
CH3: The Skills Inventory – Mapping Your Arsenal

Introduction

One of the most terrifying moments for an entry-level cybersecurity candidate is the technical interview. You sit across from a hiring manager or a senior analyst, and they ask, "How comfortable are you with packet analysis?" or "Walk me through your experience with SIEM tools."

At that moment, vague answers like "I think I used it once in a lab" are fatal.

The goal is to move beyond simply passing classes and towards understanding your professional value proposition. A skills inventory is not just a list of buzzwords; it is a confidence check. It forces you to map every tool, concept, and framework you have encountered during your academic career to a specific level of competency.

By the end of this chapter, you will understand the specific toolsets required for the four major domains of cybersecurity—Security Operations, Digital Forensics, Penetration Testing, and GRC—and how to honestly assess your proficiency in them so you never list a skill on your resume that you cannot defend.


1. Security Operations (Blue Team)

The Security Operations Center (SOC) is the frontline of defense. Blue Team professionals are the digital first responders, responsible for monitoring, detecting, and triaging threats as they happen. If you are targeting a role as a SOC Analyst or Security Engineer, your skills inventory must demonstrate the ability to see and understand network traffic and system logs.

Core Competencies & Tools

In the SOC, "Theory" is less important than "Visibility." Employers want to know if you can spot an anomaly amidst the noise.

A. Security Information and Event Management (SIEM)

The SIEM is the heartbeat of the SOC. It aggregates logs from thousands of sources to find patterns.

  • The Standard: Splunk. It is the market leader. You need to know the Search Processing Language (SPL).
  • The Alternatives: Elastic Stack (ELK) and Microsoft Sentinel.
  • Competency Check: Can you write a query to find failed login attempts from a specific IP address over the last 24 hours? Can you create a dashboard alert?
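
To make that competency check concrete, here is an added example (not from the chapter) that answers it in plain Python over a handful of constructed sshd-style log lines: filter failures from one source within a 24-hour window, then turn the same logic into a threshold alert. The log format, the index and field names in the SPL comment, and the fixed "current time" are assumptions.

```python
"""Failed-login hunting, as the SIEM competency check describes it.

Added example (not from the chapter). Log lines are constructed sshd-style
messages; the timestamp prefix, field layout and 'current time' are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log. Each line carries an ISO-8601 UTC timestamp prefix.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-05-01T08:00:03Z sshd[1202]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-05-01T08:00:05Z sshd[1203]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-05-01T09:15:00Z sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
2024-05-01T10:30:00Z sshd[1402]: Failed password for bob from 198.51.100.20 port 40010 ssh2
2024-04-29T23:00:00Z sshd[900]: Failed password for root from 203.0.113.7 port 50000 ssh2
"""

# Constructed "now" so the 24-hour window is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(text):
    """Yield (timestamp, result, user, ip) for every line the pattern recognises."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in a real SIEM, unparsed lines deserve their own data-quality alert
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["result"], m["user"], m["ip"]


def failed_logins(text, src_ip, now=NOW, window=timedelta(hours=24)):
    """Failed logins from one source IP within `window` before `now`.

    Roughly the Splunk SPL (index and field names assumed):
        index=auth "Failed password" src_ip="203.0.113.7" earliest=-24h
        | stats count by src_ip, user
    """
    start = now - window
    return [ev for ev in parse_events(text)
            if ev[1] == "Failed" and ev[3] == src_ip and start <= ev[0] <= now]


def brute_force_candidates(text, now=NOW, threshold=3, window=timedelta(hours=24)):
    """Alert rule: every source IP with at least `threshold` failures in the window."""
    start = now - window
    counts = defaultdict(int)
    for ts, result, _user, ip in parse_events(text):
        if result == "Failed" and start <= ts <= now:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ts, _, user, ip in failed_logins(SAMPLE_LOG, "203.0.113.7"):
        print(ts.isoformat(), ip, user)
    print("alert:", brute_force_candidates(SAMPLE_LOG))
```

What interviewers probe is the reasoning rather than the syntax: why the search is bounded in time (the entry from two days earlier drops out of the window), why the count is per source rather than per user, and what threshold separates a mistyped password from a brute-force attempt.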

B. Network Traffic Analysis

Packets don't lie. When an attacker wipes host logs, a packet capture (PCAP) taken upstream of the host is an independent record they could not reach, provided you were capturing at the time.

  • The Standard: Wireshark. You must know how to filter traffic, follow TCP streams, and identify cleartext credentials or command-and-control (C2) beacons.
  • The Alternatives: tcpdump (command line) and Zeek (network security monitoring).
  • Competency Check: Can you identify a SYN Scan in a packet capture? Can you extract a file that was transferred over SMB or HTTP?
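
As an added illustration (not part of the original chapter), the following Python walks a constructed packet trace and flags the SYN-scan pattern the competency check asks about: one source sending bare SYNs to many ports on one host and never completing a handshake. Addresses, ports and flag strings are all made up; a real capture would be read with tshark or Scapy, which this example avoids so it runs offline.

```python
"""Spotting a SYN scan from packet metadata.

Added example (not from the chapter). The 'capture' is a constructed list of
(src, dst, service_port, tcp_flags) tuples; no pcap library is involved.
"""
from collections import defaultdict

SCANNER, TARGET, CLIENT = "203.0.113.7", "10.0.0.5", "10.0.0.21"

# Constructed trace. `service_port` is the port on TARGET for both directions;
# flags are written the way Wireshark labels them.
PACKETS = []
for port in (21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080):
    PACKETS.append((SCANNER, TARGET, port, "SYN"))             # probe
    if port in (22, 80, 443):
        PACKETS.append((TARGET, SCANNER, port, "SYN,ACK"))      # open port answers
        PACKETS.append((SCANNER, TARGET, port, "RST"))          # half-open scan tears down, never ACKs
    else:
        PACKETS.append((TARGET, SCANNER, port, "RST,ACK"))      # closed port
# A legitimate client completes the three-way handshake and sends data.
PACKETS += [(CLIENT, TARGET, 80, "SYN"), (TARGET, CLIENT, 80, "SYN,ACK"),
            (CLIENT, TARGET, 80, "ACK"), (CLIENT, TARGET, 80, "PSH,ACK")]


def syn_scan_report(packets, min_ports=10):
    """Map (src, dst) -> sorted ports for sources that sent bare SYNs to at least
    `min_ports` distinct ports on one host without ever completing a handshake.

    Equivalent starting filter in Wireshark: tcp.flags.syn == 1 && tcp.flags.ack == 0
    then Statistics > Conversations to see one source fanning out across ports.
    """
    syn_ports = defaultdict(set)
    completed = defaultdict(set)
    for src, dst, port, flags in packets:
        f = set(flags.split(","))
        if f == {"SYN"}:
            syn_ports[(src, dst)].add(port)
        elif "ACK" in f and not f & {"SYN", "RST"}:
            completed[(src, dst)].add(port)  # third leg of the handshake or later data
    report = {}
    for pair, ports in syn_ports.items():
        half_open = ports - completed.get(pair, set())
        if len(half_open) >= min_ports:
            report[pair] = sorted(half_open)
    return report


def open_ports(packets, scanner, target):
    """What the scanner learned: ports on `target` that answered SYN,ACK."""
    return sorted({p for s, d, p, fl in packets
                   if s == target and d == scanner and fl == "SYN,ACK"})


if __name__ == "__main__":
    for (src, dst), ports in syn_scan_report(PACKETS).items():
        print(f"SYN scan: {src} -> {dst}, {len(ports)} ports: {ports}")
    print("open:", open_ports(PACKETS, SCANNER, TARGET))
```

The legitimate client also sends a bare SYN, but it follows up with an ACK, so it never reaches the threshold; the scanner's RST after each SYN,ACK is exactly the half-open signature Nmap's -sS leaves behind.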

C. Endpoint Detection & Response (EDR)

TLS now hides most payloads from network tools, although destination, timing, volume and certificate details remain visible. Much of the detection work therefore shifts to the Endpoint (laptops and servers).

  • The Tools: Sysmon (System Monitor, a free Sysinternals logger that records process creation, network connections and registry changes for your SIEM) and commercial EDR platforms such as CrowdStrike Falcon, SentinelOne, or Carbon Black.
  • Competency Check: Do you understand parent-child process relationships? (e.g., Why is PowerShell being spawned by Microsoft Word?). Can you identify a malicious registry key modification?

D. Cyber Threat Intelligence (CTI)

A modern SOC analyst does not just wait for alerts; they proactively look for threats based on outside information. This is where Intelligence meets Operations.

  • The Framework: MITRE ATT&CK. This is the periodic table of adversary behavior. You must understand how to map an alert to a specific Tactic (the goal, e.g., "Persistence", TA0003) and Technique (the method, e.g., "Scheduled Task/Job", T1053).
  • The Source: OSINT (Open Source Intelligence). Using public information to track threat actors.
  • Competency Check: Can you take a hash of a malicious file and look it up in VirusTotal or Any.Run to see who else has seen it? Can you use the MITRE ATT&CK Navigator to visualize a threat actor's capabilities?
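
The EDR check (suspicious parent-child relationships and registry changes) and the CTI check (mapping an alert to ATT&CK) fit in one added example, which is not from the chapter. It evaluates constructed, simplified Sysmon-style events (event ID 1 is process creation, event ID 13 is a registry value set; the snake_case field names stand in for Sysmon's ParentImage, Image, CommandLine and TargetObject) and tags each hit with the ATT&CK technique ID an analyst would cite. The rules are deliberately narrow; a production detection would cover more parent applications, shells and PowerShell flags.

```python
"""Parent-child process triage with ATT&CK tagging.

Added example (not from the chapter). Events are constructed, simplified
Sysmon-style records: event_id 1 = process creation, 13 = registry value set.
Field names are snake_case stand-ins for Sysmon's ParentImage/Image/CommandLine/TargetObject.
"""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"-e(nc|ncodedcommand)\b")  # partial: PowerShell also accepts shorter forms

# Constructed telemetry from one host.
EVENTS = [
    {"event_id": 1,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"event_id": 1,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"event_id": 1,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc minute /mo 5"},
    {"event_id": 13,
     "image": r"C:\Users\Public\u.exe",
     "target_object": r"HKU\S-1-5-21-1004336348-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]


def basename(path):
    """Case-insensitive file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return [(rule, attack_technique_id)] hits for one event."""
    hits = []
    if event["event_id"] == 1:
        parent, child = basename(event["parent_image"]), basename(event["image"])
        cmd = event.get("command_line", "").lower()
        if parent in OFFICE and child in SHELLS:
            hits.append(("office_spawns_shell", "T1566.001"))   # Phishing: Spearphishing Attachment
        if child in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(cmd):
            hits.append(("encoded_powershell", "T1059.001"))    # Command and Scripting Interpreter: PowerShell
        if child == "schtasks.exe" and "/create" in cmd:
            hits.append(("schtasks_create", "T1053.005"))       # Scheduled Task/Job: Scheduled Task
    elif event["event_id"] == 13:
        if "\\currentversion\\run" in event["target_object"].lower():
            hits.append(("run_key_persistence", "T1547.001"))   # Boot or Logon Autostart: Registry Run Keys
    return hits


def triage(events):
    """(event index, hit) for every rule that fired across the batch."""
    return [(i, hit) for i, ev in enumerate(events) for hit in evaluate(ev)]


def techniques(events):
    """Sorted technique IDs, ready to paste into an ATT&CK Navigator layer."""
    return sorted({tech for _, (_, tech) in triage(events)})


if __name__ == "__main__":
    for i, (rule, tech) in triage(EVENTS):
        print(f"event {i}: {rule} -> {tech}")
    print("techniques:", techniques(EVENTS))
```

The second event (Explorer launching a PowerShell script) is the benign baseline every rule must ignore; the interview question "why is PowerShell being spawned by Word?" is answered by the first rule, and the remaining two show the same intrusion moving from execution to persistence.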

The "Blue Team" Mindset

A strong Blue Teamer is curious and paranoid. They do not dismiss an alert as a "glitch" until they have proven it is benign. When building your inventory for this domain, focus on your ability to investigate rather than just configure.


2. Digital Forensics & Incident Response (DFIR)

While the SOC identifies the fire, the DFIR team investigates the arson. This domain is rigorous, scientific, and legalistic. Your work here must stand up in a court of law.

Core Competencies & Tools

Accuracy is paramount. You must understand how to handle evidence without altering it.

A. Incident Response Frameworks

You cannot handle an incident by guessing. You must follow a structured lifecycle to ensure the threat is truly gone.

  • NIST SP 800-61: The government standard for the Incident Response Life Cycle. Revision 2 defines the four phases interviewers will ask about (Revision 3 reorganizes the guidance around the CSF 2.0 functions, but the phases below still describe the work):
    1. Preparation: Getting tools and policies ready.
    2. Detection & Analysis: Confirming the breach.
    3. Containment, Eradication, & Recovery: Stopping the bleeding and restoring systems.
    4. Post-Incident Activity: Lessons learned.
  • The Cyber Kill Chain: Developed by Lockheed Martin. You should understand the stages of an attack (Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> C2 -> Actions on Objectives).
  • Competency Check: Can you explain why "Containment" must happen before "Eradication"? (Hint: If you delete the malware before blocking the attacker's access, they will just re-infect you).

B. Disk Forensics & Imaging

Touching a live machine changes it: opening a file updates timestamps, and every action overwrites memory the attacker may have used. You acquire an image, verify it, and analyze the copy.

  • The Standard: FTK Imager (for acquisition, ideally through a hardware write blocker) and Autopsy (for analysis).
  • Competency Check: Do you understand the difference between a Physical Image (bit-for-bit, including unallocated space) and a Logical Image (only the files the file system exposes)? Can you verify the integrity of an image by recomputing its hash and comparing it with the hash recorded at acquisition? (Tools still report MD5 and SHA-1 for compatibility; both are collision-weak, so record SHA-256 as well.)
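
The hash check is simple to state and easy to get wrong on a 500 GB image. This added example (not from the chapter) streams a file through MD5, SHA-1 and SHA-256 in a single pass and compares the result with the hashes recorded at acquisition; the "image" is a constructed 2 KiB file in a temporary directory, and the demo flips one bit to show that every algorithm then disagrees.

```python
"""Verifying a forensic image against its acquisition hashes.

Added example (not from the chapter). The 'image' is a constructed 2 KiB file
written to a temporary directory; everything else is standard-library hashing.
"""
import hashlib
import io
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")   # tools log MD5/SHA-1; SHA-256 is the one to rely on
CHUNK = 1024 * 1024                  # stream in 1 MiB pieces; images do not fit in memory


def digest_stream(stream, algorithms=ALGOS):
    """Read `stream` once and return {algorithm: hexdigest} for every algorithm."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_file(path, algorithms=ALGOS):
    with open(path, "rb") as f:
        return digest_stream(f, algorithms)


def hash_bytes(data, algorithms=ALGOS):
    return digest_stream(io.BytesIO(data), algorithms)


def verify_image(path, recorded):
    """Recompute every algorithm named in `recorded` and report which ones disagree.

    Returns (ok, mismatched_algorithms). One changed bit fails all of them.
    """
    actual = hash_file(path, tuple(recorded))
    bad = sorted(a for a in recorded if actual[a].lower() != recorded[a].lower())
    return (not bad, bad)


def demo():
    """Constructed walk-through: acquire, record hashes, then tamper with one byte."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        with open(img, "wb") as f:
            f.write(bytes(range(256)) * 8)   # stand-in for a bit-for-bit disk image
        recorded = hash_file(img)             # what the acquisition log would hold
        ok_before, _ = verify_image(img, recorded)
        with open(img, "r+b") as f:           # flip one bit at offset 700
            f.seek(700)
            b = f.read(1)[0]
            f.seek(700)
            f.write(bytes([b ^ 0x01]))
        ok_after, bad = verify_image(img, recorded)
        return ok_before, ok_after, bad


if __name__ == "__main__":
    print(demo())   # (True, False, ['md5', 'sha1', 'sha256'])
```

Hashing all three algorithms in one read keeps the verification to a single pass over the image, which matters when the image is on a slow external drive; the comparison is case-insensitive because acquisition tools and reports disagree on hex casing.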

C. Memory Forensics & Artifact Analysis

Fileless malware may live only in RAM, and even malware that touches disk leaves breadcrumbs (artifacts) behind.

  • The Tools: Volatility Framework (memory analysis) and Registry Explorer (registry hives).
  • Competency Check: Can you capture a RAM dump before a machine is powered off? Can you read the ShimCache (AppCompatCache) and Amcache to show that an executable was present and likely ran? (On Windows 10 and later a ShimCache entry proves presence, not execution, so corroborate it with Prefetch or event logs.)

D. Documentation & Reporting (The "Police Report")

In DFIR, if you didn't write it down, it didn't happen. Your report is the primary deliverable.

  • Chain of Custody: A legal document tracking who held the evidence, when, and why. A gap in that record gives opposing counsel grounds to have the evidence excluded.
  • The Technical Report: You must document your findings without opinion. "The user clicked the file at 10:00 AM" (Fact), not "The user stupidly opened the file" (Opinion).
  • Competency Check: Can you build a timeline that merges events from several sources, normalized to UTC, with each entry's source and timestamp precision stated?
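
Timelines fall apart on time zones before they fall apart on precision. This added example (not from the chapter) merges constructed records from four sources that log time differently (Windows local time with no zone, syslog in UTC, a proxy in epoch seconds, and EDR with an explicit offset), converts each to UTC and sorts them. The host's UTC-4 offset and all log contents are assumptions.

```python
"""Building a UTC-normalized incident timeline from mixed sources.

Added example (not from the chapter). All records are constructed; the
host's local offset (UTC-4) and the timestamp conventions are assumptions.
"""
from datetime import datetime, timedelta, timezone

LOCAL = timezone(timedelta(hours=-4))  # assumed offset of the Windows host during the incident

# Constructed records: (source, timestamp as logged, message).
RAW = [
    ("winevt", "5/1/2024 9:03:12 AM",      "4688 new process: winword.exe"),             # local time, no zone
    ("syslog", "2024-05-01T13:02:55Z",      "proxy GET http://203.0.113.7/invoice.doc"),  # UTC with Z
    ("proxy",  "1714568580",                "TLS session to 203.0.113.7:443"),            # epoch seconds
    ("edr",    "2024-05-01T09:03:14-04:00", "powershell.exe spawned by winword.exe"),     # ISO with offset
]


def to_utc(source, ts):
    """Parse one source's timestamp convention and return an aware UTC datetime."""
    if source == "winevt":
        naive = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p")
        return naive.replace(tzinfo=LOCAL).astimezone(timezone.utc)
    if source == "proxy":
        return datetime.fromtimestamp(int(ts), tz=timezone.utc)
    # fromisoformat understands numeric offsets; 'Z' only from Python 3.11, so translate it
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def build_timeline(records):
    """Return [(utc_iso, source, message)] sorted by true time, not by logged string."""
    rows = [(to_utc(src, ts), src, msg) for src, ts, msg in records]
    rows.sort(key=lambda r: r[0])
    return [(t.strftime("%Y-%m-%dT%H:%M:%SZ"), src, msg) for t, src, msg in rows]


if __name__ == "__main__":
    for row in build_timeline(RAW):
        print(" | ".join(row))
```

Sorted by the strings as logged, the Windows event (9:03) would come before the syslog entry (13:02); in UTC it comes after, which is the difference between "the proxy saw the download before Word launched" and the reverse. Every row keeps its source so the report can state where each timestamp came from and how precise it is.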

The "DFIR" Mindset

A forensic analyst is methodical. You must document every step you take. If you cannot explain how you found the evidence, the evidence is worthless.


3. Penetration Testing (Red Team)

This is the "offensive" side of security. Penetration testers find and demonstrate vulnerabilities within an agreed scope before real attackers do; red teams go further and emulate a specific adversary end to end to test whether the Blue Team detects and responds. Entry-level postings often blur the two. While often the most "glamorized" role, it requires a deep understanding of how systems are built in order to break them.

Core Competencies & Tools

This domain is about enumeration and exploitation.

A. Reconnaissance & Scanning

You cannot hack what you cannot find.

  • The Standard: Nmap (Network Mapper).
  • Competency Check: Do you know the difference between a TCP Connect Scan (-sT, which completes the three-way handshake and is therefore logged by the listening service) and a SYN Stealth Scan (-sS, which sends only the SYN and needs raw-socket privileges)? Can you use Nmap scripts (NSE) to check for specific vulnerabilities?

B. Exploitation Frameworks

Once a vulnerability is found, you need a payload to exploit it.

  • The Standard: Metasploit Framework.
  • Competency Check: Can you search for an exploit, set RHOSTS and LHOST, select a payload (e.g., a meterpreter reverse shell), and launch it against a lab machine you are authorized to attack?

C. Web Application Security

Web applications are the most exposed attack surface for most organizations.

  • The Standard: Burp Suite and OWASP ZAP.
  • Competency Check: Can you intercept a web request and modify its parameters before it reaches the server? Do you understand the OWASP Top 10 (Broken Access Control; Injection, which covers SQL Injection and Cross-Site Scripting; and the rest)?
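
For the SQL Injection item in that check, here is an added example (not from the chapter) showing the vulnerable query beside its parameterized fix, run against an in-memory SQLite table with one constructed user. The two payloads are what you would type into the password or username parameter after intercepting the login request in Burp Suite.

```python
"""SQL injection: the string-built query next to its parameterized fix.

Added example (not from the chapter). Uses an in-memory SQLite table with a
constructed user; the payloads are what you would put in the intercepted
login parameters in Burp Repeater.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed row; a real application would store a salted bcrypt/argon2 hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'hash_of_correct_password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Input is pasted into the SQL text, so quotes and comments change the query."""
    q = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
         f"AND password_hash = '{password_hash}'")
    return conn.execute(q).fetchone()[0] > 0


def login_safe(conn, username, password_hash):
    """Input is bound as a parameter; the database never parses it as SQL."""
    q = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(q, (username, password_hash)).fetchone()[0] > 0


# Classic payloads. The first turns the WHERE clause into
#   username = 'alice' AND password_hash = '' OR '1'='1'
# (AND binds tighter than OR, so the OR makes every row match); the second
# comments out the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def compare(conn):
    """Same inputs through both code paths; returns {label: (vulnerable, safe)}."""
    return {
        "correct":     (login_vulnerable(conn, "alice", "hash_of_correct_password"),
                        login_safe(conn, "alice", "hash_of_correct_password")),
        "tautology":   (login_vulnerable(conn, "alice", TAUTOLOGY),
                        login_safe(conn, "alice", TAUTOLOGY)),
        "comment_out": (login_vulnerable(conn, COMMENT_OUT, "wrong"),
                        login_safe(conn, COMMENT_OUT, "wrong")),
    }


if __name__ == "__main__":
    for label, (vuln, safe) in compare(make_db()).items():
        print(f"{label:12} vulnerable={vuln} parameterized={safe}")
```

Both functions run the same SQL; the only difference is whether the user's text is concatenated into it or bound as a value, which is why the interview answer to "how do you fix SQL injection" is parameterized queries rather than filtering quotes.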

D. Operating Systems

  • The Standard: Kali Linux or Parrot OS.
  • Competency Check: Are you comfortable in the Linux terminal? Can you write a basic Bash or Python script to automate a task?

The "Red Team" Mindset

A penetration tester is persistent. You will fail 99 times to succeed once. Your inventory should reflect not just the tools you know, but the methodologies you follow (e.g., PTES - Penetration Testing Execution Standard).


4. Governance, Risk & Compliance (GRC)

If the Red Team are the breakers and the Blue Team are the fixers, the GRC team are the architects and auditors. They ensure the organization follows the rules, laws, and best practices. This is often the fastest path to management and requires excellent writing skills.

Core Competencies & Tools

Tools in GRC are often documents, spreadsheets, and frameworks rather than command-line utilities.

A. Frameworks & Standards

You must speak the language of regulation.

  • The Standards: NIST CSF (Cybersecurity Framework), ISO 27001, HIPAA (Health), PCI DSS (Credit Cards).
  • Competency Check: Can you explain the five functions of NIST CSF 1.1 (Identify, Protect, Detect, Respond, Recover) and the sixth, Govern, that CSF 2.0 added in 2024? Can you map a specific security control (like MFA) to a regulatory requirement?

B. Risk Assessment

Not all vulnerabilities need to be fixed immediately. GRC analysts calculate risk to business operations.

  • The Tool: Risk Matrix (Likelihood vs. Impact).
  • Competency Check: Can you perform a quantitative risk assessment (SLE = Asset Value × Exposure Factor; ALE = SLE × Annualized Rate of Occurrence) and explain when a qualitative one (High/Medium/Low) is the better fit?
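
An added example (not from the chapter) of the quantitative calculation beside the qualitative matrix, carried through to the decision the numbers exist for: whether a control is worth its annual cost. The ransomware scenario and every figure in it are constructed.

```python
"""Quantitative vs qualitative risk, with the cost-benefit decision the numbers support.

Added example (not from the chapter). The ransomware scenario and every
dollar figure below are constructed for illustration.
"""


def sle(asset_value, exposure_factor):
    """Single Loss Expectancy: what one occurrence costs."""
    return asset_value * exposure_factor


def ale(asset_value, exposure_factor, aro):
    """Annualized Loss Expectancy: SLE scaled by the Annualized Rate of Occurrence."""
    return sle(asset_value, exposure_factor) * aro


def control_net_value(ale_before, ale_after, annual_control_cost):
    """Positive means the control saves more than it costs each year."""
    return (ale_before - ale_after) - annual_control_cost


LEVELS = {"low": 1, "medium": 2, "high": 3}


def qualitative_rating(likelihood, impact):
    """3x3 risk matrix: score = likelihood x impact, bucketed into a rating."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def ransomware_scenario():
    """Constructed: a $400k file server, 60% loss per incident, one incident every four years.
    A $20k/yr control (immutable backups plus EDR) cuts the loss per incident to 10%."""
    before = ale(400_000, 0.60, 0.25)
    after = ale(400_000, 0.10, 0.25)
    return {
        "ale_before": before,                                     # 60,000
        "ale_after": after,                                       # 10,000
        "net_value": control_net_value(before, after, 20_000),    # 30,000: fund it
        "qualitative": qualitative_rating("medium", "high"),      # the same risk on a matrix
    }


if __name__ == "__main__":
    for k, v in ransomware_scenario().items():
        print(f"{k:12} {v}")
```

The quantitative path gives a number the CFO can compare with the control's price; the qualitative path gives a rating you can defend when no one can agree on the asset value or the exposure factor, which is the usual reason organizations start with the matrix.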

C. Policy Writing

Security does not exist without policy. A GRC analyst must be able to draft documents that govern the organization.

  • The Output: Acceptable Use Policy (AUP), Incident Response Plans, Vendor Risk Assessments.
  • Competency Check: Can you write a policy that is legally defensible but readable by a non-technical employee? Can you draft a "Remediation Plan" that tells IT exactly how to fix a vulnerability?

The "GRC" Mindset

A GRC analyst is strategic. They view security through the lens of business value and ROI (Return on Investment). They are the bridge between the server room and the boardroom.


5. Soft Skills: The "Human" Operating System

Critical Soft Skills for Cyber Professionals

  1. Written Communication (The Executive Summary): Unlike the forensic report (which is about facts), this skill is about persuasion. Can you write an email to a CFO explaining why they need to spend $50,000 on a firewall without using the word "packet"?
  2. Verbal Communication: The ability to present complex data simply. You will practice this during your "Elevator Pitch" in Week 7.
  3. Problem Solving & Critical Thinking: The ability to look at a log file and ask "What is missing?" rather than just "What is here?", and to correlate multiple logs into a single story and an incident timeline.
  4. Ethics & Integrity: In this field, you have access to sensitive data (passwords, health records, emails). Integrity is non-negotiable. If you lose trust, you lose your career.
  5. Stress Management: Burnout is real in the SOC. Developing healthy boundaries and the ability to disconnect is a professional skill, not just a personal preference.

The Growth Mindset

The most critical entry in your skills inventory is Adaptability. The tools listed in this chapter (Splunk, Wireshark, Metasploit) might be obsolete in five years. The specific syntax changes, but the concepts remain.

The Rule of the "Gap Analysis": In Week 2, you performed a Gap Analysis on job descriptions. You likely found many tools you have never touched.

  • Fixed Mindset: "I don't know Docker, so I can't apply for this job."
  • Growth Mindset: "I don't know Docker yet. I will spend this weekend on a home lab to learn the basics so I can discuss it intelligently."

Continuous Learning

Security is a lifestyle of continuous education.

  • News: Follow sources like BleepingComputer, The Hacker News, CyberWire Daily, or CISA Alerts.
  • Labs: Utilize platforms like TryHackMe or HackTheBox to keep your edge sharp.
  • Community: Engage with local groups or alumni. The "Hidden Job Market" is navigated through networking, not just applying online.