Most of the time I’m binge watching Netflix, Amazon Prime, Hulu, or some other instant gratification media platform. But on the rare occasion that I’m out in these streets and talking to other professionals, the conversation always ends up at “So what do you do?”. I guess this is one of the default topics of conversations because most people “do something” … and its definitely better than awkward silence or talking about traffic.
“I’m a HACKER”
I remember one of my pentester friends response to this was an enthusiastic “I’m a HACKER” … yup the “Hacker” was capitalized when he said it. On the complete other end of the spectrum, I have an actor friend who has a whole process for this. When he is asked he has all sorts of responses and cover identities. I always ask him “what’s the deal and why don’t you just say you’re an actor ….?” “Bro, if you tell them … then there like, what have you been in? Are you that guy from …? Blah BLah BLAH …. Its just so awkward.”
If I’m filling out a customs form then I’m always a computer repair technician. I mean I can certainly repair a computer if put to the task and I have been called upon to look at a computer or two … so … close enough! But otherwise I generally say i’m in Network Security, I feel like it covers all bases. Most people usually say oh that sounds fun and then say something random like “so can you code websites?” or “i’ve been having issues with my internet slowing down, u know what causes that?” Those with some security exposure usually drop the Cyber or IT keywords sometimes even throwing in a hacker or a blackhat in the response. To anyone interested I fill in the gaps by saying that my goal is to find and close the security issues, before they turn really bad … because lets face it, its probably already bad.
Do you use online training sites or just self-study?
The next question usually is one of the following: How did you get into doing that? Where should I start? I see you have a lot of certs. Do you use online training sites or just self-study? And my response is: The great thing about security in general, is there is no defined path. That’s the beauty of it. I personally went the Computer Science -> Software Engineering -> Pentester, with lots of self-study, online and in person training route but that’s by no means the only path. I personally know pentesters that are College dropouts, some started in Network design, Software Development, System Administration, degrees in History, etc. The point is … it doesn’t matter where u start or where your at. You just have to #tryharder.
Figure out and understand your learning style
So how do you become a professional hacker? The first thing you should do is figure out and understand your learning style. To me this is one of the most important aspects of learning. Everyone doesn’t learn the same way. Some are better with structure and being taught in a classroom like environment. While others are better with self-pace and individual research. Figure out which one works better for you and put in the work. The resources are available in every format you can think of. You can buy technical books, watch youtube videos, go to security conferences, theres probably even audiobooks … well … i’m not sure about that last one … But you get the idea.
Sometimes price matters
I think the general consensus on corporate security training would point you to https://www.sans.org/. One thing of note … SANS is expensive. And if you care about the validity of certificates keep in mind these are part of the continuing education model. So be prepared to keep them active by taking more training. SANS has some great teachers and lots of learning paths so you can pick you poison. If your company has a big budget and a use it or lose it policy definitely check them out.
I have taken the training for GWAPT, GXPEN and various other sample tests that were gifted to me (Hint Hint: send them my way if you don’t need them). The courses are always top notch. I took the GWAPT Live and GXPEN using the OnDemand format. OnDemand was perfect for me as I get the most value learning at my own pace, skimming what I have a handle on and spending more time on fuzzy concepts. You have to be disciplined on timing and doing the work, access time goes by quick. But in my opinion SANS prices are only palatable if someone else is paying for it or you need a business development tax write-off.
If you’re just starting out:
- System administration is vital: Enough can’t be said about learning the basics. Learn Windows and Linux administration. The more you know how things work the more you will be able to bypass them.
- Learn a scripting language: PowerShell, python, Perl, Go, Ruby … something.
- I’ve taken their blackhat course and it had some good content.
- They have a lot of offerings and classes are self-paced.
- This is a great resource. Tons of videos with great information.
- This is a subscription service so keep track of it. We all know how quickly we can forget about reoccurring charges
Mid-Level and up
- Can’t say enough about @offsec and @offsectraining
- #OSCP labs are worth it alone. Spend the time and money on this.
- The #OSCP is essentially the pentester industry standard, but dont stop there.
Practice Practice Practice
- Sign up and hack the boxes!
- Another hands-on resource, download the VMs and see how far you can get.
- You can usually find a walk-through online but dont give in, Keep at it.
- Find an exploit and try to recreate it without looking at the details.