Cybersecurity Mentors Podcast

Tools and Skills to Master as a Security Analyst - Part 2

Cybersecurity Mentors Season 2 Episode 6

This episode focuses on essential skills and tools for aspiring cybersecurity analysts, including network monitoring, incident response, and phishing defense. The conversation emphasizes the importance of practical experience and understanding the fundamentals to successfully navigate careers in cybersecurity.

• Importance of network monitoring in identifying suspicious activities 
• Understanding networking fundamentals for cybersecurity roles 
• Tools for capturing and analyzing network traffic 
• Steps to effectively manage and respond to security incidents 
• Strategies for identifying and mitigating phishing threats 
• Role of simulations and drills in training for real-world incidents 
• Need for hands-on experience to enhance cybersecurity skills 
• Insights into preparing employees against phishing attacks 
• Importance of documentation in incident response 
• How to differentiate oneself in a competitive job market


Speaker 1:

Could you teach me? First learn stand, then learn fly. Nature rule, Daniel-san, not mine.

Speaker 2:

I know what you're trying to do. I'm trying to free your mind, Neo, but I can only show you the door. You're the one that has to walk through it.

Speaker 1:

What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life. All right, welcome to part two of our podcast here at the Cyber Mentors Podcast, where we will continue the discussion of the six security tools that you should look into, learn, and familiarize yourself with to help you with a security analyst job or role. All right, so last time we talked about SIEM tools, we talked about vulnerability management, we talked about endpoint protection. Today, we're going to start off by discussing network monitoring. John, how about you kick us off?

Speaker 2:

I love network monitoring. Yeah, I do. I talked about the sonar and the submarine. It is a lot like that. It's changed over the years. There's still so much network traffic, there's so much going on, but it is essential. It is essential, the fundamentals.

Speaker 2:

You definitely have to back this up with a strong or good understanding of TCP/IP and networking, right? So how does the rubber hit the road, how do you add the practicality, the actual skill that you need to understand to be able to use it as an analyst? So, super important. You've got all this stuff that's happening on your network. A lot of it is encrypted, some of it's not encrypted. How do you find the needle in the haystack of needles, really, because there's so much data that's traversing, and find the bumps in the wire, find the ghosts in the machine, really. So there's so many tools out there that are available to help you that I would definitely recommend, and then we'll talk about these. But just to kind of prime: what do we want to see? What are we asking if we were interviewing you? What would we like to understand that you understand? Number one.

Speaker 2:

Do you understand networking? Do you understand the fundamentals? You don't have to be a network engineer, you don't have to be a CCNA. It wouldn't hurt, it doesn't hurt. But you don't have to be a routing and switching engineer, but it doesn't hurt to have a little bit of that.

Speaker 2:

But mostly how the Internet works, or how data traverses the Internet, how networks work, how data is routed and switched. Not necessarily how to configure a router, but how is it moved across the network? Those things are super important. That's like the baseline, fundamental stuff that if you don't understand, it's going to be tough. It's going to be tough because we live and breathe every day with IP addresses and suspicious activity and this traffic was doing this and this thing gets blocked by the firewall, and that's another thing.

Speaker 2:

Understanding how things like network devices work, like firewalls especially, that's the security domain. How does a firewall work? What does it do, how does it operate? You don't have to be a firewall expert at all, but understanding how firewalls operate, how they detect traffic, and that's changed over the years too. It used to just be like, hey, this IP is bad, block this IP. Now there's so much more to that. But you should definitely have a good understanding of that. That's like the fundamental. Then, from there, you need to understand tools that we would use to help detect weirdness or investigate weirdness and suspicious activity on the network. So I'll let you talk about that.

Speaker 1:

Yeah, no, so, yeah. So I would say that's a good definition, right? So what is network monitoring? It involves analyzing traffic to detect threats or data exfiltration or just weird things on your network, right? You are monitoring your network to see if you find anything weird or suspicious, right? And why is that important? Well, it's very important. By monitoring the activity on your network, you're able to maybe set a baseline of, all right, on Monday through Friday, on a regular week, regular month, this is what our network activity is when everyone's working, doing what they're supposed to do, whatever it may be. And if you can set that baseline, it can kind of help you set alerts or just any sort of red flags for anything weird or out of the ordinary that's happening around your network. Now, I am simplifying it. There's way more to it than what I'm saying right now, but it's very important.

Speaker 1:

Network monitoring is very important because it lets you see what's going on in your network, in your organization. And, like John said, if you don't understand the basics of networking, it will be difficult. And it's something that, in cybersecurity, is very important to do, especially at the beginning of your career. Most of the positions that you will step into are more technical positions that require you to have a better understanding of networking, with a number of other things, so it is important to know what's going on. Yeah, so I think for me, some of the interviews that I've been part of, it is something that we do, like we...

Speaker 1:

I say we because in operations in the SOC, it is something that we do put a lot of weight on, because we do want someone to kind of come in and know the basics, know the fundamentals, and honestly, I'd rather them know more networking than security, because I can teach them security and we could also teach them networking. But we're living, breathing security every day, so it's a little easier to teach that, instead of kind of taking a step back and going back through the fundamentals of what networking is and what to do. What's IP? IP is IPv4, IPv6. And it is a little bit more work for us to do. Would you agree, John, or do you have a different opinion?

Speaker 2:

Yeah, I mean you don't want to show up at an interview and you don't... somebody asks you some basic questions about TCP/IP or IP addressing. You don't have to do subnetting. That stuff is a pain and I've forgotten how to do it, thank goodness. But you do need to understand how those work, and you don't have to do a lot, like courses can teach you these things. The good news is that you can get up to speed quickly through courses and books. You don't have to take a whole semester course on networking to be proficient enough to be ready.

Speaker 2:

So that's the good news, but yeah you definitely want to be as proficient as you can be.

Speaker 1:

Yeah, absolutely.

Speaker 1:

And Wireshark I mean there are a number of YouTube videos out there that talk to you about what Wireshark is, how to install it, how to use it, how to run through some packets.

Speaker 1:

I mean that is the kind of stuff that would be very helpful, very beneficial for you to go through, to help you get a basic understanding of it. So, yeah, absolutely. So how would a security analyst use network monitoring? So again, we've kind of already talked about some of this, but you can capture and analyze traffic in your organization to help you identify weird, suspicious things. Right, looking through your logs, looking through your network, and also ensuring that your network devices are correctly configured and/or functioning how they are supposed to. Again, this kind of also goes back to what we talked about last episode with patch management: making sure things are up to date, making sure things are functioning, correct firmware, you name it, and they are at full force. So are there any additional things, John, that you would say around network monitoring? I mean, I feel like we've already kind of expressed the importance, but maybe towards, like, what would a security analyst do with network monitoring?

Speaker 2:

Yeah, yeah, I've got some things. All right. I mean my first real foray in learning about how to do network monitoring was in a gentleman named Mike Poor, his class with SANS. I think it was SANS 503, and it was a deep dive into TCP/IP, but with a security lens on it. It wasn't just, hey, here's a TCP/IP book, but here's TCP/IP and why you need to understand this as it applies to security and being a security monitoring analyst, right. But the things we covered were like tcpdump, Wireshark, Snort and maybe a little bit more than that. But those are the big things, and how those tools operate. But how do you use those tools to investigate? And the cool thing is, all those tools I just mentioned are free. Now the one you mentioned, Wireshark. I've never really liked Wireshark, you know, and it's okay. I like Zeek, and we mentioned Zeek in this too.

Speaker 1:

We're gonna we have some links to.

Speaker 2:

Zeek. I really like Zeek, because it was rare that I was doing a deep dive into the full packet analysis. Now that is a great skill to have. It's just, in most cases that you're investigating, I didn't need to do that full level. Now I did use tcpdump, which is kind of the command line version of Wireshark, and it is super beneficial to know how to use those skills.

Speaker 2:

If you did have a packet that you needed to dig into, or you needed to do a packet monitor or monitoring to say, like, hey, let's see what's coming in, then using tcpdump slash Wireshark is very, very useful. But a tool like Zeek, which is also a little bit, I mean, it's still kind of hanging around and it's still important, because there are things that fill this gap, but it's an easy tool to get used to, to learn, at least the way I like it. And the reason I like it more from a network monitoring perspective is it's built to listen through a lot of traffic on the network. I call it the network flight recorder. Right, it's the black box that you want out of the airplane when things happen. It is the network flight recorder, and so it's monitoring and sitting there passively and just gathering all this traffic, right.

Speaker 2:

And if a conversation happens, Zeek will just do a nice little recording of this event in a text file that says, hey, A talked to B and they talked for this much and this much traffic. And here's some more information about what that was, and maybe a little bit of a deep dive into that packet, to give you a quick, easy way to view that data and also search through that data to find out what happened and how it happened and what they said and what the conversation was about. And there's Zeek tutorials. There's also Try Zeek. I think we'll link to these. But there's ways you can play with Zeek and dump a packet in there and have it analyze it and look at the text files that it outputs. If you really don't like yourself, you can try installing Zeek from scratch. I did that many, many times and wanted to bang my head against the wall.

Speaker 2:

It's been a while, so maybe they've made it way easier, but it used to be so bad.

Speaker 1:

Let's hope so. And yeah, let's hope, yeah. And if anybody from Zeek is watching this, listening to us, hit us up, hit us up. Yeah, yeah. On top of that is Security Onion, right?

Speaker 2:

So Security Onion has Zeek baked into it, also has Suricata or Snort baked into it, and there's labs out there. You can go and download and try and install Security Onion and run it through a VM, and it'll run through these labs that you can play with. I would highly, highly recommend that, because you've got a combination of tools that you can use to play around with network monitoring, with bad things. So the good thing about those labs, and also there's other packets you can go download out there. Just be careful of, like, there's something bad that's happened in this packet, in this traffic. Dump it into your tool of choice: tcpdump, Wireshark, Zeek, Security Onion, Snort, Suricata, whatever, and walk through and try to identify what's happened. How did that happen? Why did it happen?

Speaker 2:

Also, Security Onion has Elastic on top. So there's another way you can get some SIEM experience: use Elastic to search through that packet and the traffic and the alerts and things like that. So that's why this one is a super important one, that you can really spend a lot of time getting good at these tools and the traffic analysis for free. Like, you don't have to have a whatever class to do this. You can do it with what's out there and what's available, and I'm sure there's a billion YouTube videos on these things that you can find. Hey, let me show you how you do this, right?

Speaker 2:

So it's about reps. You got to get the reps in. Don't complain to me if you ain't got the reps in. I don't want to hear it. Like, I'm going to get on my soapbox a little bit. But people are like, oh, you know, whatever, whatever, I did this course, I got this certificate, whatever. You got to get the reps in, you got to put the work in. It's not going to be given to you, right? Absolutely. But all these things that we're talking about, it's my baby. I love network monitoring, came up from the ground up. I'm a little bit passionate about it.

Speaker 2:

Because it's important, you know. Another last thing I'll say is, like, Zeek is also baked into Microsoft tools. Right, they're in there. It may not be the full, you know, the full dump of everything, but it's baked in, so you can go get information out of those as well and learn how. That's another thing that you're adding to your skill set, of like, oh, guess what, I could do some analysis on the data that this tool gave me from Microsoft, not just its own standalone version.

Speaker 1:

So that's it, I dropped the mic. Oh, awesome, we can see your passion, John, and I absolutely agree with you. So thank you for that.

Speaker 1:

And yeah, now everybody knows network monitoring: go to John, he's got you. No, but we will be posting links to a lot of the stuff that we've talked about, a lot of the free resources, and some may not be free, but still good resources for you to check out, at least in the description of the episode and everything. So, again, this kind of goes back, John, you mentioned something, and this kind of goes back to what we said in the intro for the last episode. Right, a lot of the things that we're going to talk about, that we've been talking about last episode and in this episode, are things that will help you kind of get a step ahead of everybody else who's going down the same path: getting into security, getting the Security+, getting their Google cert, getting their basic certifications, right. And this is now focusing on the tooling, on certain tools that will help you, certain tools that you will see. It may not be the exact same tool, but it's a similar tool that does a similar thing, maybe by a different name, but it's still like, this is what this experience and knowledge is, what will give you that step above the rest of everyone who is not doing this extra, putting in the reps, like you said, doing this extra work. So, all right, let's keep going. All right.

Speaker 1:

So the next one we have here is incident response. So what is incident response? Incident response is a process for detecting, analyzing and recovering from a security incident. So you're at work, you are sitting in front of your computer and an alert, a red flag, goes off. You run into your investigation and then you discover that you have an incident on your hands, meaning something has happened, something bad has happened, and now you need to figure out what exactly it is. What's going on, how did it start, how much damage has it done? And you need to respond to the incident. John, thoughts?

Speaker 2:

Yeah. So, with throwing people through gauntlets of seeing how they deal with logs and an incident, when they've got this and they've identified this is something bad, what we want to know, and what you need to be able to work on and work toward, is: how do you prioritize that incident? An event has become an incident. Now something bad has happened. We know it's something bad, but how bad is it, and what are the criteria you use to determine how bad it is? And how are you communicating with your team and leadership and your manager, whatever, to help prioritize and understand what this incident is?

Speaker 2:

So some of that would be, well, what is it, and what is the asset? Who is it? Who were they? What data do they have access to? Where are they? Is it a system that has sensitive data? Is their data classification high, right? These thought processes and the kind of flow chart of the criticality is the important piece of understanding how to escalate this incident, because I'm sure many, many times it happens in SOCs around the world where an incident happens and people don't prioritize it as important, and I'll share a quick story.

Speaker 1:

Yes, please.

Speaker 2:

Yeah. So I just happened to be sitting in the SOC. This was not too long ago, and we had one of our SOC interns, student interns, say, hey, we got a notification from somebody that said that they got an email that their paycheck had been modified, their direct deposit had been modified, and that they didn't do it. Well, the people that were in there hadn't been there as long as I'd been there, and as soon as that happened, I was like, escalate. This is very, very important. Because it sounds like maybe there's a snafu, maybe something happened and they fat-fingered something and didn't know about it, but I was like, no, I've lived and breathed and got the T-shirt, and I've seen this happen before where bad guys are trying to steal paychecks. We need to know not if he didn't do this, we need to know for sure if he did or did not do this, right. So that's kind of an escalation.

Speaker 2:

Now, how do you get that? It's tough. It's not something simple and easy you can get without being and working in an analyst role, but those are the kind of things, the thought process of how do you know what's normal again, and how do you prioritize it? But I do think you can get to where you understand the process and try to work through what has happened in other situations that you actually have data on, what happened for some big breaches. You may not know all the details, like living in the SOC and what happened, but you may know the timelines of events, and maybe working through those and walking through those, like, well, what would you do, and how would you prioritize it? How would you triage it? Yeah, absolutely.

Speaker 1:

You know, every organization around the world will face incidents. It's a matter of time. I mean, they will come across an incident and they will need to respond to an incident, and it really comes down to you know. Do you or your organization have a solid incident response plan? Do you know what you are supposed to do if an event is escalated to an incident? Do you know what steps to follow? Do you know who to reach out to? You know, is it just hey, your team lead, your manager? You know, when you reach out to them, what type of information do you need to have already verified and have documented, to help them better familiarize themselves with the incident that they're about to jump in and start helping you work through? So it really comes down to understanding the process. Now you can go online and we'll share a couple of things that just talk very general about. Okay, well, this is what an incident response plan is. Now. Every organization will have their own flavor, their own type.

Speaker 1:

In general, it's very simple. You need to detect something, you need to analyze it and then you need to recover. Once you detect something malicious, you need to investigate it, analyze how bad it is, figure out how bad the damage is, and then you need to recover, meaning you need to fix what went wrong, stop the bleeding. So you really need to familiarize yourself with that. Organizations, right, don't need to just spend hours, or however it is, days, creating this beautiful plan and then stick it on a shelf somewhere and never practice it. Incident response plan, and we are thrown into a scenario where we are testing ourselves, testing our team and making sure that, okay, if shit hits the fan, we're not all just going to sit there in panic and not know what to do, but we're putting those reps in and we know what to do. Okay, this happened. This is an incident. This is a major incident. All right, everybody knows what they need to do, everybody knows their job. We need to work together. Everybody knows the communication, how things go up, who's running the incident, who's doing what, and it's just practice, practice, practice. Practice makes perfect, so that when something does happen, we're not sitting there like deer in headlights.

Speaker 1:

So for you now, you may think, well, wow, I mean, that sounds pretty big. That's a big deal. I'm a simple security analyst. My role is going to be minimal. Wrong. It all starts with you. Probably you are going to be the first person that sees something and says, hey, this is suspicious, this is fishy, I don't trust this. Let's get a second, third set of eyes on this. But then, in certain organizations, you don't just hand that off to someone else, you continue through that investigation, and you are there helping investigate, document, whatever it is.

Speaker 1:

So definitely, this is something that is very, very valuable to me. If I'm interviewing somebody and, whether it's on their resume or they bring it up in the interview during conversation, they talk about some incidents that they have worked on or some incident response experience, that's good, because now I know, okay, well, this person has some level of experience. They've been put in stressful situations, and then we can talk about how things happened and what came out of that. But it is something very, very valuable for us, especially in the SOC, but overall, just general entry level positions, especially if you're a team of three, if it's you, another analyst and a manager. I mean, you three have to figure it out and you three need to be ready and prepared. So it is very important and, yeah, that's all I have to say. John, what...

Speaker 2:

do you think? Yeah, that's good. When I have thrown people into the fire, what am I looking for, and what are we looking for? Can you remain calm under pressure? Yep. Can you think through the problem? Can you talk, communicate effectively? Do you work with your team? Are you trying to go solo? Are you trying to be the hero, right? Are you trying to figure this out and then come back, and then you don't know what's happening with everybody else, and then you've got yourself in a hole and you can't get out of it? So, this is what you get paid for.

Speaker 2:

If you are in an analyst role where you're doing incident response, this is the moment when the bad things happen. This is why you are here. Obviously we want to prevent, but we can't prevent everything, and so if bad things are going to happen, this is when the firefighter moment kicks in and you have to be able to work under pressure. And how do you do that? You need to be able to think clearly, think through the problem, communicate. Don't worry, it's going to be stressful. These things happen. You are going to be stressed out, it is going to happen. You may have cold sweats coming down your side, but I've been in the fire so many times that I like it. I'm like, let's go, we're going to battle. This is what we get paid for, boys. Strap up, put the helmets on. The bad guys are here. We've been talking about these bad guys, we've been dealing with them. Now they're here. They're coming to battle. Let's go, we're going to kick them out. So I get excited about it.

Speaker 2:

I get excited A little too excited.

Speaker 1:

You know it's a little worrisome to those listening when your CISO reaches out to you and he's like, you know what, man, things have been really quiet.

Speaker 2:

Like I'm ready for some action, let's go, I'm getting bored.

Speaker 1:

Yeah, no, no, no, I'm good, I like it quiet, I like it calm. That's good for me. Yeah, I like it quiet.

Speaker 2:

No, I know, I know I'm strange, it's fine. But what I would say for people, because it is tough to get this without actually being in an environment, is: think about, I would look at the M-Trends reports and the Verizon breach reports, right, and they're all similar.

Speaker 2:

But think, look at what the initial vectors are. Right, they break these down. They'll tell you, right, and I can tell you most of them right now. Right, it's a phishing attack. It's a password, you know, credential stuffing attack. It's maybe a password spray. It's some kind of malware. Right, you look at these initial vectors and from that, look for, if you can find, logs that help you, that are like, this has actually happened. Like one place you can go look, at least for the other one I was going to mention, was a vulnerability. We talked about vulnerability management, but a vulnerability on an internet-facing service, that's one of the top ones. So there are logs out there for that, and ways you can find logs for those are through honeynets or honey ports, right, honey traps, whatever.

Speaker 1:

They're out there. Honeypots.

Speaker 2:

Right, they're out there, and people will put them out there and capture logs for people that have tried to exploit those. Well, you can get that stuff in, pull it into your test SIEM, you know, Splunk, Elastic, Security Onion, whatever, and work it as if it was a real incident. What would I do here if I pulled this in and I was triaging this incident? And try to get as many of those examples as you can. Some kind of phishing events, some kind of vulnerability events, some kind of malware events, right? And work with all these tools, put these in your lab, put these in your thing and work it as if, like, okay, here's my incident, this is what's happened. How do I work through the incident? How do I document it, right? Because documentation is super important. Yes. And how would I triage it?

Speaker 2:

how would I mitigate it? It's still. It's getting reps. It's not going to be the real show, but just like a firefighter that works and they climb the tower and they do the thing, and they, they put the fire out, and they do that over and over and over and over again. Why do you think you do that? Because when the real thing happens, you're ready. Muscle memory, muscle memory.

Speaker 1:

It's muscle memory.

Speaker 2:

Yeah, the tabletops, for sure, are good. They're just usually higher level, so I would say, if you can do the tabletops, but also do the hands-on as much as possible.

Speaker 1:

Yeah, yeah, no, I completely agree. And it's, you know, documentation, documentation, documentation, right, because you never know when an incident will leave your hands. Meaning you need to call the big guns in, right, you need to call someone like Mandiant, or you need to call some third party to come in with some true expertise, some forensics, to kind of help and take over. So you need to document everything that you have found, done, checked, logged, so that you can say, hey, man, look, this is everything we've done so far. And they don't have to start from scratch. Now they probably will, just to make sure that you didn't miss anything.

Speaker 1:

But still, it's a big help. It's very helpful to document that. And then also, you're going to have to, well, again, maybe not the security analyst, but the team leader of that team is going to have to go and report to leadership what the heck happened, what went wrong, why, how bad is the damage, stop the bleeding. So documenting everything from the very beginning to the end is key. It's a must, and it will definitely help you tremendously.

Speaker 2:

Yeah, so in the interviews I literally would say, hey, you've got to report to the CISO, right? What would you tell them? What is your status? And I had them write up a report at the end. Hey, write me up a report, let me look at it. Put it up on the big screen. You may not get put through the fire like I do, but you should be ready for it.

Speaker 1:

Right, if you're ready for it, you're good. All I have to say is, we have nothing but ninjas working for us, because they all have to go through John, and everybody here listening can now know the rings of fire that we have to go through to work here.

Speaker 2:

All I have to say is that I had a guy who worked at a nuclear power plant telling me this was the hardest interview he's ever been through, and I was like, yes. Yeah, okay, awesome.

Speaker 1:

Well, I mean, I think that sums it up. We are going to try and share a couple of things, a couple of links for this. Like John said, it is kind of tough to get this level of experience from free resources out there. But we found a couple of things that could help. So yeah, we'll still link those in the description. But yeah, anything else to close this off, John, for this section? No, let's see, I said enough. All right, all right, well, let's see here.

Speaker 1:

Last one, last but not least: phishing simulation and defense. Phishing emails, I hate them, but we get thousands of them every day. We have cybersecurity training that we have our users take, and I'm sure a lot of organizations do as well, and sometimes they work. But the attackers, the bad guys, are evolving their technique, they're evolving what they do, how they do it, and with the use of AI, the things that you could identify, the misspelling, the grammar, this and that, that's kind of getting harder to pick up, because you have AI writing you a dissertation and it's just like, man, this is amazing. But anyway. So what do I mean by phishing simulation and defense? So, like John mentioned a second ago, you know, phishing is probably one of the highest attack vectors, right? In a lot of the big incidents that you may come across in an organization, everything started via a phishing email. One of your users got a phishing email for a free Starbucks gift card. They clicked on it, they downloaded some malware and now, boom, incident.

Speaker 1:

So, you know, phishing is a cyber attack where an attacker tries to trick a user into sharing sensitive information like passwords, financial information, you name it, and as soon as they're able to do that, then that is like, one, bad guy, zero, you, and you're already starting, you know, one step behind. So as a security analyst, it's important for you to understand what phishing is. You know, how does it work, right? What's the objective? Like, what are the bad guys trying to do by phishing your users? Right, be familiar with some of the just simple phishing attacks. You know, the different types of phishing attacks, right, because some phishing attacks are specifically just spread across the board, to just anyone. It doesn't matter who you are, what position you have.

Speaker 1:

You get a phishing email. Some are targeted, right, they may go on your website and look at your directory and see who the CEO is, the CTO, the whoever it may be, and then they're targeted. Or, you know, they may impersonate you. They may impersonate someone in your organization and ask you to give them tons of money. So it's, you know, just being kind of familiar with that and just knowing the basics in terms of, you know, what would you do if you come across a phishing email in your organization? How would you investigate it? How would you remediate it? What advice would you give someone who fell for it? What are some of the basic things that you would recommend? Would you agree, John?

Speaker 2:

Yep, and you're sitting in, you know, imagine you're sitting in the SOC or, you know, wherever, and a user reports a message as phishing, and it lands in your phishing inbox and you're triaging that email. What am I looking for? How do I know this is bad? How would I detect whether this is a legit email or a phishing email? You may think, oh, it's going to be obvious. Right, it's going to be clear. They're sending it from, you know, whatever, some foreign country.

Speaker 2:

It's not easy, it's not simple, and a lot of times you have to dig into it to find out. You know, some of those things stand out, like, are they asking for something? Where does the page, where does the link take you? Oh, it's a login page, a copy of our login page, whatever. But ultimately it's social engineering, right? No matter if it's phishing, vishing, whatever, right, it's some kind of attack against the person, which is usually easier than attacking a system. Right, because you have to worry about detections and tools, all these tools we talked about. It's hard to build intrusion detection systems for people, but there are tools that help. Right? They help detect, like, this is weird. Nobody sends messages this way, you know. Or this person they're impersonating never uses this language. But it is an arms race. But I do think, you know, will you have had all the reps that you can to be able to triage it? Probably not, because you won't have worked them, but you will. You'll get a lot of reps in easily, quickly. But I think, from a thought perspective, if you were presented messages that were phishing, or you had to determine, hey, here's a message, is this phishing? What would you do? How would you do that? And how would you determine and triage that message? Okay, you've determined it's a phishing message. How do you handle it? Who do you communicate to? How do you mitigate it? What are some ways to mitigate it?

Speaker 2:

And there are examples of legit phishing messages that you can go look at. There's a ton out there. You know, you may have to go weaving through the noise to find them, but they're out there, right, people share. Hey, we got this phishing message. There's one I was looking at earlier that has a bunch of these that you can go zoom in on a little bit. They've kind of redacted information, but you can go look at some real ones that are out there and think through, like I talked about before, how would you deal with that message? And then how?

Speaker 2:

What are the tools available to be able to stop these? You know, there are tools that we use in many companies. Everybody pretty much has them now. What are those tools? Can I get some training, or get some hands-on, or get at least some, you know, walkthroughs on how those tools operate? What do they do? How do they work, right? So the tools themselves, how do I get better at those tools?

Speaker 2:

And then, on the flip side of all these things, if I was an adversary, I put my red hat, my black hat on and I'm trying to get through and phish somebody. How can I do that? How would I craft an email? What does it look like?

Speaker 2:

A good example that we did with a course that I help with, with students, is we phished them. When the course started, we phished them, and then I taught them about social engineering and the concepts of social engineering. And then midway through the course we phished them again, and they did better, but we upped the sophistication of the phish midway, and then I taught them some more about these techniques and I actually showed them how I would create a phishing attack. Like, how would I do that? Right, how would somebody do that? What does that look like? And then at the end we phished them again, right at the end, and it was the hardest one. And, you know, just that whole mindset of, like, okay, think like an attacker, how does an adversary do this? How would they craft a phishing message? It just changes your perspective on being able to detect, oh, this is weird. Here's how I might do that if I was the bad guy.

Speaker 1:

Yeah, yeah, absolutely, no, I agree, and that would probably be my recommendation for those of you who are, you know, getting started and just don't have the exposure. You know, go and try some of these tools that we will link to, like GoPhish and others, and create, you know, a simulated phishing campaign. You know, get some emails from your family members, right, shoot them over. You know, create a campaign (John's laughing), create a campaign and, you know, go through that process. You know, like, go through what it really is like to create a template for a phishing email. You know, adding links, whatever it is. Kind of go through that process, get you a couple of email addresses to send it out to.

Speaker 2:

You know, all for educational purposes, right? Right. Be nice. Yes, be nice to your family members.

Speaker 1:

Yes, don't try to go after your grandma, you know, like, just be responsible here.

Speaker 1:

Don't ask for gift cards. Use that, you know, to kind of help you run through that process. You know, send out those phishing emails, and kind of see what happens after, if somebody falls for it. And then you kind of go from there, and going through that process gets you a better understanding of what it's like. So then now, if you are working for an organization as a security analyst, you may say, well, what kind of stuff would I be doing? Well, you may be simulating phishing campaigns, right? This company or organization may have a tool that you use to do some internal phishing on, you know, your own employees, to kind of help with just security awareness. And then you may analyze phishing emails.

Speaker 1:

Right, if you are a SOC analyst, you know, your company is probably going to get a ton of phishing emails sent to all of their users, and people may not know. Hey, I need someone with a set of skills to help me figure out if this is a phishing email or not.

Speaker 1:

So then they will send it to you, and then you have to analyze it, you'll have to review it, you'll have to run through some checks, and then you'll have to get back to them and say, hey, this is a phishing email, delete it, don't pay attention to it, or, no, this is not a phishing email, this is legitimate, you know.

Speaker 1:

You know, proceed as you would. But then also help implement anti-phishing measures, right? So, like John was saying, there are security tools out there that you would use, or set up and configure, to help kind of reduce the amount of phishing emails that get through to your end users. So you would be managing those tools, you would be setting those up, making them better. So those are the types of things that someone in a security analyst type of role would be doing. So we'll also link to a couple of those email security tools that could help in the description of this video, for you to kind of get an idea of what that's like. But yeah, I think that would give you a good idea of what phishing is about, by just going through and setting up a campaign, testing it out, for educational purposes again, and then kind of going from there.

Speaker 2:

Yeah, I'll just say, the last thing I was thinking about was that happens all the time. Like, I get people saying, hey, is this phishing, can you tell me? It's a good thing, it's good that they're asking you, and not so much, you know, just at work. Like, I get people sending me messages all the time: hey, is this phishing? Can you double check this? Is this bad? You know, I just want to be sure. And that's good. They're being suspicious and paranoid, a little bit of healthy paranoia. But that happens all the time. So, you know, that's something to expect, for you to get one of those messages, and you get to be able to triage it, figure it out.

Speaker 1:

Absolutely. All right, sir, I believe that is it. So, in this episode, we've covered network monitoring, we talked about incident response, and we finished up with phishing. So what do you think?

Speaker 2:

No, it's good. I think these are definitely solid skills and tools that we would expect, and hope, that you have, and, you know, maybe you're stronger in some than others.

Speaker 2:

That's okay. You don't have to be great at everything in a role, a security analyst role. Even if it's something specific, it still would be good if you had these skills, and really, for the most part, you can definitely work on all of these. You know, maybe you'll work on some more than others, the ones that you need to be in an environment for, but really, for the most part, you just got to get those reps.

Speaker 1:

Yeah. So, just, you know, some free advice here. You know, if you are looking at getting into cybersecurity, you are either going through or you've already finished some of the basic certifications that we've talked about, the Google cert, Security Plus, Network Plus, whatever it may be, and you might already be applying for positions as we speak. Right, but you may.

Speaker 1:

You don't have some of this experience or some of this knowledge. This is what I would recommend. Like, this is kind of the next step. Like, if you have completed your Security Plus and now you're kind of applying, you're kind of waiting for what's next. Sure, you could go and get additional certifications. If that's the route you want to take, absolutely you can do that. But if you are kind of not sure where to go, or you're looking for a SOC position or you're looking for a security analyst position, focusing on this while you apply, or waiting to apply until you get some of these under your belt, that is what I would recommend for you to do. Because, again, the whole kind of thought process behind these two episodes that John and I did was, you know, what more can we give people to do to set them apart from the rest of the people who are in the same boat? Right, cybersecurity is hot, cybersecurity is, you know, continuing to be, and it's not going anywhere.

Speaker 1:

So we do have a lot of people that are either starting, wanting to start a career, or transitioning their career to cybersecurity, and, depending on what your background is, you may have a different start. But for the majority of people transitioning over, you will kind of be guided and recommended to go down the same beginning steps. Right, but these two episodes, these are the additional items that we think will set you apart, that will give you that extra, you know, gold star, per se. That will set you apart, because these are some of the tools and some of the things that you will be doing day in, day out in a, you know, entry-level SOC analyst job, you know, security analyst position. So we're kind of just trying to give you that, you know, kind of head start. I mean, would you agree, John?

Speaker 2:

Yeah, I'll just put it this way. Right, like, the certificates. I like certificates. I've had many, many certificates, but don't, you know, don't think that that's going to be it. Oh, I got my Google cert. Oh, I got my Security Plus. Oh, I got my whatever, right? Well, think about when you got that certificate. When you got that certificate, it's, I memorized something and I passed the test, most of the time.

Speaker 2:

Right, what you need is this: if you get in the door and you get to be interviewed, this is what we're going to look for. These are the things we're going to evaluate. So, okay, that just got you in the door. Maybe you got these certs. That's great, that got you in the door.

Speaker 2:

But how do you set yourself apart when somebody interviews you and wants to know where you are? You get these skills worked up. You get these reps in. Get the reps in. Get the reps in and get that, like, dang, this person's ready to rock. Yeah, they took their certs, and that's good. That's good knowledge. But they've actually got the reps in, the muscle memory built in. That's going to make you stand out. That's going to make you stand out. So do all those things. It's not bad. I'm not hating on certs. I believe certs are great, but the skills kill. Look, I'm coming up with all these keywords. I might have t-shirts out the wazoo. Look, we need to. Skills kill. Write that down. I'm writing it down right now. Skills kill.

Speaker 1:

Done. We need to, yes, we need to, but that's what these episodes are about. Yep, absolutely, no, I completely agree.

Speaker 1:

And, you know, it's all about stepping stones. Right, it's all about stepping stones. Certifications are a stepping stone, you know. Getting hands-on with certain tools, that's another stepping stone. So, you know, it's all going to come together. We're just trying to help you and keep you one step ahead. So, yeah, if you have any questions on any of the material we've covered in this episode or the previous one, please let us know. Jump on our Discord, shoot us some comments on the videos, and we'll be happy to talk to you and expand more on some of these items. If you kind of get through the stuff that we've offered or shared with you and you say, hey, I want more, then we can help you with that too. You know, set up a free consultation, a mentoring call with us. We'd be happy to discuss additional information there. But yeah, that is it for us today. John, any last words?

Speaker 2:

Yeah, I would just say, maybe you do want to be put through the gauntlet. I'm looking at you. Maybe you want to go through the gauntlet. Oh man, I mean, it's scary. Look, it's scary. I'm just going to warn you, it's not for the faint of heart. So, if you do, if you want to dive deeper with us, this is it. You want to level up? This is it. Let us know.

Speaker 1:

Let us know. Awesome, perfect. Well, thank you all for listening. This has been another episode, and we will see you next time.

Speaker 2:

See ya. Thanks for tuning into this episode. If you're looking for personalized mentorship, click the link below to sign up for a free consultation with us.

Speaker 1:

During this session, we'll talk about your goals, your challenges and how we can better help you. This may include reviewing resumes, career advice, setting up action plans that are tailored for your needs.

Speaker 2:

Yeah, at Cyber Professional Services, we're here to guide you at every stage of your cybersecurity journey.

Speaker 1:

That's right. So keep learning, stay secure and we'll see you next time. Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.

Speaker 2:

Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.

Speaker 1:

Do you have questions or topics you'd like us to cover, or do you want to share your journey? Join us on Discord at Cybersecurity Mentors Podcast, and follow us on LinkedIn. We'd love to hear from you. Until next time. I'm John Hoyt and I'm Steve Higuretta.

Speaker 2:

Thank you for listening.