People ask me how I started my career and what my path was to become what I am now. With this article I aim to help new starters become good professionals in Cyber Security. I distinguish between Cyber Security and Information Security: although both address security at some level in an organization, there are major differences. Becoming a Cyber Security professional can be a daunting task, and you need to watch out for the hidden rocks that can sink your boat. Surround yourself with people who support and approve of your quest. Ask yourself why you want to pursue a career in Cyber Security, and be honest. Is it because it is a hot topic and a must-have on your CV, or do you really want to learn the tricks of the trade? Mentally prepare yourself for a lifelong learning curve; this is not a game for short-term money-makers. Good money will come at some point, but it must not be your goal when you commit to this field. And here we go, point number one:
1. Find a good mentor and make a plan
The first and most important task is to find a good mentor who will invest time in you and disciple you. I use the word "disciple" because a good mentor will invest time in transferring their knowledge, experience and skills to you. That requires clear rules of engagement and commitment from both sides. Some of the qualities of a good mentor are:
- Respected professional with years of experience in the industry
- Expert in his domain
- Approachable and outgoing person
- Lifelong learner, committed to learning new things
- Able to motivate you and provide constructive feedback
- Track record of successful mentoring
Once you find your mentor and he agrees to engage and invest in that relationship, the road ahead becomes much easier. I had to figure out most things by myself, as at that time there was no one in my country to mentor me.
I recommend you follow industry leaders on Twitter.
Don't focus on their or other people's success; focus on your own development. Focus on how you can make a difference today and be better tomorrow.
2. Select your area of specialization
Nowadays Cyber Security is much more mature than it was 10-15 years ago. Professions like Cyber Threat Intelligence Analyst, Reverse Engineer, Malware Analyst, Purple Team Analyst and Incident Response Analyst were non-existent or at best exotic. Whatever path you choose, it is important to specialize by starting from the basics and learning the tricks of the trade without compromise. There is a logic behind that: don't be a double-click script kiddie. At some point machines will take over whatever can be automated, but people with deep technical understanding will keep their jobs no matter what. Skilled manual work will always be expensive and hard to replace. I'll give you an example: we can partially automate first-line incident response with automated playbooks, reduce false-positive alerts and use machine-learning models to support decisions. We can't remove the human from malware reverse engineering and digital forensics, because of the advanced anti-analysis techniques malware uses. The same applies to purple teaming and classical penetration testing. Today's tools can automate a large share of vulnerability scanning, but individuals with both offensive and defensive skills are scarce. I remember when service desk and sysadmin jobs were a hot topic; today automation handles much of that work (chat bots, playbooks, cloud automation). My advice is to choose one of the following fields, which I believe are future-proof:
- Reverse Engineer
- Digital Forensics & Incident Response
- Red or Purple Teaming
- Threat Analytics (Threat Hunting)
- Penetration Testing
- Security Developer
- DevSecOps
- Security Architect
- Application Security
3. Setup a home lab to experiment
Experimenting on your own and learning by doing is the best way to progress faster. There are labs and hosted services out there that you can rent, but nothing brings the lasting satisfaction of building the lab yourself. Your lab will be your baby: you can change it the way you want and tailor it to your needs. Start small and add to it when you have more budget to invest. Here is my formula for a budget lab:
- Register a cheap domain for your C2 (Command & Control) server.
- Get a switch; there are cheap 5-8 port ones.
- Use virtualization software. Initially you can use VirtualBox, but I would suggest VMware Workstation Pro or an ESXi server (the free ESXi licence) because of the enhanced functionality you get with enterprise-class software. You can find cheap licences for a good deal of software on eBay.de. If you have a decent laptop with at least 16 GB of RAM and a dual-core CPU, you can stick to VirtualBox in the beginning.
- Get a decent monitor or two, as you'll be spending most of your time staring at the screen. You need something that spares your eyes.
- Raspberry Pi: it always comes in handy, and you can even run a Squid web proxy on it with SquidGuard for URL filtering.
- Get your tools ready: download and deploy the tools you need. To start, you can use the tooling list below:
- Offensive
  - Kali Linux
  - PowerSploit
  - BloodHound
  - Nishang PowerShell framework
  - Empire PowerShell framework
  - Cobalt Strike (21-day free trial, but the trial build embeds the EICAR test string in Beacon, so expect antivirus to flag it)
  - Veil
- Detection and analysis tools
  - Splunk Free
  - Security Onion
  - Excel
  - SIFT Workstation
  - REMnux
  - Sysinternals Suite
  - Passive DNS data
  - Maltego
  - SOF-ELK
  - Wireshark
... and many more. Focus on the tools relevant to you now.
- Firewall: get a decent home firewall. I would suggest Sophos XG Firewall Home Edition, which is free for home use (its predecessor, Sophos UTM Home Edition, was capped at 50 IP addresses; the XG home licence instead limits the CPU cores and RAM it may use, so check the current terms). You can buy a barebone nano PC on Amazon for roughly 200 EUR and deploy Sophos XG on it. This setup gives you the network segmentation and visibility you need to inspect traffic. Also, if your switch supports port mirroring (a SPAN port; the cheapest unmanaged switches do not), you can mirror traffic to a capture box and analyze it with your favorite tools.
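As an added example of what you can do with a capture taken from that mirror port (this is code written for this article, not something from the original post or from any of the tools listed above), the pure standard-library Python below parses a classic pcap, extracts DNS query names and flags names that are queried at near-constant intervals, which is what an implant calling home to the C2 domain you registered looks like on the wire. The pcap bytes, hostnames and 10.0.0.x addresses are constructed inline so it runs offline; they are not a real capture.

```python
"""Spot periodic DNS beaconing in a lab capture, standard library only.

Added example for this article, not the author's code. The pcap bytes, hostnames
and IP addresses below are constructed inline so it runs offline; not a real capture.
"""
import struct
from collections import defaultdict
from statistics import mean, pstdev

PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def iter_pcap_packets(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record of a classic pcap."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled (not pcapng)")
    if struct.unpack_from("<I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24                                   # global header is 24 bytes
    while offset + 16 <= len(data):               # each record header is 16 bytes
        ts_sec, ts_usec, incl_len, _orig = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec + ts_usec / 1_000_000, data[offset:offset + incl_len]
        offset += incl_len


def dns_query_name(frame: bytes):
    """Return the queried name if frame is an Ethernet/IPv4/UDP DNS query, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":        # too short / not IPv4
        return None
    udp = 14 + (frame[14] & 0x0F) * 4                         # skip IP header (IHL)
    dns = udp + 8
    if frame[23] != 17 or len(frame) < dns + 12:              # not UDP / no DNS header
        return None
    if struct.unpack_from("!H", frame, udp + 2)[0] != 53:     # not to port 53
        return None
    if struct.unpack_from("!H", frame, dns + 2)[0] & 0x8000:  # QR bit set: a response
        return None
    labels, pos = [], dns + 12
    while pos < len(frame) and frame[pos] != 0:
        length = frame[pos]
        if length & 0xC0:              # compression pointer: malformed in a question
            return None
        labels.append(frame[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower() or None


def find_beacons(pcap: bytes, min_queries: int = 4, max_jitter: float = 0.2):
    """Map names queried at near-constant intervals to their mean interval (seconds).
    max_jitter bounds stdev/mean of the gaps; real C2 adds jitter, so do not demand 0."""
    times = defaultdict(list)
    for ts, frame in iter_pcap_packets(pcap):
        name = dns_query_name(frame)
        if name:
            times[name].append(ts)
    beacons = {}
    for name, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            beacons[name] = round(mean(gaps), 1)
    return beacons


# --- constructed sample capture: no real traffic --------------------------

def _dns_query_frame(name: str) -> bytes:
    """Build an Ethernet/IPv4/UDP DNS A query for name (checksums left zero)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + udp
    return b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4


def _pcap(frames) -> bytes:
    """Serialize [(timestamp, frame)] pairs as a classic little-endian pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in sorted(frames, key=lambda p: p[0]):
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = _pcap(
    [(t, _dns_query_frame("c2.example.com")) for t in (0.0, 60.0, 121.0, 180.0, 240.0)]    # beacon
    + [(t, _dns_query_frame("www.example.org")) for t in (3.0, 17.0, 200.0, 203.0, 900.0)]  # browsing
    + [(t, _dns_query_frame("updates.example.net")) for t in (5.0, 305.0)]                  # too few
)
```

`find_beacons(SAMPLE_PCAP)` returns only the name queried roughly once a minute. To run it against a real capture, replace SAMPLE_PCAP with the bytes of a file saved from Wireshark or tcpdump as classic pcap (not pcapng). The jitter threshold is the interesting knob: Cobalt Strike and Empire both randomise their sleep time, so a detector that demands exact periodicity misses them, while a threshold that is too loose flags legitimate pollers such as NTP or software update checks.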
4. Read books, a lot of books
I enjoy reading books and believe one of the best ways to gather solid knowledge on a topic is to read a book. The way I got excited about Cyber Security was reading Kevin Mitnick's books The Art of Deception and The Art of Intrusion. He is an excellent writer and a good hacker who specializes in social engineering. My top ten hacker books and real-world stories are:
- The Art Of Deception - Kevin Mitnick
- The Art Of Intrusion - Kevin Mitnick
- Hacking Exposed 7 - Stuart McClure, Joel Scambray, George Kurtz
- Windows Internals, 6th Edition - Mark Russinovich, David A. Solomon, Alex Ionescu
- Practical Malware Analysis - Michael Sikorski, Andrew Honig
- Schneier On Security - Bruce Schneier
- Black Hat Python - Justin Seitz
- The Best Of 2600 Magazine - Emmanuel Goldstein
- Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground - Kevin Poulsen
- File System Forensic Analysis - Brian Carrier
5. Get industry recognized certifications
Certifications can get you to your first interview; your skills, character and assertiveness will get you the dream job. The benefit of being certified in your area is simply that it validates your minimum capabilities, so recruiters have a rough idea of who they are dealing with. My small piece of advice: when you earn your certs, please do not put them after your name on your LinkedIn profile. "Hristiyan Lazarov, CISSP, CASP, GCFA, GREM etc." may look impressive, but it also says something else: you are openly bragging about your certs, and that is not humble. Here are some of the most recognized certs in Cyber Security (this is not an exhaustive list of certs and training):
- Penetration Testing:
- Offensive Security Certified Professional
- Offensive Security Certified Expert
- Offensive Security Wireless Professional
- Penetration Testing Professional (eLearn Security)
- Penetration Testing Professional eXtreme (eLearn Security)
- SANS GPEN
- SANS GXPN
- SANS SEC760 - excellent training, but no certification exam
- Digital Forensics & Incident Response:
- GIAC Security Expert (GSE) - GIAC's top-tier cert, spanning several domains rather than DFIR only
- SANS GCFE
- SANS GCFA
- SANS GREM
Be aware of certification organizations and programs like EC-Council and their infamous CEH cert. Hackers have defaced the EC-Council website more than once. That organization lost credibility in the security community because of poor security practices and impractical content in the CEH curriculum (prove me wrong).
6. Learn to code
If you still lack software development skills, now is the time to gain them. You don't need to become a champion developer, but it's good to know a language or two so you can build your own tools. I highly recommend checking the TIOBE index to choose the right language for you. If you're new to coding, you can start with something easy to pick up like Go (Golang), Python or PowerShell. Different languages have different applications, so don't limit yourself to one, but make sure you master at least one general-purpose language. Going forward I would recommend Go, as it is cross-platform and multi-purpose; it is garbage collected and gofmt enforces a single coding style. You can also try C/C++, as most of the tools out there are written in C/C++. The same goes for malware: the good malware made by state-sponsored groups, and commodity malware too, is written in C/C++. Earning such skills takes time, so plan carefully and make sure you stick to the plan you have discussed with your mentor (that's why it is so critical to have a good mentor). I would recommend the following websites, which you can use to learn to code for free:
- https://www.tutorialspoint.com/
- https://www.learncpp.com/
- https://www.w3schools.com/
- https://www.learnpython.org/
- https://www.codecademy.com/
7. Give back to the community
Once you reach a certain level of proficiency, you find that the community is full of people like you who also started from somewhere. The beauty of the cyber security community is that most of us love to help and share experience. There are countless ways to give back: supporting new starters, people looking for their next step, or projects in need of tools and code.
Some of the ways you can give back:
- Get involved in open-source projects and contribute code
- Donate time and money
- Share your skills and knowledge with others
- Help and mentor new starters
- Go to security conferences
- Speak at security conferences
The path to success in this industry is hard, but not impossible. I wish you the best of luck; do reach out to me either here or on one of the social networks.
I'll keep updating this article as a golden source for new starters.