You are browsing the archive for Cyber – Management.

Blue Sheet Of Cyber v0.2

January 12, 2019 in Cyber - Management, Preaching

I have updated the sheet based on a feedback I got so far.

One of the ideas that drove the development of this sheet was this question: who is a better hire: a forensicator with 15 years of bit-by-bit/primarily encase experience on the LE job, or talented young engineer who loves breaking stuff apart and already made a dent on the industry by discovering new forensic artifacts, writing tools, and presenting novelty ideas at conferences?

This is the reality of cyber (not only blue teams) for last 20+ years, and in my view it is one of the reason why we see everyone talking about ‘talent shortage’. This is because they look at the numbers, and characteristics of people already employed in the space. Not these that could be.

As such, the ‘talent shortage’ may not be an accurate statement if we change the scene. I’d argue that unlike other industries where primarily experience and academically obtained skills matter, the ‘canonical knowledge’, ‘adaptability’ and obviously the actual experience & academic achievements all play important role in diagnosing that ‘shortage’ and for individuals – their ‘hirability’.

And to add insult to the injury, given the fact that most blue team junior analysts are assumed to be almost clueless at first, the ‘jack of all trades’ approach dictates that with a proper mentorship, they can quickly conquer shallow waters of the knowledge necessary to progress to the next higher technical level. The path will quickly become more demanding then, but by the time they get to the next level, it may as well happen they will be already very well prepared. A.K.A. hiring juniors w/o experience should be done with doors open by default, and only closed if candidate makes it happen. Part of me doesn’t believe what I wrote, because I had mixed experience interviewing people for very junior positions, but maybe at that time I was still too biased(?).

The second reason that drove the development of this sheet was this: it tries to support manager’s work; junior analysts often want to know what is that they should learn to ‘climb’. Even if some engineer doesn’t particularly see a need for the ‘advancement’ of their career, and may see such matrix as counter-productive, even anti-climatic and bringing bad blood to the team, they will hopefully appreciate that an ability to self-asses themselves is a nice thing to have. Again, not important today, but may become important tomorrow. Like any other industry before, things will most likely slow down, stagnate, salaries will get adjusted, market saturated with new talent, competition will be harder, etc. etc. – luck favors prepared mind as they say.

And in terms of how to interpret the sheet. I guess we should see the ‘right wing’ on the sheet as a cumulative effort of many years of experience, and a result of many technical ‘lives’ of an individual coming together. The ‘left wing’ is the Jack of Few Trades, the ‘right wing’ is the Jack of Many. I would argue that working for various companies over the years (whether as an FTE, or a consultant) puts people with such a wide experience in a more favorable position here. This is indirectly supported by the process of promotions happening typically when people change the jobs, not on the jobs.

Last, but not least – the stuff that is already in there shows that the era of introvert nerds that just want, and are allowed to do ‘technical’ stuff only is no longer…

The file can be downloaded from here.

Blue Sheet Of Cyber v0.1

January 12, 2019 in Cyber - Management, Preaching

I just finished working on a very early draft of a document that I had in my mind for a very long time. It tries to summarize, on a very high level, expectations towards technical staff doing cyber, and with an obvious focus on blue-teaming.

I took into account 8 stages of a career progression which I created by closely following the traditional software engineer career development path, and only slightly adjusted it to fit with the role titles present today in ‘defensive’ part of IT security.

The criteria I took into account are as follows:

  • Soft Skills (important for team leaders only)
  • Knowledge of Security Controls
  • OS Architecture (experience with various OSes)
  • Programming Experience
  • Network Analysis Skills
  • Malware Analysis Skills
  • Digital Forensics knowledge and experience
  • Incident Response Process/Level of participation
  • Threat Intelligence Know-How
  • Threat Hunting
  • Application Security (minimum)
  • Penetration testing/Red-teaming experience
  • Very light touch on Risk Management

I am pretty sure it’s not a complete list.

Our Blue Teaming efforts heavily rely on being that ‘Jack of All Trades’. While we can’t have the necessary in-depth knowledge about everything, the higher we climb on a career ladder, I am sure the more we will tick boxes to the right. When an employee’s profile matches many of the boxes marked ‘X’ in this particular employee’s vertical, it’s probably a good indicator that it’s time to move up.

As such, the matrix has a very specific function. It defines a career path for each individual on a team. It allows them to self-assess, and assess others. Managers may benefit from such tool as it converts very ‘organic’ ‘jack of all trades’ knowledge of the individuals into a measurable, and quantifiable score. It also takes into account gaps in peoples’ knowledge.

Why?

It is very tempting to include a very detailed list of skills one must have (e.g. for RCE: IDA, Olly, windbg, etc.).

BUT.

Times changed. For every tool you know very well, there are a few that you don’t know at all. Still, your general know-how allows you to learn these new tools quickly, as long as you have the necessary foundation. Someone who e.g. says that knows only assembly platform is probably a beginner; but if you say you know two, it typically means you know one very well, and the second one is something you are looking at right now or came across frequently enough in the past. What it means is that there is usually not a single person that knows just one architecture very well. If you are interested in the topic, reverse a lot, these new architectures will quickly appear on your radar… So, in the end it’s not an absolute skill per se, it’s more an ability to absorb new skills.

An important factor that this matrix covers as well is ‘la passion’. There is a never ending discussion within IT Security circles how important that passion actually is. Some see it as a legacy requirement that doesn’t stand the market reality today, some say it’s just a way to gatekeep this industry from the crowd of ‘I think it’s a good career choice’ types. Some don’t care.

I didn’t make a strict judgment on this, but sneakily included it under most of the listed ‘domains’ under the ‘Active Research’ umbrella. If there is one thing that speaks to passionate part of IT Security crowd it is an active github repo, an animated gif showing the launch of a calculator, or a blog post where IT Security enthusiasts release their new security tool. Even if it is one of the millions published this month, one that doesn’t stand the cruelty of time, and quickly becomes a vaporware (I am guilty of this as charged), such contribution is always better than nothing. Still, being a part of the matrix that doesn’t expect anyone to tick all the boxes, there is plenty of room for non-passionate to easily score high and still make a dent on their organization & move up the ladder.

Anyway…

This is a draft, a Google beta, a work in progress gif from Geocities, and an invitation to comments… If you see anything missing, please let me know.

The file can be downloaded from here.