Anyone else here move from 5+ years "general" IT (helpdesk/network configurator/sysadmin) to Cyber Security (specifically Incident Response)?

I have my first big "true" Cyber Security / DFIR job interview coming up at a bank since I got a CISSP a few months back - curious if anyone else has done similar, and what the interview process is like.

I have a gist from Google searches, but that only tells me so much.

If you have the CISSP certification, you're probably going to know enough to hit the ground running. A lot of the kidiots I've worked with come out of school with degrees in CS, but they don't know how to do anything. This is why you can get someone with a pulse, send them to a bootcamp for 12 weeks, teach them how to write CRUD apps and use valuable skills like how to use JIRA, and they wind up making like $55k a year to start.

Similarly, most of the people I know who have degrees in cyber security can't do anything practical, have never gone through an actual code review, have no idea how enterprise level code should look, yet simultaneously have terrible attitudes because they think their education makes them more employable. In fact, most of the people I've seen trying to bridge into security just have a sec+. With the CISSP you know enough practical shit that you can be taught.

Cool, thanks for the insight.

To keep my skills sharp I just knocked out eJPT (simple pen test lab), do HackTheBox and am going for my OSCP as well this year.

For the record, I'm working on a masters in cyber security and already have recruiters at google blowing up my inbox. It's such an in demand field that people are doing anything to hire these guys. If you're willing to learn and grow, you'll do fine.

That's awesome! I was a bit stunned; I had an initial phone screen and they told me they were sending me straight to final on-prem next week.

I did my cyber security education kind of in a silo - I've always been interested in it, I didn't even know it was its own field. I was doing shit just like this in 2009 as a sysadmin for an ISP, just thought like an attacker might. My jaw dropped when I found out cybersecurity was its own field (I took a several year hiatus from IT to grow an electronics company).

While working my current IT job (general IT), as soon as I got the offer 2 years ago I made an excel list of the most common CS certs I saw and quietly got 5 of them.

Ah, you were a sysadmin for an ISP, can I ask you a question?


My dad and I were debating this the other day, but how much information do they keep on their users and the sites they visit? More importantly, do they pay closer attention to you / keep a list / notice if you use tor? I know you were working a while ago and things might have changed, but my dad and I were trying to figure this out in a car ride once (I think he's convinced your ISP can't even tell if you're using it).

I'm in a similar boat. My dad was a network engineer so I grew up doing this stuff most of my life. He does like management now and his tech skills are kind of lax.

Funny you should ask this, this was part of my duties, and I was chosen specifically because of my investigative ability (and that's part of why the switch to cyber security feels natural to me).

In short, yes, absolutely - we had a separate "watchlist" of customer IDs and watched for abuse patterns. More than once I had to liaise with law enforcement to turn over logs.

You wouldn't last a month.

A slut will most likely get you fired for sexual harassment accusations.

Soooo many questions.

So wait, what constitutes an "abuse" pattern? Just using tor? Using it regularly?

Are there general timelines involved? Like, how long between using it would it take law enforcement to get involved or whatever?


I remember because there was this hot debate in my actual CISSP class over whether or not TOR was even worth using because it ostensibly draws a lot of attention to you from your ISP.

1. how old are you?
2. where do you live?
3. what is your current occupation?
4. list your top 5 skills
5. post timestamp
6. DO IT FAGGOT!!!

Sorry, I was speaking in generalities, not specifically TOR.

Patterns of abuse // things that triggered watching were stuff like:

1) "anomalous" traffic changes from normal profile
2) attempting to map or bruteforce our infra
3) things like setting up a mail server on "residential" lines (we could see the traffic types, some would flag an alert..)
4) same with personal webhosting (ok to a point, but after certain bandwidth it becomes an automated alert)

Basically Terms of Use / Terms of Service things mostly.

On TOR - couldn't directly see WHAT you were seeing.

Snowden's "PRISM" release showed organizations (some of which I handed connection data to) had their own secret tap, doing a shadow copy of all network traffic. We didn't know it at the time, and had no way of knowing.

Our retention wasn't like that (think more "connection logs"). 7 days unflagged, up to 90 flagged.

I'm in appsec, but looking at what the IR people around me do, the majority of the job is about defining processes, performing these processes, aggregating data from tools, threat hunting, and appeasing the needs of the people doing the SOC reports. Not so much hard technical skills but doing things in a methodical way.

I bet that if you can demonstrate the level of knowledge you need to have earned CISSP then your tech skill is fine, and you'll mostly want to be showing how you can think about security as a function of the business.

I'm sitting around today working on HTB shit, hoping to go for my OSWE later this year. Good luck on OSCP!

Super informative. Thanks for this information bro.

I always feel like ISPs are black boxes when it comes to privacy. You never know how much they know about you.


I feel like those "abuses" are weird. When you were talking about abuses, I was thinking more of like people buying drugs online or something. I'm not sure why setting up a mail server or personal webhosting would be an issue.


What constitutes "anomalous" traffic?

Will keep this stuff in my mind on my on-prem this week. I'm to the point where I'm sick of reading about theory and passing exams; I get it. Frankly, CISSP felt "low" tech.

I'm hungry to work in this field! The goal is to eventually be a pentester, but I will take just about any CS job to get started.

>>I feel like those "abuses" are weird.
I get you, but it's not, especially when you think about the business first. Always.

>>What constitutes "anomalous" traffic?
Broad subject.

Most were significant pattern changes - traffic goes from 70mb a week (think grandparents with email) to 3gb a day (non-holiday).

I forget - there were 3 or 4 big alert types, but change in daily (metered) use not fitting a longstanding pattern was the most common. I think modem uncapping was another big one.
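As an added example that is not part of this thread: a small Python model of the watchlist behaviour described above (a day of usage that breaks a longstanding pattern gets the customer ID flagged, and flagged IDs keep connection logs for 90 days instead of 7). The thresholds, the record layout and the two sample accounts are assumptions constructed for the example, not the ISP's real rules.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

# Assumed thresholds for the example (the post gives no exact numbers).
ANOMALY_FACTOR = 10.0      # flag a day that is 10x the customer's daily norm...
MIN_ABS_MB = 500.0         # ...and at least 500 MB, so tiny baselines don't false-alarm
RETENTION_UNFLAGGED = 7    # days of connection logs kept for ordinary customers
RETENTION_FLAGGED = 90     # days kept once a customer ID is on the watchlist


@dataclass(frozen=True)
class UsageRecord:
    customer_id: str
    day: date
    megabytes: float


def daily_baseline(history, customer_id, as_of, weeks=4):
    """Mean MB/day over the previous `weeks` weeks, excluding `as_of` itself."""
    start = as_of - timedelta(days=7 * weeks)
    window = [r.megabytes for r in history
              if r.customer_id == customer_id and start <= r.day < as_of]
    return mean(window) if window else 0.0


def is_anomalous(baseline_mb, today_mb):
    """A pattern change, not merely heavy use: large AND far above the norm."""
    return today_mb >= MIN_ABS_MB and today_mb >= ANOMALY_FACTOR * baseline_mb


def update_watchlist(history, as_of, watchlist):
    """Add every customer whose usage on `as_of` breaks their own pattern."""
    for r in history:
        if r.day == as_of and is_anomalous(
                daily_baseline(history, r.customer_id, as_of), r.megabytes):
            watchlist.add(r.customer_id)
    return watchlist


def prune_logs(history, as_of, watchlist):
    """Apply the 7-day / 90-day retention split from the post."""
    def limit(r):
        return RETENTION_FLAGGED if r.customer_id in watchlist else RETENTION_UNFLAGGED
    return [r for r in history if as_of - r.day <= timedelta(days=limit(r))]


def build_sample():
    """Constructed data: cust-A is a ~70 MB/week account that suddenly moves 3 GB in a
    day; cust-B streams 2 GB every day, which is heavy but not a pattern change."""
    today = date(2024, 3, 29)
    recs = [UsageRecord("cust-A", today - timedelta(days=d), 10.0) for d in range(1, 29)]
    recs.append(UsageRecord("cust-A", today, 3000.0))
    recs += [UsageRecord("cust-B", today - timedelta(days=d), 2000.0) for d in range(0, 29)]
    return recs, today
```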

If you're still around, do you feel the "talent shortage" is a myth? Or changing? I almost feel like I got into my field "too late" because I was developing another company (developing embedded firmware, learned it on the fly lolz) and therefore had tunnel vision.

I understand it takes a pretty tall skill set in IT to do some of this stuff - I have Windows Server administration, Linux administration, and maybe not a lot of guys in their early 30s have done what I have. I get imposter syndrome pretty easily (I know how to do this so everyone does, etc).

I even contributed kexts to hackintosh (that's actually more how I learned Linux more deeply), and was doing HTTP / directory / FTP traversals when I was a teenager (though I didn't consider that "hacking").

It's good to be in infosec right now. Everyone is hiring. It's a highly in demand skill set. I think pivoting to security from a background in IT should be a pretty smooth transition.

Again, my experience is in appsec, which is a less well developed area in security and it feels like recruiters are beating down my door.

I moved from just being a dev to appsec within the last few years. I don't regret the move.

Sorry I can't speak more directly to the IT side of things, but I believe that the talent shortage is real based on the number of cold calls I get for jobs with big name orgs.

Well, I do Cyber Security but I work for the government so...

Same, but I'm not a TS/SCI worker. Gov contractor doing network/desktop config/deploy and MIS (management information systems)

Excellent. Glad for the insight. Like I said, I kinda silo'd myself off (after a bad breakup) and just kept focusing on credentials to break in. I literally walked out from a Pearson Vue testing center, got on my phone, and scheduled the next exam.

I didn't even make a LinkedIn or go on Indeed. I've been selectively sending out my resume to organizations. Maybe it's time to change that.

Here's another insight OP.

I started in Infosec but pivoted quickly into Cloud, got certs in AWS, Azure, and GCP, and with my Cybersecurity exp and background, do you know how many recruiters I deal with weekly as a Cloud Security Engineer? 80% of my day is defining role based policy and ensuring VPCs have the right kind of connectivity they need for the apps inside. It gets kinda boring but it's stupid pay for the amount of effort doing this kinda work.

Glad to help. Good luck. It's a fun area of IT, and I thank my lucky stars that I get to get paid to sit around reading about exploits so I can tell the developers to not do that shit.

Right on -- I am actually planning on an AWS cert this year along with my OSCP.

I moved some of our info to AWS GovCloud and from a previous sysadmin standpoint, AWS is very familiar and straightforward.

Since you're going down the Security route I highly suggest the AWS Security Specialty cert. Oh yeah and like 70% of the exam is on Whizlabs for like 15 bucks.

Bookmarked, will purchase tonight.

Kudos to you, user!