Security Analyst Interview - Some of what you need to know:


Comments

  • YFZblu Member Posts: 1,462
    I'm happy to see this post helped some people over the years. I've gotten several requests to update / enhance it, so I'll do that here. I'm going to add a few things:

    1. Expand on two pieces of my original post (linux, scripting)
    2. Add a section regarding host-based forensics
    3. Answer questions posed by User Kiyori

    This post isn't meant to be a replacement to the original - I think everything in the original post still applies. The end of this post will be open-ended, feel free to ask me to address something I may have left out.
    yfzblu wrote:
    First and foremost, Linux. It's everywhere in infosec as many of you know. I won't get too specific on this, but definitely dig in and learn Linux.

    From a tactical perspective, and from the perspective of doing work, I still believe this; however the 'why' is important too and needs to be addressed. For beginners Linux can be clunky, and difficult to work with. You should accept the constant failure you will inevitably have with it as a challenge. In my experience, Linux can set you on the path to learning important lessons:

    - working through frustration and failure: your stuff will break, and you will break your stuff
    - learning to become resourceful: man pages, google, trial and error, etc.
    - learning to learn: technical documentation can be terse and sometimes you must understand various background topics/technologies before you can address the problem at hand. Something like this is often repeated: 'you cannot secure what you do not understand'. While this is true, as analysts we often encounter situations and technology that we do not understand. Finding solutions does not necessarily require years of direct experience with a given technology - being able to 'figure it out' (sometimes on the fly) is a vital skill that can be acquired over time. In my experience, Linux helped me get started with this.
    yfzblu wrote:
    Code: I said this in a post the other day - Do yourselves a huge favor and learn to script and at least learn to read some code. I put it off forever and it is biting me in the butt. I'm basically drinking from the firehose trying to get up to speed. Much like the Linux thing I won't get too detailed about why/how, just learn it.

    This, still, a thousand times over. Everything I said about Linux applies here as well. With very few exceptions, not having scripting/programming ability will automatically put a ceiling on your technical career in security. Learning Python has allowed me to:

    - Contribute to the security community with my own open source projects (1: https://github.com/PoorBillionaire/USN-Journal-Parser, 2: https://github.com/PoorBillionaire/Windows-Prefetch-Parser). The ability to show my work to an employer during an interview has been insanely valuable to me.
    - Automate otherwise manual tasks, enabling teams I have been on to focus on more important work.
    - Gain a deeper understanding of open source offerings by examining source code directly. Examples of this are Snort/Suricata, Elasticsearch, and Volatility.
    - Learn a given technology at a deeper level. By first understanding Python and its data structures, I was able to begin to understand more complex data structures presented by other languages and operating systems, which in turn helps me as an analyst.

    Adding something new here: host-based forensics. Over the last several years forensics has taken a huge leap forward. More than ever it's a vital skill to have for any analyst. Organizations are now (or should be) leveraging live response frameworks to supplement traditional log data. A couple of great places to start would be Windows-based forensic artifacts, as they're the most well known and well documented - and offer a large payoff considering most organizations are largely comprised of Microsoft technologies. IMO, these are three of the best books to help get someone started:

    - File System Forensic Analysis (the more general chapters at the beginning and the chapters on NTFS specifically)
    - The Art of Memory Forensics
    - Windows Registry Forensics, Second Edition

    These books cover both the artifacts themselves and sound analysis methodologies.

    And blogs:

    - Another Forensics Blog
    - Windows Incident Response
    - SANS DFIR Blog
    - Hacking Exposed Computer Forensics Blog (David hasn't posted in a while, but all of the past content is good)

    Taking all of this a step further, not only is it important to understand the artifacts, but you'll eventually want to contrast them with offensive techniques. For example, how will this help an organization detect the presence of Mimikatz executing in an environment? What residue does it leave behind? How can this be leveraged in monitoring scenarios?
    Kiyori wrote:
    How have you progressed so far?

    Unhappy with the way organizations have refused to protect and invest in systems they supposedly care about, I have left several security jobs over the years. In some ways being unsatisfied has been a burden on me personally. In other ways, I've experienced roles and technologies that I never would have been exposed to had I stayed with one or even two organizations.

    At this time I'm working as an incident response consultant on a forensics team - being in this role is what I've wanted since I got into security, so things have worked out well. I'm a big proponent of seeking out opportunities and going for them - for the most part, nobody is going to hand you anything.
    Kiyori wrote:
    Do you get to look at candidates' profiles for positions? Other than general knowledge, what kind of skills should a tier 1 be bringing to the table?

    I've been interviewing candidates for a couple of years now. Regarding a tier 1, the technical pieces are less important to me personally. As a senior it's my responsibility to get people up to speed, and provide enough process/procedure and documentation for a less technically inclined person to do some of the more routine aspects of the job. Additionally, I feel responsible to help bring others up and point them in the right direction to eventually help with less trivial work streams. Coming from this perspective, I look for:

    - An enthusiastic desire to learn. Most notably, I want to see someone try to learn in the interview itself. When a candidate recognizes he/she has a short window of time with experienced members of the industry and wants to take advantage of it, this stands out to me. It's a good indicator that if the team brought this person on, they would likely continue doing the same.

    - Someone who wants to understand the data, not just use the tools. A big issue in this field is that there are a lot of 'button pushers' who rely exclusively on the tools they are given, instead of first understanding the data. Tools can lie, they can break, etc. For example, if an analyst knows the basics of TCP/IP and regular expressions, learning something like Snort or Suricata will happen much faster than for someone who is trying to learn the tool first. Similarly, when the tool breaks or if it doesn't provide some needed functionality, that same person might be lost, while another analyst is busy finding solutions based on what the underlying data is reflecting.

    - Vision for his/her career. I want to know why this person wants to be an analyst and what direction they see their career moving towards. For someone right out of college this vision may not make sense just due to a lack of experience, or may not be completely hashed out yet - but I care less about that. Having a vision and a plan for getting there shows me this person is motivated and explicitly engaged in the direction of his/her career.

    - As I said in my first post, know what you claim to know. A minor pet peeve of mine: I can't tell you how many times I've seen C and x86 assembly listed on someone's resume under the 'programming' section, because the candidate took a couple of computer science courses in college. If you do this, I will ask you to program in C in the interview. I hate doing this.

    Hope this helps!
  • Blucodex Member Posts: 430
    YFZblu wrote:
    Man - I vividly remember writing this post. A lot has changed, a lot has stayed the same. If there's interest, I could write a follow-up post in this thread based on my experiences over the last 3-4 years.

    In 2013 when I got my first security job (as an L1), I made $55,000. The interview I posted about here, also for an L1 analyst role, bumped me to something like 70k. These days I routinely see L1 Analysts just starting out making 75k+

    I am seeing L1's being hired at 88k+ right now.
  • DatabaseHead Member Posts: 2,754
    Blucodex wrote:
    I am seeing L1's being hired at 88k+ right now.

    What country, what part of that country?
  • LordQarlyn Member Posts: 693
    Good stuff here! Very useful and helpful.
  • kabooter Member Posts: 115
    Fantastic. Learnt a lot from YFZblu's post. Much appreciated.
  • Blucodex Member Posts: 430
    What country, what part of that country?

    Phoenix. The market is hot out here.

    Phoenix is transforming from a call center hub to a tech hotbed.

  • slatkin Member Posts: 23
    Hey Blu,

    Are you aware of any regional specific resources for job seekers, specifically related to Cyber Security? I moved out to Phoenix earlier this year and am looking to take the next step after working as helpdesk/desktop support for the past two years.

    I managed to land an interview with a Cyber Security provider as a SOC Analyst and did great on the technical interview. Then their job posting changed from 'able to obtain a security clearance' to requesting candidates to have an active clearance which I don't have.

    Also found a few workshops and networking events on meetup.com I'm planning on attending, but am wondering if there is any other resource besides your typical job board and recruiters that you are aware of.
  • Blucodex Member Posts: 430
    Slatkin,

    The Meetup app has some good things. I would keep an eye on the OWASP meet ups that are done at Early Warning.

    CactusCon just happened last month and would have been a good opportunity.

    There is the non profit CyberWarfare range which now has an east valley and west valley location inside GCU. Azcwr.org

    I’ve recently learned of first Fridays at Lux coffee shop in downtown/midtown, which is run by https://www.phx2600.org
  • slatkin Member Posts: 23
    Thanks for the info. The CyberWarfare range looks awesome, something I'm really interested in and hope to hear from them soon.
  • Blucodex Member Posts: 430
    slatkin wrote:
    Thanks for the info. The CyberWarfare range looks awesome, something I'm really interested in and hope to hear from them soon.

    If you would like, PM me your resume and I can pass it to the powers that be to see if you're a good fit.