I have completed my 2nd SANS course (SEC504), and passed the GIAC Certified Incident Handler (GCIH) certification exam! Whew! That was not easy. It was a very tool & lab-intensive course. Every section was followed by a hands-on lab utilizing a tool to demonstrate the vulnerability discussed. It was a deeper dive on PowerShell and Linux (way deeper) and using a variety of penetration testing/hacking tools. Very light on GUI applications. Very heavy on Metasploit, etc.
The certification exam was tough. There were 95 multiple-choice questions that covered everything in the textbooks. Then there were 11 “live lab” questions that utilized a virtual machine to have you demonstrate your hands-on ability to solve the challenge. Unlike the labs from the coursework, when you are in the test environment there is not any guidance about what tools to use, so you have to know which tool would be the best to solve the challenge. And what commands you need to run what exploit.
No question, I learned a lot from this course! Each chapter would show what hackers would attempt, and at the end there was a focus on what vulnerability management or proactive defenses you could employ to prevent or mitigate the attacks. Really good, practical guidance.
But the most important thing I learned is that this is not the part of cybersecurity that excites me. I had several classmates who were in their element. They have been building home labs for years. They participate in CTF events all the time. This is their jam! It is not mine.
Even the instructor kept hammering home the point that penetration testing is the act of constantly trying things. You try to run this tool or command, you fail. You tweak it and try again. You fail. You change it up and try again. Over and over. And over. I know people live for this, but it bored me to tears.
So now what? Well, I spent the majority of the second half of the course trying to figure out what I wanted to take for my 3rd and final course – the elective. I spoke to anyone who would speak to me. I read a ton of blogs, job descriptions, articles and watched loads of videos. All trying to see what might spark my interest and make me think “This is it!”
I had a lot of conversations with people in the industry, asking them what they did and how they got where they are. I gathered a lot of insights on that, and I’ll probably make a separate post just about those conversations. But, for now I’ll concentrate on how I was trying to line up my elective options with possible pathways. Everyone I spoke to definitely had an opinion! But less important than their opinion was the underlying issue – did I want to do what they did? You don’t really know what a role is based on title. So by speaking to people and understanding what they did, I was able to try and see if it might be something I was interested in doing myself.
Some of the conversations were surprising. Some were fascinating, and some were, quite frankly, disappointing. I managed to get time with the manager of the Vulnerability Management team at my company. Ever since I had decided that I wanted to move to cybersecurity, I had thought that was where I wanted to be. I had done some research about it, and it sounded like it might match up better with my natural strengths. I knew I wasn’t interested in Incident Response (putting out fires, working on call – the stress and unpredictability combined with lack of work/life balance did not appeal.) But VM sounded more like it was taking issues identified by others (pen testers, actual attacks, CVEs) and working to fix or mitigate them. Sounded interesting. But as the manager described how they actively pursued the issues, they did the pen testing, they did the technical deep dives to find them, I realized it wasn’t what I thought it was. It was red teaming/ethical hacker territory. Not for me after all.
Another conversation surprised me too. I reached out to a person on LinkedIn who had completed the same SANS program I’m in a couple of years ago. I wanted to talk to her about what happened when she completed the program and how she found a role. I didn’t know if I’d be interested in her job, but I did want to know how it worked out for someone who did this same program. But, I was pleasantly surprised to realize that I WAS interested in her career. She had taken the Cloud Security Essentials (SEC488) and the GIAC GCLD cert. She got a role as a junior cloud security engineer, worked there for a while and had recently taken a promotion to cloud security engineer at another company. She talked about what she did, and I was fascinated. She was also very honest and real with me – she did not get a job right away after completing the program. She had the certifications, but no experience. Doors did not swing automatically open to flood her with offers. She actually continued learning, gaining her AWS certifications. She worked on a portfolio to share on her resume to show she had hands-on experience even if it wasn’t paid. Eventually, she landed the first entry-level jobs. It wasn’t easy, but she did it!
I was inspired. I started reading about and researching cloud security roles. SANS lets you do a preview of some of their courses. I watched the previews for the cloud course as well as a few of the others. It didn’t take long for me to decide that the cloud course was the one for me. I did have a last-minute wobble, just as the decision was due, that maybe I should take the forensics course instead. Maybe it would be less limiting and open a few more doors. But in the end I went with my heart and signed up for SEC488.
I’m now on week #2. So far, I am loving it! It’s a little scary, setting up the AWS and Azure environments and launching the resources. I keep remembering all the horror stories I’ve read about people accidentally racking up $20k in bills in a month…. But so far, so good.
I now have several things I need to achieve to make this dream a reality. My employer offered AWS Cloud Practitioner training, so I was able to complete that (while on the clock!) this past month. Now I just need to study up and take the certification exam for that. I will definitely need to do the AWS Security Architect cert as well, probably next month. Then I think I will also need to consider the CCSK too once I’m done with my SANS training. Included in the SANS course is Cloud Wars, which is their hands-on lab work. For something outside of the class to show employers, I need to look at something like Cloud Guru to set up something for projects. There is so much to do! But at least I feel like I’m heading in the right direction. Finally.