
Prepare Beforehand For Your First Blue/Red Team Job

0.0 Preface

Last week I was invited to give a speech to fresh IT students, to give advice on things they should know early on in order to help them get their first IT job. As someone who was sitting in the same classroom a couple of years ago, I really wish someone had told me all of this during my first year so my life could have been easier!

Therefore I have written this article together with help from my colleague Rob Parker. We wanted this article to be a reference point that helps people become better prepared and make a good impression during their first interview with a future employer.

This article includes recommendations for both the red and blue team, and is based entirely on our personal experience. Hopefully you will not see this as a guide to success, because that is a really big question mark: something that worked for us might not work for you.

0.1 About Us

1.0 Non-Technical Resources

For people without experience, an internship is an ideal start where you can learn from actual real-life work and get familiar with the office environment in the industry. In fact, some people get hired after the internship if they provide value to the company, so this can set you up very well in terms of starting your career.

We believe that people who do a lot of self-study to prepare themselves will have enough technical skills to start work on a basic real-life investigation or a simple penetration test. They just need to get familiar with the professional work environment and the enterprise versions of the applications that companies use, and to expose/prove themselves to a potential employer, which could land them a job once the internship ends.

Summer of Tech is a fantastic resource to get paid internships if you're based in New Zealand, and a large number of big vendors will be attending the event looking for interns:

I believe every major city has local tech meetups, and for Palmerston North ManawaTech is your friend. Potential opportunities for jobs or internships (likely unpaid) may exist here:

Conferences are also great for networking, as well as providing learning content from the different talks. One of the best we have been to was the Christchurch Hacker Conference, which we recommend participating in:

Kawaiicon is something we have heard about and trust is awesome, but we have not been to it yet. If they start running these events again then it would absolutely be worth going to:

Staying up to date with the daily news in cyber security is also important, and we recommend the following sources for all the latest nerdy news:

1.1 Technical Resources

It is important and beneficial for cyber security professionals to have knowledge of both the red team side and the blue team side; depending on your job, one will carry more weight than the other.

To have a university-course type of training at a fraction of the cost, we highly recommend HackTheBox Academy.

From a technical point of view, it has the best quality of training and pricing plans. The following job pathways are recommended and they are around $150.00 NZD each:

  • SOC Analyst - for Blue team content

  • Bug Bounty Hunter - for Red team content

  • Penetration Tester - for Red team content

For red team content, the following resources are free and high quality; you just need to make your own study plan and do a lot of research on your own:

Unfortunately, there is no quality free course-like training content for blue team activities out there that we are aware of at the time of writing this article.

However, when it comes to the blue team, reading incident case studies and threat hunting detection rules, and looking into actual malware activity, can improve your investigation skills too. Again, you just need to make your own study plan and do research at any point where you are unsure or feeling lost. The following resources are great for this purpose.

Studying malware activity:

Incident / Threat Hunting articles:

For red teamers, we also recommend reading writeups, Proof of Concepts (PoCs), and articles published by other researchers to help you understand how certain attacks work and where vulnerabilities might exist, and to gain more motivation by looking at successful hacks. The following links are great resources for this purpose:

Online Capture The Flag (CTF) training labs can help you build practical skills, and larger companies occasionally host competitive events with prizes to be won. Practical skills are more valuable than theory and therefore should be emphasised.

Red Team:

Blue Team:

Real-life practice is great for gaining practical experience, and you can potentially put it on your CV. This is where things like bug bounties come into play, but they are absolutely NOT beginner friendly and you might get overwhelmed by the amount of information required to attempt them.

However, this is where you can put your skills into practice in a real-life environment without getting hired, and having this type of experience is generally a plus at every interview you have in the future.

The following platforms are popular for bug bounties:

For a red team bug bounty, if you would like to avoid heavy competition from experts targeting well-known platforms, you can simply search on Google for "vulnerability disclosure program" or do a bit of Google Dorking magic on anything related to "vulnerability disclosure program" if you want to be more specific.

There are companies out there that publish their own bug bounty programs on their website. Chances are they are unpaid; however, money really doesn't matter here. In all honesty, the chances of a beginner earning an actual income from bug bounties are low due to a lack of experience, so the main objective of doing these is to gain that experience.

For more information when it comes to preparing for a red team job, the Getting Started as a Penetration Tester in NZ series of posts made by Simon Howard are amazing and we do strongly recommend you read those as well:

Keep in mind that practical skills are what is more important in the industry when compared to theoretical ones. Certifications that focus on multi-choice questions rather than practical exercises are not going to benefit you anywhere near as much.

Even though we have been training ourselves significantly on the red team side, our main professional positions are as security analysts. Therefore we have the following advice for people who want to get into a blue team role, as well as for junior blue teamers who want to upskill:

1.1.0 Advice for people looking for a junior blue team job:

  • Don't spend all of your time on study, go out and try to land an internship as well as have a life --- No one hires a junior with the expectation they can start doing incident response in their first year, unless there's something wrong with them or you are a cybersecurity prodigy. So you don't need to have technical skills equal to someone who has been working in the industry for three years to find an entry level job. Just to clarify, this doesn't mean give up on studying, as that will be part of your life for as long as you are in the industry, but rather balance it with your life outside of cybersecurity and looking for internships. Again, internships are the best showcase of experience, which your future employers would love to see on your CV for your first blue team job.

  • Qualifications are great, but don't burn your wallet for them --- Having qualifications from companies like CompTIA looks great on your CV, but they are 100% not necessary. Don't burn your own wallet for them unless you really want to give it a go.

  • Prepare yourself to have enough skill to smash all those easy-level investigation labs --- Even though they are CTF-like, they are still technical investigations, and if you can complete all easy-level investigation labs without struggling you will most likely be fine for an entry level job.

  • Prepare as early as possible --- With so many intelligent people out there trying to get into a desirable industry, don't leave it too late and only start thinking about your future when you are close to graduating. You need to begin preparing early.

  • Go beyond school work --- Honestly speaking, a lot of school courses are bare bones, too simple for today's requirements and useless for actual jobs. At a minimum, everybody is trained the same, so your ceilings are the same. Going above and beyond what school teaches will make you stand out. Try not to skip classes though; they offer social experience and improve your soft skills, which you could otherwise miss out on.

  • Logs, logs, logs and more logs --- No matter what role you hold in cybersecurity, chances are you need to be adept at reading and interpreting different logs. Analysts use these for investigating alerts, engineers use them to troubleshoot problems, consultants need to think about how logs are seen and stored and so on. Get your hands on as many different log sources as you can to comb through, teach yourself how to understand them and once again research anything you don't understand. This will make transitioning into the industry a lot easier with a solid foundation of log reading.

  • Work hard on your soft skills --- What will go a long way in this industry is an emphasis on soft skills such as communication, teamwork and adaptability. While these may be more difficult to improve outside of a work environment than practical skills, they matter a great deal in a corporate environment. Being a competent part of a team and communicating effectively within that team or to possible clients is a must, and it can set you apart from other candidates.

1.1.1 Advice for juniors to upskill:

  • Stay hungry for knowledge and take action --- There are always things to learn and that will never stop. When you see things that make you think "I don't know what this terminology means", "I can't see a connection between A and B" or "Why is it doing this?", that is a great sign that there is a gap in your knowledge. The worst decision in this type of situation is to skip it and move on; you should spend time researching it and take action as quickly as possible. The only painful part is wrestling inside your head about whether or not you should start researching this new avenue; once you start, that pain will go away and over time it will become second nature.

  • Study what other people do and brainstorm by yourself --- One thing that helped me get prepared is to read and understand other people's detection rules and threat hunting queries. Understanding why people are searching for certain things to hunt a particular threat also helps you understand how this type of threat works. After gaining an understanding from both sides (red and blue) of things, you can brainstorm the impact of a threat and the response actions you would take as if you are seeing this threat in a complex network environment and debate with yourself. Then if you can, find someone to ask if your thinking is correct.

  • Hunt for patterns and not IOCs --- You rarely need to hunt IOCs in your environment, since modern EDRs and SIEMs are good at covering these via constantly updated threat feeds. You should be looking at patterns when it comes to threat hunting. For example, instead of looking for "outbound Github traffic made by C:\users\admin\Music\example.exe", looking for "outbound Github traffic sent from the \Music\ folder, whoever the user is" would be a better idea. We want to look at unusual behaviours rather than very specific files or IPs.

  • Vulnerabilities need to be taken care of; you can improve a client's security posture from all angles --- It is not only malware and hands-on-keyboard threats that are true positives; all operational vulnerabilities should also be treated as such. For example, if you see a web server with an RDP port open to the public, it is likely to be smashed by brute force traffic. This is indeed a risk, since it is unfortunately common to see passwords that are extremely basic and easy to brute force. Keep in mind you are trying to make your clients/organisation more secure, and not only to be a hero finding malware and hackers already in the network. A good rule of thumb is that if a machine is accessible from the internet, you can assume external parties will be probing it looking for vulnerabilities.

  • Focus on something that you are good at, and if you can, at the same time learn at least a little of everything --- It is not uncommon for you to be tasked with something to do beyond your actual title, especially in a smaller team. This is actually an advantage you should grab with both hands rather than be scared of it. It helps you grow faster and gives you exposure to things you might not get a chance to do again.

  • Treat every job seriously even if it looks small and boring --- It is impossible to have everything you do at work be fun and exciting. Some tasks are smaller than others, but they are still being paid for by the clients/your organisation; just keep in mind you are not here to show how great you are by constantly accomplishing difficult jobs. Smaller jobs can have large consequences if not done properly.

  • Every service should be considered as potential visibility during investigations --- When getting alerts, don't just check within the platform that created the alert itself. Check what other applications exist that provide other logs to enable you to gain further visibility and help you investigate from all possible angles.

  • Attacks are generally patterned, don't jump into rabbit holes --- When carrying out an investigation, follow the timeline and the activities step by step. And don't overthink it when you do; attacks are often more "simple" from a defender's point of view than you think they are. Reference the attack phases in your head (initial access, persistence, lateral movement, etc.) and if you don't see something that you suspect should be there (e.g. missing persistence techniques and no clear indication that the threat was stopped by EDR immediately), start doing more customised threat hunting to investigate other avenues.

  • Be self-aware and honest --- You will never reach a point where you know everything there is to know related to the job. Recognise when you have reached your limits and involve other colleagues for their input, as in cybersecurity getting it wrong can have major consequences. But don't be content with handing it off; follow up to see what they did, or go off and research it on your own to fill gaps in your knowledge.
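To make the "patterns, not IOCs" point from the threat hunting bullet above concrete, here is an added example written for this article (it is not code from any vendor, project or the original post). It runs an IOC-style hunt and a pattern-style hunt over a small constructed set of outbound-connection events in Python. The field names (user, image, dest), the sample users, paths and hostnames are all assumptions made up for illustration.

```python
import re

# Constructed sample of outbound-connection telemetry (not real data). The
# field names mirror what an EDR network event typically records.
SAMPLE_EVENTS = [
    {"user": "admin",  "image": r"C:\Users\admin\Music\example.exe",
     "dest": "github.com"},
    {"user": "jsmith", "image": r"C:\Users\jsmith\Music\update.exe",
     "dest": "api.github.com"},
    {"user": "jsmith", "image": r"C:\Program Files\Git\cmd\git.exe",
     "dest": "github.com"},
    {"user": "svc",    "image": r"C:\Users\svc\Downloads\tool.exe",
     "dest": "raw.githubusercontent.com"},
    {"user": "admin",  "image": r"C:\Users\admin\Music\example.exe",
     "dest": "updates.example.net"},
]

# The single indicator from the bullet above: one exact path in one user's profile.
IOC_IMAGE = r"C:\users\admin\Music\example.exe"


def hunt_by_ioc(events, ioc_image=IOC_IMAGE):
    """IOC hunt: exact (case-insensitive) path match plus a GitHub destination.
    It misses the same behaviour under any other user name or file name."""
    return [
        e for e in events
        if e["image"].lower() == ioc_image.lower()
        and "github" in e["dest"].lower()
    ]


# The pattern: any user's Music folder, any executable name, any GitHub host.
MUSIC_FOLDER = re.compile(r"^[a-z]:\\users\\[^\\]+\\music\\", re.IGNORECASE)
GITHUB_HOST = re.compile(r"(^|\.)(github\.com|githubusercontent\.com)$",
                         re.IGNORECASE)


def hunt_by_pattern(events):
    """Behavioural hunt: executables running out of a per-user Music folder
    that talk to GitHub, regardless of which user or binary name is involved."""
    return [
        e for e in events
        if MUSIC_FOLDER.search(e["image"]) and GITHUB_HOST.search(e["dest"])
    ]


if __name__ == "__main__":
    for name, hits in (("IOC hunt", hunt_by_ioc(SAMPLE_EVENTS)),
                       ("Pattern hunt", hunt_by_pattern(SAMPLE_EVENTS))):
        print(f"{name}: {len(hits)} hit(s)")
        for e in hits:
            print(f"  {e['user']:7} {e['image']} -> {e['dest']}")
```

On the sample data the IOC hunt returns only the one event that matches the known path, while the pattern hunt also catches a second user running a differently named binary from the same kind of location. The legitimate git.exe from Program Files is excluded by both, which is the behaviour you want before turning a pattern like this into a scheduled detection.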
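For the exposed-RDP example in the vulnerabilities bullet above, this added Python snippet (written for this article, not code from the original post or any product) shows the kind of check an analyst would run over Windows logon events to confirm that an internet-facing RDP port is in fact being brute forced: it counts failed RDP logons (event ID 4625, logon type 10) per source IP inside a sliding window, flags sources that cross a threshold, and notes whether a successful logon followed. The one-line log format, the threshold and every event are constructed for the example; the IPs are documentation-range addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, flattened to one line each
# (not real data). 4625 = failed logon, 4624 = successful logon, LogonType 10 =
# RemoteInteractive (RDP). IPs come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2024-05-01T09:00:03Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.7
2024-05-01T09:00:05Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2024-05-01T09:00:07Z EventID=4625 LogonType=10 TargetUser=root SourceIP=198.51.100.7
2024-05-01T09:00:09Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2024-05-01T09:00:11Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=198.51.100.7
2024-05-01T09:00:15Z EventID=4624 LogonType=10 TargetUser=administrator SourceIP=198.51.100.7
2024-05-01T09:05:00Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.5
2024-05-01T09:05:30Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.5
2024-05-01T09:10:00Z EventID=4625 LogonType=10 TargetUser=analyst1 SourceIP=10.0.0.12
2024-05-01T09:10:04Z EventID=4624 LogonType=10 TargetUser=analyst1 SourceIP=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn the flattened log lines into dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with `threshold` or more failed RDP logons inside any
    `window`, and record whether a successful RDP logon followed the failures."""
    events = [e for e in parse_events(text) if e["logon_type"] == 10]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["eid"] == 4625]
        # Sliding window: the largest number of failures inside any `window`.
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue  # a couple of typos from one user is not a brute force
        last_fail = failures[-1]["ts"]
        alerts[ip] = {
            "failures": len(failures),
            "peak_in_window": peak,
            "users": sorted({e["user"] for e in failures}),
            # A success after the burst is the case to escalate first.
            "success_after": any(e["eid"] == 4624 and e["ts"] > last_fail
                                 for e in evs),
        }
    return alerts


if __name__ == "__main__":
    for ip, detail in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, detail)
```

The single external source that hammers several account names and then logs in is the only one flagged; the two failures from 203.0.113.5 and the one internal typo stay below the threshold. The check confirms the bullet's point rather than replacing the fix: the exposure itself is the finding, and closing or restricting the port is the recommendation whether or not the burst has succeeded yet.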

2.0 Summary

  • Aim for an internship as this provides the greatest amount of learning and gives exposure to a work environment

  • Never stop learning and bettering yourself which goes hand in hand with recognising your own knowledge gaps

  • Network with others in the industry when possible

  • Utilise the resources listed above to improve yourself

  • Build up PRACTICAL technical skills rather than theoretical ones

  • Build up SOFT skills to set you apart from others
