I regularly get asked the best path toward a job in infosec, specifically in pentesting or security-assessment type work. What follows is a collection of my personal thoughts on the topic.
Caveats of this advice:
This is being written in mid-2019, and may be less relevant as time ticks on and things change - part of the reason I wrote it is because a lot of advice on the internet is stuck in a previous decade.
Whilst hopefully this is written generally enough for most folks, it’s strongly biased toward English-speaking developed nations, since my personal experience comes from living in Australia, New Zealand, the UK and the US.
I’m hoping you want to do better than just get any old job at any old shop that’ll throw you on some tools and churn out high volumes of reports full of CVSS ratings without fundamentally understanding the nature of the vulnerabilities. This advice is all aimed at that: getting a position at a fairly reputable firm where you’ll be happy digging a little deeper and trying to have a positive impact.
Further, I’ve spent nearly a decade in consulting, so this may be a little tailored toward consulting pentesting as opposed to internal teams. Further still, I’m more biased toward AppSec than network penetration testing.
I’ve broken it down into the technical and the non-technical skills, each of which matters a fair amount to your path forward.
The technical skills
A difficult balance in such an exciting field is deciding what to focus deeply on, and which areas you should have only a broad knowledge of. In my personal opinion, you’re better off picking one of the major fields of pentesting such as WebApp security or Network/Infrastructure security and working tirelessly to prove yourself in that domain, before you delve into a second area.
The most important message of this whole post: You need to aim to have actual real-world experience exploiting these things and understanding how and why they work. Being able to recite a high-level understanding of these things is insufficient. No security company will hire you because you can explain CSRF at a high level; they will hire you because you can find it in a previously unseen application, exploit it, write a proof-of-concept, and thoroughly explain it to stakeholders.
WebApp hacking: the golden goose
- The Web Application Hacker’s Handbook is pretty outdated these days, but still a solid introduction to web application security
- JP Aumasson’s Serious Cryptography
- OWASP Juice Shop
- The Art of Software Security Assessment. The bible on appsec. Largely C-focused, but there’s a ton to learn from this book. It’s huge, take your time.
Things you should know:
- SQLi: understand the theory and how to actually pop boxes using SQLi.
- Mass assignment
- CSRF: how to exploit it, how to defend against the attack
- Command injection
- Server-side request forgery (SSRF). Why is this fun in cloud environments?
- Path traversal
- File includes
- Logic flaws/IDOR
- Generally how HTTP works
- CORS abuse
- JSONP hijacking
- High-level understanding of TLS: cipher suites, protocol versions, and how the pieces fit together overall
- How to read code for a lot of common languages and at least make a guess as to what it does
Infrastructure and netpens
- Exploitable VMs
- Nmapping the internet
- Set up a Windows + Linux network, attack the DC
Things to know:
- How to do practical discovery/scanning using Nmap
- TCP/IP fundamentals
- Metasploit basics
- Understanding AD, accounts, permissions, hashes
- Practical AD: enumeration
- Responder, mimikatz, hash replaying, and tools that scale this style of attack up
- Service identification and enumeration
- Password cracking: wordlists, tools, rainbow tables
- SSH techniques like port forwarding
- Service credential brute-forcing
- How to shell a vulnerable web application
Other necessary skills
- Learn to code eventually. Python or Go would be my first choices, but choose whatever you enjoy coding in.
- Learn git and pick a favourite text editor; vim is a solid choice.
The non-technical aspects
Certifications are valuable for two things: demonstrating a basic competence to an HR department (or an eventual client), and forcing you to focus on and learn a given skillset. I don’t think certifications are essential at all, and they generally offer marginal value for the time and cost put in. Furthermore, people do begin to rest on their certification as proof of competence, which is generally toxic.
The question you have to ask yourself is whether the time and money you’re putting in is going to reap rewards, and from my experience it generally won’t. Most certifications teach fairly outdated information, given that courses and tests take time to create and are often behind the times before they’re even published.
If you’re finding that you want a certification because jobs seem to require it, I’d question why that organization wants to see one. If your hiring manager needs it because they can’t distinguish between a great candidate and a dud, that’s the team you’re going to be working with.
If you must get a cert, I believe the OSCP is probably the most technically rigorous and valuable. But if you’re wanting real-world skills, you’re better off setting up a Windows domain in Azure and reading every blog you can on how to attack AD, in my opinion.
Meetups, Conferences, Twitter, Chat
Community is as big a part of the hacker world as it is of the grown-up infosec and penetration testing world.
You should probably:
- Go along to local meetups or groups
- Try to attend good quality conferences.
- Ask people questions at meetups and conferences; most folks are happy to be considered enough of an “expert” that you’re asking them.
- Get a Twitter account and follow people who post interesting things, share things you learn or find interesting, and chat with folks.
- See if there are any worthwhile Slack or IRC channels you should join. Ask around, google for good Freenode channels.
You probably shouldn’t:
- Worry too much if conferences aren’t your scene, or particular cons aren’t. It’s not going to make or break your career.
- Try to fit in too much. You don’t have to wear black. You don’t have to drink excessively or at all. You don’t have to do anything you’re not comfortable with.
- Try to be a high-profile Twitter thoughtlord. I don’t care that someone has 8500 followers on Twitter; that’s not a hirable quality. You want to know how to become a great hacker with Twitter? Log out and go hack something.
Do bug bounties. Do CTFs
Companies want to hire you to do one thing: hack stuff. The best way to show you’re a good fit for the job, then, is to show you’ve hacked stuff. Good quality bug bounty findings and write-ups from CTFs show you can actually do the thing you’re hoping to be paid to do. Furthermore, they show you’re actually interested in this field beyond just wanting a paid job; people who have some kind of passion for this industry are more likely to survive and thrive in an environment of constantly changing learning.
Web bug bounties are the best demonstration that you have real-world competency to hack web stuff. CTFs show deep skills and interest in whatever type of CTF you choose to do: they may not be as directly transferable, but they will not hurt.
CV Writing tips
A CV should be one page unless you have an extraordinary amount of very relevant experience, in which case you should consider distilling it down; I’ve never seen a CV which has more than one page of relevant points.
Try not to list tools: this shows you know what the tools are and possibly even how to use them, but nobody hires a builder whose experience is listed as “hammers, nails, circular saws”. List things you have done, and things you can do.
Be careful listing languages you “know”. If you studied Java for two semesters at college/university, you don’t know it - you have exposure to it. Likewise, you probably shouldn’t list 9 languages. Highly experienced developers will rarely state they’re really solid in that many languages. But maybe you are that good?
Well done, you made it this far! We’re hiring, send me a DM on Twitter.