Getting Into Security
How does one get into security?
I get asked this from time to time. There is no single answer, but here
is a collection of information, mostly culled from others, that can be
used as a starting point.
Advice from Practitioners
If they have been in the industry for a while, most people you ask about
getting a job in security will not have a good answer applicable to you.
That's not to say it won't be an interesting answer, and you should
definitely ask people about their background. However, many have come up
through circuitous means and other than "be curious, try everything, and
just add security to your job description" our advice isn't that
applicable in many cases. For example, you probably do not want to spend
6+ years going to law school, passing the bar exam, and practicing law
before you get started. You could, and there are many practicing and
former attorneys doing security work, but maybe that's not the best way
for you to approach it.
One place to start is the Develop Your CyberSecurity Career Path
book, a part of the CISO Desk Reference series and written by Gary
Hayslip, Christopher Foulon, and Renee Small.
My Advice
In the vein of "advice from practitioners", here is mine:
Do things the hard way
Put differently, "do things a different way than that to which you are
accustomed." At his or her core, a hacker is someone that is curious and
always learning, and the best security professionals share this trait. A
good hiring manager, someone that you'd want to work for, will identify
and value the always-exploring, always-learning trait in you.
This is something you can do, even if you don't have time to take a
bunch of courses or learn a programming language. By getting yourself
out of your comfort zone and then figuring out how to make the
uncomfortable comfortable and workable, you're gaining a valuable
hacker skill.
Building a Foundation
When information/cyber security started to become its own discipline,
the people that gravitated to it were network and system administrators.
These were people with a lot of operational experience and were tired of
having their systems interrupted by malicious parties. In the past 30
years, two primary developments have occurred:
- Computers have become "easier" to administer. By this, I mean a
lot of the low-level configurations have been obfuscated and taken
out of the hands of all but the most core of administrators
- An industry has sprung up around cybersecurity, with actual
collegiate curricula developed for people wanting to get into the
space.
These are great advancements, however, in my experience –and more
importantly, in my hiring practices– practical, first-hand knowledge
of the fundamentals is a crucial foundation for anyone looking to get
into cybersecurity. So, what does that mean? What knowledge is important
before one even gets to security concepts?
The following subsections list a few that I think are absolutely
critical for either an IT or cybersecurity career:
DNS
Know how DNS works. A couple of tasks that would help:
- Register your own domain name
- Host a site/application for this domain on some infrastructure
(AWS, DigitalOcean, etc)
- Create the ability to send & receive mail as this domain
- Host your own DNS resolvers for your home network
- Run a pi-hole or similar on your home network
DHCP
- Understand how computers obtain an IP address.
- Create a "rogue" DHCP server and see how you can use it to attack
computers in your test environment
TCP/IP
- Three-way handshake. Be able to analyze this using Wireshark.
- Also: learn how to use Wireshark
- Learn what tools like traceroute and ping do and how they work.
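As an added example (not part of the original post), here is a small Python script that builds a constructed three-way handshake from raw IPv4/TCP headers and checks the seq/ack arithmetic you would otherwise read off Wireshark's Info column (the first segment is what the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` would show). All addresses, ports and sequence numbers are made up for the example.

```python
import struct

# Constructed sample: IPv4 header + TCP header per segment, no Ethernet
# frame, no TCP options, checksums left at zero (not validated here).
CLIENT, SERVER = "10.0.0.5", "10.0.0.80"   # made-up addresses
SYN, ACK = 0x02, 0x10                       # TCP flag bits

def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))

def build_segment(src, dst, sport, dport, seq, ack, flags):
    """Pack a minimal 20-byte IPv4 header followed by a 20-byte TCP header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return ip + tcp

def parse_segment(raw):
    """Return the fields Wireshark's Info column summarises for a TCP segment."""
    ihl = (raw[0] & 0x0F) * 4                      # IP header length in bytes
    src, dst = raw[12:16], raw[16:20]
    sport, dport, seq, ack, _off, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}

def check_handshake(segments):
    """Verify SYN -> SYN/ACK -> ACK and the seq/ack arithmetic between them.
    Returns (True, 'ok') or (False, reason)."""
    if len(segments) != 3:
        return False, "expected exactly three segments"
    a, b, c = (parse_segment(s) for s in segments)
    if a["flags"] != SYN:
        return False, "first segment is not a bare SYN"
    # The SYN/ACK must come back from the server and acknowledge ISN_client + 1.
    if b["flags"] != SYN | ACK or b["src"] != a["dst"] or b["ack"] != a["seq"] + 1:
        return False, "second segment is not a SYN/ACK acknowledging the SYN"
    # The final ACK uses seq ISN_client + 1 and acknowledges ISN_server + 1.
    if (c["flags"] != ACK or c["src"] != a["src"]
            or c["seq"] != a["seq"] + 1 or c["ack"] != b["seq"] + 1):
        return False, "third segment does not acknowledge the SYN/ACK"
    return True, "ok"

# Constructed capture: client ISN 1000, server ISN 5000.
HANDSHAKE = [
    build_segment(CLIENT, SERVER, 40000, 443, 1000, 0, SYN),
    build_segment(SERVER, CLIENT, 443, 40000, 5000, 1001, SYN | ACK),
    build_segment(CLIENT, SERVER, 40000, 443, 1001, 5001, ACK),
]

if __name__ == "__main__":
    print(check_handshake(HANDSHAKE))
```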
Docker / Containerization
Use Docker. Use it to run some common tools, and know how to construct a
Dockerfile in order to run some arbitrary application or service.
Security Tooling and Practices
Run the Security Onion on your home network. Collect information, dive into the logs, explore the tools. This will provide you with an entire SOC-in-a-box type environment for experimentation.
Researching a job in security
For those that are just starting or looking to move from a completely
different industry, these are some collected resources. They are ordered
so you can get a taste and then go deeper depending upon what you find
interesting. Remember: the security field is big, and there are so
many niche areas where you could dive in and spend the rest of your
working career learning. You have to decide what is of interest to you
and determine your goals.
Initial Reading & research
- Read How to Build a Cybersecurity Career (And a lot of other stuff) from Daniel Miessler's blog
- Read Confessions of an InfoSec has-been by Michael Zalewski (aka: @lcamtuf@infosec.exchange)
- Read How to Get a Job in InfoSec by the RedCanary team
- Read the Tribe of Hackers book
Continuing to look into the field
More stories and information
If the above was interesting and you find that you're interested in
security, follow and use these resources.
- Listen to the Risky Business podcast (but not the product pitches (yet))
- Listen to the Darknet Diaries podcast. "True tales from the dark side of the Internet". This is a must for hacker history and recent adventures.
Build a home network lab
A #homelab is a must for both the experienced and the just-getting-started cybersecurity practitioner.
- Defense: DetectionLab
- Offense: Building a home lab for offensive security basics
- Review the references/links from both of the above guides for
further information and options
Going Deeper
(if you're brave) Follow & engage with InfoSec Twitter
- while it's still there, I can't recommend using Twitter since it's become a cesspool
Learn something about hacking/red-teaming/penetration testing:
- Work through Georgia Weidman's book: Penetration Testing
- Attain an OSCP certification
- Participate in a CTF, such as Hacker 101
- Join a site like TryHackMe or Hack the Box and do as many exercises as you can.
Social Obligations
Networking (the social kind) is extremely important in any career.
- Find a BSides conference close to you and attend
- Try to attend DEFCON. Meet people, choose topics in which you're
interested and just talk to the experts. This is a learning and
educational event.
- Cybersecurity is big these days, try finding a group that has a
shared interest or attribute other than cybersecurity. This could
be a particular area like forensics, a group like Blacks in
Cybersecurity, or a regional group, like a local 2600 or DEFCON
groups, which are "DC" followed by the area code, such as DC312
- Get on the Discord and Slack channels for the above and other
security communities
- Engage with other security professionals on social media. LinkedIn
is an option, however, Mastodon communities such as
infosec.exchange, DEFCON Social, or Hackers town are great communities.
(Of course, running your own server and engaging with people from those
servers and the #infosec hashtag is a great way to both learn and engage.)