
Getting started in IR or threat hunting?


tanner


Hey y'all, I'm looking for a bit of advice.

A bit of context about my background: I've been in security for about a year and a half now, and did on-site tech support for a year and a half before that, so I'm obviously pretty early in my career still. I don't currently have a degree but I'm working on one from WGU.

I am currently in OT security at my company, and we're basically building this program from scratch. The problem is that I hate it, to the point that I absolutely would've quit by now if I could afford to. (I could complain a bunch about how I ended up here, but I'll keep that to myself for now...)

I like to get my hands dirty, dig into things, figure out the "whos, whats, wheres, hows", etc. Before this, I did endpoint security stuff at my company. I really did enjoy that, especially when I'd come across stuff that shouldn't be happening in the network. Even though this was never technically part of my job, I would often go through the proxy and firewall logs in Splunk to find suspicious traffic and look at threat events in McAfee.

What I don't like is spending all day in meetings, talking about how each individual company policy relates to SP800-171, or how we plan on communicating a new policy to the rest of the company. As you can probably guess, this is what my day looks like right now. I do realize these will be part of pretty much any job in infosec, but ideally not the entire job.

Anyway. I think I want to get into the threat hunting or IR field. However, I have no idea how. Every "entry-level" job for one of these that I see requires at least a degree, and usually experience in a SOC. The actual entry-level stuff always pays *significantly* less than I'm making now. Like, often times less than I made doing tech support. I have no idea how to actually get started in this area. There seems to be all sorts of resources for red team out there, but not so much for blue.

If anybody has any advice on how to get started in this, I'd really really appreciate it.

Thanks!


Seems like you have a good background in security. Why not apply? From my experience, working in the field in a meaningful manner will trump a degree, so I think you should be fine. If you're worried about lacking the skillset, I would look at some resources related to Splunk, YARA, Snort, and establishing baselines.


As @ChickenKing said, don't let not having a degree discourage you from applying for basically anything in this field. I actually can't name anyone off the top of my head in infosec that has a degree related to the industry.


7 minutes ago, jubjub said:

 I actually can't name anyone off the top of my head in infosec that has a degree related to the industry.

Allow me to introduce myself :classic_laugh: I actually have a 4yr in cybersecurity and networking. It definitely helped me in my case, but I totally understand that it won't help everyone. Besides, the big value I got out of the degree was the eligibility for internships, which then helped me land jobs.


Just now, ChickenKing said:

Allow me to introduce myself :classic_laugh: I actually have a 4yr in cybersecurity and networking. It definitely helped me in my case, but I totally understand that it won't help everyone. Besides, the big value I got out of the degree was the eligibility for internships, which then helped me land jobs.

I dropped out of my cybersecurity degree because I had to spend 2 years doing anything that wasn't computing related in order to actually get to computing papers 😂


20 hours ago, ChickenKing said:

Allow me to introduce myself :classic_laugh: I actually have a 4yr in cybersecurity and networking. It definitely helped me in my case, but I totally understand that it won't help everyone. Besides, the big value I got out of the degree was the eligibility for internships, which then helped me land jobs.

Right there with you. It was useful in learning to some degree, but more than anything it got me past the HR gatekeepers.


Hi

There is a blue team path on TryHackMe that will introduce you to a lot of the tools that are used in most companies.

Your background in tech support will certainly help in incident response. A lot of my current colleagues started out doing tech support in their early jobs, and it pays dividends now in understanding how the technology that is being compromised actually works.

I would not be put off by the minimum requirements. Just get some hands-on experience with the likes of TryHackMe and also cyberdefense, and when you go for the interviews, you just need to show your methodology when you are asked questions.

When we interview people, it's not whether they can answer the questions right or wrong, but more about the mindset: how do you find the information if you don't immediately know the answer? DFIR requires a lot of experience and knowledge. You can't know everything, but if you think in a certain way, you can usually find the right answers with the help of your colleagues and some Google-fu.


21 hours ago, ChickenKing said:

Seems like you have a good background in security, Why not apply? From my experience, working in the field in a meaningful manner will trump a degree, so I think you should be fine. If you're worried about lacking the skillset, I would look at some resources related to Splunk, YARA, snort, and establishing baselines. 

Oh I've definitely been applying. I've probably applied to a dozen or so within the last couple months, including a few within my company's sister companies. Either ghosted or rejected without an interview. Tbh I'm kinda guessing my resume is crap, so I might end up biting the bullet and paying somebody to help me with it 😅


1 hour ago, stealyourface said:

Right there with you. It was useful in learning to some degree, but more than anything it got me past the HR gatekeepers.

That's kinda where I'm at now too. Fun thing is that when I was converting from a temp contractor to full-time at my current company, they almost withdrew my offer because I don't have a degree. After I had been working the job for six months as a contractor.


I appreciate all the tips!


22 hours ago, tanner said:

I am currently in OT security at my company, and we're basically building this program from scratch. The problem is that I hate it, to the point that I absolutely would've quit by now if I could afford to. (I could complain a bunch about how I ended up here, but I'll keep that to myself for now...)

By OT, I assume you are referring to Operational Technology? If you can get out of the more governance side of that role (which it seems like you are stuck in now) and really get hands on with ICS/OT security, you can pretty much write your ticket at most firms. It is such a niche discipline within InfoSec, and very, very difficult to recruit externally for (I know from first-hand experience), that you would have almost zero issues getting a gig somewhere else.


1 hour ago, synackbar said:

By OT, I assume you are referring to Operational Technology? If you can get out of the more governance side of that role (which it seems like you are stuck in now) and really get hands on with ICS/OT security, you can pretty much write your ticket at most firms. It is such a niche discipline within InfoSec.... and very very difficult to recruit externally for (i know from first hand experience) you would have almost zero issues getting a gig somewhere else.

Yep! I've been in this role all of six months, so I'm still pretty new in OT overall. The company I'm at is shifting our business' IR to be OT-focused, and the corporate overlords are taking over the IT space. I'm definitely trying to build relationships with folks on that team as well. 

(Our parent company owns four businesses, and then there's corporate itself. It's kinda confusing, and I've spent a significant amount of time making diagrams that show all the mergers, acquisitions, and divestitures to new people on my team.)


2 hours ago, tanner said:

Oh I've definitely been applying. I've probably applied to a dozen or so within the last couple months, including a few within my company's sister companies. Either ghosted or rejected without an interview. Tbh I'm kinda guessing my resume is crap, so I might end up biting the bullet and paying somebody to help me with it 😅


That's kinda where I'm at now too. Fun thing is that when I was converting from a temp contractor to full-time at my current company, they almost withdrew my offer because I don't have a degree. After I had been working the job for six months as a contractor.


I appreciate all the tips!

Definitely review your resume. I've done a fair bit of interviewing, and recently we had a candidate that applied for an IR position but didn't get past HR due to his resume. He reapplied for another role a few months later with a cleaned up resume, got past HR, and was the absolute perfect candidate for the role he had originally applied for. Unfortunately the original role he applied for was already filled and he wasn't the best fit for the one he actually interviewed for, so we weren't able to offer him a position (but I still hold onto his resume and curse HR daily).

While the HR hurdle is an absolute bullshit one to clear, it's important to realize it's there and tailor your resume accordingly. You can still get past it without the degree. Once you clean it up, I'd echo what others have said here and say to keep applying. Show that you're motivated to get into IR/threat hunting by demonstrating learning you've done in your spare time. I've recommended plenty of people without degrees (and/or who started their careers in completely irrelevant fields) for hire because they demonstrate a real passion by doing independent study, projects, CTFs, certs, etc. You have enough relevant background to get hired if you have a well-tailored resume (include independent learning/projects on it!) and can demonstrate your enthusiasm in an interview.


On 11/7/2022 at 1:55 PM, tanner said:

Hey y'all, I'm looking for a bit of advice.

A bit of context about my background: I've been in security for about a year and a half now, and did on-site tech support for a year and a half before that, so I'm obviously pretty early in my career still. I don't currently have a degree but I'm working on one from WGU.

I am currently in OT security at my company, and we're basically building this program from scratch. The problem is that I hate it, to the point that I absolutely would've quit by now if I could afford to. (I could complain a bunch about how I ended up here, but I'll keep that to myself for now...)

I like to get my hands dirty, dig into things, figure out the "whos, whats, wheres, hows", etc. Before this, I did endpoint security stuff at my company. I really did enjoy that, especially when I'd come across stuff that shouldn't be happening in the network. Even though this was never technically part of my job, I would often go through the proxy and firewall logs in Splunk to find suspicious traffic and look at threat events in McAfee.

What I don't like is spending all day in meetings, talking about how each individual company policy relates to SP800-171, or how we plan on communicate a new policy to the rest of the company. As you can probably guess, this is what my day looks like right now. I do realize these will be part of pretty much any job in infosec, but ideally not the entire job.

Anyway. I think I want to get into the threat hunting or IR field. However, I have no idea how. Every "entry-level" job for one of these that I see requires at least a degree, and usually experience in a SOC. The actual entry-level stuff always pays *significantly* less than I'm making now. Like, often times less than I made doing tech support. I have no idea how to actually get started in this area. There seems to be all sorts of resources for red team out there, but not so much for blue.

If anybody has any advice on how to get started in this, I'd really really appreciate it.

Thanks!

Here are some resources for training:

Two of my former students demonstrated how to use Velociraptor and OSQuery for threat hunting:

https://blaise-notter.gitbook.io/velociraptor-training/

https://rich-nadeau.gitbook.io/osquery-training/info/what-is-osquery

I'm a big fan and student of the Mossé training institute. With either of the trainings below, you'll be able to apply the same code and exercises where you work the same day you start the training, though be careful in an OT environment. 🙂 It's $450, and all your submissions are graded by an instructor. Since you record each submission, you can create a video portfolio so you can stand out with demonstrable skills and peer review from industry experts when you apply for threat hunting jobs.

Threat Hunter

https://www.mosse-institute.com/certifications/mth-certified-threat-hunter.html

Blue Team

https://www.mosse-institute.com/certifications/mbt-certified-blue-teamer.html

Digital Forensics and Incident Response

https://www.mosse-institute.com/certifications/mdfir-certified-dfir-specialist.html

