~12 years ago I felt I was on top of the (blue side of the cyber) world.
I knew Windows forensics pretty well, Linux forensics far less, but with some help it was enough to do the job. I wrote a number of tools, did a lot of research, had practical experience working forensic investigations that I truly loved, did quite a lot of work in the IR domain as well, and had many years of combined experience in software development, web development, localization, reverse engineering and malware analysis. I even did some pentesting and source code review, which I didn't like, but I kept following the field closely just to stay on top of things (attack methods that were very useful in my forensic analysis, OWASP Top 10, tips and tricks of the trade, etc.).
Today I am a noob in more domains than I can count!
What did I do wrong?
Nothing…?
The number of internet users exploded, the software and cloud industries exploded, OS popularity changed, the way applications deliver their functionality changed (*aaS, app stores), browser popularity and browser capabilities changed (the browser is kind of like an OS now), the cybersecurity industry exploded, then came the startups, the solutions, the rapid hiring and build-out of many specialized teams, real devs finally taking over from random researchers and writing more mature security software, red teaming appeared on the scene, along with new types of attacks, new domains of attack, the blockchain business, the ransomware business, mobile platforms taking over, and the shift towards different ways of working accelerated by covid. In essence, changes that once were very predictable and easy to digest, typically associated with a few cons per year (e.g. Black Hat/DEF CON), now happen every second, go in many unpredictable directions, and touch literally every single aspect of our lives. Cyber got so intertwined with everything we do that it had an inevitable effect on us all: we are all now always behind, one way or another. The 'left behind' bit happens every day, every minute, and it truly accelerates quickly. We have a really hard time not only keeping up, but catching up!
And job requirements have reached a level of absurdity no one would ever have expected, e.g. knowing Azure/AWS/GCP as if it were the same as knowing how to code in Python. These environments are so complex that only a naive mind would request expertise in all three of them at once.
The question you may ask yourself in 2022 is: what to learn, which direction to take?
The industry is actually pretty mature now! I still cringe seeing vendors' consoles, yes, those flashy, pastel-colored interfaces that make the response job slow (too many clicks; why are events not shown as a supertimeline in a tabular format? why is the export function almost always broken, i.e. limited to the first 10K records or so?), but I must admit that thanks to them, the entry-level requirements for anyone entering cybersecurity have dropped substantially. You can literally do anything else for years, then make a career change and walk into a SOC function any day of the week, spend a few weeks learning the basics, and start closing tickets in no time. Talk about growth opportunities…
I have always believed that cyber work is the kind where you learn on the job. I still remember going on site to collect bit-by-bit copies of some hard drives from a data center, only to discover that they used connectors I had never seen in my life. Imagine my panic… The consulting job had that appeal at the time: you would regularly enter foreign territory. Today it's easier and far more predictable. It's primarily cloud, virtual environments, tenancies, requests for data or records, and new tools make analysis far easier than my primitive tools did 12 years ago. And of course, there are like 50 flavors of these tools today for every single thing we do in cyber, but in fairness, probably only 3 of them truly work. I'd really like to say that the new generations have it easier, but I don't see it that way. While the entry requirements have definitely been lowered, if you truly want to be somebody in this field you are going to work far harder than anyone had to work 10-15 years ago!!! I will tell you why…
So… do we still need to deep dive? Do you need to use NetFlow, learn packet analysis, learn assembly language (but which one? x86, x64, ARM, M1/M2, WASM, Java/ILAsm?)? Learn reversing? Understand file system layouts? Do we need to know the intricacies of Active Directory on prem and in the cloud? Multiple SaaS solutions, AWS/Azure/GCP logs, and at the same time still be on top of WAF, IDS, IPS, proxy, firewall, and other old-school controls? And what about mail and browser security and new technology stacks? Do we need to know how browser plugins work under the hood? And do we need to know it for every single popular browser out there? What about privacy issues? A few years ago it was 'we see it all'; today it's regulated markets, FedRAMP, we must know about GDPR and data across borders, participate in tons of awareness programs, and more and more often attend compliance calls and produce contextually important RFIs… Complexities pile up!
Let's agree that there is simply too much to learn and we need to divide and conquer. Here are some pointers:
Find things that unite these new trends and simplify your life:
As you can see, most of the focus is not on technology anymore. These new solutions with their flashy new interfaces have merit: they bring a repeatable process and order to a job that was once full of firefighting and whack-a-mole. They bring order to your own quasi-processes and force the OLD you to unlearn the bad habits you developed during the wild-wild-west of cyber of the last 2-3 decades. We, yes… many of US…, brought a lot of chaos with our ad hoc decisions, untested approaches, and egos. For many of us, it's best to actually unlearn.
Let’s summarize:
Dig in.
And here comes the hardest part: do you need a degree? Do you need a certification?
Over the last 20-30 years many of the best hackers didn't study, were self-learning very quickly, and pwned and dominated. They missed the memo though: organized study and certifications have something in common, they both build solid foundations. I hated many classes at my uni, but thanks to them I still remember some math, many bits about AI, graph theory, algorithms and their inner workings, and these were boring as hell. But we got the exposure, and I can often immediately spot fraud in vendor offerings (there is a lot of it, actually).
And last, but not least….
There are SO MANY different jobs in cybersecurity that you can literally walk in and just do it. You may start as a high-level triage analyst, just following SOPs and doing what you are asked to do, but you can very quickly climb to do more advanced analysis, automation, and optimization. For many years to come, cyber and the digital transformation accompanying it are very fertile IT areas that you would be a fool not to exploit…
Be seen…