~12 years ago I felt I was on top of the (blue side of the cyber) world.
I knew Windows forensics pretty well, Linux forensics far less, but with some help it was enough to do the job; I wrote a number of tools, did a lot of research, and had practical experience working forensic investigations that I truly loved, did quite a lot of work in the IR domain as well, and had many years of combined experience in software development, web development, localization, reverse engineering and malware analysis. I even did some pentesting and source code review, which I didn’t like, but I kept following it closely just to stay on top of things (attack methods that were very useful in my forensic analysis, OWASP Top 10, learning tips and tricks of the trade, etc.).
Today I am a noob in more domains than I can count!
What did I do wrong?
The number of internet users exploded, the software and cloud industries exploded, OS popularity changed, the way applications deliver their functionality changed (*aaS, app stores), browser popularity and browser capabilities changed (the browser is kind of like an OS now), the cybersecurity industry exploded, the startups, the solutions, the rapid hiring and development of many specialized teams happened, real devs finally took over from random researchers and started writing more mature security software, red teaming appeared on the scene, new types of attacks, new domains of attacks, the blockchain business, the ransomware business, mobile platforms are taking over, and the shift towards different ways of working accelerated by covid – in essence, changes that once were very predictable and easy to digest — typically associated with a few cons per year, e.g. Blackhat/Defcon – now happen every second, go in many unpredictable directions, and touch literally every single aspect of our lives. Cyber got so intertwined with everything we do in our lives that it had an inevitable effect on us all — we are all now always behind, one way or another. The ‘left behind’ bit is happening every day, every minute, and it truly accelerates quickly. We have a really hard time not just keeping up, but even catching up!
And the job requirements reach a level of absurdity no one would ever expect, e.g. knowing Azure/AWS/GCP as if it were the same as knowing how to code in Python. These environments are so complex that only a naive mind would request expertise in all 3 of them at once.
The question you may ask yourself in 2022 is: what to learn, which direction to take?
The industry is actually pretty mature now! I still cringe seeing vendors’ consoles – yes, these flashy, pastel-colored interfaces that make the response job slow (too many clicks; why are events not shown as a supertimeline in a tabular format?? why is the export function almost always broken, aka limited to the first 10K records or so?), but I must admit that thanks to them, the entry-level requirements for anyone to enter cybersecurity have substantially dropped. You can literally do anything else for years and then just career-change and walk into a SOC function, any day of the week, spend a few weeks learning the basics, and start closing tickets in no time. Talk about growth opportunities…
I have always believed that cyber work is one where you learn on the job. I still remember going on site to collect some bit-by-bit copies of some hard drives from a data center, only to discover that they used connectors I had never ever seen in my life. Imagine my panic… The consulting job had that appeal at that time… that you would just always enter foreign territory on a regular basis. Today it’s easier and far more predictable – primarily cloud, virtual environments, tenancies, requests for data or records, and new tools make analysis far easier than my primitive tools did 12 years ago. And of course, there are like 50 flavors of these tools today for every single thing we do in cyber, but in fairness, probably only 3 of them truly work. I’d really like to say that new generations have it easier, but I don’t see it this way. While the entry requirements have definitely been lowered, if you truly want to be somebody in this field you are going to have to work far harder than anyone had to work 10-15 years ago!!! I will tell you why…
So… do we still need to deep dive? Do you need to use netflow, learn packet analysis, learn assembly language (but which one? x86, x64, ARM, M1/M2, WASM, Java/Ilasm?)? Learn reversing? Understand file system layouts? Do we need to know the intricacies of Active Directory on prem and in the cloud? Multiple SaaS solutions, AWS/Azure/GCP logs, and at the same time still be on top of WAF, IDS, IPS, proxy, firewall, and other old-school controls? And what about mail and browser security and new technology stacks? Do we need to know how browser plugins work under the hood? And do we need to know it for every single popular browser out there? What about privacy issues? A few years ago it was ‘we see it all’; today it’s regulated markets, FedRAMP, we must know about GDPR, data across borders, participate in tons of awareness programs, and more and more often attend compliance calls and produce contextually important RFIs… Complexities pile up!
Let’s agree that there is simply too much to learn and we need to divide and conquer – here are some pointers:
- You don’t need to know everything
- Your friends, coworkers, peers, industry friends, vendors have your back — ask more; it’s okay not to know today; let them handle the things they understand better than you, be open to taking that advice in
- Unless you are very interested in the topic, keep it high-level — you truly can’t know everything about Active Directory, Jamf, SCCM, auditd, multiple EDRs, AWS, GCP, Azure, Alibaba, Cloudflare, iOS internals, Cisco IOS, MITRE ATT&CK, the internal workings of sandboxes, threat intel, vulnerabilities, file formats, bug bounties, coding in Python, coding in Rust, Go, Lua, Nim, etc. at the same time – seriously, there is not a single individual today who knows it all (although @dre is probably the closest to it that I know of), and you won’t become that one either…
- Today’s IR is moving very fast towards multiple separate functions:
  - Triage — “front door”, first assessments, escalations; a bit like the old SOC, but more streamlined
  - Investigations — following the Triage leads, drawing conclusions — a bit like a mix of old L2/L3 and closing tickets
  - Incident Commanding — coordination of the efforts of Triage and Investigations with other teams (application, product, customer-facing and legal / HR entities)
  - Detection Engineering — helping with ad hoc threat identification/hunting requests
  - DevSecOps — linking IR efforts with devs, a ‘shift left’ attitude, often a dedicated function
  - Management — paving a path to liaise with other teams, tabletop exercises, keeping the comms open and up to date
Find things that unite these new trends and simplify your life:
- today process is more important than technology and even people — it’s more coordination work than the technical, investigative or troubleshooting work it used to be!
- a decade ago working on ‘cyber’ after hours was the norm; today it’s perceived as ‘are you mad bro? live a bit’; aka don’t live security, it’s no longer a hobby-turned-job; just do your job and don’t waste your private time on getting better, instead – LIVE A BIT! Of course, you can play in your lab, but have a limit – as covid has shown, there is a life outside of IT security and you should fully explore it!
- write processes down – good documentation is the key to maturity, and almost no one wants to do it, almost no one does it right, but everyone will recognize it once it is actually done properly (hint: google ‘Amazon memos’, visit Google’s tutorials on tech writing)
- we move from build to buy pretty quickly and it is a trend that will stay — do POCs, become an SME
- SOAR and automation are more important than your reversing skills, IR skills, your offensive skills, and even your forensic/investigative skills — automation is the future!
- look only at stuff within your scope of work — narrow down learning areas
- look at what you do, what your peers do — optimize, drive changes, let others drive other areas
- hone your soft skills — this is the most important part of your IR creds in the next 10 years!
- assume you don’t know everything, because you don’t have all the info or context, or you are simply not educated enough — it’s really okay not to know; inform, discuss, learn — we are past the infosec rockstar time; you can only be seen if you allow others to contribute no less than you; be humble — the cyber domain is now beyond the capacity of a single human and that’s okay!
- don’t be an asshole – if you are, people will see through you very quickly anyway
As you can see, most of the focus is not on technology anymore. These new solutions with their flashy new interfaces have merit — they bring a repeatable process and order to a job that was once full of firefighting and whack-a-mole. They bring order to your own quasi-processes and force the OLD you to unlearn the bad habits you developed during the wild-wild-west of cyber of the last 2-3 decades. We, yes… many of US…, brought a lot of chaos with our ad hoc decisions, untested approaches, and ego. For many of us, it’s best to actually unlearn.
- It’s okay not to know everything
- cyber security functions emerged that specialize in specific areas – you don’t need to be an expert in every single one; what used to be a single wo/man orchestra is now many functions: incident commanding, L1/triage, analysis/investigations, forensic investigations (both live and old-school bit-by-bit), optimizations, enablement, sometimes even vulnerability management, DLP and IAM
- cloud investigations are more about access than anything else – again, process is more important than the actual forensics, which are often trivial these days (logs, logs everywhere! and the result is typically either coinmining or ransomware)
- climbing to a senior or principal role in a SOC may be relatively easy now, but if you want to be a game changer, you still need to know the underlying technology very well – RTFM, read RFCs, even the old ones. Understand how protocols work, how MIME works, what an inode is, how NTFS stores data – you can’t escape it if you want to climb to positions that actually matter. Security controls may dumb us down, but understanding the basic principles of OSes, networking, web, appsec, OWASP, is at the core of making yourself indispensable… this is where you want to be…
And last, but not least….
There are SO MANY different jobs in cybersecurity that you can literally walk in and just do it. You may start as a high-level Triage analyst, just following SOPs and doing what you are asked to do, but you can very quickly climb to doing more advanced analysis, automation, optimization. For many years to come, cyber and the digital transformation accompanying it are very fertile IT areas that you would be a fool not to exploit…