Infosec Newbie

[Updated 20/07/2018]

I have recently started a career in Cyber Security / Information Security. My path, though somewhat recent, might be useful for those just starting out. A few of these guides have cropped up, but everyone has a unique path or story. I've met like-minded individuals along the way and have swapped numerous tips which might be handy to someone just starting out.

Social Media Community.

I use Twitter to keep up to date with the community. Some of the biggest names in the industry hang out on Twitter, and if you need to ask a question, Twitter is pretty much the medium to go for.

My Top 50 infosec peeps to follow; from here, pivot away depending on your interest. The list contains social engineers, penetration testers, malware researchers, incident responders, hardware/IoT hackers, tool developers, security awareness advocates, investigative journalists, certified infosec instructors, newbies (follow their paths), threat intel analysts and other 'infosec rockstars'.

  1. Kevin Mitnick @kevinmitnick
  2. Darren Kitchen @hak5darren
  3. James Lyne @jameslyne
  4. Rob Fuller @mubix
  5. Hacker Fantastic @hackerfantastic
  6. Robin @digininja
  7. JΞSŦΞR ✪ ΔCŦUAL³³º¹ @th3j35t3r
  8. Mikko Hypponen @mikko
  9. Chris Sanders @chrissanders88
  10. Bʀʏᴀɴ @Bry_Campbell
  11. briankrebs @briankrebs
  12. Kevin Breen @KevTheHermit
  13. Steve Armstrong @Nebulator
  14. Travis Smith @MrTrav
  15. Ken Munro @TheKenMunroShow
  16. Jason Trost @jason_trost
  17. MalwareTechLab @MalwareTechLab
  18. Florian Roth @cyb3rops
  19. Kevin Beaumont @GossiTheDog
  20. x0rz @x0rz
  21. Eric Zimmerman @EricRZimmerman
  22. Malware Unicorn @malwareunicorn
  23. Matt Bennett @ma77bennett
  24. Will @harmj0y
  25. Liam Randall @Hectaman
  26. Dave Kennedy (ReL1K) @HackingDave
  27. Jack Crook @jackcr
  28. John Lambert @JohnLaTwC
  29. Tavis Ormandy @taviso
  30. linkcabin @LinkCabin
  31. Dan (4n6k) @4n6k
  32. Samy Kamkar @samykamkar
  33. Eric Conrad @eric_conrad
  34. Roberto Rodriguez @Cyb3rWard0g
  35. Sev @sudosev
  36. Troy Hunt @troyhunt
  37. Jess @drjessicabarker
  38. chris doman @chrisdoman
  39. Brad @malware_traffic
  40. John Matherly @achillean
  41. the grugq @thegrugq
  42. SwiftOnSecurity @SwiftOnSecurity
  43. JaysonEStreet @jaysonstreet
  44. Andy | ゼフラフィッシュ @ZephrFish
  45. Mark Russinovich @markrussinovich
  46. Kris McConkey @smoothimpact
  47. Robert M. Lee @RobertMLee
  48. Sean 🔱 @zseano
  49. DEY! @DEYCrypt
  50. Seth Hall @remor
  51. Gary Hoffman @PortUnreachable
  52. Colin Hardy @cybercdh
  53. Nick Carr @ItsReallyNick
  54. Christopher Glyer @cglyer
  55. Casey Smith @subTee
  56. Daniel Bohannon @danielhbohannon
  57. Matthew Dunwoody @matthewdunwoody
  58. ippsec @ippsec
  59. Tyler Hudak @SecShoggoth
  60. [ REDACTED ] @porthunter
  61. Alex Davies @pwndizzle

Another trending platform is Medium; you can sign up with your Twitter account.

This offers a simple blogging platform. Again, follow the same people as on Twitter to get a feel for who posts frequently. Most topics that are discussed on Twitter normally get thrown over to Medium for a technical deep dive; it really depends on who you follow.

Nearly missed adding this gem: https://www.reddit.com/r/netsec/ is an excellent source of community opinions and resources.

Security Conferences.

These keep you on the cutting edge.

They can seem daunting at first, but just bite the bullet and go. Everyone is like-minded and there for the same reason - a passion for all things security. Maybe start off with the more local conferences and build up a network before attending any of the international or more expensive conferences.

You don't even have to attend the expensive Blackhat/Defcon/44con conferences. Most post their videos onto YouTube within hours or days. I'd recommend attending Security B-Sides London/Manchester, Steelcon (Sheffield), 44con (London), Passwords (Cambridge), OWASP (local) and DEFCON (local), which are all very community driven and most are free or charge just a small fee. I'm sure there are ones I've missed. Sorry :)

  1. https://www.youtube.com/user/irongeek <- this is awesome!
  2. https://www.youtube.com/user/HackersOnBoard
  3. https://www.youtube.com/user/robtlee73
  4. https://www.youtube.com/user/BlackHatOfficialYT
  5. https://www.youtube.com/user/teamcymru
  6. https://www.youtube.com/user/DEFCONConference
  7. https://www.youtube.com/channel/UCpNGmljppAJbTIA5Msms1Pw/videos
  8. https://www.youtube.com/channel/UCXXNOelGiY_N96a2nfhcaDA
  9. https://www.youtube.com/channel/UCP28F4uf9s2V1_SQwnJST_A
  10. https://www.youtube.com/channel/UCv6i6WVf-KeUeXFmp9oy29w

Blog.

I'd heavily recommend a blog. Set yourself up with a cheap VPS on Vultr / Digital Ocean - great one-click blog options are available (referral link here with $10 credit) - or just get a free Medium / Blogger / LinkedIn account and go from there.

Use this to attempt a few CTF challenges and write them up. Don't worry about starting with the basics. Check out https://www.vulnhub.com/ for examples of other people's posted 'walkthroughs', or just post a project you are working on in your home lab environment.

Finally, this can act as your online CV, which resonates REALLY well with employers as it'll give you an edge straight away.

Books.

Still a go-to, even if they go out of date fast.

Digital books. Sign up to No Starch Press, as they sometimes have PDF/eBook specials which I've used to load up my Kindle plenty of times before. Humble Book deals are awesome too; subscribe and keep an eye out for when they go live to grab a bargain set of eBooks.

Literally my bookshelf (some missing or at work; see list below).

These are the ones I most heavily recommend (in no particular order):

  1. RTFM: Red Team Field Manual
  2. Blue Team Handbook: Incident Response Edition: A Condensed Field Guide for the Cyber Security Incident Responder
  3. The Hacker Playbook 2: Practical Guide To Penetration Testing
  4. Black Hat Python: Python Programming for Hackers and Pentesters
  5. Gray Hat Hacking: The Ethical Hacker's Handbook, Fourth Edition
  6. Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers
  7. The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws
  8. Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning
  9. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory
  10. Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
  11. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
  12. Applied Network Security Monitoring: Collection, Detection, and Analysis
  13. Network Security Assessment, 3rd Edition

Another useful tip is the digital book collection over at Safari Books Online. If you tweet the account '@safarlbookshelp / @safari' and ask nicely, they might give you a discount on the monthly subscription, which is normally ~£30 per month (thanks @CyberJocko). Although quite expensive, it gives you some of the best books, constantly updated and synchronised across many devices.

Last but not least - the SANS Reading Room is a hidden gem boasting over 2,660 original computer security white papers in 102 different categories, has 75k visitors a month and is completely FREE! A personal favourite. You can submit a Gold Paper once you are GIAC certified (passed any SANS exam), but this is subject to an application and a fee of around a few hundred dollars (link).

Some other nuggets of information can be found over at NIST and in the Guidance section of the NCSC - National Cyber Security Centre (UK) - here.

Podcasts.

A useful source of infosec discussions and daily news when scrolling through RSS feeds and Twitter isn't your cup of tea.

For iPhone I just use the built-in player, but for Android I paid for the "Podcast & Radio Addict" app. I found myself subscribing to way too many and never got round to listening to them all; these are the ones I frequently go to.

Competitions.

UK focused

Just head over to Cyber Security Challenge UK. They host entry-level to 'Masterclass' types of CTF competitions covering a range of infosec areas. Win prizes, build your network and hopefully land a new job! I went to many face-to-face challenges and secured two Masterclass finals, which pretty much jump-started my infosec career. Highly recommend!

SANS Cyber Academy / SANS Retraining Academy - a more recent 'boot camp' style programme offered by the SANS Institute, who are the leaders in security training. Keep an eye out for applications to their programmes via Twitter / the official site to see what they do each year. I was lucky enough to get sponsored for the Cyber Academy in 2015.

CTFs.

Capture The Flag (CTF) challenges (cyber security gamification) are systems purposely set up to practise or learn new skills by acquiring hidden flags located in one of many places. Normally these are codes which, when submitted, grant you points or access to further levels.

Try the below:

  • Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. I've recently come across this and have only managed to register at this moment in time. Seems popular with OSCP students.

  • OverTheWire hosts a number of war games ranging from basic Linux use (bandit) through cryptography (Krypton) to binary exploitation (Narnia).

  • picoCTF is a great way to hone your skills in many of the areas listed above and provides a fantastic introduction to these types of challenges.

  • Seasonal challenges. Both are excellent: the SANS Holiday Hack Challenge and Hacking Labs' Hacky Easter.

  • CTF-Time is pretty much where 'professional' CTF teams keep track of their scores, but it is also the de facto event listing of most, if not all, CTFs out there to play.

Also one to note: these OSCP-style 'boot2root' VMs have been favoured by the community:

  1. SickOs 1
  2. SickOS 1.2
  3. Kioptrix Level 1
  4. Kioptrix Level 2
  5. Kioptrix2014
  6. KioptrixVM3
  7. pWnOS v2.0
  8. Stapler
  9. Tr0ll
  10. Tr0ll2
  11. Vulnix
  12. VulnOSv2
  13. FristiLeaks 1.3
  14. LordOfTheRoot 1.0.1
  15. mrRobot
  16. pwnlab_init

If you get stuck, you'll have to wait for the write-ups, but older CTFs might give you hints.

Check out ippsec's @ippsec YouTube channel for HTB videos.

Industry Certificates.

These are not essential to learning but are helpful to get that foot in the door.

OSCP (syllabus here) is very popular within the industry and is described on their website as the 'world's first completely hands-on offensive information security certification'. OSCP is roughly $800 / ~£600 and is a self-paced training programme with a final 24-hour exam inside a lab/sandpit environment. You must root enough boxes to pass and then provide a report on how you popped each one. See the note-taking section further down the page. Some more pricing options are below:

  • The cost for this course with 30 days of labs is: $800 USD
  • The cost for this course with 60 days of labs is: $1000 USD
  • The cost for this course with 90 days of labs is: $1150 USD

Some further exam details here:
https://support.offensive-security.com/#!oscp-exam-guide.md
https://support.offensive-security.com/#!pwk-reporting.md
https://www.offensive-security.com/pwk-online/PWK-Example-Report-v1.pdf

Another Offensive Security project is https://kali.training/. They have also just released Kali Revealed 1st Edition - Mastering the Penetration Testing Distribution.

CREST - quite UK driven, but it has grown tremendously over the last few years and has gained a lot of industry recognition. These exams are a mix of multiple choice and hands-on lab exams. Prices range from £200 to £1,600, so be wary of cost here. One of the best aspects is that CREST provide a detailed syllabus for each exam as well as training materials such as recommended books! A popular exam is the CREST CRT - Registered Tester (aka Penetration Tester), which is now obtainable if you pass your OSCP (+ a small fee to CREST), explained here: OSCP and CRT Equivalency.

SANS (Curricula) are another great training provider but are very expensive to start off with. The course instructors are world class in their fields, so you know you are being trained by the best, hence the price tag. You can possibly self-study if you know the right materials for the exam you wish to sit (not normally published) and then go and attempt an exam (~£1000+). If you choose this method you will need to apply, as this is not the normal certification route. SANS is definitely one to consider once you have moved into the infosec area, but be aware of the Cyber Academy and Cyber Retraining programmes they run annually.

Others. CEH is well known and so is CISSP. CEH has lost a bit of credibility over the past few years but can still be useful for entry-level requirements. CISSP is a broad certification covering many topics and is normally seen on the trailing end of management and business leaders' email signatures. You will need 5yrs+ of related security experience and a reference from another certified member before you are eligible to sit the 6hr, 250+ question exam.

Previous Experience in IT.

Not necessarily security, but it helps to have a background in Systems Administration, Networking or Programming. Any of these will give you the fundamentals that underpin any security-related job. Failing this experience, an IT fundamentals course (CompTIA Network+, Security+ etc.) or a university computing degree will help you out here. There are numerous videos on YouTube and places such as PluralSight and Cybrary that can help on the cheap. Understand the basics and then move forward.

Lab Environments.

Best advice.

You must set a lab up or have a PC where you can play around with tools/OSes. This hands-on learning is key to constantly improving your skill set. As discussed above, virtualised environments are heavily used for the lab exams for OSCP and CREST CRT - take note, there is nothing stopping you from creating your own lab of vulnerable machines. Check out metasploit-unleashed to quickly set up Kali and Metasploitable v2.

Another great resource is Project Avatar by @da_667. This 586-page 'Architecting Virtual Machine Labs' guide is very comprehensive and is a great reference tool.

You will see a lot of demos at conferences where speakers spin up VMs to showcase their latest stuff. Do the same with VMware or VirtualBox on your kit at home. Use Microsoft's OneNote (great for screen clipping / diagramming!) / Google Keep / Evernote / CherryTree to document what you're doing, and maybe even convert this into a blog post. Either way, take plenty of notes while you learn, for reference later. This is an underestimated skill. Imagine trying to explain how you exploited a vulnerability, or how you forensically uncovered an intrusion in your environment, hours after you have resolved it or finished the job. Document as you go.

Example of my home IDS project: https://sneakymonkey.net/2016/10/30/raspberrypi-nsm/

Conclusion

Just get stuck in. GO.