tl;dr: this blog aims to aggregate what I’ve found to be meaningful while job hunting in my career, and to be a useful resource to anyone interested in a career in DFIR. If you don’t care what I think, skip to the bottom for people who said it better than me.
I’ve been thinking about and talking to a lot of early-career professionals recently and wanted to document some of the discussions we’ve had. A lot of people seem lost; they want a career in cybersecurity but don’t really know where to start.
It can be difficult when there are so many different roles and job titles and little standardisation. The requirements for a role can differ vastly depending on the hiring manager and the HR team (not to call anyone out, it’s a fast moving field and it’s hard to keep up). There’s no shortage of advice like this; I realise of course that a quick Google search brings up a multitude of similar blogs, but if people are still asking ‘where do I start,’ at least having written this I have somewhere to point them for a quick rundown of my thoughts.
A quick word on job opportunities generally before we get into the material proper: I don’t have much experience with the job market in the US or the EU so I can’t comment with authority on the level of demand for cybersecurity professionals, much less which types of cybersecurity professional are most needed. However, cybersecurity is a growing industry and that isn’t going to change: cybersecurity is a global industry and companies everywhere are becoming more aware of the need to protect their assets from adversaries, so the job market will continue to trend up, globally.
Cybersecurity Career Paths
There are so many jobs and job titles in cybersecurity now, separating and filtering them can be challenging. My background is digital forensics and incident response (DFIR), so this’ll be slanted that way. There’ll be overlap in other areas, I’m sure.
DFIR is an area of cybersecurity that focuses on investigating and responding to security breaches and incidents. DFIR professionals use various techniques and tools to identify the source or root cause of a security incident, collect evidence, and prevent future attacks.
There are several different types of roles within DFIR, including (in what I think is order of seniority):
- Network and Systems Administrator (where I started)
- These are the people responsible for the day-to-day operations of a network and its endpoints. They design, install, configure, and maintain networks and systems, and then monitor, troubleshoot, and optimise network performance, ensuring high availability and security
- SOC Analyst
- Monitor network traffic and security logs to identify potential security incidents, then investigate and respond to security events, performing analysis and providing recommendations for remediation. The SOC can also perform vulnerability assessments and manage security systems, like firewalls, IDS/IPS, and SIEM. In most cases, the SOC will hand off to a specialist incident response team when things get too sophisticated
- Forensic Examiner
- Responsible for conducting investigations into cybercrime, meaning this title is usually used by Law Enforcement, and less so in the broader community (in my experience). They collect and analyse digital evidence, prepare reports, and present findings in court
- Digital Forensic Analyst
- Responsible for identifying and collecting digital evidence related to a security incident. Must have a deep understanding of computer systems, networks, and digital storage media. The difference here is that digital forensic analysts are usually outside of Law Enforcement, working for consultancies or internal forensics teams at large organisations
- Incident Responder
- Responsible for responding to and managing security incidents as they occur. Must be able to quickly identify the nature of an incident, contain it, and develop a plan to mitigate the damage. Can be part of a SOC, or a managed SOC. Usually part of a consultancy or more mature large organisation
Other Career Paths
Outside of DFIR, there are a lot of other really interesting roles as well:
- Malware Analyst
- Responsible for identifying and then analysing malware in an environment. Must be able to reverse engineer malware to understand how it works and develop tools to defend against it
- Penetration Tester
- Conduct controlled, sanctioned attacks on systems, networks, and applications to identify vulnerabilities and weaknesses so they can document findings and provide recommendations for remediation to stakeholders, closing gaps in security
- Threat Intelligence Analyst
- Monitor and analyse threats to identify potential security incidents or risks. Threat intel teams collect and analyse threat intelligence data from multiple sources to develop and maintain threat intelligence reports, providing recommendations to stakeholders. Examples of the threats an analyst might be interested in are available on the Dragos website: https://www.dragos.com/threat-groups/
Skills needed for any of these roles
In terms of the particular skills required, it really depends on if you want to be a security generalist, or a specialist. Each of these areas lends itself to certain personality types, traits, and skillsets.
If your interest lies in digital forensics, find learning material online (YouTube is a great place to start, and then Cybrary, Udemy, or any of several other online academies). Alternatively, capture the flag (CTF) type contests that test for and build those skills, and think about taking commercial classes (which I’ll delve into later in the blog).
If you’re interested in incident response, look for materials and exercises that focus on those skills, and understand that you need to be the kind of person who thrives under pressure and is able to stay calm in the face of adversity (from all angles, adversary and client alike). Understand that there are many other specialties, it’s just that these two are mine so I feel comfortable speaking about them.
The day-to-day of DFIR
In addition to the skills needed for any specialty, you’ll likely need other skills (depending on the company you work for). As an incident response consultant, for example, client engagements won’t always be incidents. Sometimes it’ll be proactive stuff like architecture reviews, tabletop exercises, IRP development workshops, etc.
Having a really good grounding in at least one of network, memory, or disk forensics is necessary (our focus at Dragos is network, my background is heavily in disk, but any of the three is useful). If you can program or script, that’s a bonus. Outreach is important, too, so being interested in writing blogs, white papers, and submitting to CFPs is a nice to have, but not a requirement. Besides that it’s all experience and being able to communicate effectively to audiences of different technical ability. If you can help a client go from preparation and detection through to remediation, you’ve probably got the right skillset.
Other roles in cybersecurity (it’s a very broad field)
I’m probably missing someone, but this is a reasonable list of the jobs that are available to you in cybersecurity (excluding risk management and GRC with which I’m not super familiar). If any of these interest you, do your own research to figure out where your skill set matches up, and your personality (e.g. if you work well under pressure and tend to keep calm, incident response might be a good choice, otherwise, maybe not so much). Once you’ve decided which role makes the most sense, it’s time to brush up that resume.
Sell Yourself: Crafting Your Resume
Your resume is your sales pitch. As such, preparing a strong resume is critical when applying for jobs in any field, but definitely DFIR. Here are some tips for creating a standout resume:
Use Google’s ‘X-Y-Z’ Model
This model emphasises results and impact over responsibilities. Rather than listing your job duties or copy-pasting your JD, focus on specific accomplishments and achievements. You have 3 – 5 bullet points to highlight quantifiable results, such as “Reduced incident response time by 50% using automation, resulting in 100% YoY retainer growth” or “Identified and removed over 1,000 instances of malware by implementing new processes for more than 50 clients.”
NB: Obviously these are contrived, but you get the idea: “Achieved x by doing y resulting in z.”
Use Action Words to Describe Your Accomplishments
Starting each bullet point with an action word makes your achievements sound more impactful and engaging. For example, instead of writing “Responsibilities included monitoring network traffic,” write “Monitored network traffic to identify and prevent potential security breaches, resulting in fewer false positives.”
Keep it Concise
Your resume should be no more than 2 pages in length. Be selective about the information you include and focus on the most relevant and impressive achievements. Use a clear and easy-to-read font, and make sure your formatting is consistent throughout.
Use LinkedIn to Supplement Your Resume
LinkedIn is a powerful tool. It enables you to showcase your professional experience and connect with potential employers. Use your LinkedIn profile to provide additional detail on your work experience and accomplishments. Feel free to check out mine to see how I did this: https://www.linkedin.com/in/sethenoka/
Be Prepared to Speak to Anything on Your Resume
If it’s on your resume, you must be prepared to provide more detail if asked. Make sure you can speak confidently about your achievements and answer any questions the interviewer may have. If you find that challenging, maybe consider replacing or removing that item.
Skip the Career Objective and Other Exposition
Career objectives are unnecessary and take up valuable space on your resume (I used to have one, but since reviewing several resumes, I’ve discovered I never read them). Instead, focus on using the limited space to highlight your key strengths and accomplishments, and your tenure in each role (start/end date, at least the year, but the month helps, too).
The main thing is making sure your resume is up to date and tailored for the role for which you’re applying. Tailor your resume to the job you’re applying for because each job posting is unique, so your resume should be tailored to fit the specific requirements of that position. Highlight the skills and experiences that are most relevant to the job description and use similar language to that used in the posting.
A strong resume, in my experience, is results oriented. Remember to keep it concise, use the X-Y-Z Model, and be prepared to speak to anything on your resume during interviews.
For an example of a really not good resume, check out Lesley’s blog: https://tisiphone.net/2016/03/17/the-worst-infosec-resume-ever/
Invest in Your Resume
While it’s certainly possible to create a strong resume on your own, using a professional resume writing service can provide significant benefits. Just like everyone should have a mental health professional, everyone should consider using a professional resume writing service to help them achieve their career goals.
Professional resume writers are skilled in crafting resumes tailored to the specific needs of each client. They know what hiring managers and recruiters are looking for and can help you highlight your strengths and accomplishments in a way that’ll catch their attention.
Admittedly, a good resume writing service isn’t cheap, but it’s a valuable investment in your career. When considering the cost of a resume writing service, it’s important to think about the potential return on investment. If a professional resume can help you land a job with a salary that’s $10,000 higher than your current position, the ROI is significant when that increased remuneration is compounded year after year.
Do your homework: look for a company with a proven track record of success. Check their reviews, testimonials, and samples (where possible) from previous clients to get a sense of their expertise and abilities. Make sure the service includes a consultation with a professional writer, so you can collaborate on creating a resume that reflects your unique skills and experience.
Stand Out: Non-Work Experience
In addition to work experience, there are several other activities that you can pursue to enhance your skills and stand out while job hunting in DFIR. Here are some examples of non-work experience value adds:
Build a Home Lab
Setting up a home lab is a great way to gain hands-on experience with different tools and techniques. There are other articles on this blog to help you do that, or you could look at the book as a guide:
Collaboration on Git and Open-Source Projects
Creating and working on your own or collaborating with others on open-source projects via platforms like GitHub can also help you build your network and demonstrate your skills to potential employers.
Write Your Own Security Research Blog
Writing a blog focused on security research can be a great way to showcase your expertise and insights. By sharing your research and analysis with others, you can build your personal brand and establish yourself as a thought leader in the field. I might cover this in a later blog, but it’s not necessary to generate novel research (that’s a bonus); it’s perfectly reasonable to cover research that’s been done before and approach it from a new angle or perspective. This isn’t just for employment opportunities, but for your own reference as well. A good way to approach it if you struggle for ideas like me is to participate in or complete CTFs and then write up your process and findings.
Complete Training and Get Certified
There are so many training programs and certifications available in DFIR, and obtaining these creds can demonstrate your commitment to continuous learning and professional development. Examples of popular certs include the GIAC Certified Incident Handler (GCIH) from SANS, and the Certified Computer Forensic Examiner (CFCE) from IACIS. If SANS is of interest to you, check out my other blog on getting SANS certified: https://sethenoka.com/a-roadmap-to-earning-your-first-or-next-sans-certification/
In my experience, certifications are most helpful for job hunters who have little experience in the field. If you’re a person who has 3 – 5+ years’ experience, there’s a law of diminishing returns that applies after a certain point, and getting more certs isn’t as helpful anymore. GIAC/SANS are the certifications that most hiring managers now focus on in cybersecurity, although certifications like the OSCP, CISSP, and others are also looked upon favourably.
NB: CISSP is favoured more by HR than by practitioners, more as a gatekeeping mechanism; the cert itself provides little practical value, in my opinion.
Community Outreach: Engagement via Presentations and CFPs
Getting involved in the DFIR community can help you build your network and establish yourself as a leader in the field. Consider submitting proposals to speak at conferences or events, or volunteering to lead a workshop or training session. This can help you build your reputation and gain valuable experience in public speaking and community outreach.
By pursuing these non-work experience value adds, you can demonstrate your passion and commitment to the DFIR field, while also building your skills and network. When interviewing for jobs, be sure to highlight any relevant experience or accomplishments, whether they come from work or non-work activities.
Win Over Interviewers: How Company Research Can Set You Apart
Before attending your interview (possibly even before applying to a company), you have to do your homework and research them. Here’s why:
- Understand the company’s mission and values. This can help you tailor your responses to align with their goals and culture, e.g. Dragos’ mission Safeguarding Civilisation is something everyone at the company takes very seriously. Knowing that going in, you can tailor your responses to align with that mission (if you believe in it, of course)
- Familiarise yourself with the company’s products or services. This enables you to demonstrate your interest in their work and provide insight into how you can contribute to their success
- Researching the company’s recent news or accomplishments can help you identify potential discussion points or areas of mutual interest during the interview
- Demonstrating your knowledge and interest in the company can set you apart from other candidates and show your commitment to the role
- Researching the company can also help you prepare targeted questions for the interviewer, demonstrating your interest in learning more about the company and its culture
- Check out the company’s social media channels and blog to see what they are posting about and what topics they are interested in. This can help you prepare relevant examples and insights to share during the interview
- Understand the company’s competition and industry trends. This can help you provide thoughtful insights and ideas on how the company can stay ahead of the curve and remain competitive
For example, when I applied to Dragos, I looked at all the material I could to get a leg up. Luckily, they put out a lot, so there was plenty available. I was able to watch their YouTube videos to get an understanding of how they worked, what they were interested in, which frameworks they referred to. I got an understanding of the company culture. I was able to reference their blogs and white papers during the interview process. All of which added to my eventual pitch for myself as a potential hire.
By doing your homework, you’ll be better equipped to showcase your skills and experience in the context of the company’s needs and goals. You’ll be better prepared for the conversation you’ll have and the questions you’ll likely be asked. If you can, reach out to a few employees ahead of time and ask for their opinions on the company, the role, etc.
Be Prepared: Common Cybersecurity Interview Questions (and How to Respond)
Honestly, if you’ve ever gone to an interview without having some idea of the questions you’ll be asked, what are you even doing searching for a job. My point is: there’s so much information available online (practice questions, interview classes and workshops, flash cards, mentorship programs, the list goes on…) that you should be prepared for at least the most commonly asked questions, at least in a broad sense. I’ve captured a few of those here:
- Tell me about yourself
- This open-ended question often catches candidates off guard, and it really shouldn’t because it’s almost always the first question you’ll be asked. This is an opportunity to sell yourself. Focus on your experience, your strengths and your passion for cybersecurity. Don’t go all the way back to the beginning of time; it’s usually best to focus on the last ~10 years, with the most focus being on the last 3 – 5 years of your career
- What inspired you to pursue a career in cybersecurity?
- This is designed to test your motivation and enthusiasm for the field. It sounds a bit trite, but it’s a common question. Be honest, show some personality, and highlight any personal experiences that sparked your interest in cybersecurity
- Alternative: What is your understanding of cybersecurity, and why do you want to work in this field?
- This question tests your knowledge of the field and your motivation for pursuing a career in cybersecurity. A good answer would highlight your understanding of the importance of cybersecurity in today’s digital age and your passion for protecting organisations and individuals from cyber threats. Even better if you can name and talk about a specific breach or incident
- What are your strengths and weaknesses?
- Be honest but focus on your strengths, and explain how you’re working to improve any weaknesses. Avoid any statement like “I work too hard, I care too much,” trying to use strengths as weaknesses will not win you any points, but can count against you, depending on your interviewer. Chances are they’ve heard it all before, so just be honest
- What are your favourite cybersecurity tools?
- This is one of those times you’ll be speaking about the things on your resume. Be prepared to discuss your experience with common cybersecurity tools and explain why you prefer them. For example, I prefer X-Ways over Encase, it’s objectively superior for several reasons, but mostly because the functionality is greater in several ways. If you’re interviewing at an Encase shop, make sure you have facts to back up your arguments. Also, if you list KAPE, FTK, Velociraptor, Elastic Stack, any specific tool on your resume, be prepared to discuss it in depth
- Alternative: What tools and technologies are you familiar with in the cybersecurity space?
- Again, tests your knowledge of cybersecurity tools and technologies and your experience using them. A strong answer would demonstrate familiarity with common cybersecurity tools such as SIEMs, firewalls, forensic suites like SIFT, TheSleuthKit, AXIOM, X-Ways, and vulnerability scanners and highlight your experience using them to identify and mitigate threats
- Tell me about a time you faced a challenging client and how you overcame it.
- Designed to figure out how you handle pressure and challenging situations. If you had a client make the active choice to accept the risk and not mitigate and remediate an incident, this is the time to pull out that story. If you’ve not had that experience, but you’ve heard of someone who has, you can also tell their story, but modify it by following up with how you’d handle that situation. Use the STAR method (Situation, Task, Action, Result) to structure your response, and focus on the steps you took – or would take – to resolve the issue
- Alternative: Tell me about a time you failed and how you recovered or turned that into something positive.
- This question is supposed to test your resilience and problem-solving skills. Everyone’s failed at some point, don’t pretend you haven’t. Make sure you have this story in your back pocket. Own it and explain how you learned from it and turned it into a positive outcome, even if it wasn’t positive in the moment and it was only later that you saw the good in the situation and improved
- What are the different types of cyber-attacks, and how would you defend against them?
- This question assesses your technical knowledge of cybersecurity and your ability to articulate your understanding of various cyber-attacks and relevant defence mechanisms. A strong answer would demonstrate your knowledge of different types of attacks, e.g. phishing, malware, and denial of service (DoS), and provide examples of how you would defend against them. Bonus points if you can reference a well-known breach or incident in your answer
- Can you walk me through a recent security incident/case/engagement you worked on and how you resolved it?
- Evaluates your real-world experience in cybersecurity and your ability to troubleshoot and solve problems. An effective answer would describe a specific incident you were a part of and the steps you took to identify and remediate the issue, highlighting your technical skills and ability to work under pressure
- How do you stay up to date on the latest cybersecurity threats and trends?
- This question assesses your commitment to professional development and your ability to stay current in a constantly evolving field. A good answer would highlight your involvement in industry associations, attendance at conferences and webinars, and engagement with relevant blogs and podcasts.
- How do you prioritise cybersecurity risks within an organisation?
- Evaluates your ability to think strategically and prioritise risks based on potential impact, likelihood, and consequences. An effective answer would describe a risk assessment process and how you might weigh various factors such as data sensitivity, attack surface, number of users or customers impacted, and regulatory compliance to determine risk priority
- Can you describe your experience working with cross-functional teams on cybersecurity initiatives?
- This question tests your ability to collaborate with other teams and stakeholders to implement cybersecurity best practices. A strong answer would highlight specific projects or initiatives where you worked closely with other departments, e.g. IT, legal, or compliance, to ensure alignment and buy-in
Just for fun, here’s a quote from Lesley Carhart on the professional curiosity and passion piece:
“What divides an ‘okay’ information security candidate from a great one is the motivation to learn more about the field outside work, every week,” she said. “What this looks like depends on by niche — perhaps working in a home lab or reading new computer legislation.” … “Regardless, people who have no interest in the field outside of business hours will quickly find themselves at a disadvantage in the market,” she said.https://www.zdnet.com/article/security-experts-explain-how-to-make-it-in-infosec/
“I don’t know” 🤷
If you don’t know the answer to a question, it’s better to say “I don’t know” than to guess or make something up, in almost all situations, not just interviews. It’s perfectly reasonable not to know something, like the port DNS uses (UDP 53), or whether a decryptor for Lockbit 3.0 exists (it doesn’t as of this writing). Alternatively, make it known that you’re not sure, but you’ll take a stab at it, then reason it out. Using reason and logic to arrive at a conclusion, even if it’s not exactly correct, demonstrates that you have that capacity.
Levels or years of experience
The more years of experience you have, the more information, detail, or depth your interviewer is likely to expect. I don’t expect the same depth or breadth of experience from someone applying for a junior position as I do for something gunning for a principal or director role.
Overall, with the number of resources available to you via a quick Google search, there’s no excuse for being unprepared to articulate your technical skills, experience, and soft skills (e.g. communication and collaboration) during interviews. Additionally, you should be able to provide specific examples and anecdotes that demonstrate your ability to tackle real-world cybersecurity challenges.
You must ask questions at the end of the interview. It’s likely the interviewer(s) will ask you if you have any questions for them. This isn’t the time to be shy. You need to have a couple of questions prepared, otherwise you’ll seem disinterested or unprepared. Here are some that I like to use (again, not for the sake of it, you should be genuinely interested in the answers):
- What qualities do successful employees in this team/role need to have?
- Asking this question shows you’re interested in understanding what the company values and what kind of employees they’re looking for. It can also give you insight into the company culture and whether you’d be a good fit for the role and vice-versa (this interview goes both ways)
- What do you see as the most challenging aspect of this position?
- Demonstrates you’re willing to tackle challenges and are interested in understanding what the role entails. It can also help you prepare for potential difficulties you may encounter in the position, or raise red flags early in the process so you can bow out if necessary
- What are the opportunities for professional development within the company?
- This one can be tricky, you may need to read the room. This question shows you’re interested in advancing your skills and career. It also gives you an idea of what kind of growth potential exists within the company. Beware though: you run the risk of sounding like you’re only interested in the perks of the position. On the plus side, in most cases, if the interviewer takes it that way, you probably don’t want to work there anyway
- What do you like best about working for this company? (Or: Why do you work here?)
- I’ve caught people off guard with this one before, which wasn’t by design, but it does get them to let their guard down when that happens. Asking this question can help you get a sense of the company culture and what employees enjoy about working there. It can also give you insight into the interviewer’s experience with the company, and whether that’s been positive overall, or not
- What’s the next step in the interview process?
- Always good to know where you stand, and you might get some idea if there will be a next step. Asking this demonstrates you’re eager to move forward in the process and want to ensure that you’re aware of what to expect
Again, don’t waste your opportunity to ask questions of the hiring team. You might gain intel and insight into the process in the first instance, but it’s also just another opportunity to help them say ‘yes, you are the candidate we want.’
Fundamentals: Key Concepts Every DFIR Professional Should Know
Here’s a selection of the concepts and frameworks that I’d recommend anyone in cybersecurity be familiar with. All models are wrong, but some are useful. I’d count these as useful.
NB: to be fair, Purdue Model and ICS Cyber Kill Chain are kind of niche and specific to ICS/OT. But the original kill chain is worth knowing, so by extension so is the ICS version. Purdue is something that’s just interesting, in my opinion, even if you’re not going to be dealing with industrial environments on a regular basis.
The Purdue Model is a hierarchical model used to describe the flow of data through an industrial control system. This one’s helpful in identifying potential cybersecurity vulnerabilities or gaps and implementing appropriate architectural or other risk mitigating security measures.
ICS Cyber Kill Chain
A lot of us are familiar with the original Lockheed Martin Cyber Kill Chain, a model designed for IT environments that shows the steps an adversary must pass through to impact an environment and achieve actions on objectives. The ICS version is designed for use in industrial control system environments, outlining the stages of an ICS cyber-attack and providing guidance on how to detect and respond attacks in critical infrastructure.
A knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations of cyber attacks. This one provides a comprehensive framework for understanding and categorising the various tactics, techniques, and procedures used by attackers during different stages of an attack.
ATT&CK for ICS is an extension of MITRE ATT&CK specifically designed for ICS/OT environments and aims to provide a similar framework for understanding the threats and risks to industrial systems, and to assist defenders in detecting and mitigating attacks on ICS/OT infrastructure.
Sliding Scale of Cybersecurity
A model used to evaluate an organisation’s (or just a networks) cybersecurity posture, considering the specific risks and threats faced, and providing guidance on how to improve security posture. This one’s primarily used by organisations to protect their networks, but I use it at home, too.
NIST IR Lifecycle/PICERL
The National Institute of Standards and Technology (NIST) Incident Response Lifecycle or PICERL model is a framework for incident response, outlining the steps one should take before, during, and after a cybersecurity incident.
Diamond Model for Intrusion Analysis
A model used for intrusion analysis, incorporating four key elements: threat actor, infrastructure, capability, and victim. By using all four elements, a more detailed understanding of an attack can inform appropriate response measures. This one is frequently used by intel analysts to identify and track threat groups.
Four Types of Threat Detection
A model outlining the four types of threat detection: signature-based (IOCs), anomaly-based (baselines), behaviour-based (threat behaviours analytics), and reputation-based (modelling). The reference provides guidance on which types to use in different scenarios, some are more valuable than others (i.e. Threat Behaviour Analytics).
Additional Resources: People Who Said it Better Than Me
In terms of specific resources that would be helpful to someone wanting to move into cybersecurity, Chris Sanders training is pretty decent, and relatively inexpensive. Besides that, there’s SANS FOR508, FOR500, and SEC504 certifications, though that’s much more expensive. You can mitigate some of that cost by applying for the SANS work-study program: https://www.sans.org/work-study-program/. Additionally, there are so many decent books from No Starch Press as well.
Other than that, these are the things I’d recommend taking a look at:
Training and Education
And lastly, here are some references I’ve found very useful, and still return to from time to time:
If you made it this far, well done and congratulations 🥳 Hopefully you find this useful. Let me know if you have any comments, if your experience has been different to mine, or if you think there are considerations that I forgot to mention. Good luck!