I Want to Be a Hacker...

by Ricki Burke

As an InfoSec recruiter, I speak with many people in the industry and made a good connection in Dawid Balut, an experienced security professional who set up his own boutique security consultancy company called InfoSec Remedy.

After successfully working as an internal security professional (security engineer up to principal security architect/executive board advisor), and now as a professional freelance penetration tester, he gets to work with his battle-proven friends and deliver outstanding quality pen-testing and security consultancy services.  As LinkedIn connections, we often share info and give advice to those asking for it, particularly those looking to get into the industry.  We have a passion for helping, so we decided to collaborate on an article to help those looking to become professional pen-testers/security researchers/security engineers.

As a recruiter, I speak to the full spectrum of industry from CISO level across to the next generation of security professionals.  Unfortunately, I have limited capabilities in helping those looking to get into the security industry.  Sometimes the best I can do is provide advice.  One of the most sought after roles is being an ethical hacker or penetration tester.  For those wanting to get a great job like this, it's probably one of the easiest.  Why?  Because you can upskill yourself without having an employer.

The problem I see too often is there is a difference between wanting something and being able to offer something to an employer.  When you can offer something special, that's when organizations are interested.

We want to offer a list of activities for those looking for jobs in IT security:

1.)  There are plenty of ways to learn and develop your skills in InfoSec, like books, blogs or online services like Coursera, Cybrary, SecurityTube, or free computer science lectures published by universities like MIT.

2.)  You should learn how real-life software engineering happens by putting your hands on code and learning some stuff from the DevOps world.

3.)  It makes sense to become an IT/security generalist and then go deep into a particular subject of interest, so you have a big-picture POV during a security engagement.  Otherwise, if your knowledge is too narrow, you may end up missing critical issues because you were incapable of seeing the whole picture.

4.)  Contribute to open-source projects or volunteer to be an intern in start-ups like Peerlyst, where you're not required to produce quality content; you just moderate existing content and do general housekeeping.  It'll get you business exposure and you'll learn lots along the way by reading the content you're supposed to redact.

5.)  Consume resources coming from OWASP and PTES, but don't jump directly into technical details.  Read the prefaces, description of business objectives, and guides on how to be an ethical hacker.  SANS and NIST/cyber are your friends here as well.

6.)  Consume CIS Benchmarks, DISA STIGs, etc. to learn how systems hardening happens.

7.)  Put your hands on resources explaining compliances like ISO 27001, SOC 2, PCI DSS, etc., not necessarily to become an expert auditor, but to know why and how businesses need and follow compliances.

8.)  If you want to show off your knowledge or just have fun, responsibly participate in bug bounties through platforms like HackerOne or Bugcrowd.

9.)  Learn from other bug bounty reports and apply the knowledge.  Where hacking is concerned, this is actually the thing you're going to be doing almost all the time - gathering and applying the knowledge of people who were there before.  "Standing on the shoulders of InfoSec giants," as I call it.

10.)  Don't ruin your reputation by reckless reports or public disclosure which puts users at risk.

11.)  Participate in CTF contests to make your brain more creative, to network with great people, and to get exposed to new technologies.

12.)  You may go for a degree or just learn how to discipline yourself and set your own education path.  These days, a degree requirement is getting less and less common, so you'll be fine if you decide not to follow the university path.

13.)  Go and get your OSCP certification - that's the most commonly asked-for certificate in a pentest role, then look at CREST and OSCE when you're more experienced.  Certs don't tell you the exact skill level, but the ones mentioned will make you stand out from the crowd and give you more options.

14.)  Don't shy away from publishing vulnerability research and CVE submissions.

15.)  Writing articles for other well-known websites can be useful as well.  Choose wisely, as not all websites have the same good reputation.  For example, submit a PDF of your work (if applicable/relevant) to Exploit Database, Packet Storm Security, etc.  If your paper is of a highly scientific nature, you can try arXiv.org instead.

16.)  Have a security blog that you can regularly post your work on, and try to get your work featured elsewhere so you gain more attention.  Be reasonable, however, and don't spam people with low-quality content.  On your blog you can post anything, but when submitting something to a bigger outlet, ensure you're giving value.

17.)  Publish on your website even if you don't feel like your research is remarkable enough.  Even if you've been in the industry for only one month, there are people who are just starting and who can benefit from your one month's experience.  And if you feel like you're not good enough, it can actually be a good sign, because as the great H.D. Moore's saying goes, "If you're not feeling like a noob, you're not trying hard enough."

18.)  Do you have a GitHub account?  If not, get one so you can showcase your development code.

19.)  Try developing your own security tools.  Even if something has already been created, just do it for the sake of the learning experience.  If you have no clue what tool you should write, pick any existing one and try to write the same yourself.

20.)  Find mentors and get inspired by many.  Not having one can make you cluelessly drift through time without improving on the things you personally should.  But sticking to only one role model can be just as dangerous.  Each one of us has different strengths and weaknesses - be aware that a mentor who is religious about a narrow subset of skills may ruin the career of a newbie who's totally into different subjects and could end up crushing his/her learning.

21.)  Find people who are what you want to become and do what they've done/do.  Follow their path, even if you're not given a chance to have them as your explicit mentors.

22.)  Go to conferences if possible and interact with the pen-test vendors.  Some conferences offer "sponsorships," i.e., free tickets for students over 18.  Don't be afraid to ask if vendors are hiring, and also what they're hiring for (i.e., are they pen-testing and, if so, graduates/juniors with a passion for pen-testing?).

23.)  Present at security conferences, and also be aware of the importance of small and free conferences/meetups because, in your early days, this is the audience to which you can contribute and bring value.  If you're in the field for a few months and just learned how to do basic SQL injection, you won't get accepted to present it at DEFCON and the like.  Go to meetups organized for programmers/QA and engineers/DevOps and show them how to create secure products and do basic security testing.

24.)  Submit interesting proposals to conference Calls For Papers (CFPs).  If you get accepted, do your best to make an interesting demo, including a slide deck (without too much information on the slides - no walls of text) and a lot of preparation.  Do a test run of your presentation with colleagues/co-students or friends with the same interest in ethical hacking.  Presenting at a decent conference is a good way to get noticed.

25.)  Submit an interesting "CFT" ("Call For Tools" - this is not an official term as far as I know) to conferences like Black Hat.  Make sure you do a kick-ass demo and that when you present you are friendly, engaged in your topic and community, etc. as Black Hat Arsenal is highly "crowd interactive" and, as such, the presentation style is different if you want to be "interesting" to your viewers/participants.

26.)  Social skills for the win.  To be effective, you need to know how to work with people, so read some good leadership books to learn how to utilize empathy in your career.

27.)  Gain some business knowledge so employers see you as someone who knows that business is there to make money, not so you can have fun.  Reading business books will be helpful here.

28.)  Focus on the value you can bring, lower your expectations, and know your limitations.  It's better to get a low-paid job which allows you to put food on the table, learn, and get promoted after six months instead of waiting a few years for that great and ideal opportunity.  Micro-speed, macro-patience.  Hustle to learn as much as possible, but don't overestimate the results you can achieve in a given time frame.

29.)  And most important of all - do what you're passionate about and you'll be good at it.  Do what makes you tick, because the stuff which fires up each of us differs a lot, and you should carve out your own path.

The common denominator of all of these examples is that you need to demonstrate your passion, not just talk about it.

At the end of the day, you're in the business to help it make/save money and no one cares if you just talk about "how you're gonna do it."  Just do it, and let results speak for themselves.

The truth is that with demand in our industry so high, it's getting easier and easier to find a job - as long as you're honest with yourself and others that you're dedicated to the field.

In case you just want to find a 9-to-5 job, you're probably better off finding a different career path and, maybe after a few years, switching to the security field once you've gained general knowledge in another discipline.  Then you can learn some security, apply it to your previous knowledge, and be just fine with 9-to-5 duty.  However, if you want to jump into deep waters, make sure you understand the costs and the price you'll need to pay to be good at what you do.

Given all of the above, there is no excuse for saying that you can't find good resources to learn security.  I don't want to be harsh, but if you failed to do solid research and Google stuff, then maybe it's not the right profession for you.  Most of the day-to-day work requires lots of research, and if you failed at researching a well-discussed subject like "starting in InfoSec," it's a sign you're not diligent enough and you'll have a hard time finding complex solutions hidden deep in the web.

Doing the research on your own is one of the most important things in InfoSec and if you still ask a question like "OSCP vs. CEH?" or "How do I get into pen-testing?", you're doing it wrong.

I couldn't write an article about breaking into the pen-testing field without sharing a terrific article from the Corelan Team: www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester and quoting this to close:

"Being a pentester does not mean being good at using tools either.  It's about being able to understand how things work, how things are configured, what mistakes people make, and how to find those weaknesses by being creative.  Being a pentester is not about launching Metasploit against the Internet."

Amen.  We need creative artists who will help organizations secure their business and users.  Our industry doesn't need more reckless tools operators.

The InfoSec industry is an exciting one and, if you can prove your willingness to learn and demonstrate passion, you could have a great career ahead.
