Breaking in....to Infosec

Something I am often asked about is how to get started with Pentesting, or in Infosec in general. Many people dream of the sexy viewpoint shown in the movies; a hacker sitting behind a number of monitors in a black hoodie furiously typing in commands to break into a sensitive computer system. Usually it ends up looking totally different than what a real penetration test or red team engagement actually looks like.

My own path to Penetration Tester/Red Teamer is different than others, and everyone has their own path in. There is no "right" way. This write-up will hopefully help answer some questions and provide links to information which can help you on your path. 

My Path

I started in IT becoming a Systems Enginner/Administrator, working on Windows networks. After years of consulting, then moving internal at a company, I migrated to "security" by managing a government contractor facility and lab environment. My passion was for computer security and hacking, so when a challenge came up, I jumped in, got a little lucky, worked hard, and got invited to a program called CyberAces. This provided me with 5 SANS courses and a 1 year "cohort" with 11 other individuals trying to get into infosec and some top industry professionals. This is when it was my chance, and I took it for all it was worth. (Which was a TON!) After completing the program, I had 5 GIAC certifications and started looking for a job, ended up landing a position as a penetration tester, and the rest is history, but this is not where I stopped. 

While getting a job in the industry is an important step, it is not the last step, and still requires a great deal of effort and time to continuously improve and bring value. So back to the original question I get asked often: "How do I get into Penetration Testing?". My response is usually not just a single line. It takes dedication, hard work, persistence, and perseverance. It is not a "job" but rather a lifestyle and a passion. So what is the first step?

Learning

You start by learning. Read as much as you can. Watch YouTube videos on Infosec topics. Learn not just how to run tools, but how the tools work. Be curious. Remember that if you start to look at everything all at the same time, you will be overwhelmed and likely give up. Instead, take on things in small chunks. Learn a specific area (starting with the basics and gradually getting more complicated), take good notes, and PRACTICE! 

Labs

There are tons of free vulnerable lab setups to test with, most with write-ups on how to solve the challenges if you get stuck (just don't look at the solution right away).

Understand

I think that being a Systems Administrator, and learning the defensive side of the field, has helped me greatly in my career path. I understand how the systems work, how to manage systems, and most of all, I understand the mistakes I used to make so I can use that information to help others not make those mistakes.

Meet Others

Another thing to do is to meet people. This was probably one of the hardest things for me as an introvert, but the rewards are worth the risk. Get to conferences if you can. In many areas there are local meetups or smaller conferences, such as BSides. Many of these are free or a small fee to attend. Go to talks, but don't forget about villages and hallway-con. Talk to people you meet, see what they are working on, let them know you are trying to get started and what you are doing on your time to learn. If you aren't ready to meet others at a conference, start with following people on Social Media and interacting there. There are a ton of people willing to help in any way they can.

Like I said previously, there is no "right" way to get into infosec. The steps you take are what will help ensure you are successful though. If you put in time and effort you should have no problem landing a great job in the industry.

Other "getting started" blogs:

https://www.endgame.com/blog/technical-blog/getting-started-information-security

https://gist.github.com/mubix/5737a066c8845d25721ec4bf3139fd31

https://www.gracefulsecurity.com/becoming-a-penetration-tester/

Learning Resources:

Codecademy

• Learn the Command Line
• Lean Python (Language doesn't matter, More important to learn how programming works, then choose a language to learn)

Virtualization (https://www.youtube.com/watch?v=GeXwR32GCOw)

• Install Virtualbox (https://www.virtualbox.org/)
• Download a Kali ISO (Kali Linux 64 Bit) - https://www.kali.org/downloads/
• Create your first VM (make sure you understand your hardware. Safe to go with 1 CPU, 2GB of RAM, 30 GB disk) - https://gordonlesti.com/create-kali-linux-virtualbox-image/
• Install VM tools (this allows you to do things like copy and paste from your host to your VM) - https://docs.kali.org/general-use/kali-linux-virtual-box-guest

Pentesterlab (Start with easier images first!):

• https://pentesterlab.com/exercises?dir=asc&only=free&sort=difficulty
• Start here: https://pentesterlab.com/exercises/web_for_pentester
• Course materials are under https://pentesterlab.com/exercises/web_for_pentester/course

Methodologies:

• http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines#Vulnerability_Analysis
• https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
• https://www.offensive-security.com/metasploit-unleashed/requirements/
• https://www.owasp.org/index.php/OWASP_Testing_Project 

 

Community and News:

• reddit.com/r/netsecstudents
• reddit.com/r/netsec
• twitter.com
• twitter.com/l0gan54k (take a look at some of those I follow)
• http://www.securitybsides.com

Books:

• Hacker Playbook 1
• Hacker Playbook 2
• Hacker Playbook 3
• Hacking: The Art of Exploitation, 2nd edition
• Red Team Field Manual
• Blue Team Field Manual

Certifications:

• OSCP
• SecurityTube(http://www.securitytube-training.com/online-courses/index.html)
• SANS/GIAC (GSEC, GCIH, GPEN, GWAPT)