Underrated Cybersecurity Skills - Note Taking
Taking good notes might not sound like a cybersecurity professional’s super power. It might not even sound fancy or technical enough to be truly useful in a cybersecurity job. Well …
It’s a crucial skill to have in just about any role within cybersecurity. Being able to capture important details, data points, evidence, takeaway action items, and more, will help you keep up and excel in your work. Here are just a few simple example scenarios where effective note taking comes into play:
Red Team or Penetration Testing activities: There’s a need to note which systems and devices are being tested in simulated attacks (hostnames, IP addresses); the tactics/techniques/procedures (TTPs) tried against them; where we succeeded in getting past our security controls, and how; where we got caught/detected; and more.
Threat Detection: When working in a SOC, or threat hunting via a SIEM or specific logs, we are looking for anomalies, seeking out what is not normal activity or behavior. Depending on the scenario, we may want to be noting usernames, login events, changes in admin group membership, timestamps, geolocation, specific processes running, commands issued, and more.
Cyber Risk Assessment: There are many parts of a cyber risk assessment where we are looking to take notes: from interviews with staff to physical walk-throughs in offices and field locations; from documentation reviews to spot checks of individual computers and systems to see whether documented policies are being adhered to; from gaps discovered in vulnerability scanning to threat intel on adversaries targeting our industry sector; and plenty more.
Team Meetings: In meetings with our team within the cybersecurity department, or with the whole cybersecurity team, we are often noting details on current efforts by our colleagues that we’re not directly involved in but need to be aware of, project deadlines and upcoming projects, action items assigned to us, and more.
It doesn’t matter how we capture our notes; we just need them to be in a form that we can make sense of an hour, a day, or a year later, and to be able to share them when needed with our team in a format that’s easy for all to read and work with. You can take notes on your phone or tablet, your laptop or desktop computer, with a voice recording app, or with good ol’ pen and paper, whatever works best for you.
I have found over the course of many years working in IT and cybersecurity that the best note-taking tool for me is my smartphone. I have somehow become incredibly fast at swipe typing on my phones, and I also use voice-to-text a lot.
One more quick thing on taking notes in cybersecurity roles: the concept of fast notes and smart notes. While thinking about writing this post I was trying to remember where I came across this idea. I think it was via the Practical Threat Hunting course I mentioned above. In any case, the idea is that when we’re in the midst of an investigation or a fast-moving activity, we need to be capturing things, jotting them down very quickly, in order to keep up with actually doing the thing we’re doing. Those are our fast notes. Later, when we’re not in the heat of battle, so to speak, we take some time and convert those fast notes into smart notes. This might just mean turning short phrases into sentences to give them context, or turning a string of text that is a set of data points into a bulleted list for easier reading. These efforts make our notes clearer and easier to understand, for ourselves and for others.
I’d love to hear your thoughts on note taking: what your approach is and which tools you use.