Introduction
Hello and welcome. Today I'm trying something different - I'm going to teach you how to take my job. Now, I'm pretty impatient when it comes to reading stuff and I like learning by doing, so I'll try to keep it short and sweet.
me: I'm pretty impatient
me: I'll try to keep it short and practical
narrator: he did not, in fact, keep it short and practical
What to expect
This post is intended to be a guide to working in a Security Engineering team in a Security Operations Center. I can only speak to my experiences and what I've done, so this will be advice from me to "me". It's free advice, so keep in mind it might not be very good.
My experience
In order to understand why I do what I do and why I enjoy it, you need to know two things:
- What I enjoy doing
- What I've tried and learned from trying
What I enjoy doing
I'm pretty interested in learning, but I'll never be the guy to do research and publish new findings. I don't need to understand things 100% to make them work; some aspects of the things I do can remain "automagical" to me, and that's fine. In my eyes this is both a blessing and a curse: I can get stuff done quickly, but sometimes I'll misunderstand something and it will stop working.
I like to build stuff, and I'd rather read a compact blog post with 10 commands and some pictures than a long-winded post with a detailed explanation. I'll try to fill in the blanks myself.
What Iāve tried
- System administration
- Network administration
- Windows developer/automation engineer
- Penetration tester
- Security Engineering
Technologies Iāve worked with
- Windows Server (2003, 2008, 2012, 2012R2, 2016)
- Active Directory
- Cisco routers and switches
- Palo Alto firewalls
- Powershell
- C, Assembly (don't remember anything)
- Python
- Azure
- Azure Lighthouse
- Microsoft Sentinel
- AWS (a little)
- Azure DevOps
- Pipelines
- Virtualization
- VMWare vCenter/ESXi
- VirtualBox
- Hyper-V
- Windows (XP, 7, 10, 11)
- Linux (Ubuntu, Kali)
- Probably a lot more that I don't remember, but these are the main things
What did I learn?
- I like building stuff
- I'm not very organized and easily jump from technology to technology
- I like trying new things
- Because I'm a bit of an untidy person, I need something static (usually my team)
This resulted in a job in Security Engineering - it's not really defined; I do development and maintenance, I create tooling to support analysts, CTI, management and my own team, I get to design solutions, etc. I think it's very much "what you make it". I can do a lot of different things while staying in the same team and with the same people.
Basics
To quote from Teri Radichel's post "I Want to Be A Cloud Security Engineer":
Way too many people try to go straight into penetration testing. In my opinion, you'll be better off if you first get a deep understanding of networking fundamentals, software development, identity and access management, operating systems, and how encryption works prior to diving in and testing for security bugs.
I agree with this sentiment in the general sense - you should learn your basics before working in Cyber Security. I believe any Cyber Security function or role can be enhanced by having some prior experience in that same field. I'm not saying this is the rule and everyone should abide by it, but let's take penetration testing as an example:
If you know how to configure Active Directory, how trusts work, how the Windows operating system works, and have some basic knowledge of PowerShell and system administration in general, you'll write a much better report for the blue team, and chances are you'll also be better at finding weaknesses and misconfigurations compared to someone just running a Nessus scan.
Someone new might not know that Microsoft bundles fixes into cumulative updates, so a host with the latest cumulative update installed already contains the fixes that a scanner whose plugin data has not caught up reports as missing. For a window of time you can therefore get Nessus results showing missing critical patches until Nessus itself has been updated.
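To make the cumulative-update point concrete, here is an added Python example (my own illustration, not code from the post or from Nessus): a tiny supersedence check that shows why a scanner with stale supersedence data reports "missing" KBs that a newer cumulative update already contains. The KB numbers and the supersedence chain are constructed placeholders, not real Microsoft identifiers.

```python
"""Added example: why a stale scanner reports patches a cumulative update already contains.

Windows cumulative updates supersede earlier ones: a host with the latest
cumulative update installed has every fix from the updates it replaces. A
scanner that checks for individual KBs and has not yet learned the new
supersedence relationship flags the older KBs as missing. The KB numbers and
the supersedence chain below are constructed placeholders, not real Microsoft
identifiers."""

from typing import Dict, Iterable, List, Set

# Constructed supersedence map: a later update -> the updates it replaces.
SUPERSEDES: Dict[str, Set[str]] = {
    "KB9000003": {"KB9000002"},  # pretend this is the newest cumulative update
    "KB9000002": {"KB9000001"},
}


def covered_by(installed: Iterable[str], supersedes: Dict[str, Set[str]]) -> Set[str]:
    """Expand the installed KBs with everything they transitively supersede."""
    covered: Set[str] = set(installed)
    stack = list(covered)
    while stack:
        kb = stack.pop()
        for older in supersedes.get(kb, ()):
            if older not in covered:
                covered.add(older)
                stack.append(older)
    return covered


def missing_patches(required: Iterable[str], installed: Iterable[str],
                    supersedes: Dict[str, Set[str]]) -> List[str]:
    """Required KBs that are satisfied neither directly nor by a superseding update."""
    return sorted(set(required) - covered_by(installed, supersedes))


if __name__ == "__main__":
    required = ["KB9000001", "KB9000002"]   # what the scan policy says must be present
    installed = ["KB9000003"]               # the host only lists the newest cumulative update

    # Scanner whose supersedence data has not caught up: false "missing" findings.
    print("stale data   ->", missing_patches(required, installed, {}))
    # Same host after the scanner learned the chain: nothing missing.
    print("updated data ->", missing_patches(required, installed, SUPERSEDES))
```

With an empty supersedence map the host looks two critical patches behind; with the chain loaded the same host is clean. That gap is exactly the "window of time" between a Patch Tuesday release and the scanner update that knows about it, and it is worth explaining in the report rather than copying the scanner's output.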
Learn operating systems
You should know basic usage of Linux and Windows, including their respective terminals.
Learn scripting
Learn a scripting language (I prefer PowerShell, but Python also works very well) that you can use for both writing simple scripts and automation.
My best tip here is to have a project - something you do daily that you'd like to automate - then use Google and build it in your scripting language of choice.
Resources
Learn a hypervisor
Know how to set up and configure a hypervisor like VMware, Hyper-V or VirtualBox (which is free) in order to spin up virtual machines to test and develop stuff.
Resources
Learn basic networking
Know how you interconnect computers, virtual and physical. Also learn what components usually exist in a network, like routers, switches and firewalls.
Resources
Learn directory structures
You should know your way around Active Directory and know how it lets you manage users, groups, computers and policies. Learn the basics about how it's built up and how you interconnect it. You should also probably know how it connects to Azure AD.
You should also learn Azure AD or similar tooling from another provider like AWS IAM.
My advice here is to look at the diagrams of the architecture and try to understand how it works. You should probably also spin up a lab using your hypervisor of choice.
Resources
- AWS IAM
- Azure AD Fundamentals
- Building a small lab using VirtualBox by chryzsh
- Building a lab with ESXi and Vagrant by chryzsh
Learn a cloud
Get into a cloud provider like Azure, AWS or GCP. I recommend trying out Azure and looking at the AZ-900 certification and learning path:
- Microsoft Azure Fundamentals: Describe cloud concepts
- Azure Fundamentals: Describe Azure architecture and services
- Azure Fundamentals: Describe Azure management and governance
Try creating some simple services, understand how it all works together, and translate the things you've looked at earlier to the cloud - for example networking: how does the cloud provider you picked implement networks, subnets and firewalls?
Resources
Next step
Moving on from the basics, we need to implement some security into all this.
Learn basic cyber security principles
There's a lot to be said about what's important in Cyber Security, and there's a lot of it, but know the following:
The purpose of the cyber security principles is to provide strategic guidance on how an organisation can protect their systems and data from cyber threats. These cyber security principles are grouped into four key activities: govern, protect, detect and respond.
- Govern: Identifying and managing security risks.
- Protect: Implementing controls to reduce security risks.
- Detect: Detecting and understanding cyber security events to identify cyber security incidents.
- Respond: Responding to and recovering from cyber security incidents.
For more detailed information, look at the cyber security principles by Australian Cyber Security Centre (ACSC).
You should also know the CIA principle:
- Confidentiality - refers to an organization's efforts to keep their data private or secret. In practice, it's about controlling access to data to prevent unauthorized disclosure.
- Integrity - in everyday usage, integrity refers to the quality of something being whole or complete. In InfoSec, integrity is about ensuring that data has not been tampered with and, therefore, can be trusted. It is correct, authentic, and reliable.
- Availability - systems, applications, and data are of little value to an organization and its customers if they are not accessible when authorized users need them. Quite simply, availability means that networks, systems, and applications are up and running. It ensures that authorized users have timely, reliable access to resources when they are needed.
Or as I drew it for another blogpost (I really am an artist):
Hack your stuff
I think that in order to better understand how things work and how to protect them, we should know in some way how to hack them. I helped write a little book on how to hack, and the general steps are as follows:
- Enumeration
- Vulnerability analysis
- Exploitation
- Privilege escalation
You can read more about it, but the idea is to use tools or commands to enumerate what you currently have access to. This can be on a computer, inside the network or on an external web server. From there we analyze what we found and perform a vulnerability analysis, which usually consists of googling a lot to see if we can spot any unpatched vulnerable software or misconfigurations.
After this we exploit what we found to gain access or, as in the last step, higher privileges. Then we loop around and enumerate again with our new access or privileges until we find what we want.
I really recommend building your own labs, or trying out a commercial solution. There are multiple GitHub projects for this, and sites like TryHackMe and HackTheBox that allow you to try hacking single machines/web servers or big environments.
Resources
Automate everything
Take your scripting language and automate everything. Have something you do every single day? Why? Friends don't let friends right-click publish.
Put your stuff into a pipeline, automate testing as far as possible, automate scheduled tasks. Automate everything.
I wrote about templating analytic rules earlier and included some resources to get started with a free Azure DevOps organization and how to get 1800 minutes of free runtime. You can also use GitHub and GitHub Actions.
My best advice is to identify a process you manually perform quite often and look into automating it:
- Does it have an API?
- How can I call the API using my scripting language of choice?
- Implement the script in a pipeline with secure variables (we don't hardcode tokens here)
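As an added example (mine, not from the post), here is the shape such a script takes in Python when tokens come from pipeline secure variables rather than from source: the token is read from an environment variable (the name API_TOKEN is an assumption; map your pipeline secret to it), it is redacted before anything is logged, and a small pre-flight check scans a script for hardcoded-looking secrets so the pipeline can fail the run before it ever calls the API. The regexes and the scanned script text are constructed for the demo.

```python
"""Added example: secrets from pipeline secure variables, never from source.

Two guard rails for the "we don't hardcode tokens here" rule:
  1. load_token() reads the API token from an environment variable that the
     pipeline populates from a secure variable, and fails loudly if it is absent.
  2. find_hardcoded_secrets() is a pre-flight check the pipeline can run over a
     script before executing it, so a token pasted into source fails the build.
The variable name API_TOKEN, the regexes and the sample script are assumptions
constructed for this demo, not something the post or any tool defines."""

import os
import re
from typing import Dict, List, Mapping, Optional, Tuple

TOKEN_ENV = "API_TOKEN"  # assumed name of the secure variable mapped into the job


def load_token(env: Optional[Mapping[str, str]] = None) -> str:
    """Return the token from the environment; raise if it is missing or blank."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(
            f"{TOKEN_ENV} is not set; map the pipeline secret to it instead of hardcoding"
        )
    return token


def auth_headers(token: str) -> Dict[str, str]:
    """Headers for a bearer-token API call; the token never touches source or logs."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def redact(token: str) -> str:
    """Mask all but the last four characters so a log line cannot leak the secret."""
    if len(token) <= 4:
        return "****"
    return "*" * (len(token) - 4) + token[-4:]


# Simplified patterns for secrets that should never be committed (constructed here;
# a real secret-scanning hook uses many more).
HARDCODED_PATTERNS = [
    # token = "....", password = '....' and similar assignments of long literals
    re.compile(r"""(?i)(token|secret|password|apikey|api_key)\s*=\s*['"][^'"]{8,}['"]"""),
    # a literal bearer token pasted straight into a header
    re.compile(r"Bearer\s+[A-Za-z0-9._\-]{20,}"),
]


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line that looks like a hardcoded secret."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if any(p.search(line) for p in HARDCODED_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


# Constructed script text standing in for a file checked into the repo.
SAMPLE_SCRIPT = '''import os
token = "abcdefghijklmnopqrstuvwxyz123456"   # bad: hardcoded secret
headers = {"Authorization": "Bearer " + token}
good = os.environ["API_TOKEN"]               # fine: comes from the pipeline
'''


if __name__ == "__main__":
    # Pre-flight: a pipeline step would exit non-zero if this list is non-empty.
    for lineno, line in find_hardcoded_secrets(SAMPLE_SCRIPT):
        print(f"hardcoded secret at line {lineno}: {line}")

    # Use the real environment when the pipeline provided it, else a demo value.
    env = os.environ if TOKEN_ENV in os.environ else {TOKEN_ENV: "demo-token-from-secure-variable"}
    tok = load_token(env)
    print("using token", redact(tok), "with headers", sorted(auth_headers(tok)))
```

In Azure DevOps a secret variable is exposed to the job only when you map it explicitly in the task's `env:` section, and in GitHub Actions you reference it from `secrets.*` the same way; either way the script itself only ever sees the environment variable, so the same code runs unchanged on your laptop (with the variable exported) and in the pipeline.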
Resources
Fail a bunch
Not mentioned above: I've tried a lot of stuff and most of it probably failed. Part of the reason I'm where I am today isn't because I'm very intelligent, quite the contrary. My lack of second thought often lets me click "deploy" or run a script I didn't quite understand, creating some sort of unforeseen circumstance. A simple translation might be "I've fucked up a lot" or something like that. The end result is that I am quite knowledgeable (at least on what not to do).
Embrace errors, embrace failures. Find yourself a boss, team and company that will allow you to fail a lot and who don't point fingers. That's how you learn.
Important note: always be honest. If you don't know, you don't know. If you're unsure about something, that means you're sure you're unsure, if that makes any sense?
Most importantly
I don't really subscribe to the whole "pull yourself up by the bootstraps" or any sort of grindset mentality. You don't need to work 16 hours a day to make it.
That being said, you need to be curious and hungry to learn new things. If you're already working then you might need to spend some free time learning, but if you really enjoy what you're working on then you might not even feel like it's work.
Closing thoughts
Cyber Security is a vast field. I work in a small subsection doing things I enjoy. Try a lot of things, fail a lot and try to find out what makes you tick.
Also - if you have any questions, feedback or want to discuss something relating to this post (or anything else related to security, really) - feel free to reach out. There's an email (which I check rarely) supplied in the about me section, or you can find me on LinkedIn, Discord etc.