A Former Banker's Perspective
Ever since I was a little kid I've always had an interest in technology and computers. I fondly remember the days I spent with a childhood friend trying to install a jet fighter game, the name of which I cannot recall, that could only be installed through DOS. As a kid, I don't think I truly grasped what I was doing in DOS and how to use it but I remember the headaches we had dealing with it just for this one game. We had our fair share of problems and then we would try to find solutions.
Later on it was also with this same friend that I played a computer game called Counter-Strike and I remember one day he approached me and mentioned that he found some aimbot cheats and was winning all his games. Being a dumb kid, I was naturally interested to see what it was like and he provided the software to me and mentioned he 'randomly' found it online and downloaded it through LimeWire. As you can likely guess, this ended up with both our computers being infected and in an endless BSOD. Our parents were not happy and neither of us was allowed near any computers for quite some time. It was an interesting lesson but I believe those days with my buddy - unbeknown to me - sparked the interest in this field and the experience of problem solving our way (thanks, Google) through software and hardware issues throughout our youth and the arrogance that led to those issues.
Discovering Penetration Testing was completely by chance and it wasn't until after I was already an adult and already had numerous years invested in another career. It is a point that I wish I could've jumped into this a lot earlier in life but regardless - I didn't want to give this opportunity up by saying "it's too late".
You don't know what you don't know and it was the same for me as I found out more about the profession (pentesting) through a completely random speck of curiosity while browsing through an internal directory of staff and their positions.
I didn't realise that the interests that I held for such a large part of my life were so closely aligned with this career path. I knew about computer science and programming but I didn't really think anything of it or that there was a whole career on the offensive cyber security side of things.
This led to blogging about my experiences, the journey and interests in order to inspire others that are likely on the fence about taking their own risks.
I can finally say that I have hit my goal and I am now employed as a Penetration Tester.
How Can You Break Into The Industry
The examples and recommendations will be specific to offensive security, however the principles apply to any industry you are trying to tackle. These are just some obvious topics that you know about but likely need a reality check on if you are trying to enter the industry. The focus I'd like to extend is the perspective of people who are trying to enter the industry without the formal education or university pathway.
Networking Is Vital
Your biggest investment when you are trying to get a job - and this is the same for the cybersecurity industry - is to network and mingle with colleagues or potential colleagues. Speak directly with people in the industry in order to know them and for them to get to know you and your goals.
You never know as one day they might extend an opportunity for you based purely on seeing your initiative, personality and drive for your goals.
For example if you are already working with a fairly large corporation - enough so that you know they have an in-house security team - then you need to take the uncomfortable steps of reaching out or cold-calling the managers and team leads, within the security space, in order to get yourself in front of people who can provide you with industry advice. This isn't about asking for a job; it is about networking and learning more about the profession, the space and the team members - and also showing them your interest, goals and experience in the industry.
The reason networking is your biggest investment is because it can provide you with opportunities and creates connections with people directly in the industry that you want to join. They have their own network to call on if they want to provide you with opportunities and as you know - referrals are powerful. It doesn't guarantee a job but it does provide you with great opportunities that you may not have received otherwise.
The job market for entering the industry is insanely competitive with very difficult requirements, and differentiating your resume/CV for each application has always been the recommendation in order to get past HR but again the reality is that you are competing with 100s of other applicants and it still relies on the 5-10 seconds that HR has to screen your resume before deciding which pile to put it into. Networking on the other hand is more direct with the hiring manager or team members of the hiring manager as well as more personal with your connections.
I know some don't like it but do it! Networking will give you fantastic opportunities.
We simply are not in the decade/timeline where "hard work will reward itself" and it is not the only method. Every industry and every manager has had their set of "optimisations" in order to make everything efficient, which means their jobs have changed and their focus is more on pulling in the most results or returns on their investment. They simply don't have the time to keep their eyes on all their staff at all times and then differentiate the hard workers from the not-as-hard-workers.
For that reason I believe you need to be loud with your achievements, your goals and your ambitions. You need to speak about yourself - even when you don't want to - and highlight the things you have done, what you are currently doing and what you will be doing in the future.
Don't sit back and expect that all your silent hard work is going to be appreciated, because unless it is documented, then likely by the time it is your annual review or out-of-cycle review - the silent hard work has already been forgotten.
Be loud and celebrate your achievements.
Get The Skills Then Display The Skills
You need passion. If you're not passionate then you will be left behind and burn out very quickly in the industry. The first few weeks on the job and the number one thing that I noticed was that my colleagues and peers are involved with the industry outside of work and enjoy the learning aspect that comes with the job. They are learning and developing both during work and outside of work - they are still focusing on goals related to their talents.
The following is a rough guideline for taking your first steps towards cyber security. Although not comprehensive, I believe there is enough structure here so that you can tailor it to your own experience and knowledge levels.
01 - Find your favourite podcast for cyber news
It goes without saying, but listening to podcasts is a great way to catch up on recent events and also to develop your cyber "language". You will quickly notice that there is a lot of lingo that you don't completely understand but you need to get used to it. Don't expect to know everything but just familiarise yourself with how the industry provides its news and the language that is used along with all the abbreviations and code-speak.
- SANS Storm Cast (5-8 minutes, daily digest)
- CyberWire Daily (30-50 minutes, ranges between news and industry focused talks)
- RiskyBiz (40 - 60 Minutes, ranges between news and industry focused talks)
- Darknet Diaries (50+ minutes, theme-based in-depth talks and interviews regarding current events - think investigative journalism)
- Brakeing Down Security (40 - 60 Minutes, ranges between news and industry focused talks)
02 - Pick your programming language
There is a range of different languages and you can choose any that you are interested in, however make it a point to include this in your study 'program' during your penetration testing journey. While you may not need to do much scripting at the start for some of the easy machines on all the platforms - being able to program and script becomes increasingly important as you transition to being job ready and being able to tackle custom challenges.
This will also benefit your future OSCP adventures, however I firmly believe having a good grasp of programming and being able to read code is vital for problem solving when you first start progressing.
Pick at least 1 programming language and focus on the competency in that language and that will make being able to learn and understand numerous other languages much easier.
- and so forth..
In the event that you choose Python, the following are some recommendations to begin with:
- Book: Automate The Boring Stuff
- Course (Free): edX Introduction to Computer Science and Programming Using Python
- Course (Free): edX CS50's Introduction to Programming with Python
03 - Understand some fundamental Computer Science
It is recommended and highly encouraged to develop your acumen in computer science. Learning about how protocols communicate with each other as well as understanding the OSI model will help you understand the type of technology you are dealing with and at what levels of the OSI model you might hit trouble, roadblocks and so forth. Understanding IPv4, IPv6, networking and subnets as well as packets, datagrams and frames will give you a better overall understanding of the methods used while performing a pentest.
04 - First recommendation for certification: eJPT
Get your eJPT (reminder that this is personal opinion). The eLearnSecurity Junior Penetration Tester course & certification is a great way to learn some very fundamental and basic content for both computer science fundamentals and penetration testing, and it also results in a certificate that will pad your resume/future job prospects. The content is quite simple and basic - which is to be expected for this level of certification - but also has content regarding some basic penetration testing skills and starts getting you interested in going further with your goals. I highly recommend diving into this to learn and also add to your resume as the course and exam are relatively cheap.
05 - Head on over to the training grounds!
You are now a penetration tester. You may not have the professional experience yet but you are already performing activities that are related to being a penetration tester and now you are also continuing your development on the training platforms.
Head on over to TryHackMe and sign up. TryHackMe does a fantastic job of holding your hand and introducing concepts to you. Make notes as you learn and try to tackle the information in a structured way. Don't dive straight into the Intermediate topics because if you are a person coming from a bare-bones background then the fundamentals are vital for your success! The courses end with completion certificates, which could be a great way to signal to your potential employer your ability to learn and understand fundamentals. These certifications don't hold much weight other than as a display of your passion and a reflection of your personal development. This is worth it if you want to attempt getting your first position.
See below for an outline of all the learning paths available:
06 - Second recommendation for certification: eCPPT (Optional: Straight to OSCP)
You've now broadened your horizons and have gotten more experience as a penetration tester while also studying your chosen programming language. You have the option of jumping into OSCP (The course is enough and contains everything needed to learn and pass the OSCP) but I would recommend actually going for your eCPPT exam first.
The eLearn Certified Professional Penetration Tester course & exam is actually very good and not only will it prepare you for the OSCP course; it will also give you a great experience of what a realistic penetration test might look like and for that reason - it is different to the OSCP certification due to feeling like a real pentest.
You can read my review of the course & exam here, but in summary, it is more realistic than the OSCP and it teaches you more about the document requirements and report writing that are involved with being a professional. This particular test is a 7-day exam that gives you a generous amount of time and allows you to get experience with security exams as well as how they function. The stress won't be as terrible as the OSCP, however it will give you experience with recon, exploitation, post-exploitation and then report writing.
07 - You are job ready (maybe..)
I would argue you are already job ready, however it depends on the area in the world that you are applying in and what you might be expecting as a first job. You have the necessary skills to be able to start a position in cyber security, albeit it depends on where - a good recommendation is always somewhere in a SOC as an analyst or heading for help-desk --> sysadmin.
These certifications should be able to assist with demonstrating your passion and knowledge as well as assist with convincing HR for the first interview. The first position likely won't be directly as a penetration tester, however your main goal is experience in the industry whether that is help-desk, SOC analyst or otherwise. Potentially another certification that could assist is Sec+, however I don't have experience with this certification but I have seen it recommended to people whose goal was specifically to become a SOC Analyst.
The following are some recommendations and resources that have helped me and others when going for their first job search and/or job interview:
- Hack your LinkedIn - At this stage you may need to pimp out your LinkedIn and update your resume. This resource has been great in being able to update my own LinkedIn and avoiding pitfalls when you are trying to establish yourself. There are two parts to it and roughly 3 hours' worth of advice and insight into being able to better represent yourself on LinkedIn to potential recruiters
- Penetration Testing Questions - Interview questions that may appear when going for the technical roles. This collection was a great resource for reviewing my own knowledge gaps and also for preparing for future interviews I might have
- Some Interview Videos & Junior Questions to get an idea of what the interview may appear like
If your goal is OSCP then read on.
08 - Try Harder: The OSCP Story
You are at the stage where you are hardened and experienced when looking back at where you first started. Now your sights are on the OSCP course and the difficult challenge that follows it.
You can review my writeup of the course itself to understand if it is worth it for you and your development. You can further read my review of the exam itself and see some helpful hints.
In summary the course is complete and provides you with everything needed in order to succeed in the OSCP exam. The first thing you may need to understand is that the OSCP is a 24 hour exam and the challenge is developed in order to test how well you excel under stress and effective time management. The course is not going to prepare you mentally for that 24 hour exam but it will prepare you for how to problem solve - and for that reason you need good note taking and a hardened methodology.
If you followed the above path in a "somewhat kind-of" way then at this point you should have developed and obtained fantastic skills under your belt; you have experience with exams and exploitation methods, you have pivoted between networks and you have experienced report writing. This is great because when you combine these skills with what the OSCP course is trying to teach then the exam is not some monumental wall that appears impossible to climb. You start realising that your name could be on this certificate...
09 - What's after Mount Everest?
After your OSCP, you now have a stack of certifications and have just dominated one of the industry's most demonized entry certifications. It powers up your resume considerably but also puts you in a great position to show potential employers that you have the ability to work under time constraints and stress and then produce professional results. At this point you should be heavily focused on networking/reaching out to recruiters and applying for jobs.
From there, it will be a matter of choosing your adventure but the first job is definitely the hardest and I believe you can do it too!
Get The Jobs
This will all come down to your own individual regions and markets with respect to the demand for people with your skills but at this point you have a beefy resume and need to start applying yourself.
You are not guaranteed to get a job. This is only going to open doors that were previously shut, but it still relies on your ability to continuously improve and your desire to get a new job.
This is the harsh reality of it: being an OSCP opens an enormous number of doors but does not mean you are 'guaranteed a job'. It only means you've demonstrated your ability with a well known, and difficult, certification. You've turned that mountain into a hill. At this point your focus should be to reach out to your network and people you've met along the way. Let them know you are looking for a position.
You will need to message recruiters, managers and people in the industry to start up conversations and get to know them as well as allow the opportunity for them to get to know you. Ask about their organisation, the job requirements and potentially about a call or grabbing a coffee to speak further. Your focus should be to speak with anyone within the industry and thereby increase your chances of an opportunity presenting itself.
You will need to be involved in community activities; going to meetups and conferences so that people can get to know you. Networking boils down to this and again it is all about chasing any opportunity and stretching your network.
It goes without saying but sending out your resume and applying to jobs is how you get your stuff in front of an HR recruiter. While this is likely what people spend the most time on - I feel this focus is misplaced and that it provides the least potential for opportunities because you are sending your resume to be vetted against 50, 100 or more other candidates. It relies entirely on the 5-10 seconds that the recruiter spends with a quick look at your resume before they flick it into a yes/no pile based on what they saw. Not to mention the algorithms that check for keywords and phrases, which also screen out terrible resumes that belong to otherwise great professionals.
It is good to have a properly formatted resume and to have the correct details, but one of the biggest hints that professionals in the industry provide is that the most common source of their opportunities has been their network, through either word-of-mouth, while working with peers or through social media such as LinkedIn and through Meetups & Conferences, whereby their resume was passed on directly to the hiring manager, skipping the whole HR vetting process.
I believe that you need to strike a balance between just throwing your resume at anything that moves and networking with professionals in the industry. Sounds hard? You just smashed through the OSCP; this should be a cakewalk.
After You Get The Job
Personally, I subscribe to the idea that you don't get to the top of the mountain and proceed to just stare at yourself.
Look to the other people who are following in your footsteps that are also working to get up there.
Contribute to your community and involve yourself so that you can be a role model for your demographic, region, group of people and so forth. Remember where you came from and how you were able to get help with your own development - take that same view and uplift those around you.
Regardless of how you might see it; at this point you've made it. Good job mate!