Tuesday, April 27, 2021

Getting into Cybersecurity

A common question hackers or security professionals get asked by others is "how do I learn how to hack" or "how do I get into cyber security". It's a complicated question because everyone has different skills, expectations, goals, motivations, and the field has more than one "right answer". 

I was asked that again recently by a young man who is studying computer science and interested in cryptography and protocols so I gave him a more low-level, technically focused answer. But there are many paths into the field and not everyone does 0-day exploits or zero-trust systems! Hopefully this list is useful to those looking for resources and how to get into the field though.

One thing I'd share for a more general audience, is the number of support groups that exist to help different communities. There are 35+ initiatives to assist women entering the field. Ten organizations centered around diversity in cybersecurity. Teaching kids to code. Resources to train veterans in cybersecurity

My email is below:

It's hard to provide useful advice without context of what you're looking for in security. Given you're a CS major who likes crypto and protocol design, I'll focus my advice on the technical aspect of security (which was my focus.) But many choose to focus on the IT/Devops side, training, analyst, infrastructure, development, etc. I liked the hacking/crypto/reverse engineering/exploit/research portions, and my advice below will be slanted that way:

I'd encourage you to learn as much low level stuff as you can (assembly, exploits, reverse engineering (tools like IDA Pro, Ghidra, and my personal favorite, Binary Ninja), protocol analysis, fuzzing, memory analysis/forensics, etc.) The more of that you know the better equipped you will be to tackle the hardest/most valuable problems in cyber security (and the more interesting/fun/lucrative it is IMHO!) 
For news, I used to get the SANS Newsbites email which was solid. There's a great Twitter account/email I get now called TLDR Security which is mostly focused around vulnerability research and application/cloud security but includes lots of other good content and is well written. There are a number of lists on Twitter for security too by category. (Infosec, appsec, pentesting, etc.) Personally I just started following some people I knew and leaders in the field and seeing who they shared/followed and built it from there. Had to prune (still do) as some of them are jerks or just rant about politics or whatever, but some great ones out there too. Here's a decent starter list, but I'd add a ton (@DinoDaiZovi, @HalvarFlake, @DaveAitel, me (@jsyversen), @ErrataRob, etc.) There are Slack groups set up around particular topics you want to learn about... for example, if you are getting into reverse engineering and using Binary Ninja, they have an excellent Slack that's very active and informational.

Capture the Flag competitions (CTFs) are a great way to learn the offensive/defensive side of the domain, there are a ton of online/virtual ones as well as ones in person you can attend. And of course Blackhat and other conferences (there's probably over a thousand at this point) are good places to learn and meet others in the field. This site claims to offer a spreadsheet listing them, there's 51 listed here.

There are tons of reverse engineering challenges online too. Here's a great site that has puzzles around reverse engineering to solve that you can download and try out, they get progressively harder.

This is a helpful site with information on how to get started in hacking (mindset, resources, places to go, networking, etc.)

This wasn't around when I was learning, but now you can watch Youtube channels or Twitch streams from people talking about hacking:  (Twitch stream example)

Here's a random list of resources on red teaming, lots of good stuff in there.

There's even an entire genre of people now developing games to help teach cybersecurity concepts. 6 games here, 10 games here, and Immersive Labs, but there are many others out there and more coming. My personal favorite is Pwnie Island, which is an FPS you can only beat by learning how to hack the game itself to beat certain challenges that are otherwise unbeatable.

Once you get decent at it, you can start focusing your energy around legally hacking certain products, submitting the bugs you find, and getting paid! Some people make $50-100k+ doing this as a side fun project. Sites that enable you to do that include Hackerone and there's a full list of bug bounty programs from BugCrowd too.

Forbes Global CyberSecurity Spend
Hope this is helpful, let me know if you have other, specific questions. As you get further along I can definitely point you toward more resources as you dig deeper.
There are tons of jobs out there for sharp people who are motivated, they estimate there are supposedly 3.5 million unfilled cybersecurity jobs in 2021 and the field has been growing and is expected to continue doing so for quite a while as shown in the graphic. 
Good luck!

[Edit] I posted this and asked for some feedback. Got some good suggestions I wanted to include below. First, here's another person's approach to answering this same question with more effort spent on the "getting a job" portion. He seems to have more of an IT/sysadmin perspective versus my path/interest (more of the hacker/0-day researcher side) but honestly that's probably more useful for more people. 

Along that line, David Brumley suggested describing ways to engage the community. While this is helpful for building up your reputation/network, you also learn a lot by just doing and helping teach others. Possible ways to get involved range from volunteering to help at a security conference (there are tons and virtually all of them don't make money for the organizers), helping contribute to organizing a CTF, releasing tools you write open source or helping improve other people's tools, mentoring younger people who are earlier in their journey than you are (particularly people from disadvantaged backgrounds!), finding meetups in your area, etc. I'm sure there are tons of other ways!

Erik Cabetas is a big fan of Over The Wire games, as they offer a ton of free online games to teach tools and hacking techniques. He also pointed out there are huge communities of people interested in security on Reddit you can connect to. 

Clint Gibler from TLDR Security (an excellent newsletter you should totally get) had some great career tips in his last one that I thought I'd include below as well:

How To Start Bug Bounty For Beginners
A number of talks and resources by @securibee.

How to land your first job as a bootcamp grad
By Netflix Senior Engineer Scott Moss.

How I Would Get My First Cybersecurity Job If I Had Zero Experience Or Education!
By Cybersecurity Meg.

Remote Hunt
Find remote jobs.

By Tad Whitaker: A deduplicated list of questions asked during security engineer interviews based on Glassdoor.com, covering: encryption and authentication, networking and logging, OWASP Top 10 and AppSec, databases, tools and games, programming and code, and compliance.