Breaking into InfoSec

4chib4ld Member Posts: 25
Good Morning,

As somebody who recently passed the Sec+, I've been extremely interested in getting my foot into InfoSec. Work is having us do a proprietary certification, but as soon as it is complete... I'll be back on the security route.

I found what I believe to be a great article that I think can help others who are trying to make their way into InfoSec.

Apologies if this has already been posted. Hope it helps some other aspiring security fiends!

Source: https://s3ctur.wordpress.com/2017/06/19/breaking-into-infosec-a-beginners-curriculum/

___________________
While perusing /r/netsecstudents, it seems that every other day there is a thread asking for advice on how to break into the InfoSec world, and where to start studying. As helpful as the responses are, they tend to vary widely and are dependent on who can be bothered replying with the same answer each and every time.
Currently, I’m a Senior Security Consultant for a small spear head team in a global corporation. We perform red teaming, phishing training, pentests, breach assessments, and baseline security assessments. I come from a healthcare IT and applications background, and teach people how to go fast on motorbikes on the side.
As such, I thought I’d post up a rough guide for beginning your adventures should you be a newbie looking to move into information security (primarily pentesting, bounty hunting, and red teaming). This is by no means comprehensive, and is simply based off my own experiences. It’s also incredibly video heavy, so that’s something I guess.
Everything you do will be based off networking fundamentals and as much as it sucks, the old adage of “You have to walk before you can run” really does apply.
Feel free to jump around the list. If something is draining your soul, move on and come back. Seriously, until you get to the OSCP stage in this list, it can be crushingly boring, and if your mind starts to wander, you will begin glazing over and miss something pretty important.
The greatest lesson you can take from dealing with the fundamentals is developing patience, and learning to manage frustration. If you cannot learn to control apocalyptic levels of frustration, then it’s probably not advisable to read any further; because this whole industry feeds on frustration. It’s basically a kink.
*Word of caution: Be aware that a large majority of people who move into this industry come with at least 5 years experience in other IT fields, often more; and without being a downer, you’ll probably never out-dance an ex dev. Those dudes turn into raid bosses.
While there are plenty of young guns straight out of uni and some naturally talented freaks in their teens doing this, it is an industry that heavily benefits those with career and life experience. It requires a constant desire to learn, and significant mental fortitude.

Networking Fundamentals:
  • CompTIA Network+ Playlist (see updated list here)
    • 189 videos taking you from an absolute beginner to competent in networking.
    • Set the videos to speed x1.25 or x1.5 to save yourself a lot of time and boredom.
    • Take notes to reference in the future (seriously, do it)
  • CompTIA A+ Playlist
    • 77 videos
    • Feel free to skip to video 47.
    • This is really aimed at younger guys out of uni. If you’ve got any networking background, you can skip it.
Active Directory
This should give you an understanding of how AD works.
  • Introduction to AD infrastructure in Windows Server 2012
  • Installing AD, DNS, and DHCP to Create a Windows Server 2012 Domain Controller
  • Adding Windows Computers to a Windows Server 2012 Domain
Linux Essentials Playlist
An understanding of Linux, and comfort using it is a must. Install a VM or dual boot it; using it every day is the quickest way to learn. It’s pretty alien if all you’ve known is Windows, but boy is it beautifully efficient and simple once you understand it.

Windows SysAdmin Essentials (suggested by LonerVamp)
This is a Lynda course which requires a membership, or you can try it for free. Well worth investing a month's sub to go through it.
This course focuses on Server 2012, though it’d be worth browsing other material.
Server 2008 is a common find in the real world, and unfortunately 2003 is all too common as well, so try to become familiar with them all. Server environments are different beasts to everyday desktops.

Additionally, the Microsoft Video Courses ‘Windows Server Administration’ series are extremely well done, and you feel like you’re watching a sports show.
Security Fundamentals:
  • CompTIA Security+ Playlists
  • CISSP Playlist (For those completely new to security)
  • Computerphile Channel
    • Watch everything from Tom Scott and Dr Mike Pound. They give extremely user friendly explanations of common security concepts.
    • Tom’s SQL Injection Explanation
    • Mike’s SQL Injection Practical Example
Courses:

At this stage, you would be more than comfortable beginning your OSCP (Offensive Security Certified Professional) adventures. If you’re not feeling it, jump down to VulnHub and HackTheBox to get a bit more ready for free.
The OSCP is one of, if not the best certifications out there, and is a birth by fire approach. You will receive detailed course material, and VPN access to a virtual lab filled with machines you can learn to hack.
Lab access is from 15 to 90 days, with the ability to extend as much as you want so long as you have the dosh.
At the end is a 24 hour exam.

The OSCP is run by Offensive Security and worth every penny.
In the event you cannot afford to sign up for the OSCP yet, or you just want more stuff, then see below for a DIY approach. Oh, and download Kali Linux here.
Cybrary Courses
Cybrary is a wonderful platform filled with a plethora of courses for the aspiring <insert role>. It’s free, and you can get little certification pictures to put on your LinkedIn. Neat.
  • Ethical Hacking and Penetration Testing with Kali Linux Certification Training Course
  • Web Application Penetration Testing Course
Pentester Academy offers detailed video courses for an affordable subscription fee.
If you have not done the OSCP course work, then I’d recommend completing at a minimum:
  • Pentesting with Metasploit Link
  • Network Pentesting Link
  • Web Application Pentesting Link
  • Python for Pentesters Link
  • Exploiting Simple Buffer Overflows on Win32 Link
Hacksplaining is a free to use site with expertly crafted mini courses on all the fundamentals of web application hacking. You can chew through the whole site in an afternoon, and it will greatly improve your understanding of website attack concepts.
PentesterLab is another site with short self contained lessons, both free, and subscription based. There are badges to complete, which can also be displayed on your LinkedIn.
HackTheBox is a free to use virtual lab where you can practice your hacking skills. The only caveat is you have to hack your own invite code. It’s very reminiscent of the OSCP labs, though you get points for boxes and level up etc.
Be aware that the boxes are hosted in Germany, so you may experience some hefty delays which can cause issues with shell stability and exploits firing. If you suffer this, then look into standing up a Kali box on Digital Ocean or something similar, where it’s based in Frankfurt. Then ssh into your new Kali and VPN to the lab from there.

Practical Pentest Labs is another virtual lab environment to practice hacking. I have not personally played in here yet, but I’ve heard good things so far.
Coding
A lot of people ask what is a good first language to learn, and without a doubt, one of the most handy to have in security is Python.
Practice Python takes you from a complete and utter novice to a hardcore Python programmer. Seriously, I suck at coding and always have. This site was the FIRST thing that has ever got me to understand a programming language, and I can even write baby scripts to do things I’m too lazy to do now. I cannot recommend this site highly enough.

PHP is another must have language as it is extremely common when dealing with web content.
VulnHub is a user driven site filled with virtual machines to try and hack. You download them and host them yourself, then battle away. They range from easy to bananas. Check out beginner ones first and definitely look up Metasploitable.
Books
If you enjoy reading or want to start building your collection, then a good start is anything from the list below. Obviously there’s a tremendous (DT) amount of books to recommend, but I can’t remember them all so here’s a few.
  • RTFM – Red Team Field Manual
  • BTFM – Blue Team Field Manual
  • Violent Python
  • Nmap Network Scanning (only for those who chew through books like candy)
  • The Hacker Playbook 2
  • Basic Security Testing with Kali Linux 2
  • Intermediate Security Testing with Kali Linux 2
Podcasts
To play on the train or in your car.
Continued Learning
  • SecurityTube Site
    • It’s YouTube. For security. A never-ending pit of stuff to watch.
I’ll make edits as I receive feedback and think of other things, so check back periodically.

Comments

  • LonerVamp Member Posts: 518
    Grats on Sec+ and good luck moving forward! Just to add a few cents to this excellent post:

    1. I'm not as enamored as others on the RTFM and BTFM books. Personally, I would invert the order as presented, and add near the middle: The Practice of System and Network Administration (Limoncelli). Those two aforementioned books are great references, but they don't teach very well.

    2. Look for more podcasts than just the two mentioned. I love the format of podcasts, since you can be doing something else with your hands and eyes, but yet still listen to some quality content. Most everything else for learning requires more attention.

    3. I suggest getting on a monthly subscription to a general IT (or security) course site. Learning most anything in security means learning general IT as well.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • PC509 Member Posts: 804
    For a good podcast - https://isc.sans.edu/podcast.html. I listen to this daily. I'm a fan, I think I need a SANS ISC T-shirt.
  • scyruck Member Posts: 2
    Following breaking infosec news and trends across twitter and sites helps too.
  • scyruck Member Posts: 2
    techwagyu.com is good for news
  • bigdogz Member Posts: 881
    Congrats on passing the Sec+.
    It does take some time to get the experience and knowledge to be good in infosec. YMMV depending on the work you do on a daily basis and the projects you complete at work and labbing.
  • srothman Member Posts: 82
    I've been wondering about this as well, as someone who doesn't come from a strictly InfoSec background. Granted, I have a lot of experience in BCDR and compliance, but that's just one small part of the overall.

    As it's been stated many times over, the very breadth of the field makes it impossible (practically) to do "InfoSec", and you will likely need to hone in on the areas within the field that interest you (I'm still figuring that part out). Being a principal cloud solutions architect, I will likely end up in the cloud security space, and likely more advisory than technical. I've been wondering if I'm perhaps getting a bit wise (read old) to start getting into the nuts and bolts at my age.

    To this point, I've actually thought of starting a thread where people can contribute and share some of what their daily/weekly/monthly routine looks like to give others starting out an idea of what to expect in the real world outside of what they see on the TV.
  • baghdaddy19 Member Posts: 51
    This is amazing op! A great road map.

    Although a few things need to be updated, like the playlist for A+ and Linux Essentials. But all in all it's very solid advice for people who have no idea how to get started.

    Definitely keep up with cyber sec news, I recommend Krebs on Security.
    2020 Certification Goals
    CompTIA: A+, Net+, Sec+, Cloud Essentials, and Project +
    LPI: Linux Essentials
    AXELOS: ITIL v3
    SANS GAIC: GSEC, GCIH, and GCED