Before I entered the field, I always wanted to know what a typical day was like for a Security Professional. Researching my future career path was something I did often and as part of this, I loved reading about what a day would, or could entail for me.
In this post, I aim to give an insight into just one of the many varied days working in cyber security.
Morning:
8:30am – Tea. This is without a doubt the most important part of my day (and is also the first of many). Everyone has their morning vice and for me it’s a nice cup of English breakfast tea before even sitting down at my desk.
9am – Morning huddle with the team. This is a brief meeting where we discuss the agenda for the day. It’s a great opportunity for us to understand each other’s work load and pick up any security alerts or problems that have arisen overnight. It is also the perfect time for anyone in the team to highlight anything they need assistance with, be it for technical understanding or just a sense check as we can all appreciate a second set of eyes.
9:30 – Email and news catch up. You need to have your finger on the pulse all the time in cyber security. Keeping up to date with the latest cyber news, data breaches and latest vulnerabilities is a must do for any security professional.
10:00 – Security Alert: Malware Detected. The endpoint security system has alerted for a malicious file that has been detected on a user’s machine. This alert required log analysis to determine a number of things:
- Had the malicious file been blocked, or do we still have a problem?
- What do we know about the file, what was it trying to do?
- Where did the file come from? What was the user doing to cause this file to end up on their machine?
There are several ways a file can end up on an end point, like being downloaded via a URL visited, from email, or from external media, i.e external hard disk or USB flash device.
Some browsers warn the user when they are about to visit a malicious URL.
Each one of these vectors has, or should have, their own set of security logging.
Investigation of these logs had revealed that the malicious file in question had been sent to the user via email – This alert was the result of a phishing attempt.
The outstanding question here is – why wasn’t this particular phishing email picked up by the email security appliance?
What began as a malicious file alert has actually escalated to a full phishing incident which has identified a security control failure.
This failure was addressed and definitions were updated but this wouldn’t have been possible without the appropriate level of critical thinking.
It would have been all too easy to stop looking into this alert when it was understood that the threat had been handled. We spoke in episode one of the HackableYou podcast about the attacker mindset and about critical thinking.
Without piecing together multiple items of information and having a good understanding of how attackers deliver malware and understanding the attacker mindset, vital steps in this investigation would have been missed.
Afternoon:
12:00 – Security Alert: Web Server Attack Traffic identified. One of the network security perimeter defences has detected incoming web server attack traffic. Log analysis reveals that an attacker with an IP based in the Netherlands is attempting a Directory Traversal attack. From the initial logs, it is not clear if this attack has been successful or not.
The granularity of log data available will depend on the type of logging an organisation has set up. In this instance, logs from the web server are not directly available to the Security Operations team. It is necessary to liaise with another internal team. Information on attack activity is confidential and it will not always be necessary to divulge every aspect of your security investigation.
The logs are requested and it is time for lunch.
13:00 – Lunchtime! It is so easy to just have lunch at your desk, especially during a busy day. Today I make the effort to get out and get some air. I took a walk to Pret, grabbed a baguette and took a walk round the block.
14:00 – Knowledge transfer. The logs I requested before lunch are back so this is an opportunity to analyse them and with a junior member of the team and share some knowledge. I walk through the attack and explain the different outcomes and different web application attack types. Knowledge sharing is an extremely important part of the role – I always take the time to explain the steps in an investigation thoroughly.
An example of web application attack traffic
15:00 – Security Alert: Potential Phishing Attack. A user has reported a strange email has landed in their inbox. They usually communicate with the sender but this email appears to be sending a file which is unusual behaviour.
Analysing the email headers and body of the email concludes that this is a phishing email. It directs the user to a webmail sign in page which is harvesting credentials.
An example of a phishing email that would be reported to the Security Operations Centre.
I thank the user for reporting this. Maintaining a good relationship between an organisation’s user base and its security team is extremely important. Had the user not known where to report this, or had not felt comfortable doing so, it is possible a phishing attack would have been missed.
16:00 – Self learning. As part of my research into the latest cyber security happenings I have come across a particularly interesting vulnerability. I take some time to teach myself how this works from a technical point of view. I also want to ensure I understand the potential impact this could have if exploited. Looking at this from both an attacker and a defender point of view helps me to understand how an attacker would use it, and how I can defend against it.
16:30 – Daily handover. Another team will continue after I have left the office. It is important to give them a detailed overview of all the incidents that have occurred during the day. They should know where to find all the investigation notes of all incidents, and know who to contact should they require further assistance out of hours.
17:00 – Home time! (on some days). I finalise some emails and then close my laptop for the day. I use my journey home to reflect on my day and then it’s time for beer!
Hopefully, this has given you a little insight into the world of a cyber security professional. Two days are rarely the same. There will be busier periods and you may experience seasonal peaks. For example, retail may experience more cyber attacks around Christmas and Black Friday, and this is when they are likely to cause a huge business impact.
For all the things that can change about my role, one thing stays the same, and that is the high level of enjoyment and satisfaction I receive.
Thinking of getting into the field? There’s no time like the present.