Cyber security sometimes means learning things backwards

2023-03-26  Cyber Security

Stick around cyber security Twitter or LinkedIn for long enough and you’ll likely see somebody raise a question about how to get into the industry. You’ll also likely see a reply that describes a kind of rite of passage from sysadmin, to SOC analyst, to just about any other security role.

The logic behind this - that you need to know how systems work in order to defend them - is sound, but I feel like the entry requirements are often exaggerated as a form of gatekeeping, and that years in a full-on sysadmin role aren’t necessarily required to investigate cyber attacks effectively. There are other paths.

Learning the ropes

I’m a good example here. From childhood I was vaguely technical in a hobbyist sense. That was enough for me to peer through the glass into the tech world and get a rough feeling for how computers work, but I certainly wasn’t administrating corporate Active Directory domains during my years as a journalist.

Some education was required. At the SANS Cyber Retraining Academy I took courses that equipped me with fundamentals covering operating systems, networking, and components of business environments that I hadn’t had any exposure to in my days tinkering with my home computer. It took the scattered knowledge I’d accumulated, filled in the blanks, and gave it better structure and context.

One of the best decisions I made around that time was to teach myself Python and the Linux command line. Do I use these specific tools every day now? No. But defensive PowerShell scripts, malicious JavaScript files, and the commands threat actors run on compromised hosts all share enough structure with them (variables, loops, conditionals, pipes, function calls) that I could decode and roughly understand them even before I properly taught myself the languages involved.

Beyond the basics

Not everything can be learnt in the classroom, and I’ve written previously about how applying foundational knowledge outside of a lab environment takes some practice. But with the basics under your belt, you can sometimes learn just as much about the way technology works by examining the way threat actors try to abuse it as you can by building and configuring the systems yourself.

The key as far as I’m concerned isn’t years on the helpdesk (although that won’t hurt), it’s staying curious and doing more digging than your day job requires. Let your investigations and administrative duties point you in a useful direction (who better to show you what you need to learn to stop attackers than the attackers themselves?) but stick with the material and go deeper than you need to.

Eventually you’ll develop a computing literacy that extends beyond your immediate knowledge. As an example, I recently helped an administrator to troubleshoot an Active Directory group policy object (GPO). As a non-sysadmin, I’d never configured one myself, but my training taught me what a GPO is, I’d seen enough to know what they look like, and some quick research was enough to work out the specifics.

Cyber security - particularly on the defensive side, where your work is rarely planned ahead - can throw practically anything at you, and it’s impossible to learn everything to the depth that an administrator looking after a certain type of system would. The best approach is to know your basics and stay curious to continuously grow and build on top of that. This way you’ll be clued up enough to understand the documentation (and, let’s face it, your Google results) when something new lands on your desk.
