I just finished working on a very early draft of a document that I had in my mind for a very long time. It tries to summarize, on a very high level, expectations towards technical staff doing cyber, and with an obvious focus on blue-teaming.
I took into account 8 stages of a career progression which I created by closely following the traditional software engineer career development path, and only slightly adjusted it to fit with the role titles present today in ‘defensive’ part of IT security.
The criteria I took into account are as follows:
- Soft Skills (important for team leaders only)
- Knowledge of Security Controls
- OS Architecture (experience with various OSes)
- Programming Experience
- Network Analysis Skills
- Malware Analysis Skills
- Digital Forensics knowledge and experience
- Incident Response Process/Level of participation
- Threat Intelligence Know-How
- Threat Hunting
- Application Security (minimum)
- Penetration testing/Red-teaming experience
- Very light touch on Risk Management
I am pretty sure it’s not a complete list.
Our Blue Teaming efforts heavily rely on being that ‘Jack of All Trades’. While we can’t have the necessary in-depth knowledge about everything, the higher we climb on a career ladder, I am sure the more we will tick boxes to the right. When an employee’s profile matches many of the boxes marked ‘X’ in this particular employee’s vertical, it’s probably a good indicator that it’s time to move up.
As such, the matrix has a very specific function. It defines a career path for each individual on a team. It allows them to self-assess, and assess others. Managers may benefit from such tool as it converts very ‘organic’ ‘jack of all trades’ knowledge of the individuals into a measurable, and quantifiable score. It also takes into account gaps in peoples’ knowledge.
It is very tempting to include a very detailed list of skills one must have (e.g. for RCE: IDA, Olly, windbg, etc.).
Times changed. For every tool you know very well, there are a few that you don’t know at all. Still, your general know-how allows you to learn these new tools quickly, as long as you have the necessary foundation. Someone who e.g. says that knows only assembly platform is probably a beginner; but if you say you know two, it typically means you know one very well, and the second one is something you are looking at right now or came across frequently enough in the past. What it means is that there is usually not a single person that knows just one architecture very well. If you are interested in the topic, reverse a lot, these new architectures will quickly appear on your radar… So, in the end it’s not an absolute skill per se, it’s more an ability to absorb new skills.
An important factor that this matrix covers as well is ‘la passion’. There is a never ending discussion within IT Security circles how important that passion actually is. Some see it as a legacy requirement that doesn’t stand the market reality today, some say it’s just a way to gatekeep this industry from the crowd of ‘I think it’s a good career choice’ types. Some don’t care.
I didn’t make a strict judgment on this, but sneakily included it under most of the listed ‘domains’ under the ‘Active Research’ umbrella. If there is one thing that speaks to passionate part of IT Security crowd it is an active github repo, an animated gif showing the launch of a calculator, or a blog post where IT Security enthusiasts release their new security tool. Even if it is one of the millions published this month, one that doesn’t stand the cruelty of time, and quickly becomes a vaporware (I am guilty of this as charged), such contribution is always better than nothing. Still, being a part of the matrix that doesn’t expect anyone to tick all the boxes, there is plenty of room for non-passionate to easily score high and still make a dent on their organization & move up the ladder.
This is a draft, a Google beta, a work in progress gif from Geocities, and an invitation to comments… If you see anything missing, please let me know.
The file can be downloaded from here.