
The most common question about security jobs is how to get the first one. How does one break into security? Where are the entry level security jobs? I went to school and got a bachelor's in Information Systems Security. Even before leaving school, I started looking for entry level information security jobs. That concept, an entry level information security job, was built on a flawed premise. They don't exist.

My bias is built around that time period - 2008. The market collapsed, we had unemployment so high Congress had to vote to extend unemployment benefits and kick out a stimulus check, and no one was hiring. No one. And, with a few notable exceptions, people were hoarding information. Talks were as technical as you could get, and conferences were financially restrictive - especially to those who didn't have jobs. And people were scared. They were so scared they were hoarding information, doing everything in their power to make sure their company couldn't fire them. They hid the keys to the kingdom, and made sure no junior levels could move up and take their positions. Tales of the older workers making 3x that of junior employees being laid off, or RIFfed (reductions in force), were daily occurrences. Trust between employees and management was at an all-time low. No matter the company culture, everyone's IT got gutted. That affected the world today: soaring GDP and stagnant or falling wages, everyone wants contractors and not FTEs, and fewer companies are willing to pay for training for anyone not on their mission-critical staff. To a degree some of that is changing, but that change exists primarily in specialized areas.

What are the barriers? First and foremost, you don't know what you don't know. I fight with REST API coding as I took a coding class in 2006 and 2007. It was in Visual Basic. My coworker can puzzle through these issues in less than an hour when they take me days. I have to hunt through forums of questions to find more questions I didn't know to ask. Even for the veterans, not knowing what we don't know teeters on the edge of crippling. Secondly, I never had a mentor. There was no guiding hand to show me the way. I was the fat, straight, white guy. No one wanted another one of those in the pipeline. Plus, I was not a drinker, so I was never in the social circles of the people in power. I had to fight for my information, learning akin to strip mining or scorched earth, and there was no forgiveness for mistakes. I moved around a lot. Those who had mentors were guided through pitfalls with ease, and taught how to learn, as well as what to learn. Third, the career path was not defined. Listen to any faux humble "I'd never use the phrase thought leader" types, and they talk about a career path utopia where certs are pointless, and they'd take a skill set over formal education any day of the week. Next time you see this, look at the background. I would bet a steak dinner that they are A) ex-military, B) worked for a Federal Government three-letter acronym, or C) both. The most notorious of these people went military to NSA - and yes, that's more than one person. So, unless you are 18 with high technical skills about to join the military, most of their career advice is for naught. This fog completely obscures any vision of entry level security.

There is one thing you need to know, above all else. Burn this into your brain in large flaming letters.

THERE IS NO ENTRY LEVEL SECURITY JOB.

People will try to argue that. To do so violates one of my most important maxims: words matter. You can't approach that statement without trying to change the meaning of words. People do online. They then violate another maxim: deal with the world as it is. It's like a triad, pick two. You can have an entry level job, you can have a security job, or you can do entry level security. Entry level jobs don't carry the level of responsibility that security jobs have. Entry level security work is not something people pay for with the risk associated. Security jobs require a degree of expertise that far exceeds anything we think of as entry level.

Starting points in security depend on your background. Security analysts who work in SOC (Security Operations Center) environments have backgrounds looking at operating systems or network traffic, or both. They take expertise from a previous life as a sysadmin or network admin, and parlay that into looking through alerts for outliers in data transmission or deltas (differences) in configurations. SecDevOps people were DevOps people who learned to secure and bugfix their code, and the code on their systems. Network admins become firewall admins. Though I loathe to make the comparison, switching from one of the early IT jobs to security is akin to the evolution of a Pokémon, Abra to Kadabra to Alakazam. You can't move up until you've got a firm grasp on the previous level (without potentially crashing your career).

Deal with the three hurdles. First, all you need is a concept. Do you want to secure a network? Secure Windows/Mac/Linux operating systems? Attack networks? Build secure code? Start simply by googling that concept. There are numerous and extensive papers, articles, podcasts, and videos on nearly every subject. Or, even better, search Twitter. You will find many a person who tweets and writes about these concepts, and those who will retweet those who do. In doing so, you will clear hurdle one, and make it most of the way over hurdle two. The online community can act as a crowdsourced mentor. Read the writings of established professionals. Look at their histories on LinkedIn and see the evolution of their job titles. Look where they started and you will see you can come from nearly anywhere and get to security. Some are even approachable at conferences and talks. When you look at those histories and talk to those people, you will see that there are some basic funnels to get to where you want to go, but those aren't the only paths. Find something you want to do and pour yourself into it in your soon-to-be-not-free time. You will build yourself into a subject matter expert and that will have value. And that will help you clear hurdle number three.

If I could do it again knowing what I know now, what would I do differently?

If I were in college I would find a paid internship. This gets you in and working in a professional environment, and working with the tools they don't have in schools. Plus, it gets a real company on your resume, and then you aren't someone with no experience.

If I were in a career rut, I would build a home lab (very inexpensive with virtual machine software). I would play with tools like Wireshark, looking at traffic. I would rip apart group policy on multiple Windows operating systems. I would read about system vulnerabilities and how to attack them, then test it out. I would find free tools that mimic what the expensive stuff does, to make it easier to work with the tools I have never touched, as the underlying idea is the same.

Where I am now, I would keep learning. I would keep working to make sure I'm not ashamed for not knowing an answer my dramatically younger colleagues take for granted. I'd use Twitter more as a learning and networking tool, and as an outlet to share my view on topics I feel are underrepresented.

It doesn't get easier. But then again, neither does life. Keep pushing forward.

Infosec_Samurai


Threat hunting and threat intelligence have a special relationship. Think Sonny and Cher, peanut butter and jelly, even cake and ice cream. They each stand on their own, some with great renown, but put them together and you have a whole that far exceeds the sum of its parts. And like the ouroboros, hunting and intel feed off of each other.

Start with a hunt. The purpose of a hunt is to find adversary behavior on the network. You do this by forming a hypothesis (I believe the adversary is trying to move laterally through my network using PsExec), and then reviewing log data to test that hypothesis (which unexpected accounts are attempting type 3, that is network, logons to multiple systems, successful or not, around the time psexec.exe runs on the source host and its PSEXESVC service appears on the targets?). You find an anomaly and document it, then run it down to see whether it can be explained by regular user or system behavior. Should you find proof of adversary behavior, document everything and kick it over to incident response (assuming you are not also the incident responder). You then work to eliminate that adversary from your network.
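Here is that hypothesis written out as hunt logic, as an added example that is not part of the original post. It runs over a handful of constructed Windows event records (invented values, not real logs) that flatten Security events 4624/4625 (logon success/failure, with logon type), 4688 (process creation, which only appears when process-creation auditing is enabled) and System event 7045 (service installed, which is how PSEXESVC shows up on the target). The account name svc_backup, the host names and addresses, and the `min_hosts` and `window` thresholds are all assumptions made for the example; tune them to your own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for the example (not real telemetry). Each dict is
# a flattened view of one Windows event; field names loosely follow the event
# schema, values are invented.
SAMPLE_EVENTS = [
    # svc_backup fans out from 10.0.0.25 to four servers in under ten minutes,
    # with PSEXESVC appearing on the hosts where the logon succeeded.
    {"time": "2016-06-14T02:00:58", "id": 4688, "host": "WS-025", "user": "svc_backup",
     "process": r"C:\Users\Public\psexec.exe"},
    {"time": "2016-06-14T02:01:10", "id": 4624, "host": "FS-01", "user": "svc_backup",
     "logon_type": 3, "src_ip": "10.0.0.25"},
    {"time": "2016-06-14T02:01:12", "id": 7045, "host": "FS-01", "service": "PSEXESVC"},
    {"time": "2016-06-14T02:03:40", "id": 4625, "host": "SQL-01", "user": "svc_backup",
     "logon_type": 3, "src_ip": "10.0.0.25"},
    # An RDP (type 10) logon is outside this hypothesis and must be ignored.
    {"time": "2016-06-14T02:04:00", "id": 4624, "host": "SQL-01", "user": "svc_backup",
     "logon_type": 10, "src_ip": "10.0.0.25"},
    {"time": "2016-06-14T02:05:02", "id": 4624, "host": "DC-02", "user": "svc_backup",
     "logon_type": 3, "src_ip": "10.0.0.25"},
    {"time": "2016-06-14T02:05:03", "id": 7045, "host": "DC-02", "service": "PSEXESVC"},
    {"time": "2016-06-14T02:09:55", "id": 4625, "host": "HR-APP", "user": "svc_backup",
     "logon_type": 3, "src_ip": "10.0.0.25"},
    # jdoe touches two file servers over an afternoon: ordinary admin work.
    {"time": "2016-06-14T14:00:00", "id": 4624, "host": "FS-01", "user": "jdoe",
     "logon_type": 3, "src_ip": "10.0.1.7"},
    {"time": "2016-06-14T16:30:00", "id": 4624, "host": "FS-02", "user": "jdoe",
     "logon_type": 3, "src_ip": "10.0.1.7"},
]


def _ts(value):
    """Parse the ISO-8601 timestamps used in the sample records."""
    return datetime.fromisoformat(value)


def hunt_psexec_lateral(events, min_hosts=3, window=timedelta(minutes=30)):
    """Return one finding per account whose type 3 (network) logons, successful
    or failed, reach at least `min_hosts` distinct hosts inside `window`.

    Each finding carries the corroborating PsExec artefacts: hosts where the
    account ran psexec.exe (4688) and targeted hosts where PSEXESVC was
    installed (7045). The thresholds are example assumptions.
    """
    logons = defaultdict(list)         # user -> [(time, host, success, src_ip)]
    psexec_clients = defaultdict(set)  # user -> hosts where psexec.exe ran
    psexesvc_hosts = {}                # host -> time PSEXESVC was installed

    for e in events:
        t = _ts(e["time"])
        if e["id"] in (4624, 4625) and e.get("logon_type") == 3:
            logons[e["user"]].append((t, e["host"], e["id"] == 4624, e["src_ip"]))
        elif e["id"] == 4688 and e["process"].lower().endswith("psexec.exe"):
            psexec_clients[e["user"]].add(e["host"])
        elif e["id"] == 7045 and e["service"].upper() == "PSEXESVC":
            psexesvc_hosts[e["host"]] = t

    findings = []
    for user, rows in logons.items():
        rows.sort()
        # Sliding window: the largest set of distinct hosts reached by this
        # account within any `window`-long span.
        best, start = set(), 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            hosts = {h for _, h, _, _ in rows[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) < min_hosts:
            continue
        findings.append({
            "user": user,
            "hosts": sorted(best),
            "failed": sum(1 for _, h, ok, _ in rows if h in best and not ok),
            "src_ips": sorted({ip for _, h, _, ip in rows if h in best}),
            "psexec_on": sorted(psexec_clients.get(user, ())),
            "psexesvc_on": sorted(h for h in best if h in psexesvc_hosts),
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_psexec_lateral(SAMPLE_EVENTS):
        print(finding)
```

The thing to notice is which host carries which artefact: psexec.exe itself only ever runs on the source (here WS-025), the type 3 logon and the PSEXESVC service land on each target, and a burst of failures mixed in with successes is exactly the "successful or not" the hypothesis asks for. An account that reaches two servers over an afternoon (jdoe) never trips the threshold, which is the first "can this be explained by regular behavior" filter; anything that does trip it still has to be run down by hand before it goes to incident response.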

Enter threat intelligence. They take the documentation from the hunt and analyze it. Was there a pattern in the remote login attempts? Did it target servers with a specific function? Was it the same user every time? Was it regular users or IT users with higher levels of access? Did it happen during certain times of the day indicating an adversary's working hours? What other processes did the compromised user account attempt? They work to see if it is all the work of one adversary or multiple.

Yes, multiple adversaries can be inside the same network at the same time, each unaware of the other or assuming the other's activity is legitimate sysadmin or security work. See CrowdStrike's after-action report on the 2016 DNC hack, which found two separate actors operating in the same environment.

Threat intel works to build a profile, and that includes examining the kill chain from the reconnaissance stage to the point the adversary was discovered. The diamond model (http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf) tracks an adversary along the kill chain (https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html), focusing on four points at each step: adversary, infrastructure, capability, victim. To analyze an attack, threat intel wants to fill in all four vertices of the diamond at every stage. As they build the profile, they will see that an adversary may have undiscovered capabilities. An adversary may be discovered moving laterally with PsExec, but how did they get on the network to begin with? How did they establish persistence? Building the adversary profile will create more questions. The profile can then be compared against previous adversary documentation, or against information from external trusted threat intelligence sources.

The intel team takes these questions back to the hunters. Please hunt the history of the account usage, and look for the origin of the anomalous behavior. Something had to happen (a process run, a file downloaded, a website visited) that preceded it. The hunters then refine the hunt using the parameters given to them by the threat intel team to flesh out more of the adversary's capabilities. They return their findings to intel, who analyze and ask more questions, the hunters refine the hunt even more, and this process is cyclical until the adversary's tactics, techniques, and procedures can be assessed and documented.

The first result of this is a set of alerts (traps) that fire should the adversary ever penetrate the network again. Incident responders can then use the adversary profile created by intel, combined with the information gathered by the hunters, to contain and eradicate the adversary's presence far more rapidly. These profiles can be used to track similar but separate adversaries, and help paint a picture of motivation. This tracking of adversaries, and the intent derived from their behavior, can be documented and taken to leadership: these are the types of organizations targeting our institution, and this is what they find valuable to disrupt and steal; we are better off directing our resources to elevate protection on this set of assets and people.

Documented evidence of intent and capability against a clear target makes it easier for leadership to support a course of action. This continual process relies heavily on coordination between the hunters and the gatherers.

None of us is as secure as all of us.

Infosec_Samurai