Where to Start in CyberSecurity

Where to Start in CyberSecurity

I've had a number of people ask me what skills they should focus on developing in order to build a career in CyberSecurity as a lot of the degree programs and certificates are failing to help them find jobs.

I have some specific experience that allows me to provide some insight in this area:

  • I've worked in cyber security for over 20 years, across nearly all aspects of the field.
  • I've been a guest lecturer at New Mexico Tech and UNM.
  • Developed and delivered training courses for Blackhat.
  • Spoken at SANS and the Santa Fe Institute.
  • I've mentored and trained over a dozen students and individuals.

The first thing to think about is what are of Cyber Security? It as a vast field and while fundamentals will be useful across all areas, each area has its own particular skillsets. Below is an outline of a sort of curriculum one could pursue to be able to provide value to potential employers. I will try to tie the skills to as open source tools that can be leveraged for practice:

Operating System Internals - Get the Windows Sysinternals Books and work through every exercise. Pickup a linux kernel / linux system programming book and work through it. The books aren't free, but cheap enough.

Wireshark, tcpdump, & tshark - Especially focus on searching for things in the packets. Make a simple web app and server on a VM, interact with it using your browser while capturing the packets. Try to understand what's happening. All three of those tools are free.

Python - There are other scripting languages but python is probably the most ubiquitous. You don't have to be the best coder but being able to modify existing tools, build quick POCs, and hack together automation is highly valuable. Python is free. Try using an IDE like VS Code (free) or PyCharm (if you can afford it)

Virtualization - Working with VMs is key to learning all these various areas. You can get a limited copy of esxi for free, proxmox is free, as is VirtualBox. You can play with things like AWS EC2 and Azure as well. Especially focus on access and network controls, isolation, etc.

Signatures - Learn how signatures work, what they are, and how to build them. From file checksums like md5 or sha256, how do anti-virus work (matching hex bytes), IDS signatures for packets. Snort is a free tool you can experiment with.

Inventory - Learn how to identify what is on a network. This can be by looking at network packets, using inventory tools, using a scanner like NMAP. Get used to identifying devices by their services, protocols, MAC addresses, etc.

File Formats - PE, ELF, MachO, PDF, JAVA, Office. There is freely available documentation on these file formats. Try writing a parser for one or more of these formats. There is the PEFile library for python which can help you parse .exe and .dll files and see what's inside them. readelf, objdump, and other free linux tools exist to help with ELF files, etc.

WebApp Testing- Learn BurpSuite, there is a community edition that's free. Understanding how web apps communicate and how to manipulate these connections is key. There are other tools but Burp is probably the main standard.

Standards - Look at the NIST 800 documents, NIST CSF, PTES, PCI, etc. Trying to understand these will give you hints about roles, skills to target, what companies are looking for, etc. Some people have entire careers helping companies implement these standards.

Soft Skills - Learn to write, especially business formal reports. Learn to build presentations (powerpoint). If you didn't document it, you didn't do it. Learn to speak, both publicly and in one on one or small group interactions. Knowing how to listen and ask well constructed questions is a critical skill. I should do a whole post just on this skill alone.

Development Debugging / Instrumentation - Developers have a whole suite of tools and techniques for making their code work. These are incredibly useful tools for security. Learn to monitor network connections, file system modifications, processes, memory, registry changes, watching API calls, etc. Lots of free tools for this: WinDBG, x64dbg, gdb, Sysinternals Suite, Auditd, IDEs like Visual Studio, Android Studio, etc.

Logs - Learn to read all sorts of log formats such as windows event logs, syslogs, apache logs, DNS logs, proxy logs, etc. Write scripts for parsing the logs, for example pull out all of the unique IPs from apache access logs, Learn SEIMs, There is a limited free splunk, ELK, if you can get access to things like Sentinel or Crowdstrike that's useful as well but outside of "free".

How to Investigate - How to let evidence drive rather than your hypothesis. Download attack tool samples, build and instrument and isolated VM network, run them, and go through all the data to see what you can see. Read IR investigations. Watch what attackers do and learn from it.

DevOps - This is how software is built and where vulnerabilities are born. Learn Git, Jira, Jenkins, Confluence, KanBan Boards, sprints, how access control is handled, scan repos with tools like trufflehog to find hard coded secrets. You can build some version of most of this for free on your VM infrastructure and test all the aspects. You can apply these skills in your work (I use KanBan to track pentest or IR tasks, confluence to share notes and document, Git to store inhouse written tools, scripts, and exploits, etc.

Cloud - Its worth learning the big systems like AWS and Azure. Read up and practice locking down S3 buckets, how to access EC2 instances, maybe try to setup an Active Directory, etc. Learn Kubernetes which you can setup and attack on your own VMs.

Planning - This simple skill is fundamental in being most effective, and is surprisingly lacking in a lot of situations.

  • Narrow down the goal.
  • Brainstorm the steps to get there, then refine.
  • Identify risks, where things could go wrong, mitigations, and contingencies.
  • Document the whole thing and present it. Get buy in.

I can't tell you how many consulting projects I've done where the customer didn't really know exactly what they wanted done, what their crown jewels were, risk tolerance, internal assets, etc. The first step there was to figure all of that out, build a plan, and help them understand and decide.

This is high level, and missing a lot, but if you develop a strong skillset in the above items you will be able to provide value in many cyber security roles.

Thanks for listening,