Getting Into Cyber Security (by Someone Who Hasn't Made It In Yet)
A post about being excited about stuff
(This post has been edited and updated)
Getting into Cyber Security.
I’ve been looking at Cyber Security on and off for a good amount of time now. And I’ve seen loads of people popping up asking how to get into Cyber Security. Often what they are looking for is strictly professional advice. What certs to get, who to talk to, what to learn, etc. Almost always there will be someone who responds with a quick list of certs and then a 200 word essay on the reality of it all.
Now, I haven’t landed a job in cyber security yet, but I can summarize the advice I’ve been given. This is my 200 word essay.
First off, certifications will not (always) get you a job. Just take a look on twitter or reddit. Loads of folks with certs trying to find jobs and are having a hard time while equal amounts of articles are written about a lack of talent in the community from the folks looking to hire.
So, you probably get that talent doesn’t mean you took a test and did well and that’s it. It means you know stuff back and forth and you’re willing to keep learning and taking tests and going to conferences and be part of something. The killer names in the community made it to where they are by loving something about it and often becoming part of the culture to be around other’s who love something about it. Just like getting into sports or scrapbooking or Taylor Swift.
Immediately you think to yourself
“I will never like Cyber Security as much as I like Taylor Swift” This doesn’t have to be true, isn’t true, or wouldn’t be true if you were exposed to the good stuff.
BTW. Here are three words that will make your day - ‘Swift on Security.’
The starting point is a boring place
You picked this field for a reason. Hopefully it wasn’t money. Hopefully something about it feels tingly and awesome. Chances are that it has nothing to do with subnetting or Cisco IOS commands. Also I wouldn’t be making a far off guess to say that you go to class and not have any of that awesome that got you there in the first place resulting in the ‘I don’t know if this is for me’ that happens to so many people.
Unfortunately, Cisco IOS commands are important. Even if you’re trying to be an amazing malware analysis expert or you’re trying to be the infamous black hat hacker that ever lived. Gotta do it. This stuff isn’t easy and is the biggest onion of a topic I’ve ever seen, so it takes all of that awesome to keep you energized and moving.
Where to find and maintain the awesome?
This is the part of this post that matters. I’m not going to give you a concrete answer, because everyone’s answer is different. But I’m going to list some junk that has helped me feel awesome through all this.
Find ways to be entertained by it.
Start with a single book - like Hacking the Hacker by Roger A Grimes.(Ask me for it, I’ll let you borrow my copy) Or hopping on Twitter and finding the who is who. This will be the tell tell. If you don’t find something in a book, or a youtube channel, or podcast, at least one thing that makes you feel awesome, your job doing network security analysis isn’t going to feel good. I’ll say that my start in all of this was from getting excited about the smart IT dudes and dudettes in movies. Judge me.
Seeing things get broken and bypassed seemed like magic tricks. Cracking a password seemed like shuffling a deck 8 times and fanning out the cards in perfect order, each suite separated. That sort of mysticism made me want to learn if it was possible to even do what they did, and if it was possible to be like them. Living in the time of the Googles, I found stuff. Things like Hackthissite.org or Hak5’s Youtube. Come to find out, you can in fact do some of the stuff they do, and it pays. And it’s in crazy demand. And it’s sort of like a superpower. And there isn’t an end to learning it. That should be exciting right?
Seriously, really pay attention to how this stuff makes you feel.
The goal is to find what makes you feel like this fella and run towards it.
Work from the right starting place.
I want to write sweet networking scripts and be really awesome at CTFs and real world pentesting. But, last time I tried jumping right into it, I got mad overwhelmed man. Like. Sad city. But it was only because I felt hopeless and lost. You have to get a foothold on what you know and work your way up.
The issue is that most infosec media that is exciting is also a bit intimidating. If you don’t know where your starting place is, google something you already know about. You’ll find something else there that you don’t know yet. Move towards that.
“If watching someone do something seemingly impossible it can make it seem like magic. Just remember what it felt like when you realized the coin wasn’t behind your ear, it was just between your uncle’s fingers”
-Some guy once said this.
This stuff isn’t hard. You just need to be exposed to it.
Reading an article about how WannaCry worked or even watching a video of someone popping a reverse shell can be overwhelming if you’re new. That doesn’t mean you shouldn’t do it. Watch those videos. Get excited when you see the windows prompt show up on that dude’s linux box. And when you hear them say something you don’t understand. Write it down. It’s a clue to where you need to start.
Google, read, reduce confusion.
When you do that, you’re removing that point of tension that will continue to come up for you. You may never use it. But demystifying the topic will make it less scary. Again, it will pass through your brain and you won’t feel a thing. More room for the awesome. Also spend more time Goolging to reduce confusion, than trying to learn something with confusing parts. Only learn it when you think you can manage it.
Exposure vs studying
This stuff has it’s own lingo and vocab and deep deep rabbit holes. Don’t worry about all of it right now. Just keep reading and listening. Each time you hear someone say a term you don’t know, you’ll be more comfortable with it. Again, the discomfort will go away. Get on Twitter. Seriously. That is where the community is. See what they are talking about.
When WannaCry hit, Twitter was popping. Everyone was working together to reverse engineer that mess. People were like:
Just made a honeypot for anyone to use
Just found you can register the domain and it’s a killswitch
The guy who just figured out the killswitch is now all over the news
Oh he just got arrested for developing and selling some malware a few years back
He just moved in with that other famous infosec person on twitter.
OH HELL. EQIFAX….
Things that could maybe get you mad excited.
And lastly, if you’re not feeling motivated to find what excites you and do all the stuff I said above. Here is some stuff you can google to get you started. Just watch a video of people doing this stuff. It’s amazing.
Reverse Shells & Kali
Injection (in this case the old shellshock bug)
Cracking Wifi Passwords
Bash Script
WarDriving
Meterpreter
Capture the Flags (hacking/pentesting games)
Red Team Pentesting (in this case - Breaking into an electrical grid
Thanks. I hope this post wasn’t too long. If you’ve read this far down, you’re good quality human. This isn’t new stuff. You’ve all heard you have to love what you do to make it, I hope this helps you find your way of loving it and stuff.
Cheers, Zack