What I learned after a year of being a cybersecurity techwriter
I’ve now worked as a techwriter in a cybersecurity company for a little bit over a year. Coming into the job, my background was basically a couple of years of Python practice, some frontend tutorials, a decent understanding of networking and several pwned boxes on Hack the Box. This was all me learning stuff on the side while working as a translator.
So, what did I learn after a year?
APIs
- OpenAPI specification, including the tools used to build API documentation. Also a more thorough understanding of how APIs work, and how they should work but don’t necessarily in practice.
- More on how HTTP requests work. I came with a solid understanding of computer networking, but I still had a couple of dark spots on my map. Frequently interacting with APIs made me understand stuff much better. For example, what goes in the headers, what query parameters are, etc. I still remember the days when I’d post giant, enormous links on social media. No more.
- What a schema is. I wasn’t aware of how important it was to document hierarchical data structures (like a JSON response) and list types of data inside (array, int, string, …).
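The point about schemas is easier to see with a checker in hand. The following is an added example, not code from the original post: a small validator for a hand-written schema (a subset of the JSON Schema keywords `type`, `properties`, `required` and `items`) run against a constructed, hypothetical `/users/{id}` response. It reports every place where the response's shape or types disagree with what the documentation promised.

```python
"""Check a JSON response against a small, hand-written schema.

Added example; not code from the original post. It supports a subset of
JSON Schema keywords (type, properties, required, items) and exists to show
why documenting the shape and types of hierarchical data matters.
"""
import json

# Constructed schema for a hypothetical /users/{id} response.
USER_SCHEMA = {
    "type": "object",
    "required": ["id", "name", "roles"],
    "properties": {
        "id": {"type": "integer"},
        "name": {"type": "string"},
        "roles": {"type": "array", "items": {"type": "string"}},
        "mfa_enabled": {"type": "boolean"},
    },
}

# Schema type names mapped to the Python types json.loads() produces.
_TYPES = {
    "object": dict,
    "array": list,
    "string": str,
    "integer": int,
    "number": (int, float),
    "boolean": bool,
}


def validate(value, schema, path="$"):
    """Return a list of error strings; an empty list means the value conforms."""
    errors = []
    expected = schema.get("type")
    if expected is not None:
        ok = isinstance(value, _TYPES[expected])
        # bool is a subclass of int in Python, so reject it for numeric types explicitly.
        if expected in ("integer", "number") and isinstance(value, bool):
            ok = False
        if not ok:
            errors.append(f"{path}: expected {expected}, got {type(value).__name__}")
            return errors  # no point descending into a value of the wrong type
    if expected == "object":
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required field missing")
        for key, subschema in schema.get("properties", {}).items():
            if key in value:
                errors.extend(validate(value[key], subschema, f"{path}.{key}"))
    elif expected == "array" and "items" in schema:
        for index, item in enumerate(value):
            errors.extend(validate(item, schema["items"], f"{path}[{index}]"))
    return errors


def validate_json(text, schema=USER_SCHEMA):
    """Parse a JSON document and validate it against the schema."""
    return validate(json.loads(text), schema)


if __name__ == "__main__":
    good = '{"id": 7, "name": "alice", "roles": ["admin"], "mfa_enabled": true}'
    bad = '{"id": "7", "name": "bob", "roles": ["admin", 3]}'
    print(validate_json(good))
    for error in validate_json(bad):
        print(error)
```

The error paths (`$.id`, `$.roles[1]`) are the same notation a reader of the docs would use to locate the field, which is what makes a documented schema useful to both the API consumer and the person writing the docs.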
Programming languages
- More Python. I automated repetitive stuff, e.g. inserting text into a reStructuredText table so that it keeps alphabetical order, or combining 60+ YAML files into a single one etc. I think I understand the basics much better now. (Incidentally, this is my general goal: I don’t try to learn a lot of advanced stuff, as there are diminishing returns on time investment, but I try to really, really master the basics.)
- Solidity. In my free time I started to dabble with smart contracts on the Ethereum blockchain. This doesn’t have much to do with my job, but it’s something I’ve taken up as an interest.
- C. I read a couple of chapters of The C Programming Language and did a couple of exercises. It really made me appreciate how much stuff there is going on behind the scenes when I write some Python script.
- More Bash. I’ve learned to make command line tools that display a help message and that accept flags. I’m also regularly replacing text across entire directories using `sed`.
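One of the automations mentioned above, inserting a row into a reStructuredText table while keeping it in alphabetical order, as an added example. This is not the post author's script; it assumes the "simple table" form (border lines made of `=` runs separated by spaces), a single header row, and sorting on the first column. The sample table is constructed.

```python
"""Insert a row into a reStructuredText simple table and keep it sorted.

Added example; this is not the post author's script. It assumes the
'simple table' form (border lines of '=' runs separated by spaces), one
header row, and sorting on the first column.
"""
import re

# Constructed sample: the kind of options table found in Sphinx docs.
SAMPLE = """\
=========  ==========================
Option     Description
=========  ==========================
--output   Where to write the report
--config   Path to the YAML config
=========  ==========================
"""


def _split_cells(line, spans):
    """Cut one line into cells using the column spans of the top border."""
    return [line[start:end].strip() for start, end in spans]


def parse_simple_table(text):
    """Return (header_cells, rows) parsed from a simple table."""
    lines = text.rstrip("\n").split("\n")
    # Column spans are the runs of '=' in the top border; the last column runs to end of line.
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[0])]
    spans[-1] = (spans[-1][0], None)
    header = _split_cells(lines[1], spans)
    rows = [
        _split_cells(line, spans)
        for line in lines[3:]
        if line.strip() and not re.fullmatch(r"[= ]+", line)
    ]
    return header, rows


def _format_row(cells, widths):
    """Pad each cell to its column width; two spaces separate columns."""
    return "  ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()


def render_simple_table(header, rows):
    """Render cells back into a simple table with columns sized to their content."""
    widths = [max(len(cell) for cell in column) for column in zip(header, *rows)]
    border = "  ".join("=" * w for w in widths)
    body = [_format_row(row, widths) for row in rows]
    return "\n".join([border, _format_row(header, widths), border, *body, border]) + "\n"


def insert_row(text, new_row):
    """Insert new_row (a list of cells), keeping rows sorted case-insensitively by the first cell."""
    header, rows = parse_simple_table(text)
    if len(new_row) != len(header):
        raise ValueError(f"expected {len(header)} cells, got {len(new_row)}")
    rows.append(list(new_row))
    rows.sort(key=lambda row: row[0].lower())
    return render_simple_table(header, rows)


if __name__ == "__main__":
    print(insert_row(SAMPLE, ["--log-level", "Verbosity of the output"]))
```

Re-rendering the whole table rather than splicing one line in is what keeps the borders valid when the new cell is wider than any existing one.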
Technical writing
- ReStructuredText. I still prefer Markdown - I find it much easier to read and to write.
- Sphinx, for building beautiful documentation out of reStructuredText.
- Static site generators. I use Hugo, but I tried Jekyll as well and it was really good.
Cyber
- The threat landscape. I didn’t know how prevalent ransomware was. Before this job, I understood ransomware as one part of cyber, but it’s more like 99% of it.
- Supply chain security. I don’t know the precise ratio, but my intuition is that most attacks aren’t attacking companies directly, but several levels down in the supply chain:
- If you’re making an app which uses open-source components A, B, and C, and each of those use other components, and so on, the attack is against some random, small component, like a logging tool, which is used in a larger tool (like a search platform), which, finally, is used in your app.
- If you’re e.g. a bookkeeping company, you have some IT infrastructure that’s probably managed by another company. That company doesn’t develop its own tools, but uses software made by a third company. Someone breaches the third company, the third company unknowingly packages ransomware in an update; they send the update to your IT service provider; the IT service provider installs the update on your system; after a couple of hours or days, all your computers are encrypted and you can’t access any of the files. You haven’t been backing up the most recent data, so you lose all the invoices from the last month, as well as all reports, everything. (Or you pay some BTC or XMR to an address, and you can unlock your files.)
- Ransomware without encryption. The latest development in the ransomware world is not encrypting systems, but threats of leaking confidential information. I don’t know why exactly this happens, but it does seem possible that ransomware gangs don’t want to poke America too much.
Computer internals
- Reverse engineering and how file formats work. Since the company I’m working for is primarily a static analysis company, I learned a lot about:
- files, and how they are recognized (headers vs. extension)
- packing and obfuscation, and how to detect it
- the difference between static and dynamic linking
- the Windows API
- the basics of IDA for reversing binaries
- some x86 assembly, to figure out what’s going on with the registers
- CPU, RAM, and computer internals. I previously didn’t have a good mental model for how a CPU works, but I think I understand it much better now. I learned what registers are, what the difference between 32-bit and 64-bit systems is, as well as stuff that I previously never heard about, like the concept of endianness. I also learned about how the operating system interacts with memory, what stacks and heaps are.
- YARA rules and how they’re used when looking for threats. I wasn’t even aware of YARA before this job. But it actually makes perfect sense, and is a great, shareable solution: you write down some strings (text, or binary, or regex) and some rules (contains all of these strings, or at least one of these strings etc.), and then you check files. If a file matches your rule - bingo, that’s a threat.
Computer infrastructure
- AD, LDAP, and other authentication/authorization systems. I don’t yet know Active Directory - just the basics - but I learned how prevalent it was in IT infrastructure of almost every company (and also how big of a deal it is for cyber attacks).
- Logs. Logs are basically the backbone of all IT work. You need a ton of them, and you also need a way to sift through the info, and you need the logs to be well written. I previously didn’t have any idea about the sophistication of log work. I just knew that there are logs, and that I should go to `/var/log/` to read them, but that’s it. Two particular things I learned about were syslog and CEF.
- SNMP. I learned that this protocol exists, and I also learned that I didn’t like it and that I don’t want to have anything to do with it. This decision didn’t work out for me, as I was forced to learn about MIBs and traps. As it stands, I’ll have to learn even more.
- The importance of Windows in security work. I previously thought that Linux was for haXXors and Windows was for non-technical users, but boy was I wrong. Learning Windows pays off immensely. Actually, that’s incorrect, learning Windows is indispensable[^1]. Stuff like how the registry works, the intricacies around the Windows API, or Powershell. I still have to learn a lot, but I’m slowly going through Practical Malware Analysis and abusing a Windows XP VM.
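Syslog and CEF, mentioned under Logs above, are worth seeing as concrete bytes. The following is an added example, not code from the post or from any vendor: a parser for CEF events that also strips an optional syslog prefix, handles the CEF escaping rules (backslash-escaped pipes in the header, backslash-escaped equals signs and backslashes in extension values), and normalises severity so events can be filtered. The two log lines, the vendor and product names and the hosts are constructed.

```python
"""Parse CEF events, with or without a syslog prefix, into dicts.

Added example; not code from the post or from any vendor. The log lines are
constructed and the parser covers the CEF escaping rules but not every corner
of the ArcSight specification.
"""
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

# Optional RFC 3164-style syslog prefix: <PRI>Mmm dd hh:mm:ss host
SYSLOG_PREFIX = re.compile(
    r"^(?:<(?P<pri>\d+)>)?(?P<timestamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?=CEF:)"
)

# Extension keys start at a whitespace boundary and end with an unescaped '='.
EXT_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")

# Textual severities map to the floor of their numeric band (Low 0-3, Medium 4-6, High 7-8, Very-High 9-10).
SEVERITY_WORDS = {"low": 0, "medium": 4, "high": 7, "very-high": 9}

# Constructed sample events (vendor, product, hosts and addresses are made up).
SAMPLE_LINES = [
    "<134>Oct 12 14:03:11 fw01 CEF:0|Acme|Firewall|2.1|100|Blocked outbound connection|7|"
    "src=10.0.0.5 dst=203.0.113.9 dpt=4444 act=block msg=Outbound to blocked list",
    r"CEF:0|Acme|Endpoint\|Agent|3.0|200|Suspicious file quarantined|Very-High|"
    r"fname=invoice.pdf.exe fpath=C:\\Users\\alice\\Downloads cs1=sha256\=deadbeef cs1Label=Hash",
]


def _split_header(record):
    """Split the seven pipe-separated header fields; returns (fields, extension_text)."""
    fields, current, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):  # escaped '|' or '\' inside a header field
            current.append(record[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    return fields, record[i:]


def _parse_extension(text):
    """Turn 'key=value key2=value with spaces' into a dict, undoing value escapes."""
    keys = list(EXT_KEY.finditer(text))
    result = {}
    for match, following in zip(keys, keys[1:] + [None]):
        end = following.start() if following else len(text)
        value = text[match.end():end].strip()
        result[match.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return result


def parse_cef(line):
    """Parse one CEF event (optionally wrapped in a syslog header) into a dict."""
    syslog = {}
    prefix = SYSLOG_PREFIX.match(line)
    if prefix:
        syslog = {k: v for k, v in prefix.groupdict().items() if v is not None}
        line = line[prefix.end():]
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, extension = _split_header(line)
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    event = dict(zip(HEADER_FIELDS, fields))
    event["version"] = event["version"][len("CEF:"):]
    severity = event["severity"]
    event["severity"] = int(severity) if severity.isdigit() else SEVERITY_WORDS.get(severity.lower(), severity)
    event["extension"] = _parse_extension(extension)
    event["syslog"] = syslog
    return event


def high_severity(lines, threshold=7):
    """Names of events at or above the threshold: the filter a SIEM rule usually starts from."""
    return [
        event["name"]
        for event in map(parse_cef, lines)
        if isinstance(event["severity"], int) and event["severity"] >= threshold
    ]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_cef(line))
    print(high_severity(SAMPLE_LINES))
```

The second sample line is there for the escaping: a product name containing a pipe, a Windows path containing backslashes, and a custom string whose value contains an equals sign all survive the round trip, which is where naive `split("|")` and `split("=")` parsers silently produce wrong fields.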
Becoming a better superuser
- Useful Linux commands:
  - `Ctrl+r` in the terminal to start a search of previously executed commands.
  - `Ctrl+w` in the terminal to delete an entire word before (usually `Ctrl+Backspace` in text editors). This also works for Insert mode in Vim!
  - `sh` + start typing the name of an .sh file, then `Tab` to autocomplete. I mean, you can also use `./` and then the name of the file, but I prefer `sh`.
  - `alias`es used in a `.bashrc` file. Now I type `ajde` and I change directories, run Docker, run a particular NPM build process, change directory to where the output is, move a couple of files, and open the output in the browser… all with one command.
  - `xdg-open` (ideally aliased to something shorter) to open stuff from the command line in their application. E.g. I type `open index.html` and the local file `index.html` opens in Chrome.
  - `sudo !!`: runs the previous command as sudo
- Git. Previously I knew only how to `git clone` a repository, and that was it. I have since learned to `fetch`, `pull`, `add -u`, `commit -m` (and how to write good commit messages), as well as to `rebase`, to update submodules, to resolve merge conflicts, and more.
- More Vim (❤️). My day-to-day editor. I watched some good videos by Luke Smith, which is where I’ve learned most of what I use. Some nice commands I use daily:
  - `Ctrl+v` to select blocks, followed by `Shift+i` to insert something in several rows at once
  - `J` to join newlines
  - `g` and then `j` or `k` to move up and down according to visual (not actual) newlines
  - `:noh` to stop highlighting
  - `ciw` to change an entire word, even if the cursor is in the middle of it
  - `t` or `f` and then some character, to go to the next instance of that character
  - `r` to replace a single character, `x` to delete it
  - `Ctrl+w` in insert mode, to delete the previous word without exiting insert mode
  - how to exit Vim
Misc
- CTF formats. I got acquainted with how CTFs work, and got some experience in playing them.
- Taking initiative/ownership. Since I was a freelancer before this job, I was my own boss. This meant that there was no mechanism where I could fit myself in as a cog, which meant that I had to think about what made the most sense to do. Getting employed felt… different. There’s a subtle pull towards waiting to be told what to do. You’re inexperienced, you’re trying to figure things out, so out of insecurity, you kinda… wait to be told what makes sense to do. For some this may be tempting! But I think it’s ultimately a bad choice. Being proactive, thinking about what needs to be done, and then doing it, is much better. Pushing for changes is better. Advocating for how you’d do things is better. Almost everything is better than waiting to be told what to do.
Anyways, there’s probably more that I missed, but I think these are the main ones. Overall, I’m glad. This was a good year for me in terms of learning. I’ve got my hopes up that next year’s gonna be even better.
[^1]: For certain kinds of security work.