Breaking into Infosec: First steps

“So you wanna be an “Infosec Rockstar”? And live large. Find zero days, have fast cars? Charge large?”

Sorry, but chances are thats not going to happen here. In fact, it’s probably never going to happen full-stop, and thats a good thing. Information Security isn’t an incredibly glamours life, nor is it one for someone who thinks they can play the lone hero or heroine. However, with consideration and determination, study and hard work, it can be an exceptionally rewarding career path, both intellectually and financially.

But seriously, most people are here as they want to, as the title suggests, “break” into InfoSec, either from a standing start via college, a different industry stack, or via a pre-existing IT career. So, whats the “trick”? The truth is that theres no golden bullet for this, but there are multiple entry paths, and an almost unbelievable wealth of information and resources out there to leverage before you have to spend a dime on education or cross-training.

Before you do anything, you need to do a baseline of your current knowledge levels in the fundamentals, do a gap analysis to identify any/all shortcomings, and bridge those gaps.

First and foremost: how is your basic IT fundamentals? This shouldn’t need saying, but InfoSec is not exactly the usual entry point for someone breaking into general IT, so make sure you know general networking, systems and programming first.

First off: I strongly suggest having learned the contents of, and if financially possible, sat and passed the CompTIA A+, Network+ and Security+ certifications. Remember, at this level having the knowledge is more valuable than having passed the exams, so just focus on building up and security your basics and gaining proficiency, you can worry about actually spending money later down the line, be it on books, exams or full online courses. Learn the TCP/IP stack intimately, learn to use Wireshark through these two tutorials from Lcuportal & Hackingloops, and then some more advanced Wireshark revolving around decrypting HTTPS Traffic.

Second thing: Have an understanding of basic Windows,Linux and Mac OSX operating systems. Some basic Helpdesk or System Admin experience will help here a lot. (Its how I broke in!). You’re going to need to know about user access and rights, the overall structure of the operating system and where all the major important stuff for each is located. If you’re unsure of how you stand, review the CompTIA A+ course content for free via the wonderful Professor Messer. Here is a lovely 30 minute introduction into how Operating Systems work.

Try to have some understanding of a basic scripting language, it’ll help at the start but will be a massive hinderance later if you don’t have it, as you won’t be able to write nifty scripts to automate repetitive tasks. Heres a free major course on Python from the good folks at Cisco.

One thing that people look for when interviewing for junior / early career Infosec jobs is PASSION. . . the willingness to stay-up all night learning the new thing, to keep up and head of the curve. A lot of the tech can be taught, but the passion has to be already there. You want to be able to demonstrate that pre-existing passion.

Mindset is everything. Shed any biases and presumptions you may be bringing in from previous roles or industries, and be willing to reorient yourself. In most cases, security is meant to be an enabler for the business or organisation to conduct it’s core work successfully and as securely as possible.

Don’t know what mindset to adopt, or how you even feel about certain aspects? Thats TOTALLY OK. Personally, I’d suggest finding some established “thought leaders” in the field you’re interested in, and finding out what they thing is awesome, and what they think sucks. Pro tip: examine what they think sucks and see how you can make it suck a little less! For me, I trawled through infosec convention talks for looking for people talking about the bigger picture of InfoSec, the pressing areas that were of most concern and could make a big difference. Who spoke to me the most were people like Jayson E Street and Josh Corman who identified fundamental gaps in what we were addressing vs what we SHOULD be addressing (enduser empowerment and community building, keeping humanity secure vs just protecting against pickpockets) and how legacy attitudes to whats *really* important vs whats profitable was really holding us back as a community, as a profession, and as a force of good. People like Katie Moussouris who champions responsible security research and disclosure, people like Dr. Jessica Barker who champions the human side of the industry, and taught me that it’s ok to feel overwhelmed and to drive on regardless, confident that though I might feel like an imposter now, this too shall pass.

Knowledge is power. Leverage blogs, twitter and other services to keep finger on the pulse of whats new in InfoSec, and to endure you’re going in the right direction

Heres a superb write up by Lesley Carhart on Starting an Infosec Career, and cybersecurity journalist Brian Krebs has this advice if youre Thinking of Cybersecurity Career, where as Meg who has a fantastic video about how to go about securing your FIRST cybersecurity role.

Create a twitter account *solely* for InfoSec related content. Add the key players, see what they’re reporting or retweeting. Put your slant, reach out and talk to them. (Mine is @2wiredSecurity, and its enabled me to talk to my heroes, and helped me land my first job in IT Security. Several years later, I still can’t recommend this technique enough, though for sure I’ve begun using the account more and more for non-tech stuff.)

Ok, so, you’re hooked up with the latest news, from some of the bigger mover and shakers. You’re firing up your passion… now what? Time to roll up your sleeves and get to it!

Blue Team? Red Team? What area suits me right now? The short answer is: whatever leverages your existing skills and interests. If you already know the underlying tech or foundations, learning the new stuff will be easier. If it sparks a flame in your heart, you won’t even notice those hours spent turning pages and booting up virtual machines fly by. So get out there and whet your appetite!

Blue Team (Defence)

Have a go at the OLEDUMP project to start yourself off on the Blue team (defence) here by analysing malicious documents: https://dfir.it/blog/2015/06/17/analysts-handbook-analyzing-weaponized-documents/

Learn the basics of a scanner like Nessus to discover vulnerabilities on your network. There are numerous free training resources for this tool

Or maybe just kick things off by getting to grips with OSSEC host intrusion detection system (HIDS)

Many thanks to the wonderful @malwareunicorn for this impressive guide to malware analysis and reverse engineering, a must read.

Red Team (Attack)

Start but ensuring your foundations are solid, theres a nice breakdown of skillsets to have at least started.

Next, progress into some web application security testing by learning to use Burp Suite, which is great for application security testing, and BEEF, aka The Browser Exploitation Framework.

Once you have these two under your belt, have then a little go at the SQL injection course.

Eventually you’re going to want to aim for the OSCP or at least to be proficient enough to be at that level, in which case you’re going to want to take a long look at these links:

https://github.com/adon90/pentest_compilation

https://github.com/sojamo/oscp5

https://github.com/burntmybagel/OSCP-Prep

https://github.com/slyth11907/Cheatsheets

https://github.com/foobarto/redteam-notebook

Books:

Here are some of the “bibles” you need to get acquainted with for a generalist InfoSec role. Please note thse are affiliate links, marked, which link to the best books I have found on various hacking-related topics. Should you choose to buy the books via the below links, I may receive a small gratutity.

I) Wireshark 101: Essential Skills for Network Analysis ¹: This covers the first tool you’ll go to when you need to monitor network traffic, but it is so much more powerful than that alone. This second edition comes with superb labs to walk you through the capabilities of Wireshark, and will see you viewing packets in a whole new light.

II) The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory ¹: From the creators of the Volatility Framework, “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory” is a must have for all Incident Responders and anyone interested in modern digital forensics.

III) Practical Malware Analysis ¹: The Hands-On Guide to Dissecting Malicious Software: Basically THE de facto bible of malware analysis, an absolute must have for anyone leaning towards malware analysis and reverse engineering

IV) The Practice of Network Security Monitoring ¹: Understanding Incident Detection and Response: Old but gold, this should still be a cornerstone of your practical InfoSec education

Finally, there’s an incredibly well maintained and comprehensive list of books in the Palo Alto “Cybersecurity Canon” in which you can filter by role, area of expertise, level of knowledge and so on.

[[If you have any more that you feel should be here, please please list them in the comments and I’ll be delighted to add once I’ve read over them.]]

Certification

Ok, this is possibly the most controversial section. Some people will say:

- “certs don’t mean anything, they can be basically bought by forking out a few thousand dollars, attending a bootcamp and passing the exam on the last day.”
- “the proof of in the pudding is in the eating, and that it doesn’t matter how many certifications you have if you’ve no real world experience.”
- “In an ideal world, your experience should be all that people need to check”

My argument is that, simply we don’t live in an ideal world. Your application is a response to a job vacancy written up by a HR staffer, if you’re lucky, or a 3rd party recruiter with little to no understanding of what that role requires. Hence you see roles like “Junior Analyst required, must have CISSP”. Thing is, you need 4–5 years of direct InfoSec experience before you can fully achieve the CISSP. . . . its like asking for someone with “Windows 10 Admin with 15+ years experience”…

Right, rant over. Heres the realities, as I see it.

Certifications offer a standardised way recruiters, HR interns and automated CV scanning software gauge if you’re qualified to get an interview. After that point, its all about what you actually know, can do, and how you communicate. But lets concentrate on getting you to that point, and worry about the rest afterwards!

Remember, this is in no way a comprehensive list, nor is it listed in order of importance, difficulty or cost.

Beginner (Technically orientated)

• CompTIA Network+
• CompTIA Security+
• CompTIA CySA+
• CompTIA PenTest+
• Cisco CyberOps
• GIAC GSEC (GIAC Security Essentials Certification)
• ISC2 SSCP (Security Systems Certified Professional)
• eLearnSecurity eJPT
• Mile2 C)PTE — Certified Penetration Testing Engineer

Intermediate /Advanced (Technically orientated)

• Cisco CCNP Security
• Palo Alto (various)
• Juniper (various)
• Offensive Security OSCP (Penetration Testing using Kali Linux)
• GIAC GWAPT (Web Application and Penetration Testing)
• GIAC GCFA (Certified Forensic Analyst)
• GIAC GREM (Reverse Malware Engineer)

Advanced (Management orientated)

• CompTIA CASP (CompTIA Advanced Security Practitioner)
• ISACA CRSIC (Certified in Risk and Information Systems Control)
• ISACA CISA (Certified Information Systems Auditor)
• ISACA CISM (Certified Information Systems Manager)
• ISC2 CISSP (Certified Information Systems Security Professional)
• ISC2 CCSP (Cloud Security Professional)

Here are two “certification path” guides, issued by two major certification issuers, CompTIA and SANS. Bear in mind that both of these are highly biased, as each is in the business of delivering training materials and certifications for profit, so read between the lines, and use the suggested skill-sets to roughly gauge your intended direction. There are far more certs out there than those listed here, and some are more difficult / popular / valuable than suggested, others are far far less. As the Romans used to say: “Caveat emptor!”

SANS / GIAC exam roadmap:
https://www.sans.org/media/security-training/roadmap.php

CompTIA certification roadmap:
https://certification.comptia.org/why-certify/roadmap

CV / Interview

Getting that first InfoSec interview.

“But hey”, you might ask, “how can I get a job when I’ve no experience? I can’t get the experience because I’ve not already had an infosec job. I’m snookered! Its Catch 22! We’re all DOOOOOOMED!”

Sorry to burst your defeatist bubble, but thats not the case. Transitioning from one role type or industry stack to another is difficult, but never impossible. What you need to do is
a) be proactive
b) be focused
c) be creative
d) be proactive

Yes I said proactive twice. You know why? Because your CV is a story being told. Its up to you to write one in a way that, just like any good story, reaches out and touches the recruitment manager, the technical manager, the CISO. Set up the protagonist, (you!), empower yourself with the skills necessary and then totally hijack the plot. Its relatively easy to make yourself the hero when you’re the one writing the story. If in doubt, just check with every victor ever.

Here’s my formula for success. Feel free to suggest other steps, etc. Not every step needs to be taken. It doesn’t have to be in this order. The important thing is that you try:

1. Buy a cheap older server on ebay (or even a desktop with a load of cheap RAM) and setup a home lab. Leverage free tools like oraclebox to practice setting up servers and networks, both attacking and defending. Leverage REMnux, SIFT, FLARE and Kali for your toolsets, and webgoat or Metasploitable as your vuln web application environment to test, and you can easily download malware samples via VirusTotal to tear apart using PEstudio, PEview, Dependency Walker, and other static analysis tools, before moving onto the likes of Procmon, Wireshark and Cuckoo sandbox for dynamic analysis.
Document, practice, learn. You’ve now secured a better skillset, and a good 15 minutes of your interview for you to hijack the conversation and wax lyrical about how much you love working on your home lab. Leverage youtube and cybrary[.]it on how to use each tool.
Learn to use Shodan and Maltego (demo/community versions).

Congratulations, you’re now a InfoSec researcher as well as a student of your chosen profession.

Test stuff, document stuff, write a “how to” to remind you next time. Make these into pretty slides. You’ve now created the slide deck for your first infosec talk for your local DefCon / OWASP group.

2. Attend local DefCon and OWASP groups. Go several times in a row. You’ve two ears and one mouth. Use that ratio.

Eventually, participate. Look back over your notes. Improve them, learn from past speakers on what works and what doesn’t. Practice on your spouse or housemates. Don’t know what to present on? Give a talk on a tool you’ve been playing with. Learn the first 4 chapters of a book on a subject (eg: Practical Malware Analysis) and do an “Introduction to…” talk. It doesn’t matter. What matters is that you actually stand up and do it. Build on your experience and try to increase the complexity of your talk each time.

Congratulations, you’re now a Infosec Speaker. You can now secure 5 minutes of interview time that you can hijack and use a prepared breakdown of the experience to control several minutes of your interview.

3. Volunteer with your local DefCon / OWASP group, turn up a half hour before the talks and help set it up, harass the speakers to upload their slides, run the FB page, literally anything that can get you on the committee. After a while, I’m sure they’ll be happy to have the extra hands.

Congratulations, you now co-run a InfoSec community group.

You now have secured 5 minutes of your interview as one of the people interviewing you will talk about how they used to be the same.

4. Start visiting nearby InfoSec conventions. Theres a few hugely expensive ones like Blackhat, they’re for securing multimillion dollar sales deals and stuff. Not them. Cons like B-Sides. Free or under $100 ticket ones. Attend. Take notes. Remain mostly sober. Don’t flirt with people, engage with them. Take notes. Add people on LinkedIn and Twitter. Msg them and thank them for their talk. List the conferences you’ve attended in your CV. Theres a 99% chance at least one person interviewing you will have been to each of the conventions you’ve listed. Maybe even the same year as you.

You’ve dominated the interview with prepared stories and anecdotes of your successes and failures (from which you’ve learned learned learned). You’ve gotten at least one interviewer all nostalgic.

You’re now practically best friends with the technical hiring manager.

****** GROUPS TO BECOME INVOLVED IN ******
Join / Start a local DefCon group, or OWASP chapter. Attend every meeting. You have two ears, and one mouth, so listen, and learn.

Defcon Groups: https://defcongroups.org/

OWASP Groups: https://www.owasp.org/index.php/OWASP_Chapter

After 3–4 meetings, and within 6 months submit and give your own talk. Within a year, volunteer to help run it. I now co-run a DefCon group.

*****************************************************

This final blog by “Professor” Messer himself wraps up the process neatly

The long and short of it is that there’s an overwhelming amount of free materials and good folks in the industry through which you can succeed, once you’re willing to put the time and effort into it. There as officially zero unemployment worldwide in this profession, and demand continues to outstrip available talent.

The global pandemic has proven that people can work productively from home, and this means that those hundreds of thousands of unfilled information security roles are no longer necessarily defined by their geographical location, meaning this career will be one of the few seeing job security for years to come.

If you like this article, please click the “follow” button above, and check out my other articles. You can also leave up to 50 “claps”, which greatly increase my visiblity to other viewers, and, I’m not going to lie, is the ego boost I need to write more.

About this article: Stemming from a pinned post in the Facebook group “Breaking Into Infosec” a version of this was initially published on Peerlyst where it received almost 10,000 page views.

About the author: Jack has been in IT for a few years now, and in InfoSec for a few more. He is involved in his local DefCon group Cork|Sec and OWASP chapter, runs the Facebook group Breaking Into InfoSec, where he helps over 7 thousand members try and secure their transition into cybersecurity and beyond. Please feel free to join, its a great place to learn more and interact with like minded people. He is passionate about helping others transition into information security and working towards a more secure future.
Feel free to reach out via Twitter: @2wiredSecurity

¹ Please note that this article also includes some affiliate links, marked LikedThis¹, which link to the best books I have found on various hacking-related topics.