knowledge cannot be overstated. The above questions are pretty simple, but you might be surprised to learn that seven out of ten candidates don’t know the common TCP/UDP ports used by modern services. I highly suggest using a common study guide to prepare for your interview. An example of this is the website Quizlet.com, which provides a flashcard-style learning platform for information technology certifications like Network+ or Security+. Udemy also has a few SOC analyst interview question courses that you can take.

Despite the need for a basic understanding of information technology, that only covers half of the requirement to be a SOC analyst. An analyst should be a critical thinker and possess an acumen for problem solving. Interviewers will usually test a candidate’s problem-solving ability with scenario-based questions. Let’s cover some scenarios I’ve seen and used to conduct interviews:

Scenario 1: “You are a tier 1 SOC analyst, responsible for monitoring the SOC inbox for user-reported incidents. The SOC receives an email from the VP of Human Resources stating that they can’t access their personal cloud drive. The VP knows this is against company policy, but the VP is adamant that this is required for legitimate business requirements.”

- Do you process the access request for the VP?
- What is your response to the VP?
- Who else should you include in the reply email?

Scenario 2: “You are monitoring the SIEM dashboard for new security events. A network IDS alert is triggered, and you begin investigating. You see a large amount of network traffic over UDP port 161 originating from dozens of internal IP addresses, all with the same internal destination IP address. Some quick Googling shows that UDP port 161 is used by the Simple Network Management Protocol, and the byte count of the traffic is minuscule.”

- Do you think this is data exfiltration?
- If this is not data exfiltration, what legitimate services could cause this alert?
- What team could provide an explanation for the traffic?

The first scenario is an example of what you might be asked when applying for an entry-level analyst role, while the second is a little more advanced. Let’s go over what the interviewer is looking for.

Scenario 1 is designed to identify whether the applicant can be easily intimidated by senior leadership in the organization. Information security is the responsibility of all members of the organization; it should not be waived for the convenience of one senior leader. The larger lesson here is about making risk-based decisions: a junior analyst should never assume the risk of policy exceptions. The interviewer will ask how the applicant would respond to the VP, as it showcases their experience with customer service. Customer service is another very important task of a SOC analyst. Whether working for an MSSP or for a company’s internal SOC, there will be times when interfacing with other teams requires the analyst to show a certain level of tact and professionalism. The third question helps the interviewer understand the prioritization skills of the analyst: if an analyst is working with a VP, there is a high probability there is a procedure around communicating with senior leadership within the org.

Scenario 2 is designed to test the applicant’s critical thinking and technical knowledge while also providing the interviewer with insight into the applicant’s investigative reasoning. This scenario also gives insight into the most important quality of a SOC analyst: if you don’t know the answer, admit it. The last thing the SOC team needs is a “know-it-all”; they are dangerous and toxic to the workplace. If this KB teaches you one thing, let it be this lesson. There will be questions you can’t answer, and that’s fine. The worst thing you can do is give a wrong answer with the confidence that you are 100% correct.

Remember that the above scenarios are examples only; each interviewer will use their own set of questions. The goal remains the same: to locate and select the best applicant for the position. Our goal is to assist you in becoming that applicant.

One last thing to end this KB. You are entering the world of “cybersecurity”. Cybersecurity is defined as “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” It is always correctly spelled as one word, denoting a profession, a practice, even an industry.
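The reasoning the interviewer wants to hear for Scenario 2 (internal-to-internal, UDP/161, tiny byte counts, many sources fanning in to one host is far more consistent with SNMP monitoring than with exfiltration) can be written down as a triage rule. This is an added example, not code from the article; the flow records and field layout are constructed here to mirror the scenario, and the thresholds are assumptions you would tune to your own environment.

```python
"""Triage helper for the UDP/161 interview scenario (added example, not from the article)."""
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges (the same ranges the question list above asks about)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


# Constructed sample flows: (src_ip, dst_ip, proto, dst_port, bytes).
# 24 internal hosts -> one internal host on UDP/161 with ~130-byte flows (the scenario),
# plus two contrast cases: a huge outbound TCP/443 flow and an ordinary DNS query.
SAMPLE_FLOWS = [("10.1.2.%d" % i, "10.0.0.5", "udp", 161, 120 + i) for i in range(1, 25)]
SAMPLE_FLOWS += [
    ("10.1.3.7", "203.0.113.9", "tcp", 443, 950_000_000),  # large volume to an external host
    ("10.1.3.8", "10.0.0.53", "udp", 53, 80),              # single small DNS flow
]


def triage(flows, fanin_threshold=10, small_bytes=1500, exfil_bytes=100_000_000):
    """Group flows by (dst, proto, dst_port) and attach a verdict to each group.

    Thresholds are assumptions: fanin_threshold distinct sources and an average flow
    below small_bytes are treated as polling-like; exfil_bytes of total volume to a
    non-RFC1918 destination is treated as worth escalating."""
    groups = defaultdict(list)
    for src, dst, proto, port, nbytes in flows:
        groups[(dst, proto, port)].append((src, nbytes))

    verdicts = {}
    for (dst, proto, port), members in groups.items():
        sources = {src for src, _ in members}
        total = sum(nbytes for _, nbytes in members)
        average = total / len(members)
        if not is_internal(dst) and total >= exfil_bytes:
            verdicts[(dst, proto, port)] = "possible exfiltration: large volume to external host; escalate"
        elif (is_internal(dst) and proto == "udp" and port == 161
              and len(sources) >= fanin_threshold and average < small_bytes):
            verdicts[(dst, proto, port)] = "likely SNMP monitoring traffic; confirm with the network team"
        else:
            verdicts[(dst, proto, port)] = "no pattern matched; review manually"
    return verdicts


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_FLOWS).items():
        print(key, "->", verdict)
```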