
Section 1.1 Introduction to TestOut CyberDefense Pro

This course is designed to prepare you to pass the TestOut CyberDefense Pro exam and the CompTIA CySA+ certification exam. This certification measures not just what you know, but what you can do to evaluate a system's security and give recommendations that make the system more secure.

This section introduction covers the following topics:

  • Course purpose
  • Course prerequisites
  • Certifications

Course Purpose

The purpose of this course is to allow students and IT professionals to move into the cybersecurity field. The course covers knowledge and skills such as:

  • Threats and vulnerabilities: use proactive threat intelligence to manage organizational security and vulnerability activities.
  • Software and systems: employ security solutions to manage infrastructure and understand software and hardware assurance best practices.
  • Compliance and assessment: apply security concepts for risk mitigation and learn the importance of frameworks, policies, procedures, and controls.
  • Security operations and monitoring: analyze security monitoring data and apply configuration changes to existing controls as a way to improve security.
  • Incident response: use the appropriate procedures, check potential indicators of compromise, and apply basic digital forensics techniques.

Course Prerequisites

We've created this course with the expectation that you already know the following:

  • What a network is
  • How a network functions
  • IP addressing
  • Subnetting
  • TCP/IP networking protocols
  • DNS and DHCP
  • Basic security practices

Certifications

This course meets the specifications for two industry certification programs:

Certification: CompTIA CySA+ CS0-003

Definition: The CySA+ certification is a qualification obtained from CompTIA. A cybersecurity analyst is an IT professional who applies behavioral analytics to networks and devices to prevent, detect, and combat cybersecurity threats through continuous security monitoring. The changes to the CySA+ exam help to define the skillset that students will need to be successful in the cybersecurity field. Included is a greater emphasis on the security considerations of system and network architecture, programming and scripting languages, additional detail on threat hunting, and the importance of vulnerability management and incident response reporting and communications.

The code for the current CySA+ exam is CS0-003. To take the exam, a candidate must have four years of hands-on experience in a technical cybersecurity job role as well as the Security+ and Network+ certifications or equivalent knowledge and experience. For the latest requirements, cost, and more information, check the CompTIA website at comptia.org.

Certification: TestOut CyberDefense Pro

Definition: The TestOut CyberDefense Pro exam measures how much you know and what you can do. The CyberDefense Pro exam validates that you have the equivalent knowledge of four years of work experience in the cybersecurity field. The exam focuses on the skills and knowledge needed to become a security analyst. It also helps the student become aware of network attack strategies and common countermeasures. It prepares students to use various testing tools to analyze networks for vulnerabilities. Knowledge of these vulnerabilities also helps students understand how to counter them and improve security.

The TestOut CyberDefense Pro 2.0 course has been updated to include the latest security threats that students will encounter in the ever-changing cybersecurity field. This update also adds focus to the topics covered as cybersecurity roles become more defined and industry focus shifts to a more specific set of skills.

1.1.1 TestOut CyberDefense Pro Overview

TestOut CyberDefense Pro Overview 00:00-00:28

Welcome to the CyberDefense Pro course! In this course, we're going to cover all the information included in the TestOut CyberDefense Pro Exam and the CompTIA CySA+ Exam.

Here are your instructors for this course: Katie, Traci, Alex, and Spencer. We're going to help you build your skills and learn the tools that incident responders, threat intelligence analysts, and cybersecurity specialists need in their work. With our help, you'll be more confident in implementing a cyber defense plan to secure and monitor your network.

Course Audience and Prerequisites 00:28-00:46

Before we go any further, it's important that you understand the prerequisites for this course. We've created this course with the expectation that you already know a few things. First, you should know what a network is and how it functions. You should also understand IP addressing, subnetting, TCP/IP networking protocols, and basic security practices.

Knowledge and Skills 00:46-01:31

That's because we're going to jump right into vulnerability management so that you can gain an understanding of regulations, control types, and frameworks. Then we'll get into threat intelligence and hunting. We'll cover different types of intelligence sources as well as researching and finding possible threats.

The next portion will be about systems and network architecture and different operating systems, trust models, and virtualization. We'll show you some common tools and commands. We'll then perform vulnerability assessments using a variety of methodologies. The next area will take a deeper look at network- and host-based attacks and defensive methods. This will be followed by security management topics to help with the burden of monitoring the various assets that you'll inevitably have to oversee. Finally, we'll cover incident response plans to prepare for when an attack happens.

Practice Exams 01:31-02:04

At the end of the course, you'll find both the TestOut CyberDefense Pro Practice Exam and the CompTIA CySA+ Certification Practice Exams. These tests help you prepare for certification. Consider using them as pre-tests at the beginning of the course to determine how much you already know. Then, as post-tests, retake them at the end of the course to see how much you've learned. You can also test your knowledge by taking the domain exams. These exams divide test questions according to the domain objectives in the certification exams. It's another way to practice and reinforce cyber defense concepts.

Certifications 02:04-02:34

Now let's talk about your certification because that's really the goal of the course. Certification is important in two ways if you plan on having a career in the cybersecurity industry. First, it gives employers the critical information they need to make hiring decisions. Second, it gives you as an applicant an edge in the job market. Employers look for workers who are certified. And this course meets the specifications for two different industry certification programs: the TestOut CyberDefense Pro Exam and the CompTIA CySA+ Certification.

Education, Experience, and Certification: The Golden Triangle 02:34-03:38

Education, experience, and certification are what we call the golden triangle. All three are important if you plan on pursuing a career in the IT industry. Why? Because, again, they provide employers with the critical information they need when making hiring decisions.

When an employer goes through a stack of resumes trying to decide on who to hire for an open position, they want to quickly be able to tell if an applicant has the education, experience, and certifications they feel are necessary to complete the job successfully. If your resume has all three, you're in much better shape. If it's missing any of them, you may have difficulty getting companies to take you seriously.

Taking time to earn certifications demonstrates to a prospective employer that you've achieved a certain benchmark of knowledge and skills. Focusing on certification, along with education and experience, will help you become extremely valuable in the marketplace—helping you land your dream job! Each TestOut course delivers an outstanding education, empowers you to build critical hands-on skills through real-world simulations, and helps prepare you to achieve industry certification.

TestOut CyberDefense Pro Exam 03:38-04:21

The TestOut CyberDefense Pro Exam measures how much you know and what you can do. It validates that you have the equivalent knowledge of four years of work or training experience in the field of cybersecurity. TestOut CyberDefense Pro focuses on the skills needed to become a security analyst. It also helps you as the student to be aware of network attack strategies and common countermeasures. It prepares you to use various testing tools to analyze networks for vulnerabilities. Knowledge of these vulnerabilities also helps with understanding how to counter them and improve network security.

In addition, the TestOut CyberDefense Pro Exam takes things a step further by emphasizing real-world job skills. You'll be performing real-world tasks in a simulated environment.

CompTIA CySA+ 04:21-05:08

The CySA+ is a qualification obtained from CompTIA. It states that a cybersecurity analyst is an IT professional who applies behavioral analytics to networks and devices in order to prevent, detect, and combat cybersecurity threats through continuous security monitoring.

This knowledge is assessed by answering multiple-choice and performance-based questions regarding various cyber defense techniques and tools. The code for the current CySA+ Exam is CS0-003. To take the exam, a candidate should have at least four years of hands-on experience in a technical cybersecurity job role and one of three education options: the Security+ and Network+ certifications; the TestOut Security Pro and Network Pro exams; or the equivalent knowledge and experience.

Summary 05:08-05:12

With that in mind, it's time to start learning about cyber defense!

1.1.2 Use the Simulator


Use the Simulator 00:04-00:15 TestOut's lab activities are key to your training. In this demonstration, I'm going to show you the components of the lab simulator so that you can successfully complete the lab activities in this course.

Scenario Window 00:15-00:47 The lab has four main areas. Over here, on the left, is the Scenario window. The Scenario window is very important. The Scenario describes the task you're required to perform during the lab activity. Typically, the items in this bullet list provide you with all the tasks that you're going to be evaluated on. Therefore, you'll be expected to perform these tasks correctly as you go through the lab. If you need more space while you're working, you can hide the Scenario window by clicking this button right here, and you can click it a second time to bring it back.

Workspace Area 00:47-00:55 The main area where you're going to do most of your work is called the Workspace. It includes all the items you'll work with and configure.

Shelf Area 00:55-01:06 In addition to the Scenario and the Workspace, we also have the Shelf. The Shelf holds pieces of equipment organized by category. Right now, we have cables and monitors.

Read the Scenario 01:06-01:18 Now, let's go through the process of completing a lab. The first thing you need to do is read the Scenario. Read it very carefully because when you're done, you're evaluated on whether you did everything it asked you to.

Review Objects in the Workspace 01:18-02:59 Then you need to examine the objects within the Workspace. You can use this slider to zoom in and out if you need to. You can also use the zoom out and zoom in buttons or the drop-down list here.

Before we go any further, I need to point out that each object within the Workspace occupies a certain amount of space, which is denoted by the outline that's around each object. For example, this is the area for the power strip, this is the area for the computer, this is the area for the keyboard, this is the area for the mouse, and this is the area for the wall plates. Within each of these windows, there are several buttons that allow us to change the perspective of the view for that object.

I'm currently looking at the front of the computer. But let's suppose I need to do some work on the back of the computer. I can come up here and click the Back button. And when I do, I can see all the various connectors that are implemented on the back of the computer. If I need to see the front of the computer again, say, to power it on, I can click the Front button. You'll notice that not all of the objects have multiple views. The computer does, but the keyboard only has one view, the top view.

You're not stuck with this layout within the Workspace. You can rearrange the objects in the Workspace to make them more convenient to work with. For example, I could grab the keyboard and move it to the other side of the computer. Let's move the mouse as well. There are some objects that you cannot move within the Workspace. For example, I can't move this wall plate because, well, it's a wall plate. It's mounted to the wall to replicate a real wall plate. But you can move objects around the fixed items. For example, I could move the computer to the other side of the wall plate.

Find Objects on the Shelf 02:59-04:30 So, once you've familiarized yourself with the items within the Workspace, you need to go over here, to the Shelf, and use the categories displayed to find the objects required to complete the Scenario.

If you're looking at an item on the Shelf and you're not really sure what it is, or you need a better idea of how it functions, you can click on the Details link for that object. For example, I can click the Details link for the video cable here. When I do, an overview of the cable is displayed. Notice, for this particular object, we can see the cable itself. We can see each connector, and I can look at the front, back, and top of the connector. Also, notice that when I click an item on the Shelf, it's displayed down here, in the Selected Component window, and we can access the same information using the Details links down here. Being able to view the details of a particular object on the Shelf is very useful because it helps you verify the object you've selected is actually the correct object for the particular requirements of the Scenario.

And I should point out here that, with some objects, when you view their details, you'll see an additional tab called the Specifications tab, which opens a window that provides more information. Right now, we don't have an object on the Shelf or in the Workspace that has a specification tab, but some do (for example, a motherboard will have a specifications tab). The information in the Specifications tab is similar to what you might find in a user manual for that particular item. Go ahead and close this window.

Add Items to the Workspace 04:30-05:29 Before we can work with an object within the Workspace, we have to add it to the Workspace or connect it to an item that's already there. For example, to add this monitor to the Workspace, we'll expand Monitors and then drag it over here. Notice, when I do this, you can see yellow lines appear that tell me where I can drop the monitor in relation to the other objects that are already within the Workspace. So, in this case, I want to add the monitor to the Workspace right next to the PC system itself, so I'm going to drop it right here. And now that object is added to the Workspace.

Once the object is in the Workspace, I can manipulate it to accomplish the tasks in the Scenario. In this example, I need to look at the back of the monitor, and I need to use cables to connect this monitor to the computer system and the power outlet. Let's look at the back of the computer as well as the monitor. By doing this, I can see the various connectors that are implemented on the monitor and on the PC system.

Connect Devices 05:29-08:11 With this done, now I need to use the appropriate cables to connect these two devices together and connect the monitor to the power outlet. Let's go over here and expand Cables, and let's connect the monitor to the computer system using a video cable. I can click on the video cable so that it appears down here, in the Selected Components window. Let's grab each connector and add it to the appropriate port on the back of the computer and on the back of the monitor. Let's drag this connector to the monitor.

Notice here that there are three different ports available on the monitor, and as I hover over each port, it's outlined in blue. That blue rectangle tells me that this is a potential place where you could connect this particular device. It doesn't mean it's the right connector--it just means that it's an option you could use. In this case, I'm dealing with an HDMI connector, so I need to make sure that I drag and drop it onto an HDMI port, right here. I'll release the mouse, and now, one end of the connector is connected to the monitor. If we look at the status of the connector down here, you can see that one end is now connected to the monitor. The other is still unconnected. And notice when I did that, the partial connections window is displayed. You'll always see this partial connection window when one end of a cable is connected, but the other end isn't connected to anything.

Now, we need to connect the other end of the cable to the PC system. So, I'm going to click and drag. And just like with the other end of the cable, I need to pick the right port to connect it to, and now it's connected. Once again, the status of the cable is updated down here, in the Selected Components window. One end is connected to the computer, the other to the monitor.

Now, you might be wondering, what happens if I drop this connector on an incompatible connector? When you do, an error is displayed down here, saying, "Hey you can't connect that there." Let's go ahead and put it back on the correct port. So, that's one way you can connect devices together using an item from the Shelf.

There's another way to do it as well, and that's to drag the cable directly from the Shelf and then drop it on the appropriate connector. In this case, I'm going to drag the power connector, and I'm going to drop it on the power socket on the monitor. Now, notice that this cable has two different connectors; we have a female connector and a male connector. The simulator doesn't know which end of that cable I want to connect to this particular connector on the monitor. It brings up a list of possibilities, and I have to tell it which one I want to use. Let's go ahead and use the AC power female connector. And that end is now connected to the monitor itself, and let's plug the other end into the power strip.

Turn on the Computer 08:11-08:43 So, at this point, we've applied power to the monitor, and we've connected it to the PC. Now, let's go ahead and switch to the front view of the monitor and the front view of the PC. And just like in real life, before I can use either of these components, I have to turn them on. Let's turn on the monitor. If you hover over the Power button, you'll notice that it's highlighted in blue. I'm going to click it to turn the monitor on. Let's go over to the computer and power it on as well. When I do, the system comes on, and we switch into the operating system view of the computer.

Operating System View 08:43-09:57 And as you can see, we have a full simulated Windows environment. It's not a real Windows system--it's a simulated Windows desktop. However, it does function in pretty much the same way a real Windows desktop would. For example, I could come over here, to the Start button, and click on it. When I do, all of the things that you would expect to see in the Start menu are displayed. For example, I have my Settings. I can view a list of the installed applications on the system. And I have my tiles over here. I can come down and search for Control Panel and go up and click on it. When I do, Control Panel is displayed, just like it would be on a real Windows system. And using the various links in the Control Panel, I can go ahead and configure this simulated workstation. For example, I could go down here, to Hardware and Sound, and I could use this link, right here, to add a new printer to the system. The steps that you need to take within the simulation are exactly the same ones that you would need to take on a real Windows system.

Now, I do need to point out that as you go through the lab exercise, you'll see that not everything in the Windows interface is going to be enabled. If a feature isn't necessary for a lab, it's not enabled. The components you do need to complete the Scenario will be enabled.

Workspace / Other Views 09:57-10:08 Now, while the computer is on and running, you can switch back to the Workspace and view the hardware by clicking on the Hardware button for the particular device. This will switch you between the different views.

Move Objects to the Shelf 10:08-11:43 Now, in addition to moving objects from the Shelf into the Workspace, I can do just the opposite. I can take an object that's currently in the Workspace and return it back to the Shelf. To do this, all you have to do is click on the object, like the monitor here, and then drag it over to the Shelf and drop it. Notice that when I do this, an error message is displayed. It's basically telling us, "Hey, I can't be moved back to the Shelf because I'm still plugged in." It's connected to the power cable, and it's also connected to the DVI cable. And it's warning us that if we fail to unplug all these cables, we can't put it back on the Shelf. This is also simulating real life. You wouldn't grab a monitor that still had a power cable and video cable connected to it and drop it on a shelf, right? Before we can put this item back on the Shelf, we've got to unplug everything. Click OK here. To unplug a cable, simply click on it, drag it off, and drop it somewhere within the Workspace. For example, if I unplug the power cable from the back of the monitor, we see that its status changes to Unconnected. We have to do the same thing with the video cable. I'll click it, drag it off, and drop it, and its status changes to Unconnected as well.

At this point, there are no more connections to the monitor, so I can drop it back over here, on the Shelf. And please be aware that there are some items that you can't move to the Shelf. A good example would be the wall plate connectors. Just as in real life, you couldn't grab a wall plate connector, rip it out of the wall, and put it on the Shelf (at least, not very easily). You can't do that in the simulation either.

Evaluate the Lab 11:43-13:41 Now, once you've completed all the tasks in the Scenario, you're ready to submit the lab for evaluation. However, I recommend that before you do this, you go back over to your Scenario and quickly review all the tasks that you're expected to complete and double check to make sure that everything's done as required. Once you've identified that you've done everything that was required, go up here and click on Score Lab. When you do, it's going to evaluate whether or not you did everything correctly.

Notice here, we have a list of tasks that I was required to perform by the scenario, and it's listed here, under Task Summary. Over here, we have an icon that tells me whether or not I did each one. If I didn't do a particular task, I see a red X. If I did complete a task, it would be denoted with a green icon. Now notice, in this scenario, I didn't do everything that was required. I initially had the monitor on the Workspace, but I took it off, so it evaluated as incorrect. And because I unplugged the monitor's video cable and power cable, I got those wrong, as well.

Now, this last task is actually a multi-item task, meaning I had to complete several different sub-tasks in order to get this task correct. To see what those sub-tasks are, I click on Show Details, and it tells me I needed to turn on the computer. I did that--notice the green icon. But I'm also supposed to turn on the monitor. I got that wrong. Why? Because I originally had it on, but then I turned it off and put it back on the Shelf. And, as a result, I didn't get it right.

Now, down here, under the task summary, is the explanation. The explanation part of the lab report provides step-by-step instructions for actually completing the tasks in the Scenario. There are, of course, many ways to complete some of these tasks. The steps listed here provide just one suggested way.

Go ahead and click Done.

Now I'm going to pause the recording while I restart the lab.

All right.

Change Locations 13:41-14:47 Before we end this demonstration, there's one more thing I want to show you. Come over here in the Scenario. It tells us that once we've completed the tasks in the Scenario, feel free to explore the hardware and operating system interfaces within the lab. You can click Floor 1 Overview to review the rest of the office network, right here. Understand that this computer is just one system within an entire office complex.

If you want to view the other systems within the office, you can click on the Floor 1 Overview. When I do, I see a floor plan of the organization, and each room in the floor plan has a name. I'm currently in IT administration. I know that because the name of the room is in orange. Within each room, there's a list of the hardware and operating systems running in that office. For example, in Office 1, we have a computer. It's running Windows, and the name of the system is Office1. Over here, in the Networking Closet, we have a server running, and its name is CorpServer. I can use all of these icons to switch to either the hardware or the operating system view for the computer equipment in these different locations.

Summary 14:47-14:56 That's it for this demonstration. In this demo, we looked at the TestOut lab simulator.

1.1.3 Job Roles


Job Roles 00:00-07:57 James Stanger: When it comes to security analytics, there are so many different job roles involved that kinda use that skill set. To tell us more about those different job roles, we've got Brian Calkin. Brian, how you doing?

Brian Calkin: James, I'm great. How are you doing?

James Stanger: Yeah, doing great, man, doing great. You know, Brian, you started out as a security, as a SOC analyst a while back, right, how long ago?

Brian Calkin: It's been about 20 years ago I started off as a SOC analyst, yeah. It's been a long time.

James Stanger: Alright, so tell us what you're doing now and then we'll go back and tell us a bit about what prepared you to be a SOC analyst and then we'll talk about some additional job roles.

Brian Calkin: Yeah, sure. So, right today, I'm a Chief Technology Officer for a company called CyberWa. We primarily offer cyber bodyguard services to high net worth individuals as well as celebrities.

James Stanger: You know, when it comes to being a SOC analyst, right, I think to some people, it means that it's a hyper advanced kind of activity. To other folks, it's like, well, no, it's a beginner role and the answer is, there's really kind of the SOC 1 and the SOC 2 analyst, right? Let's talk about what a SOC 1 analyst does versus a SOC 2 analyst.

Brian Calkin: Yeah, sure. I think, you know, and so I'm very familiar with the SOC 1 and SOC 2, sort of concept. You know, we use it as a way to promote SOC analysts. But anyway, you know, I think a level 1 analyst, you can think of maybe as somebody with, like myself coming in. I didn't have any cyber security expertise at a college. There weren't any cyber security courses available, so I came in with a strong network administration and systems administration background.

So I would be, you know, I think a prime level 1 analyst, meaning I've got good technical chops but maybe not so much in the cyber security space yet. I think then as you are on the job, getting certifications, working through various problems you're trying to solve, you're able to elevate and go up to, you know, sort of a level 2, and you have more of a, sort of a cyber security mindset that you're applying to, you know, certain fundamentals.

James Stanger: Makes perfect sense. You know, you mentioned that you had a strong background from your college experience in networking. We have a mutual friend of ours, Mike Geraghty, the CISO over at the State of New Jersey. He has a great phrase, you can't secure a network or analyze a network unless you know how the network works. What are some of the things that you brought to the table from that experience that really helped you? And maybe folks who wanna become a SOC analyst can learn the same things.

Brian Calkin: Yeah, sure. So, you know, from undergraduate work, getting my Bachelor's degree, I was focused on trying to build networks. Building them so they are resilient and functional and doing all the things that everyone needs to do. So, I understood really well how a properly functioning network should work and how to keep it working.

And so that helped me exponentially understand, you know, when someone is trying to attack a network or trying to compromise a system, what that looks like and why, and how to kinda pick that out amongst the sort of normal day to day, and figure, and look at something and say, well that doesn't look quite right. That shouldn't be behaving this way and be able to call that out as an anomaly.

James Stanger: And you also knew what happens when a network's not functioning properly, things like that, right?

Brian Calkin: Exactly. Yeah, exactly.

James Stanger: So the different types of protocols that you had to learn, for example, right, DNS, DHCP, the three-way handshake, TCP three-way handshake, stuff like that, right?

Brian Calkin: Yeah. You have to understand how that stuff works because if you, again, if you understand what it should be doing, you can understand when you're seeing something it shouldn't be doing. These are great questions by the way that we always ask prospective SOC analysts. You know, tell me the steps in the TCP three-way handshake.

You know, what is TCP port 53 used for? You know, what's the difference between TCP versus UDP and that's not necessarily cyber security related, it's 100% network related. But again, it's very applicable to cyber security. If you understand how things work, you can understand why they're not working.

James Stanger: No question. Then understanding things like, the TLS handshake and HTTPS, all those fun things, 'cause it's, hackers like to live where the applications are, right?

Brian Calkin: Yes, they absolutely do.

James Stanger: There's so many different other job roles in addition to SOC analysts. There's, for example, an incident responder, where you've done a lot of work in incident response. What's the difference between that and a SOC analyst, for example?

Brian Calkin: Yeah, generally, we tend to promote a lot of SOC analysts up into incident response roles and I think the reason for that, again, I think the SOC role is fantastic experience to get the base level understanding of all things cyber security; whereas like, an incident responder, we might take somebody who really likes to help out in times of a crisis, kind of react and respond as an attack is ongoing currently.

And also too, you know, kind of spend time understanding how an attack occurred, you know, why it occurred, how to prevent it from recurring again in the future and kind of work through all that with an organization.

James Stanger: Threat intelligence is another big topic, but it's certainly related to what a security analyst does. Tell us a bit more about what a threat intelligence analyst might be doing.

Brian Calkin: Yeah, sure. So threat intel analysts are super useful as we're looking to build a profile on a threat for instance. And so we're seeing a particular type of attack occurring across multiple organizations, we're gathering information on the tactics that are being used and then we're trying to map them back to a particular threat actor or adversary.

Maybe it's for, you know, generating additional signatures to detect that type of activity across other organizations or in some cases, you know, we've been part, in prior roles of mine, we've been part of teams of people that have gone after the threat actors themselves and working with law enforcement and Federal Government to help take these folks down.

James Stanger: Thank you so much for that. There's one last job role you hear about a lot; the threat hunter. Kind of a combination of the Pen Tester, Red Teamer and the Blue Teamer. Tell me a bit more about what a threat hunter does.

Brian Calkin: Yeah, so a threat hunter, I think, you know, I talked a lot about identifying the sort of things that look like anomalies amongst what's normal; I think the threat hunter is that, sort of on steroids, if you will. They're the type of person that is looking, you know, across log files from different sources.

I think a great source is like, endpoint data, like EDR-type data, and so they're looking at things like running processes on a system, for instance, and so I think the greatest [UNSURE OF WORD] to use is, you know, if you're seeing 25 processes running across 100 systems but, you know, these couple of systems have 27 processes running, you know, why is that? If they're all supposed to be uniform and have the same software deployed on them, same patches, all these things, but you've got a couple of boxes that are running additional software potentially on them, you know, why is that? Is that legitimate software, or should it be something that should be identified and dug into a little bit further? And so those are the types of things that a threat hunter is looking for.

James Stanger: So you kinda look for those different indicators of attack or indicators of compromise and the pivot points, how those things got there, all that fun stuff?

Brian Calkin: Yeah, exactly. It's actually a really fun role. It's a lotta fun 'cause you're the person finding that needle in the haystack and I think it's a great role for someone who likes puzzles and likes to kinda, you know, get to the root cause.

James Stanger: Kind of the detective as it were.

Brian Calkin: Yeah, exactly.

James Stanger: Brian, thanks so much, man. I appreciate you giving us an overview of the different types of job roles, kinda revolving around security analytics. Sure appreciate it, man.

Brian Calkin: Yeah, thanks, James. Thanks for the opportunity.
