Post-Course Review 1

The Security Analyst Introductory Course (SAIC) concluded its 2nd run on the 14th of March 2025. We designed this course for non-cybersecurity practitioners, aiming to impart the skills needed to analyse the cybersecurity layout of an organisation from both a Blue Team's perspective and a threat actor's perspective. Nearly all of the participants were not from technical backgrounds, but they were working alongside cybersecurity professionals to perform cybersecurity evaluations.

Overview of the Course

To achieve this, participants performed a cybersecurity audit of a fictitious organisation, Roundtable Inc, evaluating its security posture, its security SOPs and its readiness, culminating in a simple Red Team "engagement" against this organisation. counterShell created this fictitious organisation, providing cybersecurity-related documentation, network diagrams, inventory lists, and the other scraps of information that a cybersecurity auditor might face. Alongside the documents, we built Roundtable's Active Directory (AD) and internal network components - essentially a cyber range - to allow the participants to validate their assessments and close gaps in their analysis with a hands-on Red Teaming exercise.
We wanted participants to realise that:
  1. Cybersecurity in real-life involves many human-driven moving parts, not just from users, but also in terms of inter and intra team coordination. People in charge of writing SOPs for sysadmin and cybersecurity must account for human behaviour.
  2. A security audit, especially when a broad-scope, live red-teaming exercise (or an actual threat) is involved, goes beyond checking for vulnerabilities in computer systems - it involves checking for vulnerabilities in the organisation's whole ecosystem. Security analysts therefore need to be more creative, identify the variety of routes a threat actor might use, and wargame or test them out against the organisation's cybersecurity setup.
  3. An organisation's network and cybersecurity setup is never static - it is always evolving due to business needs and "lessons learnt". Data is patchy and occasionally contradictory, hence the need to "reduce uncertainty" and identify outstanding information gaps. The course is intended to develop analytical ability as well as impart technical knowledge.
As we were developing the course and the website, we opted to use something that looked like a "tree" for the course iconography - something that starts from a single point, and branches into several possible outcomes or conclusions based on analysis from this single start point. And similar to a living tree, analysis is "alive" - it continues to be updated as new information is received.

Outcomes

counterShell believes that the course has met its objectives based on observations of the trainees, and the feedback obtained. We are proud to have certified a total of 19 participants so far, as counterShell Certified Analysts, at the Practitioner level.
The good news for us is that, quantitatively, our participants found our simulation approach very useful in helping them absorb both the technical and the "theory-based" content. This reflects the method we have opted for: a solid simulation or case study, facilitated by an experienced instructor.
The not-so-good news is that most of our participants felt that the course was too short and pitched at a higher level than they expected of an "introductory" course. To address this, for subsequent runs we will include some pre-reading material, curated from open-source content, to form a simple baseline for future participants. We want all our participants to acquire the skills, knowledge and thought processes required of a cybersecurity analyst, and we will facilitate this accordingly.

Future plans for SAIC and beyond

Besides adding a "pre-course" primer, we will also "double down" on the value of the simulation by providing additional options for the participants. As it stands, Roundtable Inc offers 2 different approaches for the Red Team. We will create an additional approach for subsequent course runs, which may be taken depending on how the participants analyse the provided simulation material.

As a "teaser", counterShell is also working on content for the Adversary Simulation, Detection and Counteraction (ASDC) series of courses. Perhaps Roundtable Inc might also be featured? More updates when things start to materialise :)
