Career FAQs

Learn, train, grow... What do you need to know to specialize in cyber security and build a career?

FAQs are divided into the following sections:

  • Cyber Security Careers
  • Job Interviews
  • Digital Forensics and Incident Response (DFIR)

Cyber Security Careers

What can I do in cyber security?

NIST (the National Institute of Standards and Technology) published NIST Special Publication (SP) 800-181, also called the NICE Cybersecurity Workforce Framework, to describe cyber security work in a common language. Within the framework, NIST identified 7 high-level categories of common cyber security functions:

NICE Cybersecurity Workforce Framework Categories

  • Securely Provision
  • Operate and Maintain
  • Oversee and Govern
  • Protect and Defend
  • Analyze
  • Collect and Operate
  • Investigate

Within these 7 categories, NIST further defined 33 specialty areas and 52 work roles, each described by its tasks and by the knowledge, skills and abilities (KSAs) required to perform them. The framework is a guideline for employers, current and future cyber security workers and education / training providers alike to align on and define the cyber security workforce. You can find an interactive version of the framework on the NICCS website.

The work roles most closely related to digital forensics and incident response sit in the Protect and Defend and Investigate categories, for example Cyber Defense Incident Responder and Cyber Defense Forensics Analyst.

Which cyber security roles an organization actually staffs depends on its mission and resources. Often these roles are covered by security generalists who wear multiple hats, whereas larger organizations have the resources to build out a more mature, specialized cyber security function.

Where can I find more information about the cyber security job market?

CyberSeek.org provides interactive tools and maps to analyze the current cyber security job market across the United States. It shows the persistent shortage of, and demand for, cyber security professionals. Furthermore, it suggests cyber security career pathways from entry to advanced levels, including average salaries, job openings, certifications and the top skills requested.

CyberSeek Career Pathway

What is a Blue / Red / Purple Team?

Cyber security defensive roles are commonly referred to as the “Blue Team”. The “Red Team” includes ethical hackers, penetration testers, adversary emulators, etc. Blue teams are proactively and reactively engaged in defending and securing an environment against malicious adversaries. Red teams emulate adversary attacks to challenge the blue team, measure its detection and response, and identify gaps. An exercise in which both teams work together and share what they see in real time, so that every attack technique is immediately checked against detection and response, is commonly referred to as a “Purple Team” exercise.

Job Interviews

How do I find cyber security jobs?

While everyone is familiar with the traditional job search of checking Google, LinkedIn, Glassdoor, Indeed, etc., in cyber security you may want to think a bit outside the box. Cold emailing or applying can be a long and frustrating process. It is often much more fruitful to build and leverage existing connections, join local or virtual conferences and establish relationships. Find Discord and Slack channels and look on Twitter for the latest job postings using hashtags such as #infosecjobs. Start networking and direct messaging people who are on a desired team or at a desired company. Getting referred by someone who is willing to vouch for you is much more promising. Furthermore, look for a mentor who can help along the journey.

How do I pass my first job interviews?

The cyber security job market often feels like the wild west. Many job postings state unrealistic requirements, such as an excessive number of years of experience or a list of required certificates that are not even relevant to the job. It is nowhere close to other industries where there are established and formalized paths for starting and advancing a career.

Nevertheless, this is exactly where the opportunity lies for many! It is a relatively new industry that many professionals have joined from all kinds of backgrounds. College and Master's degrees are not always needed, and hands-on experience will beat them any time. This is why it is key to understand the fundamental areas of the role you are applying for. Interviewers for technical roles will always ask questions to find out whether the candidate is just memorizing books or has actual hands-on experience with a topic, or at least the potential and motivation to learn. Only by working in hands-on labs, guided by courses and lectures to understand and apply common concepts, will a candidate be able to learn and internalize knowledge.

“Learning how things do not work helps to understand how things work.”

What about certificates?

Cybersecurity Certifications (source: reddit.com)

As illustrated in the image above, the cyber security industry is swamped with certifications and more appear every day. Each one has its pros and cons, and there are many different opinions across the industry about the value of each. Additionally, some are only affordable if the employer covers the cost.

However, the general consensus is that no certificate beats real-world experience and knowledge. That does not mean some of it cannot be learned through those certifications, but while job descriptions and HR may be looking for certificates, once the foot is in the door an interviewer will usually look for real experience and a candidate's potential to learn quickly. Certificates can be a great add-on to a resume, and they certainly show that the candidate is legitimately interested in the field and is putting in extra effort to learn and improve.

While not so common in the private sector, it is important to mention that jobs in the government sector sometimes require specific certificates. See the DoD Cyber Exchange – Approved Baseline Certifications for the various cyber security roles.

How can I gain experience (even before starting a job)?

Job descriptions often require experience for entry-level roles, which prevents entry-level candidates from gaining that experience in the first place. A frustrating and unnecessary problem.

As with most things in the digital world, a lot can be learned on your own time. In enterprise organizations, technical cyber security roles often deal with expensive commercial tools, which are usually not accessible to students. However, there are almost always free, trial or open-source alternatives. For cyber security starters and experienced professionals alike, it is advisable to have a training lab environment ready to go. For beginners, building one is a great way to get their feet wet by learning the variety of tools and technologies needed to run a lab. From there, hands-on digital forensics and incident response exercises teach the common methodologies that are needed to pass those job interviews.

Digital Forensics and Incident Response (DFIR)

What is DFIR?

DFIR is part of an organization's cyber security defense program. It is a multidisciplinary profession where digital forensics covers the technical aspects of an investigation and incident response is the structured process that guides an investigation from start to finish. The goal is to investigate, remediate and recover from cyber attacks, often carried out by sophisticated internal or external threat actors. Incident response also includes strategic and proactive work to improve an organization's response effectiveness and increase its security and preparedness for cyber attacks. NIST SP 800-61r2 defines the incident response lifecycle as follows:

NIST Incident Response Lifecycle

  • Preparation
  • Detection and Analysis
  • Containment, Eradication and Recovery
  • Post-Incident Activity

There are several resources and frameworks that are commonly accepted by the industry and that every DFIR professional should be aware of:

What does a DFIR professional's day look like?

DFIR requires a mix of soft and technical skills, critical thinking and curiosity. It is a profession where the subject of an investigation can change quickly, so flexibility and adaptability are essential traits. What is a deep-dive forensic investigation of a Windows workstation today could be mass processing of logs, reverse engineering malware or gathering threat intelligence about a nation-state attacker tomorrow. Sometimes the work is “looking for the needle in the haystack”; with growing skill and experience, and by following a methodical pattern, the search becomes easier.
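As an added illustration of the log-processing side of that work (example code written for this FAQ, not tooling from BlueCapeSecurity or from any vendor), the Python below triages a constructed export of Windows logon events: it collects failed logons (Event ID 4625) per source address and flags a source whose burst of failures inside a look-back window is followed by a successful logon (Event ID 4624) for one of the accounts it tried. The export format, the thresholds and the sample entries are assumptions made for the example; a single mistyped password followed by a success is deliberately not reported.

```python
"""Triage of Windows logon events: failed logons (4625) followed by a
success (4624) from the same source address. Added example for this FAQ;
the export format, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security-log logon events exported as
# "timestamp EventID TargetUserName IpAddress Computer". Not real telemetry:
# one source sprays several accounts and then logs in as one of them, one
# user mistypes a password once, and one user simply logs in.
SAMPLE_LOG = """\
2024-03-11T08:00:01 4625 jsmith   10.0.5.23 DC01
2024-03-11T08:00:03 4625 kjones   10.0.5.23 DC01
2024-03-11T08:00:05 4625 mlee     10.0.5.23 DC01
2024-03-11T08:00:07 4625 admin    10.0.5.23 DC01
2024-03-11T08:00:09 4625 svc-bkp  10.0.5.23 DC01
2024-03-11T08:00:11 4625 kjones   10.0.5.23 DC01
2024-03-11T08:01:40 4624 kjones   10.0.5.23 DC01
2024-03-11T08:02:10 4625 aroberts 10.0.7.8  DC01
2024-03-11T08:02:20 4624 aroberts 10.0.7.8  DC01
2024-03-11T08:03:00 4624 pwhite   10.0.9.9  DC01
"""


def parse_events(text):
    """Parse the export into dicts sorted by time; skip blank/comment lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event_id, account, src_ip, host = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "id": int(event_id),
            "account": account.lower(),   # AD account names are case-insensitive
            "src": src_ip,
            "host": host,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_brute_force(events, threshold=5, window_seconds=600):
    """Report a finding when a source IP has at least `threshold` failed
    logons inside the look-back window and then a successful logon for an
    account it had tried. A lone typo (one failure, then success) is ignored."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)      # src IP -> [(ts, account), ...]
    findings = []
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append((e["ts"], e["account"]))
        elif e["id"] == 4624:
            # Only failures inside the look-back window count as context.
            recent = [(t, a) for t, a in failures[e["src"]]
                      if e["ts"] - t <= window]
            tried = sorted({a for _, a in recent})
            if len(recent) >= threshold and e["account"] in tried:
                findings.append({
                    "src": e["src"],
                    "host": e["host"],
                    "account": e["account"],
                    "failures": len(recent),
                    "accounts_tried": tried,
                    "first_failure": recent[0][0],
                    "success": e["ts"],
                })
    return findings


if __name__ == "__main__":
    for f in find_brute_force(parse_events(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['host']}: {f['failures']} failures against "
              f"{len(f['accounts_tried'])} accounts, then success as "
              f"{f['account']} at {f['success']}")
```

Run stand-alone, the script reports the single spraying source and stays silent on the two benign logons. In a real investigation the same logic would be pointed at an EVTX export or a SIEM query result, the threshold and window would be tuned to the environment, and the finding would be the starting point for pivoting to the source host and the account's subsequent activity.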

What do I need to know to become a DFIR professional?

When conducting an investigation within an enterprise environment there are typically a variety of tools in place. The key is to understand what you are looking for and where to find it. Becoming a successful DFIR professional first and foremost starts with:

  • Passion
  • Curiosity
  • Critical Thinking
  • Attention to Detail
  • Diligence and stress resistance

There are various tools and techniques for performing DFIR investigations, and they change frequently. Gaining fundamental technical knowledge and experience is indispensable. Technologies that incident responders often come across and need to understand in an enterprise environment are:

  • Windows enterprise networks and domain controllers
  • Network devices such as firewalls, proxies, DHCP servers
  • Applications such as Email (Exchange), Identity & Access management and Cloud applications
  • Security detection, prevention and investigation tools
  • Windows, Linux and Mac end user workstations

While many of these tools are commercial, there are often free alternatives, and every DFIR professional should take advantage of free or low-cost training labs to gain hands-on experience.

DFIR book recommendations

Below are a few book recommendations for DFIR professionals, ranging from technical to non-technical topics. BlueCapeSecurity is not affiliated with any of the sellers, and there may be cheaper ways to obtain them, for example through portals such as O'Reilly (formerly Safari Books Online).
