October was Cyber Security Awareness month, and as a follow-up, I thought it would be good to talk about careers in Information (or Cyber) Security.
I have often been asked about the best way of getting into the industry, and it always ends up with many hours of conversation accompanied by many coffees (or beers, depending on the time of day). This is a subject very close to me. I have taken the long path to be able to work in an area that I’m passionate about, and I wouldn’t change the journey for anything.
Cyber security is a challenging yet rewarding industry. There’s plenty of job security and opportunities out there for the right candidates (at least until the AI overlords make us obsolete, that is). Until then, however, we will continue to evolve our skills and grow our passions. Indeed, alongside persistence and patience, passion is one of my three principles of making a successful career in cyber security.
Three Ps of Making it in Cybersecurity
While you may have a job in the industry, a career takes time and dedication. Every day there is something new, whether that is a new vulnerability, a piece of malware, a new breach report, or the latest “sophisticated” group on the block. We must adapt a lot in this industry, whether you are a defender, an investigator, or on a red team. I saw something recently that said you don’t pay me for the 30 minutes it takes to do the job, you pay me for the years it took me to learn to do that job in 30 minutes. This is something I’m sure a lot of us live by.
In my experience, work-life commitments, such as an 8-hour day with study squeezed into the evenings and weekends, threaten our ability to evolve. But with a little perseverance and determination, putting in these extra hours will benefit you personally and professionally.
So, you want a career in the industry. While there are many paths to choose from, there are also some foundational skills that will always stand you in good stead. When I officially made my entrance to the industry, I started on first-line support/ticket logging for security and networking appliance support issues. This was quite eye-opening, and the amount of information required to correctly diagnose an issue always seemed daunting. Over time you soon see that there are common techniques that recur no matter what device or process you deal with. The ability to read a packet capture, for example, is something that has followed me throughout my career: from troubleshooting connectivity issues for a customer to grabbing plaintext credentials off the wire during a security assessment.
Recommended Foundational Security Skills
There’s a lot of debate about which skills or qualifications are most valuable for entry-level candidates. Obviously there are many routes into information security, but from my experience, here are some areas I would recommend honing your skills in.
- Packet Captures
Learn to take and read packet captures, and get familiar with multiple tools for taking a full capture: you will quickly discover that not all devices and systems have your packet capture tool of choice available. While tcpdump is fairly common, there are other tools such as tshark and Wireshark that are valuable to be familiar with. I have used many tools over the years for capturing traffic, but I always come back to good ol’ trusty Wireshark for reviewing the captures, or perhaps some Python if I am extracting information.
- DNS / Routing / NAT
You can spend a few months doing the Cisco Certified Network Associate (CCNA), which is a common entry-level certification into networking and, if you have the time and resources, this is a good option. There are some great pieces of foundational knowledge to be gained from CCNA, such as the basics of routing, switching, and network address translation, along with Cisco device configuration. However, there is also a lot of vendor-specific terminology, which will likely be irrelevant outside of the exams. If I could do this over, I would focus on the foundations of networking first:
- What is DNS, and how does it work?
- Why do we use NAT, and how does it change the traffic?
- How does traffic get from point A to point Z?
These are just a few of the basics, but understanding them will help you effectively troubleshoot issues and follow the flow of a packet capture.
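As an added example of the two points above (reading a capture with Python rather than a GUI, and recognising what DNS looks like on the wire), here is a small standard-library-only script. It is not code from the original post; it builds a constructed sample pcap inline (made-up addresses, hostnames and a fake credential, with checksums left at zero) so it runs offline, then walks the capture to list DNS query names and to flag HTTP Basic credentials sent over cleartext port 80, recording only the username so the finding can be written up without copying the password around.

```python
"""Minimal pcap walker: lists DNS queries and flags cleartext HTTP Basic auth.

Added example, not from the original post. The capture below is constructed
in code (dummy MACs, TEST-NET addresses, a fake user) purely for illustration.
"""
import base64
import struct

# ---------- build a constructed sample capture (not a real capture) ----------
def _eth_ipv4(payload: bytes, proto: int, src: str, dst: str) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"            # dummy dst/src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload                  # IP checksum left at 0 on purpose

def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def _tcp(sport: int, dport: int, data: bytes) -> bytes:
    # 20-byte header, no options: data offset 5, flags PSH|ACK, checksum 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + data

def _dns_query(name: str) -> bytes:
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)            # QTYPE A, QCLASS IN

def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([
    _eth_ipv4(_udp(51234, 53, _dns_query("example.com")), 17, "10.0.0.5", "10.0.0.1"),
    _eth_ipv4(_udp(51235, 53, _dns_query("intranet.example.internal")), 17, "10.0.0.5", "10.0.0.1"),
    _eth_ipv4(_tcp(40000, 80, b"GET /admin HTTP/1.1\r\nHost: example.com\r\n"
                   b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
              6, "10.0.0.5", "192.0.2.10"),
    _eth_ipv4(_tcp(40001, 443, b"\x16\x03\x01\x00\x05hello"), 6, "10.0.0.5", "192.0.2.10"),
])

# ---------- the actual reader ----------
def iter_frames(pcap: bytes):
    """Yield each captured frame from a little-endian microsecond pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len

def parse_dns_name(data: bytes, off: int) -> str:
    """Decode an uncompressed label sequence (queries never use pointers)."""
    labels = []
    while data[off] != 0:
        ln = data[off]
        labels.append(data[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln
    return ".".join(labels)

def analyse(pcap: bytes):
    """Return (dns_queries, cleartext_auth) found in the capture."""
    dns_queries, cleartext_auth = [], []
    for frame in iter_frames(pcap):
        if frame[12:14] != b"\x08\x00":          # IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        _sport, dport = struct.unpack_from("!HH", l4, 0)
        if proto == 17 and dport == 53:          # UDP to DNS
            payload = l4[8:]
            flags, qdcount = struct.unpack_from("!HH", payload, 2)
            if not flags & 0x8000 and qdcount:   # QR bit clear => a query
                dns_queries.append((src, parse_dns_name(payload, 12)))
        elif proto == 6 and dport == 80:         # TCP to cleartext HTTP
            payload = l4[(l4[12] >> 4) * 4:]
            for line in payload.split(b"\r\n"):
                if line.lower().startswith(b"authorization: basic "):
                    token = line.split(b" ", 2)[2]
                    user = base64.b64decode(token).split(b":", 1)[0].decode()
                    cleartext_auth.append((src, dst, user))   # password deliberately dropped
    return dns_queries, cleartext_auth

if __name__ == "__main__":
    queries, findings = analyse(SAMPLE_PCAP)
    for src, name in queries:
        print(f"DNS query  {src} -> {name}")
    for src, dst, user in findings:
        print(f"FINDING    cleartext Basic auth {src} -> {dst} (user {user!r})")
```

The same `analyse` function works on a real `.pcap` read from disk (`analyse(open("capture.pcap", "rb").read())`) as long as it is Ethernet-framed and not pcapng; for anything more involved, Wireshark or tshark remains the right tool, and the point of writing it by hand once is to see exactly where the EtherType, IHL, TCP data offset and DNS QR bit sit.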
2. Virtual Machines and Hypervisors
Unless you’re extremely lucky and have a couple of 48U racks loaded with various pieces of tin where you can deploy and test all the platforms of your choosing, you are likely going to need to be familiar with virtual machines and various hypervisors.
Taking a spare piece of tin and installing VMware ESXi or Proxmox will give you a great starting point for a little lab environment where you can spin up, clone, and build new instances of whatever device you are testing. You can also create virtual networks to better understand the basics of networking in practice.
3. Compare Tools and Adapt
We all have our favorite tools that have followed us through the years. I still like to occasionally throw a pcap into NetworkMiner as an example of old-school methods. One thing we see a lot in the industry is people avoiding testing the newest tools and techniques to see how they compare with the ones they currently use or have used in the past. I have seen and heard of so many people in the industry who become very set in their ways with tool usage and process. Being comfortable with your process is fine, but you need to be able to adapt to a situation. Maybe one tool doesn’t support multithreading, or you updated your machine and now you have Ruby dependency issues. You still have a job to do, so knowing the alternatives and having an arsenal for backup, or for the situations where you are forced to adapt, is key.
Whether you are an offensive tester, incident responder, defender or other, we all have our tools of the trade, but learn to adapt and push yourself out of your comfort zone.
4. Operating Systems
So, you are a Linux person and you like to curse the dreaded Windows users… That’s fair enough, Windows has had its issues in the past. But there are many situations where your work will benefit from having a detailed understanding of various operating systems, and of how they are deployed, administered, and secured. I started in the industry on the Windows side of the fence, and then I was soon forced to adapt to the world of *Nix. Now I use Linux environments for most things, whether that is a little bit of dev work or some enumeration. If you want to be able to defend or attack an operating system effectively, you need to know how it works. Having deployed one and gone through the process of securing it, you will get a much better understanding.
There are a lot of certification paths out there, depending on the direction you want to take. As I mentioned above, with foundational areas such as operating systems, networking, and virtualization, you could spend your life just doing exams. I spent the first part of my career doing mountains of vendor certifications, and they do have their place. However, you can’t rely on them alone, and achieving a certification doesn’t mean you have all the skills required for a role.
Purely for introductory purposes, CompTIA certifications are not that bad: they give some good direction for learning non-vendor-specific material. I wouldn’t expect to gain a job off the back of a CompTIA certification alone, but it’s definitely a step in the right direction.
One certification that is highly recommended, especially for any role looking for offensive skills, is OSCP (Offensive Security Certified Professional). The course can be tricky, even for someone with plenty of experience. A lot of dedication and commitment are needed to pursue this certification. This can be difficult with the mad hustle of life, but they do give you the option to extend your lab time and to “try harder”.
The common Offensive Security courses and certifications are considered your go-to if you are trying to get into pentesting/red teaming or anything related to offensive security. These are also great for defensive roles.
One of the biggest challenges for giving cyber security career advice is that it varies so much depending on what you want to focus on:
- Do you want to defend networks?
- Do you want to do incident response?
- Do you want to write code and create tools and prototypes?
- Do you want to do security testing, pentesting/red teaming/purple teams?
The list is endless, and some people don’t understand the extent of the industry. You only have to look on social media to see ads for “Cyber Security and ethical hacking” certs claiming huge salaries. While these may attract people who have a keen interest in the dark cyber arts, they also attract people who think the career will be like it is shown by Hollywood. What they also don’t show you is the days spent camping out on the floor of a freezing datacenter, with Cat 5 and console cables wrapped around your legs like a boa constrictor.
One thing I have learnt is that this industry has become less certificate-, degree- or higher-education-driven. If you can show dedication, passion and eagerness to learn, you are on the right track.
Expectations vs reality
If you get into red/purple team or any other form of security assessment work, yes, you will have some fun and may be able to practice your celebratory dance when you achieve your goal, or even gain a privileged foothold.
No? Just me then?
Well, now your assessment is over and you have a week’s worth of reporting to do. Reading glasses are on and the headache tablets come out while you sift through your assessment data. It gets even more fun if you are writing the report and have received data from multiple other consultants. You can learn a lot from reviewing others’ results and processes, but it can also be difficult trying to combine their work into a single report.
The media and Hollywood show a lot of the glamour of cyber security, especially around offensive hacking work. But what they don’t highlight is the reporting, triage, knowledge handovers and everything else that goes with it. I’m not saying these are negatives to having a career in cyber security, just that they can be a steep learning curve on their own, and that it is not all popping shells.
Keeping up with the latest gossip
Whether you are defensive, offensive, an incident responder or other, there is a constant stream of information at our fingertips. There is always a new breach report, vulnerability, Patch Tuesday release or some kind of dumpster fire going on in the world of cyber security. One source that I have become reliant on is Twitter. By following the right people you can get a good insight into what’s relevant and what’s not.
There’s certainly a lot of filtering required with any publication or tweet. We see this most often with vulnerability disclosures, something I’ve touched on a few times before. The media will often interview the wrong people, who blow an issue out of proportion or attempt to interpret it themselves, leading to a lot of hype and confusion, as we saw with the recent sudo vulnerability (CVE-2019-14287) and many others. Just because there is a vulnerability doesn’t mean it is always exploitable under real-world conditions.
Knowing where to get your information is a key part of being a good security professional. I would highly recommend Twitter as a feed for current and relevant news. Podcasts, blogs and whitepapers are also a great way to get a high-level overview, or even a deep dive, into some of the more recent news stories and research. On our very own ShadowTalk podcast and in our blogs and research publications, for example, we regularly cover both technical and non-technical aspects of recent infosec news, as well as our own research. There are plenty of other threat intelligence podcasts and organizations out there who regularly publish great work. One of our team’s favorite podcasts is Risky Business; these guys always deliver great information. The SANS Stormcast is also worth a listen for a 5-minute overview every day.
Degree or not to degree, that is the question
There is often the debate about degrees versus no degree routes. When I first started trying to get into the industry, it was difficult to get a break without having a degree. You certainly couldn’t jump straight into a technical role back then unless you had a heap of vendor-related certificates, a degree, or 10 years’ experience.
I took the University of Life route, and it was a long and challenging journey, but one I would not change for anything. This is something that everyone must decide for themselves. A Bachelors/Masters/PhD will likely get you into your desired field sooner, where you can begin to build out the skills required for you to level up.
As with any path, there are a lot of challenges; one is not becoming too comfortable. It can be difficult to find the right motivation and aspirations if you find a position early on in your career that doesn’t challenge you. This can lead to you settling too early, which can then lead to becoming stagnant, not evolving your skills, and not becoming the cyber guru you always wanted to be. For me this was a difficult piece to overcome. Doing the same work repeatedly becomes second nature and easy, but not challenging. This is where having the drive and passion comes into play: having that need to push yourself, to continue learning, and to find the next challenge.
I have worked with people with Bachelors, Masters, and PhDs who are very talented and passionate about what they do. I have also worked with people with PhDs and Masters who are happy and comfortable and are just looking for that 9 to 5 and nothing more. Everyone has their own goals and priorities.
No matter which path you take, it is the perseverance and passion that will get you through in this industry. Finding mentors and colleagues who you look up to and can be inspired by can keep you focused, and keep your ambition going through the more challenging times. I have had the pleasure to work with a lot of very talented people in the industry, and have managed to keep the passion going.
Remember every day is a school day, there is always something new to learn.
To keep up with the latest threat intelligence, you can subscribe to our email newsletter below.