Infosec career progression

What are the technical requirements to progress in your career in cybersecurity? How do you move from an entry level analyst position into a senior analyst position?

Starting from the defensive side of the house, an L1 SOC analyst usually starts with no experience in cybersecurity. The job role is very well defined: analysts are usually allocated to look at either network security appliances or host-based artefacts. As such, analysts do not need much training before starting operational work. There are also usually playbooks with very clear step-by-step instructions for analysts to follow for each type of alert that may be triggered.

To progress to an L2 position, you will need to broaden your knowledge. If you have been looking at network protocols, netflow and DNS data, now is the time to be introduced to processes, persistence mechanisms and integrity levels, and vice versa. It is important to understand the linkages between the different artefacts, i.e. what happens when a process opens a network connection or makes a DNS query? You will also need a deeper understanding of concepts such as detection, containment and recovery. This will allow you to look at the playbooks in a new light: you will be able to understand the rationale behind each of the step-by-step instructions that you have been taught to follow. This will prepare you for L2 work, which is more unstructured. At times, certain artefacts might be unavailable or certain actions cannot be taken for business reasons, so L2 analysts will need to find alternative means to achieve the goal of detection, containment or recovery.
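As an added illustration of what "linking the artefacts" means in practice (this is example code written for this post, not a tool from any SOC), the script below joins three host artefacts by the process id that produced them: process creation, DNS query and outbound connection. The telemetry is constructed, loosely modelled on Sysmon-style events, and the field names and the `DOCUMENT_HANDLERS` set are assumptions for the demo. Once the artefacts are grouped per process, a raw destination IP in the connection log can be explained by the DNS answer the same process received moments earlier, and a child of a document handler that resolves a name and connects out stands out as something a playbook would not have told an L1 analyst to look for.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample telemetry (not captured from a real host), loosely modelled on
# Sysmon-style events. The three artefact types share one join key: the process id.
EVENTS = [
    {"ts": "10:00:01", "type": "process_create", "pid": 4100, "ppid": 3200,
     "image": r"C:\Program Files\Office\WINWORD.EXE"},
    {"ts": "10:00:05", "type": "process_create", "pid": 4188, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "10:00:06", "type": "dns_query", "pid": 4188,
     "query": "cdn.example.net", "answers": ["203.0.113.10"]},
    {"ts": "10:00:07", "type": "network_connect", "pid": 4188,
     "dst_ip": "203.0.113.10", "dst_port": 443},
    {"ts": "10:01:00", "type": "process_create", "pid": 5020, "ppid": 3200,
     "image": r"C:\Program Files\Browser\browser.exe"},
    {"ts": "10:01:02", "type": "dns_query", "pid": 5020,
     "query": "www.example.com", "answers": ["198.51.100.5"]},
    {"ts": "10:01:03", "type": "network_connect", "pid": 5020,
     "dst_ip": "198.51.100.5", "dst_port": 443},
]


@dataclass
class ProcessTimeline:
    """Everything one process did, in the order it happened."""
    pid: int
    ppid: Optional[int] = None
    image: str = ""
    dns: List[dict] = field(default_factory=list)
    connections: List[dict] = field(default_factory=list)


def build_timelines(events) -> Dict[int, ProcessTimeline]:
    """Group every artefact under the process that produced it (the linkage step)."""
    timelines: Dict[int, ProcessTimeline] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        tl = timelines.setdefault(ev["pid"], ProcessTimeline(pid=ev["pid"]))
        if ev["type"] == "process_create":
            tl.ppid, tl.image = ev["ppid"], ev["image"]
        elif ev["type"] == "dns_query":
            tl.dns.append(ev)
        elif ev["type"] == "network_connect":
            tl.connections.append(ev)
    return timelines


def hostname_for_connection(tl: ProcessTimeline, conn: dict) -> Optional[str]:
    """Explain a raw destination IP using the DNS answers this same process got earlier."""
    for q in tl.dns:
        if q["ts"] <= conn["ts"] and conn["dst_ip"] in q["answers"]:
            return q["query"]
    return None


# Assumed list of document handlers whose children rarely have a reason to talk out.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def find_document_spawned_egress(timelines: Dict[int, ProcessTimeline]) -> List[dict]:
    """Flag children of document handlers that then resolve names and connect outbound."""
    findings = []
    for tl in timelines.values():
        parent = timelines.get(tl.ppid)
        if parent is None or basename(parent.image) not in DOCUMENT_HANDLERS:
            continue
        for conn in tl.connections:
            findings.append({
                "pid": tl.pid,
                "child": basename(tl.image),
                "parent": basename(parent.image),
                "dst": f'{conn["dst_ip"]}:{conn["dst_port"]}',
                "hostname": hostname_for_connection(tl, conn),
            })
    return findings


if __name__ == "__main__":
    for finding in find_document_spawned_egress(build_timelines(EVENTS)):
        print(finding)
```

Running it reports only pid 4188 (powershell.exe spawned by winword.exe, connecting to 203.0.113.10:443, which the same process had just resolved as cdn.example.net); the browser's identical-looking HTTPS connection is left alone because its parent is not a document handler. That is the difference between reading each artefact on its own and reading them together.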

Looking at the offensive side, junior penetration testers have a similarly well-defined job role. They are often tasked with running automated tools which spit out reports when the scans are completed. Similarly, they do not need much training before starting work.

To progress to a more senior role, you will first need to understand the findings in the automated report. What is the vulnerability, and why is it considered a vulnerability? Next, you will need to be able to manually reproduce the exploit, which will further solidify your understanding. Lastly, it is important to look at the big picture and identify patterns in the vulnerabilities you find. Certain types of applications and certain features tend to be more prone to certain types of vulnerabilities. For example, the password field in a login form may have a SQL injection vulnerability, because every password submitted to any website has to be compared against the correct password or hash in a database. However, it is almost impossible to find a cross-site scripting (XSS) vulnerability in the password field, because passwords are almost never displayed back to the user in plaintext. Such understanding will help you identify the areas most prone to vulnerabilities, where manual effort can be focused on picking up vulnerabilities not detected by automated tools.
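To make the password-field pattern above concrete, here is an added example (written for this post, not taken from any real application or scanner) of the two ways a login handler can compare a submitted password against the database. The legacy handler pastes the form fields straight into the SQL text, so the password field becomes part of the query grammar and the textbook `' OR '1'='1` probe turns the comparison into a tautology. The hardened handler binds parameters and compares a salted PBKDF2 hash, so the same input is just a wrong password. The `greeting_html` helper shows the other half of the argument: the username is reflected into a page and therefore has to be escaped, while the password never reaches a page at all. The table names and the user record are constructed for the demo.

```python
import hashlib
import hmac
import html
import os
import sqlite3


def derive_hash(password: str, salt: bytes) -> str:
    # Slow, salted KDF: a leaked table should not hand out passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one user in each schema (demo data only)."""
    conn = sqlite3.connect(":memory:")
    # Legacy schema: plaintext password column, queried by string formatting below.
    conn.execute("CREATE TABLE users_legacy (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_legacy VALUES ('alice', 'correct horse')")
    # Hardened schema: per-user salt and derived hash, queried with bound parameters.
    conn.execute("CREATE TABLE users (username TEXT, salt BLOB, pw_hash TEXT)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("alice", salt, derive_hash("correct horse", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The defect the post describes: user input is spliced into the SQL text, so the
    # password field can change the shape of the query instead of being a value in it.
    query = ("SELECT username FROM users_legacy "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters keep the input as data; the password itself never enters the SQL
    # text, only the hash derived from it is compared, in constant time.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(derive_hash(password, salt), stored_hash)


def greeting_html(username: str) -> str:
    # The username is reflected back to the user, so it is an XSS sink and must be
    # escaped. The password is compared and discarded, which is why XSS in the
    # password field is rare while injection in it is not.
    return "<p>Welcome back, %s</p>" % html.escape(username)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("legacy handler, wrong password :", login_vulnerable(db, "alice", "wrong"))
    print("legacy handler, tautology probe:", login_vulnerable(db, "alice", probe))
    print("safe handler,   tautology probe:", login_safe(db, "alice", probe))
    print("safe handler,   real password  :", login_safe(db, "alice", "correct horse"))
    print(greeting_html("<script>alert(1)</script>"))
```

The legacy handler accepts the probe because the resulting `WHERE` clause reads `... AND password = '' OR '1'='1'`, which is true for every row; the hardened handler rejects it because the probe is hashed and compared like any other wrong password. When reviewing an automated finding against a login form, this is the shape you are trying to reproduce by hand.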

In summary, senior-level jobs often involve more unstructured tasks which require experience and an understanding of concepts to guide you towards the next step to take. Often there is no single correct answer, and it will take quite a few brain cells to come up with an optimal decision. After all, this is why you are paid the big bucks, right? If you were just following simple instructions blindly, the company could have saved money by hiring an entry-level analyst to do the job. So, go out there and level up your knowledge.