To start this conversation I wanted to say that this is not a normal discussion for the CyberMe following. The reason I had the idea of discussing this topic is due to the amount content creators who share some GPT generated ‘How To Guide’ to land a job in the industry. I can assure you that this type of content will not be the norm, but I am playing with the idea of doing this every so often to give others a different perspective to get in the door.
Time to crawl
If you the reader are interested in getting a job in cyber security and have zero experience, you will not have much of a chance. Especially in the job market today, the industry is flooded with those who are looking to get a job. Even entry level positions are competitive due to layoffs and hiring freezes of the larger companies. If you are looking at a remote gig, good luck!
With that being said, that does not mean you can not give it your best shot. Just like anything in life, anything worth going after, you will have to put in time. Put in the time and effort to learn this new skill. Become passionate about the industry. Love to learn. I say this because in order to stay relevant in the industry, you will have to commit your life to learning and staying up to date. The position is always changing. With new techniques, tactics, tools, etc… being introduced daily, you have no room to sit there and collect a pay check.
In this stage although you do not know much of anything, there is plenty of resources available to start learning. For example, the Linux operating system. Linux is the golden standard. You must learn how to use Linux in order to take advantage of the many tools available today. How? Take a look at https://overthewire.org/wargames/.
The ‘Bandit’ wargame is something I used when I first started learning years ago. This is an older platform but still very relevant to learn the basics. In the wargame you will use SSH to connect into these remote machines and perform various steps in order to proceed onto the next level. The cool part about this platform is that you have hints on which tools are used in each of the levels. The difficulty does increase throughout, but definitely worth taking a look at when trying to learn Linux.
Another skill I find worthwhile, not only for cyber security folks but also system administrators is PowerShell. Similar to Overthewire, you have Under the Wire (https://underthewire.tech/).
You will connect to these machines again using SSH and complete the various challenges learning alot of the common cmdlets and scripting practices used today. A lot has changed over the years since this was first introduced but still worth your time to understand how PowerShell works. Scripting is a requirement for any professional looking to be efficent in the workplace. Which brings me to my next topic of learning Python.
Python is another standard scripting language you must understand in order to be a skilled hacker. Jokes aside, you do not have to be a script kiddie but Python can save you hours of time. Using Python to pull data from the web or performing blind SQL injections using a built in requests library are just two examples off the top. The resources for learning Python are nearly unlimited. Two books worth mentioning are Linux Basics for Hackers and Python Crash Course, 3rd Edition: A Hands-On, Project-Based Introduction to Programming.
Time to Walk
At this point you understand some of the basics. You learned how to use the Linux system, you developed some scripts, you probably did some reading while going through the challenges. It is time to get a bit more involved. Although these topics I am going to discuss next are related to attacking web applications, it is important to learn regardless if you are going to go blue or red. I say this because how can one know to defend a platform if they do not understand how its going to be attacked. Once you see how the lack of input validation leads to a leaked database, you will change how you defend the applicaiton.
Tons of labs out there today to help you walk through this process. A few worth mentioning though are through OWASP. When looking at web application stuff, OWASP is another reference you must take a look at. I believe it is every three to four years they put out the OWASP Top 10. These 10 vulnerabilities are what is most actively being exploited today. Learn these. To do so you can use something like WebGoat.
WebGoat is just one example. Another would be Damn Vulnerable Web Application. These are vulnerable web applications that you can spin up and attack. The best part, while walking through it you are not left in the dark. You can try and complete the challenges yourself but for these early steps you should reference a guide. You do not know what is possible, until you know. Once you start learning the various techniques used to exploit the various vulnerabilities, you will have a different approach as you progress.
Lab It Up!
The list goes on. I do not want to sit here all day writing about it, although I do plan to do more writing as time goes on. I did want to highlight that you should find labs online and do them yourself. One Lab that we had developed here at CyberMe can be found here. In this playlist we create everything. At the time I wanted to learn more about the backend stuff with regards to PHP, creating a web server and so on. So if you follow this lab you can do exactly that. You can create a simple login web app, manage a SQL database in the backend, create PHP files to interact with the two and then finally attack it.
Closing it out
I hope I did not discourage anyone earlier on in the discussion. I wanted to highlight the fact that you are less likely to get in the field if you are just putting in applications. Stop following the content creators who sell resume’s. Start following the ones who put in the work. Build your experience by building a home lab. Prove your worth, show your passion and get out there.
As Always, Never Stop Learning!