Unlocking the DFIR Job Market: Strategies for Landing Your Dream Role

tl;dr: this blog aims to aggregate what I’ve found to be meaningful while job hunting in my career, and to be a useful resource to anyone interested in a career in DFIR. If you don’t care what I think, skip to the bottom for people who said it better than me.

I’ve been thinking about and talking to a lot of early-career professionals recently and wanted to document some of the discussions we’ve had. A lot of people seem lost; they want a career in cybersecurity but don’t really know where to start.

It can be difficult when there are so many different roles and job titles and little standardisation. The requirements for a role can differ vastly depending on the hiring manager and the HR team (not to call anyone out, it’s a fast moving field and it’s hard to keep up). There’s no shortage of advice like this; I realise of course that a quick Google search brings up a multitude of similar blogs, but if people are still asking ‘where do I start,’ at least having written this I have somewhere to point them for a quick rundown of my thoughts.

A quick word on job opportunities generally before we get into the material proper: I don’t have much experience with the job market in the US or the EU so I can’t comment with authority on the level of demand for cybersecurity professionals, much less which types of cybersecurity professional are most needed. However, cybersecurity is a growing industry and that isn’t going to change: cybersecurity is a global industry and companies everywhere are becoming more aware of the need to protect their assets from adversaries, so the job market will continue to trend up, globally.

Cybersecurity Career Paths

There are so many jobs and job titles in cybersecurity now, separating and filtering them can be challenging. My background is digital forensics and incident response (DFIR), so this’ll be slanted that way. There’ll be overlap in other areas, I’m sure.

DFIR is an area of cybersecurity that focuses on investigating and responding to security breaches and incidents. DFIR professionals use various techniques and tools to identify the source or root cause of a security incident, collect evidence, and prevent future attacks.

DFIR Careers

There are several different types of roles within DFIR, including (in what I think is order of seniority):

Other Career Paths

Outside of DFIR, there are a lot of other really interesting roles as well:

Skills needed for any of these roles

In terms of the particular skills required, it really depends on if you want to be a security generalist, or a specialist. Each of these areas lends itself to certain personality types, traits, and skillsets.

If your interest lies in digital forensics, find learning material online (YouTube is a great place to start, and then Cybrary, Udemy, or any of several other online academies). Alternatively, capture the flag (CTF) type contests that test for and build those skills, and think about taking commercial classes (which I’ll delve into later in the blog).

If you’re interested in incident response, look for materials and exercises that focus on those skills, and understand that you need to be the kind of person who thrives under pressure and is able to stay calm in the face of adversity (from all angles, adversary and client alike). Understand that there are many other specialties, it’s just that these two are mine so I feel comfortable speaking about them.

The day-to-day of DFIR

In addition to the skills needed for any specialty, you’ll likely need other skills (depending on the company you work for). As an incident response consultant, for example, client engagements won’t always be incidents. Sometimes it’ll be proactive stuff like architecture reviews, tabletop exercises, IRP development workshops, etc.

Having a really good grounding in at least one of network, memory, or disk forensics is necessary (our focus at Dragos is network, my background is heavily in disk, but any of the three is useful). If you can program or script, that’s a bonus. Outreach is important, too, so being interested in writing blogs, white papers, and submitting to CFPs is a nice to have, but not a requirement. Besides that it’s all experience and being able to communicate effectively to audiences of different technical ability. If you can help a client go from preparation and detection through to remediation, you’ve probably got the right skillset.

Other roles in cybersecurity (it’s a very broad field)

I’m probably missing someone, but this is a reasonable list of the jobs that are available to you in cybersecurity (excluding risk management and GRC with which I’m not super familiar). If any of these interest you, do your own research to figure out where your skill set matches up, and your personality (e.g. if you work well under pressure and tend to keep calm, incident response might be a good choice, otherwise, maybe not so much). Once you’ve decided which role makes the most sense, it’s time to brush up that resume.

Sell Yourself: Crafting Your Resume

Your resume is your sales pitch. As such, preparing a strong resume is critical when applying for jobs in any field, but definitely DFIR. Here are some tips for creating a standout resume:

Use Google’s ‘X-Y-Z’ Model

This model emphasises results and impact over responsibilities. Rather than listing your job duties or copy-pasting your JD, focus on specific accomplishments and achievements. You have 3 – 5 bullet points to highlight quantifiable results, such as “Reduced incident response time by 50% using automation, resulting in 100% YoY retainer growth” or “Identified and removed over 1,000 instances of malware by implementing new processes for more than 50 clients.”

NB: Obviously these are contrived, but you get the idea: “Achieved x by doing y resulting in z.”

Use Action Words to Describe Your Accomplishments

Starting each bullet point with an action word makes your achievements sound more impactful and engaging. For example, instead of writing “Responsibilities included monitoring network traffic,” write “Monitored network traffic to identify and prevent potential security breaches, resulting in fewer false positives.”

Keep it Concise

Your resume should be no more than 2 pages in length. Be selective about the information you include and focus on the most relevant and impressive achievements. Use a clear and easy-to-read font, and make sure your formatting is consistent throughout.

Use LinkedIn to Supplement Your Resume

LinkedIn is a powerful tool. It enables you to showcase your professional experience and connect with potential employers. Use your LinkedIn profile to provide additional detail on your work experience and accomplishments. Feel free to check out mine to see how I did this: https://www.linkedin.com/in/sethenoka/

Be Prepared to Speak to Anything on Your Resume

If it’s on your resume, you must be prepared to provide more detail if asked. Make sure you can speak confidently about your achievements and answer any questions the interviewer may have. If you find that challenging, maybe consider replacing or removing that item.

Skip the Career Objective and Other Exposition

Career objectives are unnecessary and take up valuable space on your resume (I used to have one, but since reviewing several resumes, I’ve discovered I never read them). Instead, focus on using the limited space to highlight your key strengths and accomplishments, and your tenure in each role (start/end date, at least the year, but the month helps, too).

The main thing is making sure your resume is up to date and tailored for the role for which you’re applying. Tailor your resume to the job you’re applying for because each job posting is unique, so your resume should be tailored to fit the specific requirements of that position. Highlight the skills and experiences that are most relevant to the job description and use similar language to that used in the posting.

A strong resume, in my experience, is results oriented. Remember to keep it concise, use the X-Y-Z Model, and be prepared to speak to anything on your resume during interviews.

For an example of a really not good resume, check out Lesley’s blog: https://tisiphone.net/2016/03/17/the-worst-infosec-resume-ever/

Invest in Your Resume

While it’s certainly possible to create a strong resume on your own, using a professional resume writing service can provide significant benefits. Just like everyone should have a mental health professional, everyone should consider using a professional resume writing service to help them achieve their career goals.

Professional resume writers are skilled in crafting resumes tailored to the specific needs of each client. They know what hiring managers and recruiters are looking for and can help you highlight your strengths and accomplishments in a way that’ll catch their attention.

Admittedly, a good resume writing service isn’t cheap, but it’s a valuable investment in your career. When considering the cost of a resume writing service, it’s important to think about the potential return on investment. If a professional resume can help you land a job with a salary that’s $10,000 higher than your current position, the ROI is significant when that increased remuneration is compounded year after year.

Do your homework: look for a company with a proven track record of success. Check their reviews, testimonials, and samples (where possible) from previous clients to get a sense of their expertise and abilities. Make sure the service includes a consultation with a professional writer, so you can collaborate on creating a resume that reflects your unique skills and experience.

Stand Out: Non-Work Experience

In addition to work experience, there are several other activities that you can pursue to enhance your skills and stand out while job hunting in DFIR. Here are some examples of non-work experience value adds:

Build a Home Lab

Setting up a home lab is a great way to gain hands-on experience with different tools and techniques. There are other articles on this blog to help you do that, or you could look at the book as a guide:

By pursuing these non-work experience value adds, you can demonstrate your passion and commitment to the DFIR field, while also building your skills and network. When interviewing for jobs, be sure to highlight any relevant experience or accomplishments, whether they come from work or non-work activities.

Win Over Interviewers: How Company Research Can Set You Apart

Before attending your interview (possibly even before applying to a company), you have to do your homework and research them. Here’s why:

1. Understand the company’s mission and values. This can help you tailor your responses to align with their goals and culture, e.g. Dragos’ mission Safeguarding Civilisation is something everyone at the company takes very seriously. Knowing that going in, you can tailor your responses to align with that mission (if you believe in it, of course)
2. Familiarise yourself with the company’s products or services. This enables you to demonstrate your interest in their work and provide insight into how you can contribute to their success
3. Researching the company’s recent news or accomplishments can help you identify potential discussion points or areas of mutual interest during the interview
4. Demonstrating your knowledge and interest in the company can set you apart from other candidates and show your commitment to the role
5. Researching the company can also help you prepare targeted questions for the interviewer, demonstrating your interest in learning more about the company and its culture
6. Check out the company’s social media channels and blog to see what they are posting about and what topics they are interested in. This can help you prepare relevant examples and insights to share during the interview
7. Understand the company’s competition and industry trends. This can help you provide thoughtful insights and ideas on how the company can stay ahead of the curve and remain competitive

By doing your homework, you’ll be better equipped to showcase your skills and experience in the context of the company’s needs and goals. You’ll be better prepared for the conversation you’ll have and the questions you’ll likely be asked. If you can, reach out to a few employees ahead of time and ask for their opinions on the company, the role, etc.

Be Prepared: Common Cybersecurity Interview Questions (and How to Respond)

Honestly, if you’ve ever gone to an interview without having some idea of the questions you’ll be asked, what are you even doing searching for a job. My point is: there’s so much information available online (practice questions, interview classes and workshops, flash cards, mentorship programs, the list goes on…) that you should be prepared for at least the most commonly asked questions, at least in a broad sense. I’ve captured a few of those here:

“I don’t know” 🤷

If you don’t know the answer to a question, it’s better to say “I don’t know” than to guess or make something up, in almost all situations, not just interviews. It’s perfectly reasonable not to know something, like the port DNS uses (UDP 53), or whether a decryptor for Lockbit 3.0 exists (it doesn’t as of this writing). Alternatively, make it known that you’re not sure, but you’ll take a stab at it, then reason it out. Using reason and logic to arrive at a conclusion, even if it’s not exactly correct, demonstrates that you have that capacity.

Levels or years of experience

The more years of experience you have, the more information, detail, or depth your interviewer is likely to expect. I don’t expect the same depth or breadth of experience from someone applying for a junior position as I do for something gunning for a principal or director role.

Overall, with the number of resources available to you via a quick Google search, there’s no excuse for being unprepared to articulate your technical skills, experience, and soft skills (e.g. communication and collaboration) during interviews. Additionally, you should be able to provide specific examples and anecdotes that demonstrate your ability to tackle real-world cybersecurity challenges.

Asking questions

You must ask questions at the end of the interview. It’s likely the interviewer(s) will ask you if you have any questions for them. This isn’t the time to be shy. You need to have a couple of questions prepared, otherwise you’ll seem disinterested or unprepared. Here are some that I like to use (again, not for the sake of it, you should be genuinely interested in the answers):

Again, don’t waste your opportunity to ask questions of the hiring team. You might gain intel and insight into the process in the first instance, but it’s also just another opportunity to help them say ‘yes, you are the candidate we want.’

Fundamentals: Key Concepts Every DFIR Professional Should Know

Here’s a selection of the concepts and frameworks that I’d recommend anyone in cybersecurity be familiar with. All models are wrong, but some are useful. I’d count these as useful.

NB: to be fair, Purdue Model and ICS Cyber Kill Chain are kind of niche and specific to ICS/OT. But the original kill chain is worth knowing, so by extension so is the ICS version. Purdue is something that’s just interesting, in my opinion, even if you’re not going to be dealing with industrial environments on a regular basis.

Purdue Model

The Purdue Model is a hierarchical model used to describe the flow of data through an industrial control system. This one’s helpful in identifying potential cybersecurity vulnerabilities or gaps and implementing appropriate architectural or other risk mitigating security measures.

ICS Cyber Kill Chain

A lot of us are familiar with the original Lockheed Martin Cyber Kill Chain, a model designed for IT environments that shows the steps an adversary must pass through to impact an environment and achieve actions on objectives. The ICS version is designed for use in industrial control system environments, outlining the stages of an ICS cyber-attack and providing guidance on how to detect and respond attacks in critical infrastructure.

MITRE ATT&CK

A knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations of cyber attacks. This one provides a comprehensive framework for understanding and categorising the various tactics, techniques, and procedures used by attackers during different stages of an attack.

ATT&CK for ICS is an extension of MITRE ATT&CK specifically designed for ICS/OT environments and aims to provide a similar framework for understanding the threats and risks to industrial systems, and to assist defenders in detecting and mitigating attacks on ICS/OT infrastructure.

Sliding Scale of Cybersecurity

A model used to evaluate an organisation’s (or just a networks) cybersecurity posture, considering the specific risks and threats faced, and providing guidance on how to improve security posture. This one’s primarily used by organisations to protect their networks, but I use it at home, too.

NIST IR Lifecycle/PICERL

The National Institute of Standards and Technology (NIST) Incident Response Lifecycle or PICERL model is a framework for incident response, outlining the steps one should take before, during, and after a cybersecurity incident.

Diamond Model for Intrusion Analysis

A model used for intrusion analysis, incorporating four key elements: threat actor, infrastructure, capability, and victim. By using all four elements, a more detailed understanding of an attack can inform appropriate response measures. This one is frequently used by intel analysts to identify and track threat groups.

Four Types of Threat Detection

A model outlining the four types of threat detection: signature-based (IOCs), anomaly-based (baselines), behaviour-based (threat behaviours analytics), and reputation-based (modelling). The reference provides guidance on which types to use in different scenarios, some are more valuable than others (i.e. Threat Behaviour Analytics).

Additional Resources: People Who Said it Better Than Me

In terms of specific resources that would be helpful to someone wanting to move into cybersecurity, Chris Sanders training is pretty decent, and relatively inexpensive. Besides that, there’s SANS FOR508, FOR500, and SEC504 certifications, though that’s much more expensive. You can mitigate some of that cost by applying for the SANS work-study program: https://www.sans.org/work-study-program/. Additionally, there are so many decent books from No Starch Press as well.

Other than that, these are the things I’d recommend taking a look at:

Training and Education

• https://www.cybrary.it/
• https://www.dfir.training/

Podcasts

• https://securityweekly.com/
• https://darknetdiaries.com/
• https://isc.sans.edu/podcast.html
• https://cybersecurityinterviews.com/

Books

• https://www.appliedincidentresponse.com/
• https://www.goodreads.com/book/show/41436213-sandworm
• https://www.goodreads.com/book/show/18465875-countdown-to-zero-day
• https://www.goodreads.com/book/show/18154.The_Cuckoo_s_Egg
• https://www.goodreads.com/book/show/17255186-the-phoenix-project
• https://www.goodreads.com/book/show/113934.The_Goal
• https://www.goodreads.com/book/show/8309416-malware-analyst-s-cookbook-and-dvd
• https://www.goodreads.com/book/show/10677461-practical-malware-analysis

And lastly, here are some references I’ve found very useful, and still return to from time to time:

https://www.inc-aus.com/bill-murphy-jr/google-recruiters-say-these-5-resume-tips-including-x-y-z-formula-will-improve-your-odds-of-getting-hired-at-google.html

https://www.robertmlee.org/a-collection-of-resources-for-getting-started-in-icsscada-cybersecurity/

https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/

https://tisiphone.net/2020/06/21/so-you-want-to-learn-ics-security/

In Conclusion

If you made it this far, well done and congratulations 🥳 Hopefully you find this useful. Let me know if you have any comments, if your experience has been different to mine, or if you think there are considerations that I forgot to mention. Good luck!