April 12, 2023
Hello, and once again I want to thank you all for contributing to my articles and videos trending in cybersecurity weekly. I hope I can continue to provide content that you find valuable and helpful. The goal of all this is to help as many people as possible join this great industry, which has allowed me to live the life I've wanted to live. And as usual, thank you for the suggestions on job roles to cover; keep them coming! As is my standard for this article format, we will address the following things:
- Entry-Level Outlook
Let’s go ahead and take a look at the first job.
IT/IS Auditor
When I entered IT way back in the day, it was considered "common knowledge" that IT auditing was boring and not very important. I quickly learned that both of those myths were unfounded. One of the more interesting experiences I've had in cybersecurity was being pulled in as the incident response and data breach SME to assist a large audit practice inside a very large organization that was auditing its own internal incident response and data breach capabilities. It was one of my first times having to simply observe and assess, without actually doing or "fixing" anything. It was also one of the best learning experiences I've ever had. The project lasted about three months, and I feel like I learned as much about audit as the audit team learned about IR and cybersecurity. With audit, a lot of the focus is on risk. You will probably not be auditing whether or not an organization is secure; you will more likely be checking whether it even has the controls in place to measure security. You will establish audit standards within the organization and make sure chartered audits follow those standards. Your audits can extend to the network, applications, cloud services, and even people. You might conduct work observation activities, where you, possibly alongside an expert in the area, sit and observe staff using certain tools and performing certain techniques, and compare how they are performing against how well they should be performing given a certain level of competence. Yes, it can get very deep and very detailed. It is also usually up to the audit team to decide when to bring in outside experts to assist with a charter. I was fascinated by how strictly they adhered to the audit standards. As an auditor, you may also be responsible for ensuring the IT or security organization adheres to compliance and regulatory requirements.
There are different kinds of IT and cybersecurity audits. Some examples from cio.com include the following:
- Technological innovation process: an audit process that creates a risk profile for current and future projects with a focus on the company’s experience with those technologies and where it stands in the market
- Innovative comparison audit: an audit that looks at an organization’s ability to innovate compared to competitors and evaluates how well the company produces new products
- Technological position audit: an audit that examines current technology in the organization and future technologies that will need to be adopted
- Systems and applications: an audit process that specifically evaluates whether systems and applications are controlled, reliable, efficient, secure and effective
- Information processing facilities: an audit to evaluate an organization’s ability to produce applications even in disruptive conditions
- Systems development: an audit for verifying that systems that are being developed are suited for the organization and meet development standards
- Management of IT and enterprise architecture: an audit of the IT management’s organizational structure for information processing
- Client, server, telecommunications, intranets and extranets: audits to examine controls on client-connected servers and network.
Most of the IT audit jobs I see advertised and hear about from my colleagues still prefer a bachelor's degree in computer science, finance, or some type of management information systems degree. This is not surprising, because half the IT/IS auditors I know come from a CPA/accounting background. Since IT audit falls under the internal audit practice in most organizations, it is logical that a lot of the talent comes from that background.
Some Complementary Certifications
CISA – Certified Information Systems Auditor – This certification was created specifically for this job role, mostly by people who serve in this role.
CISSP – Certified Information Systems Security Professional – The premier security management certification. It provides a great high-level view of all things cybersecurity, which gives someone with CISA-level knowledge a bit more depth in cyber with less focus on audit.
CCSP – Certified Cloud Security Professional – This is ISC2's first cloud security certification. In the same spirit as the CISSP, it is very broad and covers a large area of cloud security. It is also vendor-neutral and gives a good overall view of cloud security. For budding IT/IS auditors, one of your future (or immediate) duties will be to assess and audit cloud readiness and the migration of controls to cloud services. Get ahead of this now. If you are in an organization that uses a specific Cloud Service Provider (CSP), consider some of that CSP's vendor-specific certifications as well.
CRISC – Certified in Risk and Information Systems Control – This certification focuses on IT and enterprise risk management. Of the certifications listed here, it is likely the most natural partner to CISA, as it comes from the same organization, ISACA.
There are clearly more certification options if you want to focus on a specific area of IT/IS audit. For example, if you are doing a significant amount of incident response audit, it may be advisable to nail down something like CSIH or ECIH.
Average Salary – $91,000/year
As usual, I want to remind you that this number is an average across the US. If you look at the sources I pooled and averaged this from, you will see that some of the higher-end roles are near $150,000/year, and some senior-level managers make over $200K. Sources: indeed.com, monster.com, glassdoor.com, ziprecruiter.com
Summary and Entry-Level Outlook
This is actually a very entry-level-friendly role. In most of the larger organizations I've worked with, there are usually one or a few people right out of college, with a computer science degree or an accounting degree and a freshly minted CPA, working as juniors in these roles. It is also a good pivot role: you will be auditing many different cybersecurity-related technologies and jobs, which gives you exposure and an opportunity to look under the hood of each role and see if it is one you might want to pursue. I truly believe that the IT/IS audit role is one of the most overlooked and underrated roles.
Cyber Threat Hunter
Cyber threat hunting happens to be one of the core services provided by my organization. It is also the activity I enjoy the most, aside from training. A lot of what we do in cybersecurity is relatively reactive. Cyber threat hunting is truly proactive. When we go into an environment to hunt, we assume the threat actors are already there. We are not there because an IDS alerted, or because outside intel said the organization was compromised. We hunt proactively: we form a hypothesis, then hunt based on that hypothesis. We assume that everything you have done to keep threat actors out has failed, that they have made it into the environment, and that they are actively moving around, stealing data, or doing whatever else they choose. One key requirement is understanding how advanced threat actors move in an environment. What makes their activity look different from everything else going on in the environment? We know that advanced threat actors go to a lot of effort to blend in, including "living off the land": using the administrative tools, protocols, and credentials already present in the environment rather than bringing in and installing their own malware or tooling. We are there to do battle with the actual threat actors on the actual battleground: our customers' networks. If you want a deep dive into what that looks like, check out my YouTube series on cyber threat hunting. You can find it here: Introduction to Threat Hunting.
Threat hunting is one of the very few things I do that is enhanced by everything else I have done throughout my career. Forensics, incident response, penetration testing, exploit development, and threat intelligence are all knowledge areas that aid in performing threat hunting operations. We regularly find operators establishing RDP sessions internally from one device to another. We find them exfiltrating data to AWS, Azure, or Google cloud devices from inside the network. I have learned about covert channel techniques I didn't know existed before discovering a particular group using them. It really is a job that puts you right in the face of the adversary. Yes, every cybersecurity job tries to sound as if it "puts you in a battle of wits with the bad guys", but this is one of the roles that actually follows through on that. By the way, you have to be able to find and track them while remaining relatively stealthy yourself; you don't necessarily want the threat actor to know you are tracking them. And to be honest, some of the threat actors are so advanced and have been inside the environment so long that they have better visibility than some of the network defenders in the organization. This is in no way a slam on those defenders, but a testament to how deeply rooted some of these threat actors are in the environment.
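As an added example (not from the original article or the author's hunting series), here is what a hypothesis-driven hunt for the internal RDP lateral movement described above can look like when run over log data. The hypothesis is the one the paragraph implies: an operator living off the land hops from host to host with the built-in RDP client and a valid account, so the host one RDP session lands on should soon become the source of the next session under the same account. The hostnames, accounts, timestamps and the sanctioned jump host JUMP01 are constructed for this example; the event fields (EventID 4624, LogonType 10, TargetUserName, WorkstationName, Computer) are the standard Windows Security log fields a SIEM export would carry.

```python
"""
Hypothesis-driven hunt for RDP lateral-movement chains.

Hypothesis: an operator who has landed on one workstation is moving laterally
with the built-in RDP client and valid credentials (living off the land). If
so, the destination of one RemoteInteractive logon (Windows Security event
4624, LogonType 10) should itself become the source of another
RemoteInteractive logon shortly afterwards, under the same account.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RdpLogon:
    when: datetime
    account: str
    src_host: str  # where the session came from (4624 WorkstationName)
    dst_host: str  # the host that recorded the 4624


# Constructed sample of 4624 records as a SIEM export might deliver them.
# Hostnames, accounts and timestamps are invented for this example.
SAMPLE_EVENTS = [
    # Expected admin pattern: a single hop from the sanctioned jump host.
    {"TimeCreated": "2023-04-03T08:02:11", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "svc_backup", "WorkstationName": "JUMP01", "Computer": "FS02"},
    # Suspicious: jdoe hops WS01 -> WS07 -> FS02 -> DC01 within 40 minutes.
    {"TimeCreated": "2023-04-03T10:14:02", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "jdoe", "WorkstationName": "WS01", "Computer": "WS07"},
    {"TimeCreated": "2023-04-03T10:31:45", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "jdoe", "WorkstationName": "WS07", "Computer": "FS02"},
    {"TimeCreated": "2023-04-03T10:52:19", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "JDOE", "WorkstationName": "fs02", "Computer": "DC01"},
    # Noise: a network (type 3) logon is not RDP and must be ignored.
    {"TimeCreated": "2023-04-03T11:03:00", "EventID": 4624, "LogonType": 3,
     "TargetUserName": "jdoe", "WorkstationName": "WS01", "Computer": "PRINT01"},
    # Benign single hop between two workstations.
    {"TimeCreated": "2023-04-03T15:40:27", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "asmith", "WorkstationName": "WS03", "Computer": "WS09"},
    # Same account from DC01 the next day: outside the window, not chained.
    {"TimeCreated": "2023-04-04T09:10:55", "EventID": 4624, "LogonType": 10,
     "TargetUserName": "jdoe", "WorkstationName": "DC01", "Computer": "WS12"},
]


def parse_rdp_logons(events):
    """Keep only successful RemoteInteractive logons and normalise names.
    Real 4624 data often has a blank WorkstationName; fall back to the
    IpAddress field and resolve it before running the hunt."""
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 10:
            continue
        yield RdpLogon(
            when=datetime.fromisoformat(ev["TimeCreated"]),
            account=ev["TargetUserName"].lower(),
            src_host=ev["WorkstationName"].upper(),
            dst_host=ev["Computer"].upper(),
        )


def find_rdp_chains(events, window=timedelta(hours=2), min_hops=2, jump_hosts=frozenset()):
    """Return maximal chains of RDP hops where each hop's destination is the
    next hop's source, same account, within `window`. Chains that start on a
    sanctioned jump host are the expected admin pattern and are skipped."""
    logons = sorted(parse_rdp_logons(events), key=lambda e: e.when)
    by_account_src = defaultdict(list)
    for e in logons:
        by_account_src[(e.account, e.src_host)].append(e)

    def successors(e):
        # Later hops launched *from* the host this logon landed on.
        return [f for f in by_account_src[(e.account, e.dst_host)]
                if timedelta(0) < f.when - e.when <= window]

    has_predecessor = {f for e in logons for f in successors(e)}
    chains = []

    def extend(path):
        nxt = successors(path[-1])
        if not nxt:
            if len(path) >= min_hops:
                chains.append(path)
            return
        for f in nxt:
            extend(path + [f])

    for e in logons:
        if e in has_predecessor or e.src_host in jump_hosts:
            continue  # not a chain start, or sanctioned jump-host activity
        extend([e])
    return chains


def chain_hosts(chain):
    """Hosts visited by a chain, in order: first source, then each destination."""
    return [chain[0].src_host] + [hop.dst_host for hop in chain]


def describe_chain(chain):
    hosts = " -> ".join(chain_hosts(chain))
    return (f"{chain[0].account}: {hosts} "
            f"({chain[0].when:%Y-%m-%d %H:%M} .. {chain[-1].when:%H:%M})")


if __name__ == "__main__":
    for chain in find_rdp_chains(SAMPLE_EVENTS, jump_hosts=frozenset({"JUMP01"})):
        print(describe_chain(chain))
```

The hypothesis is what makes this a hunt rather than an alert: instead of flagging every RDP logon, the code asks a narrower question (did the host a session landed on turn around and open another session under the same account?) and treats the sanctioned jump host as the expected baseline, so the svc_backup hop is never reported while the three-hop jdoe chain is. In a real environment the time window, the jump-host allowlist and the handling of blank WorkstationName fields all need tuning to the customer's network, and a hit is a lead for an analyst to pull the surrounding process and network telemetry on, not a verdict.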
Requirements
A lot of the cyber threat hunter jobs ask for a bachelor's degree; however, most of them say that experience can substitute for the degree requirement. You will most likely be expected to have significant (five years or more) hands-on technical security experience. You will need to understand how SIEMs, firewalls, routers, switches, IDS/IPS modules, packet brokers, and various logging systems work. You will also need a healthy dose of cloud knowledge. You will need to be skilled in memory forensics and analysis and in traffic forensics and analysis, as well as understand threat actor behavior and movement.
Some Complementary Certifications
CEH – Certified Ethical Hacker – You need a solid, proven foundation in offensive skills. This certification remains one of the top choices for entry-level technical offensive security.
CCTHP – Certified Cyber Threat Hunting Professional – This is definitely a good professional certification for threat hunting. Preparing for it, you will learn the things you need to master and get a solid foundation in how hypotheses are formed to conduct a hunt, data sources, applying machine learning to large amounts of data, and much more.
SIEM Certifications – Splunk, QRadar, LogRhythm, Exabeam, and others. Of course, I'm not endorsing any of these products, but if you are going to hunt in an enterprise environment, you will have to be able to talk and walk SIEM. Getting access to and correlating the information you need becomes many times more efficient when SIEM output and logs are properly integrated into your hunt. You don't need to be an expert with every SIEM listed here, but you do need to know what a SIEM is, what it can and cannot provide you, and some fundamentals of how they work. The vendors are listed here specifically in case you want to go see demonstrations, whitepapers, or other literature on their sites to learn more about them.
Cloud Certifications – Amazon, Microsoft, Google. To hunt properly, you will need a detailed understanding of the type of environment you are hunting in. You will need to know where to get certain data or logs. You might even be interested in data and logs that most of the IT or security organization never uses for anything. Trying to hunt in a cloud environment with only traditional infrastructure knowledge is like taking one of my many good friends from where I grew up in Mississippi, who are expert deer and turkey hunters, dropping them in a sub-Saharan forest with only knowledge of the Mississippi woods, and telling them to bag a few lions. It is not going to end well, and neither will your threat hunting if you hunt in a cloud environment without knowledge of it.
I would like to add here that gaining some knowledge of data science will help tremendously. I am personally on this endeavor right now, spending a decent number of hours per week studying, working on projects, and turning out code that lets me take full advantage of machine learning algorithms and the knowledge people in that field have left for the rest of us. I won't put this down as a core recommendation, but if you are already a seasoned threat hunter, I would add it to your to-do list. I've worked on a couple of significant projects, which I can't publicly discuss, that were 100% based on developing automated offensive capabilities built mostly on machine learning and deep learning, with the eventual goal of something that resembles actual AI. Those projects have given me knowledge that has translated nicely into finally knowing what to do with the overwhelming amount of log data we deal with in threat hunting operations in big environments.
Average Salary – $87,000/year
Don't let the low average throw you off. Remember, this job is very new and not even known about in a lot of the cybersecurity world. As environments become more abstract (cloud) and harder to defend, this role will probably grow in importance, and you will see salaries spike as a result. I know of a few threat hunters making 180K to 200K or more. And personally, my billing rate for threat hunting operations is in line with incident response rates. Sources: indeed.com, monster.com, glassdoor.com
Summary and Entry-Level Outlook
While this is clearly not an entry-level position, there are definitely some ways to enter threat hunting without being an expert. If there is an entry-level opportunity available, it is worth looking into. Last year I helped an organization build a threat hunting team, and it consisted of about three pentesters, two incident responders, one senior SOC analyst, and one entry-level SOC analyst. So the opportunities may be there for an entry-level person, but the chances are low. I do believe this role has a great long-term outlook. I have noticed that we get requests for this kind of work more frequently from organizations that have been through data breaches and have matured to the point where they understand that threat actors will get in, and that someone now has to proactively look for them. This change in attitude and maturity is happening at a pretty quick rate among enterprises and government. Look for this role to be around for a while.
Bug Bounty Hunter
This role was a suggestion from Kwame Bediako Asare, one of the people who have commented on these articles. He made a great point: while bug bounty hunting is generally considered an advanced role, it is also a great role to slide into part-time, and part-time is definitely one safe way to ease into cybersecurity. It is also something you can get into without the approval of an HR person or a gauntlet of interviews. For example, Verizon has paid out $9,500,000 in bug bounties, with some individual payouts as high as $70,000! You will definitely need to spend some time learning about protocols: how they are intended to work, how they actually work, and everything in between. It is also a good idea to brush up on your understanding of web applications and how they work, since so many bug bounty programs focus on web applications. HackerOne has some great information about how to become a bug bounty hunter here: HackerOne bug bounty resources.
Some Complementary Certifications
These are some certifications that can definitely help you on your path to finding your first bug.
CREA – Certified Reverse Engineering Analyst – This is a great reverse engineering certification, and it also does a tremendous job of introducing you to fuzzing technologies and even to building your own fuzzers. Most importantly, you will gain some decent knowledge of breaking down how applications work without having their source code, which can be key to finding bugs.
CEPT – Certified Expert Penetration Tester – This certification also does a great job of thoroughly covering fuzzing. The official training for this certification is where the real value is. You will also learn about bypassing memory protections, ROP chain exploitation, and other techniques for getting around the protection mechanisms that stand between finding a bug and proving it is exploitable.
SANS SEC542 Web Application Penetration Testing – This is one of the best web application testing and fuzzing courses out there. It goes in depth on techniques for mapping out the functionality of a web application and then moves into how to exploit that functionality. It also lays out a great framework and workflow for testing web applications and APIs in general.
Definitely learn some cloud technology. You will have access to resources for fuzzing and massive compute power that you would not otherwise be able to afford, were it not for the metered service and rapid elasticity of cloud services.