SOC Jitsu - Preparing for day one

Well, T-$(several days) until I start my new job. I am having some doubts about my skillset, and in this post I will try to describe my doubts, the way I intend to tackle them, and maybe a way to boost anyone’s self confidence who is trying to jump from red to blue or vice versa.

My doubt number 1: I’ll get bored

This one has been going through my mind for the last month. Blue-team work is better paid and more steady, that’s without a doubt. It’s less like being a pirate, plundering a ship and then moving on to the next one, and more like being a gardener. You till the soil/environment, plant your seeds (set up sensors), label everything (map the network), and then you watch the little plot grow. That’s what SOC life looks like to me.

In my previous job as a SOC analyst, it was less gardening and more like being a scarecrow. You come to an established garden, get a list of the response plans, and then it’s all just “see a crow, smack it with a broom.” That work is exciting at first, but in a room of (sometimes) undriven people, it can be discouraging. This job will be different, I’m sure: I am not just a responder, I will be responsible for actually setting up the rules. That will require more in-depth knowledge than just “This is a brute force attack, all right.” There will be a time for me to dissect a new attack and create rules from scratch, but I digress.

The reason I got bored in SOC in the first place was the fact that I felt replaceable. Everything was prepared for me, and I was only meant to follow the rules. It was the same thing, day in, day out. By the end of year one, I knew the rulebooks backwards, and the process of adding to them was so complex that I couldn’t really make things better. I seriously hope this will not happen here, and there is supposed to be an expansion to other capabilities in the future, so there may be a shift to a more action-packed niche.

Doubt number 2: I won’t be good enough

This doubt goes through everyone’s mind, but I guess by shifting from red to blue, I am afraid my skillset will not be a big enough starting point, or that my current thinking patterns will be limiting me. I’m used to thinking like an attacker, it worked well in the red side of the aisle, but I’m wondering how deeply set I am in my ways and if I’ll be able to change it quickly enough.

My current goal is to take the ECIH, and then continue developing my skills for something where deep knowledge of the ways a system works is beneficial. The better I know how to get around a system, the better I can diagnose what is going on, and if something is wrong, you can estimate what the goal was. That’s what I loved about the interview for this job: the guy sat me down in front of a laptop, gave me an intro, gave me the user’s password and said “Do what you need to do, find what’s gone wrong.”

I will do my best to git gud, but there will be growth pains. The funny thing? I’m looking forward to that.

Next, I’ll look at my strengths, put them on paper, and maybe you’ll see yourself in some of them. (I hope not, I am going to rant a lot and you can’t be a dick like me)

Strength number 1: Thinking outside the box

I know I mentioned this several times before, but I will try to get the most I can out of this fact. As I will be responsible for setting up new defenses, I might as well say what will be the best bang for the company’s buck, and it will be much faster to test if I can actually do the test myself.

I will try to milk this, and as part of that, I also mean the following: Just because I’m in defense doesn’t mean I will not be honing attacker skills. HackTheBox and TryHackMe may no longer be my daily go-to, but truth be told, they are fun as hell and I’d be an idiot to give these resources up. Best case scenario, I’ll pick up some new ones! I already am, as a matter of fact: websites which provide PCAP files, memory dumps and other snapshots which I can use to practice my DFIR skills!

As a consultant, I had to learn stuff, and learn it quickly enough to be useful on any project. This included one book, which I love to read and re-read all the time: Cyberjutsu by Ben McCarty. It’s truly an amazing book, and it appeals to me in two ways:

  • It describes things in a way that makes sense to me, with great parables and explanations.
  • It uses a great overarching analogy of a “castle you need to protect.”
  • Hello, it’s samurai and ninjas and shóguns and shit!

This book has shown me how I can be useful, what defense-in-depth can be, and it’s been so nicely tied together with my other hobbies that I can’t but love it.

Strength number 2: Experience and communication skills

I have worked with numerous clients, and I have had to adapt to fit their needs. Not every company can or should have to afford a full-blown SOC team. The company I’ll be working for is starting this out as an “internal-only” offering and they’re already ingesting hundreds of gigs of data per day! I will try to treat this as any external project: Come in, be awesome, make shit work, and then… well, that’s where the project part ends, but I can cycle through. It’s going to be like the pentest cycle, where you do recon, then find an exploit, attack, and then it’s all 40 GOTO 10. I will use this to my advantage, try not to get stuck in a routine, and work in the cycles I’m familiar with, the only difference being that these cycles may take months. But hey, APTs do it the same way.

One thing I hope I won’t lose in the new setting is my communication skills. When I started consulting, I realized that talking to adults is very much like teaching children. When you come into the room, you cannot have any presuppositions about what the other people know and what they may already be familiar with. Whoever it is, I cannot assume they know what I’m talking about, so breaking things down and “explain like I’m 5” will hopefully come in handy. Anything can be taught if you start easy and progress through the material. I sure as hell hope I’m not going to be able to use (and learn more) languages while I’m there. Although it’s a local company, they seem to be active in a few other countries I can get around in, and truth be told, IT is a field where English is the lingua franca, so I’m going to bet I’ll use English, even if it’s only occasionally.

Bonus strength (and my weakness): Certificates are still my equivalent of crack cocaine

This one will be short, but imagine a donkey. You want to make it run forward, so you take a stick, tie a carrot to it and dangle it in front of the animal. Well, I’m the same way, only with certificates. If you tell me “At this point in time, you can pick XYZ certificate,” you know I’m going for it. My reasons are not altruistic in the slightest. I just like them. I like the exams, the new stuff to learn, and the more hands-on it is, the better I feel about even attempting it. OSCP kicked me in the nuts, but truth be told, it’s a nut-kick I’ll want to repeat in the future.

In closing: I’m excited, but I’ll pace myself.

It’s going to be fun. At first, there will be a lot to be learned, for sure, but I guess that will take me a few months at most. After that, anything interesting that comes (or any change, for better or worse) will be a thing I can get excited about.

To be honest, I feel like a dropout at the moment, but that didn’t stop teaching me from going into infosec, and it sure as shit isn’t going to stop me. Security is security, and any knowledge from any part of the field is useful, even if it’s not apparent at first. This is what I want to be, a knowledge sponge, and god damn if I’m not going to make it.