“I want to get into Cybersecurity, where do I start?”
With an estimated One Million job openings in Cybersecurity in 2017 and a shortage of talent it is easy to see why so many people are drawn to the field. I myself made the switch from traditional IT to the Cybersecurity field within the last year, and when I started to consider making the switch I had the same questions that most job seekers have today. Where do I start? What are my options? Why does the same job have over 5 different titles? A year later as I am digging myself out of the not so figurative mountain of training material that I am engaged in, I find that now I am the one being asked those very same questions by friends and graduates trying to break into the field. In this article I will attempt to not only answer these questions, but to also provide guidance to those looking to gain entry to the field and grow their career.
Introduction to the Security Field
As anyone who works in security knows, the field itself is extremely broad and we often need to have knowledge of facets outside of our immediate domain. For example, it is helpful for someone running a Vulnerability Management program on their company’s Blue Team to have an understanding of how a Red Team member might exploit a given vulnerability, and the impact that would pose. Red Team and Blue Team are two phrases that you will run into often; what they refer to is Offensive and Defensive Security.
Red Team members, traditionally consisting of Penetration Testers and Security Auditors, are the folks who are hired to break into your company’s network and expose the security flaws that the company has. This is the “Offensive Security” team; the Ethical Hackers. This is the team that tends to draw the media spotlight and that most people gravitate towards because it seems to be the most fun.
Blue Team members, in contrast, are those tasked with the job of Defensive Security. These team members include Security Analysts, Engineers, Forensics Specialists and Incident Handlers. These are the team members that are on the company’s front lines helping to defend it from Cyber Attack and monitor the system logs trying to catch potential intrusions and prevent Malware outbreaks. This is the side of the field that I reside on, for the most part.
How do I choose?
As far as where to start in Cybersecurity, I recommend getting a baseline in the foundational skills as you pursue an entry level position in the area of the field that appeals to you the most. My advice is that you ask yourself which team appeals to you the most, and then narrow down your choice from there. My second piece of advice is not to limit yourself to one particular area, as is often the case you will find yourself wearing multiple hats anyway. For example, after doing countless hours of research on the internet I decided that I wanted to pursue a career as an analyst. But what kind? Malware analyst, network security analyst, incident response analyst, security operations analyst; the list goes on. I decided to start off looking at a security operations center role, as I was familiar with operations teams and enjoy working collaboratively with others in a group.
Foundational Skills and Learning References:
As with anything you want to succeed at in life, mastering the basics is crucial. Before you can become a Professional MMA fighter you first need to learn how to take a proper stance and throw a proper punch. In security, that means gaining a basic understanding of the broad spectrum of security. Do you know what Buffer Overflows, Firewalls, and Host Intrusion Detection Systems are? How about Botnets, Malware, Rootkits, Vulnerabilities, Exploits, and Command and Control Traffic? Encryption, Authentication, and Hashing? How about TCP/IP?
In order to build a strong foundation I always recommend that anyone start off their journey by pursuing the CompTIA Security+ certification, as the study material is basically taken from the CISSP exam and watered down, covering a wide variety of basic security concepts that you will need to have fluency over no matter which career path you pursue. Note that it is also possible to start off with the CISSP Associate level exam, and in most cases this would be more worthwhile than pursuing the Security+ certification; be aware, however, that the test is much more advanced and will require multiple months of dedicated studying. These will help you get past the initial HR resume filter if you don’t have prior experience, or a Bachelor’s Degree in Computer Science or Cybersecurity. Additionally, these certifications meet the Department of Defense Directive 8140 requirement for entry level positions, and are well worth the investment whichever path you take.
It is also helpful to have a background in basic scripting or programming. Even if you are like me and cringe at the thought of having to write code, it is a necessary part of any security professional’s toolkit. The language that you choose doesn’t matter as much as the ability itself, as the syntax of a new language can quickly be picked up. The key point is that you will use it to script repetitive tasks for automation. My recommendation is Python, Perl or Bash. It will also help to have a basic understanding of Unix/Linux and command line interfaces.
- CompTIA Security+ Study Material:
- Scripting:
Red Team Jobs and Learning References:
I’ve put together my own explanation of what each field entails, and a few low cost references that will aid you on your journey into the specialization. I encourage you to research the fields that interest you further in order to construct a fuller picture. The job of an Offensive Security Team Member often entails many different aspects of hacking: traditional computers, IoT Devices, Mobile Devices, Web Applications, etc. While there are many branches to this Team, the core skills lie in traditional Penetration Testing and Web Application Hacking, and as an entry level tester that is where you (in my opinion; others may take a different stance) should focus your learning efforts.
Additionally, once you have a good foundation in the field I highly encourage you to take the Offensive Security Certified Practitioner (OSCP) course from the company “Offensive Security” and take the certification. It totals around $1,000 and is hands on and challenging, but it is considered a Gold Standard in Penetration Testing and is arguably the best course out there to learn Penetration Testing. The reason that I encourage you to build up a solid foundation before pursuing this course is to make your life easier. I know a few people who started off in Penetration Testing by taking the OSCP course and succeeded, though these people already had multiple years of experience in a different branch of security. I myself intend to take this course and certification in the near future, even though I reside on the Blue Team.
- Penetration Tester / Ethical Hacker:
These are security consultants that are hired to break into and exploit networks and systems. Additionally, these are the professionals that are hired in the Government sector for Cyber Warfare and Intelligence. Also, hoodies are mandatory.
- Web Application Hacker / Penetration Tester:
(Often overlaps with the traditional Pen Tester.) These are the security consultants that are hired to find bugs and flaws in web applications, or that are part of a Pen Test team which uses Web Applications as an avenue for getting system level access on a server.
Blue Team Jobs and Learning References:
What is the difference between an Analyst and an Engineer? To put it simply, an engineer will build out, deploy, and support the infrastructure that will help support the company and keep the users and data safe. An Analyst on the other hand will monitor the network and endpoint logs, and use tools in order to analyze data and correlate threats. Per the SANS motto “Know Abnormal…Find Evil!”
Note that any of the below jobs can pop up as “IT Security xxx”, “Cybersecurity xxx”, “Security xxx”, “Security Operations xxx” or some other strange variation. This is in large part due to a lack of standards in the industry. Because of the large variation in job titles, I’ve tried to group the core aspects of Defensive Security into a few fields. I’ve put together my own explanation of what each field entails, and a few low cost references that will aid you on your journey into the specialization. I encourage you to research the fields that interest you further in order to construct a fuller picture.
- Network Security / Threat Analyst:
Reviews logs and network traffic in order to correlate data into potential threats. Uses IOCs from known threats in order to discover whether they exist in the network or not. Monitors the security tools and runs vulnerability remediation.
- Forensics / Incident Response:
First responders in the event of a breach. These are the teams that will take forensic images of compromised hosts, review the threat vector used (Malware, PowerShell, etc.) and construct a timeline.
- Malware Analyst:
Analyzes Malware and suspected Malware found on the network in order to determine Indicators of Compromise (IOCs).
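To make the scripting recommendation above concrete, and to show the kind of task the Network Security / Threat Analyst description refers to (checking whether IOCs from a threat report exist in your logs), here is a small Python IOC sweep. It is an added example written for this article, not code from the original post; the IOC values, the log lines and the log format are all constructed for illustration, and a real analyst would feed it IOCs from an actual threat-intelligence report and logs exported from the company’s proxy, DNS and antivirus tools.

```python
"""Toy IOC sweep: check log lines against a small list of indicators.

Added example for illustration only. Every IOC value and every log line
below is constructed; the IPs and domains use reserved documentation
ranges and names and do not point at anything real.
"""
import re
from collections import defaultdict

# Constructed IOC list, in the shape an analyst might receive from a
# threat-intelligence feed: one set of values per indicator type.
IOCS = {
    "ip": {"198.51.100.23", "203.0.113.77"},
    "domain": {"update-check.example", "cdn-assets.example"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Observable extractors. They are deliberately simple: an analyst's
# first script usually is, and false positives are filtered by the
# set intersection against the IOC list, not by the regex.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def extract_observables(line):
    """Pull IPs, domains and SHA-256 hashes out of one log line.

    Domains and hashes are lower-cased so that case differences between
    the feed and the log source do not hide a match.
    """
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }


def sweep(lines, iocs=IOCS):
    """Return a list of (line_number, ioc_type, value) for every IOC hit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        observed = extract_observables(line)
        for kind, values in observed.items():
            for value in sorted(values & iocs.get(kind, set())):
                hits.append((line_no, kind, value))
    return hits


def summarize(hits):
    """Group hits by indicator -> list of line numbers, for triage."""
    by_indicator = defaultdict(list)
    for line_no, kind, value in hits:
        by_indicator[(kind, value)].append(line_no)
    return dict(by_indicator)


# Constructed sample log lines (proxy, proxy, antivirus, DNS). Line 2 is
# benign and should produce no hit; the antivirus line has the hash in
# upper case on purpose.
SAMPLE_LOGS = [
    "2017-05-02T10:01:12Z proxy src=10.0.0.15 dst=198.51.100.23 host=update-check.example url=/u.php status=200",
    "2017-05-02T10:01:15Z proxy src=10.0.0.16 dst=93.184.216.34 host=www.example.com url=/ status=200",
    "2017-05-02T10:02:03Z av host=WS-0042 file=C:\\Users\\j\\x.exe sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 action=quarantine",
    "2017-05-02T10:03:44Z dns client=10.0.0.15 query=cdn-assets.example answer=203.0.113.77",
]


def run_sample():
    """Sweep the constructed logs and return the grouped result."""
    return summarize(sweep(SAMPLE_LOGS))


if __name__ == "__main__":
    for (kind, value), line_numbers in run_sample().items():
        print(f"{kind:7} {value}  seen on lines {line_numbers}")
```

Run as a script it prints each matched indicator with the log lines it appeared on; in practice you would replace `SAMPLE_LOGS` with the lines read from an exported log file and `IOCS` with the indicators from the report you are checking against. Two design points carry over to real scripts: normalize case before comparing (the antivirus line above would otherwise miss), and match against a set rather than scanning the whole line for each IOC, which is what keeps the sweep fast once the IOC list reaches thousands of entries.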
Is there overlap?
Of course! Most organizations, especially in a Security program’s early stages, will have their employees wearing multiple hats. And that’s a good thing. The more you do the more exposure you get, and the less likely you are to become burned out. For example, I work in all categories of the Blue Team, and I get to do some Red Team work on the side.
How do I stay up to date?
Staying up to date in the field is often the most overlooked aspect, for most career fields in general. In this field you need to stay up to date not only with additional training, but with additional tools as well. As a Blue Team member you need to be familiar with all tools at your disposal, and all tools that you would be interested in purchasing or using in the future, including but not limited to email gateways, antivirus, next-gen antivirus, application whitelisting tools, vulnerability scanners, firewalls, threat intelligence aggregation systems, and honeypots. As a Red Team member, you need to be familiar with these tools as well, in order to figure out how to bypass them. Below I’ve listed a few blogs and podcasts that I follow. In addition I recommend following the leading specialists for your chosen field on Twitter.