Pentester to SOC Analyst journey

gunmr

Hello all,

A few years ago, i was preparing OSCP exam. After years I dedicated myself to becoming a SOC analyst. I was already familiar with attacking techniques but have some problems with defending and SOC environment, and started to search some resources and practicing labs about the blue team. Finally i found a job as security analyst Here is my guideline

1- Learn detection techniques (like how to detect priv esc, brute force etc.)
2- Log analysis 101
3- Malware analysis 101
4- SOC fundamentals

And which resources i used:

Ten Strategies of a World‑Class Cybersecurity - It explains how SOC works very well.
SOC Analyst training - LetsDefend is good platform for soc analyst or incident response hands-on training 
Tool list - Necessary tools during investigation
Reports - Some APT attack reports, it's good to understand what will i do in future

I hope it helps those who want to change their career from Pentester to SOC analyst / blue team member.

E Double U

Interesting to see someone go from red to blue because I usually see more people interested in going from blue to red. What made you want to go blue team? Are you leading purple team activities within your team?

gunmr

E Double U said:

Interesting to see someone go from red to blue because I usually see more people interested in going from blue to red. What made you want to go blue team? Are you leading purple team activities within your team?

I like investigating incidents more than penetrating the systems. This is my main reason.
And also I think the blue team side is more challenging because there is no lots of resources like red time side. And its motivating me.

JDMurray

Going Blue-to-Red is usually because Blue Team duties can be much more siloed (i.e., restricted), routine, and boring than the (seemingly) exciting and glamorous work found on IR and the Red Team, although both Blue and Red are both SecOps. (In other words, same fence/difference grass.) The only times I've heard people going Red-to-Blue is if they tried the Red side of the fence and didn't like the work or the management.

JDMurray

And further more:

Most "How to Get a Job in a SOC" sources recommend that you should learn many different skill sets; so many that you could get a job in ANY SOC. This would be like a musician learning every musical instrument so s/he could get a job in ANY symphony orchestra. This isn't practical or even possible. Because each SOC is designed, operated, and managed around the organization that it protects, no two SOCs are identical, and therefore no single template for the requirements of a SOC analyst exists--or is practical to invent. And for people who have never worked as SOC analysts, you can't practice many skills required of a SOC analyst until you are actually working in a SOC.

As a SOC manager myself, I would advise junior people looking for their first start as a SOC analyst to have lots of the following: customer service skills (i.e., Help Desk) that includes both email and telephone work, documentation writing, fluency in using Excel, hands-on experience with ticketing systems, presentation skills good both in-person and remote, a mind for problem-solving and a memory for details, and a "command presence" that will cause others to believe and follow you. (OK, that last one is optional, but very useful for moving up the ladder.) None of these skills and qualities have anything specifically to do with security, but they are the groundwork for what you will be mostly doing on your new career path of Security Operations, and you will impress the heck out of a lot of hiring managers if you do them all well.