Author: Richard Harpur
Today’s rapid growth of technology is closely followed by the booming threat of cybercrime, driving demand for more cybersecurity professionals. Without a multi-disciplined cybersecurity team, defending technology assets isn’t just difficult; it may be impossible. One fundamental role on the team is the security analyst.
What to expect from a security analyst role
Security analysts work hands-on to understand the activity occurring within their network and to defend their organization from attack. This may look like investigating security alerts and suspicious activity, establishing and managing threat protection systems or responding to incidents.
Within a Security Operations Center (SOC), security analysts typically work at one of three levels depending on experience. Level 1 is responsible for the majority of triage work. They investigate alerts or suspicious activity to determine priority and urgency. Level 2 analysts should be able to attribute suspicious activity to specific threats. Highly experienced Level 3 analysts undertake detailed analysis and forensic investigation on cyberthreats.
Progressing from a Level 1 to a Level 3 role requires you to master four fundamental skills.
1. Networking
To maximize damage, malware and other cybersecurity threats are heavily dependent on computer networks. It’s rare to have an attack on a system that’s not networked. Even the Stuxnet attack[1], which was launched on highly protected and segregated systems, was made possible because the systems were networked to an extent. For this reason, it’s essential that you’re skilled and comfortable with the fundamentals of networking. This includes understanding the OSI network model and network protocols such as TCP/IP.
Frequently, a security analyst will be given key basic information from network device logs. This will most likely include source and destination IP addresses, protocols used and other common networking information. You need to know what each piece of information means and how it might impact your analysis.
2. Security
Once you’ve developed networking fundamentals, you need to understand security fundamentals. A solid understanding of various cyber threats equips you to know what patterns and behaviors to look for in your analysis. Various patterns exist for launching a cyber attack. Different malware variants may reuse some of these patterns. Patterns such as command and control are common with Ransomware attacks, for instance. As you trawl through log records, you should be able to quickly identify suspicious or dangerous activity, having mastered the security fundamentals.
The importance of this skill was highlighted with the global outbreak of WannaCry. This ransomware incident originated from eastern Europe and spread rapidly across the globe, hitting the United Kingdom particularly hard. Early on, it was reported the malware was searching for a specific domain name. If the malware could access that domain name then it stopped working, thereby containing the spread of infection. It was effectively an electronic kill switch.
In instances like this, a security analyst well versed in security fundamentals would be able to easily identify the computer IP addresses that were trying to contact the so-called kill switch and deduce that these computers were infected with WannaCry. From there the analyst could arrange for infected computers to be removed from the network and cleaned.
3. Incident response and handling
Not all security analysts are involved in incident response, but most are to some degree. The ability to work within a formal incident detection and response process makes the security analyst role that much more valuable to a company.
There are best practices in defending an organization’s digital assets from attack. Frequently, a you’re working in a crime scene, so you need to understand the big picture when it comes to incident response. If you delete or modify data, which was going to be relied upon as digital evidence, it might eliminate the option to prosecute the attackers.
4. Communicating and documenting incidents
Largely considered a soft skill than the technical skills above, competency in communicating is essential during security incidents. Very often, you’ll work as part of a larger team. Incidents will be escalated and passed around, so good communication helps.
Consider identifying a new zero-day vulnerability. You may need to escalate this to Level 3 SOC members, to vendors or to users of the system. Furthermore, any records of activity or actions taken must be properly documented, as they may be used in a legal proceeding.
Skills for a safer tomorrow
Of course, there are many additional skills you will develop over time, such as network packet analysis using tools like Wireshark. Many open-source and community-based tools are used extensively by security analysts. As your experience grows, so, too, will your dependency on tooling.
Trends certainly dictate that we will need more and more security analysts over the coming years to accommodate the rise in cybercrime. Whether you’re looking at your own career and identifying how to get started as a security analyst, or you’re leading a team that needs to add security analyst skills, keep your focus on these four skills to build your essential skillset.
Do you rock your role? Find out. Get your Security Analyst Role IQ.