How To Start Your InfoSec Career

How to Start Your InfoSec
Career

Build | Protect | Learn
Agenda
2
• ~$ whoami
• Overview
• Platforms for Information
• Tips For Skill Development
• Find a Mentor
• Education
• Certifications
• DoD 8570 Requirements
• DoD vs. Commercial
• Professional Networking
• Networking, Linux, and Python
• Life of a Pentester (Offense) + Example
• Life of a Security Analyst (Defense) + Example
• Practice
• Recap
• Useful Links

~$ whoami
• Founded in 2015 to deliver effective and sustainable cyber solutions
• Currently provides technical services to the Federal Government and commercial sectors
• Prides itself on leveraging technology advancements to solve our clients’ most critical cyber challenges
General
Major Service Areas
• We embrace a “Geeky” company culture.
• Engage with security community (Blog, Twitter, Exploit-db, Github, Conferences, etc.).
• Large focus put on learning and sharing knowledge.
• Company CTFs and other technical challenges to improve skills.
Company Culture
• Cybersecurity Assessments
• Defensive Cyber Operations
• Research and Development
• Cybersecurity Training
3

Overview
4
• Let's get you started!
• The goal of this presentation is to share our teams knowledge and lessons learned
while working in the industry.
• The keys to success in infosec can link to a continuous effort of knowing your
environment and improving knowledge/skills.
• Our industry requires not only knowledge of terms and topics, but also hands on the
keyboard skills to succeed.
• Ultimately being able to keep yourself up to date is a key component to being an
InfoSec Professional.

Platforms for Information
• One of the best resources for keeping yourself current is Twitter.
• Often people will report news via a tweet before it’s even blogged.
• Build Your Network! Follow various infosec professionals, vendors and companies.
Twitter
Blogs
RSS Feeds
• Learning from blogs can lead to lessons learned and discovery of new topics.
• Blogs are a great way to share ideas and thoughts among the community.
• Bookmark some of your favorite blogs and podcasts to check regularly for new interesting content.
• If you want a combination of twitter and blogs consider an RSS reader (i.e. digg, feedly, etc)
• A RSS Feed can help keep track of blogs and news items
5

Build | Protect | Learn 6
Tips for Skill Development
• Technical skills require hands-on practice.
• Labs can be simple: Your computer + VirtualBox or VMware + VMs
Build a Lab
Capture-the-Flag Exercises
• If you want to acquire and/or maintain technical skills then you should participate in a CTF
• Many online CTFs available: vulnhub.com
• Good resource for learning how to excel in CPT events:
https://trailofbits.github.io/ctf/vulnerabilities/source.html
Free Training and Online Resources
• You can also find most conference talks online: (Irongeek YouTube)
• Loads of free training resources: Cybray, OffSec, etc.

Find a Mentor

Education
• If in doubt go Computer Science.
Programming skills are always in high demand.
Learning to write your own scripts and tools will separate you from the pack.
You do not need a CS degree to be able to write code.
• Some jobs require it, others do not it is really a mixed bag.
• Can be a good way to show you are worth investing in.
• Can help you potentially skip lower-level IT roles (Help Desk and System Administrator)
roles.
You still need hands-on skills with the technology.
• College is really what you make of it, challenge yourself to learn things beyond the scope of
the class requirements.

Certifications
• Offers many entry-level certifications (Security+, Linux+, etc.).
• Multiple-choice exam usually a couple hundred questions.
CompTIA
Offensive Security
• Offers hands-on technical certifications (OSWP, OSCP, OSCE, etc.).
• Skills-based exam (24 hours to break into 5 VMs and provide detailed penetration test report).
SANS/GIAC
• Offers a wide variety of technical and policy focused certifications (GSEC, GPEN, GCIA, GCIH, etc.)
• Multiple-choice exam usually 75-150 questions and vary with passing percentage minimum.
ISC2 and Others
• Many other certifications that can help your career: CISSP, SSCP, Microsoft, Cisco, etc.
• Depends highly on your specific career goals.

DoD 8570

DoD vs. Commercial
• Mixture of Government (CIV) and Contractors employees working together
• A lot of policy in place and separation of information (Unclassified/Classified)
• Often requires a clearance or public trust
• Compliance is a huge focus
• Has Infrastructure that is on the Internet and on separate Govt Networks (NIPR, DODIN, etc)
• Most contractor work will have to be bid upon before the government awards it.
DoD/Govt.
Commercial
• Hired to work as an employee under a company or organization
• Has regulations of compliance enforced (PCI, HIPPA, FISMA, etc)
• Potential work with big businesses and small businesses
• Has less policy enforcement (depends more upon the company's enforcement)
• Often times will not require any clearance but may have company policy in place to protect information.

Professional Networking
• Helps build online professional profile “Google your Name”
LinkedIn
Twitter
• Most active in the security community are on twitter.
Personal Blog
• Great way to share knowledge, showcase skills, and research.
Opensource Projects (Github, Sourceforge, etc.)
• Contributing or creating an open source project is a great way to get noticed by companies.
LinkedIn
Conferences
• Expand your TTP's and knowledge in person.

Understand Basic Networking
13

Linux - Use It!
14

Python - Learn It!
15

Life of a Pentester (Offense)
16
• Lots of failure:
Pentesting is all about failing over and over again.
• Lots of research:
Facing a new type of technology will force you to do a lot of research on the fly.
• Lots of skill development:
I find I have to spend a lot of time to sharpen skills.
Staying up to date on vulnerabilities and attacks.
• Consistently thinking like an attacker:
Thinking how to misuse technology in creative ways?
• Scripting:
Normally this required for senior roles
• Tools: Metasploit, Burp Suite, Nmap, Masscan, Recon-ng, Linux/Windows, Nessus,
Acunetix, WebInspect, Mimikatz, Python, and many other tools in Kali Linux.

The World Needs Bad Men….
17

Offensive Example: debug.php
18
• Step 1: Started out with a company name -> enumerate domains, and CIDRs.

19
• Step 2: Leverage Python/Shodan API to quickly enumerate external footprint

20
• Step 3: Systems/Ports/Systems are validated from Shodan results using Masscan
and Nmap. Then web technology footprint enumerated with whatweb.
* Linux utilities were used to build input files/parse output files (sed, grep, awk, egrep,
sort, uniq)

21
• Step 4: Enumerate an unlinked resource "debug.php" that gives an HTTP 200 OK
and blank screen. This is where automated tools stop.

22
• Step 5: Parameters are fuzzed in an attempt to enumerate inputs "page=" gives back
a different response "Failed opening 'test' for inclusion".

23
• Step 6: Attempt to point the page parameter to local and remote resources and
attempt to execute code on the server.

24
• Step 7: PHP was running as SYSTEM on the vulnerable application. An attacker
could dump password hashes and pivot throughout the organization with admin
privileges.

Life of a Security Analyst (Defense)
25
• Attention to Detail:
Digging through logs, pcap, alerts, etc. requires a lot of attention to detail.
• Hunting:
Often going through large amounts of “normal” data to find what is “odd”.
• Desire to Improve:
Most Defensive jobs are what you make it, you can sit on facebook and check the
box, or you can dig and go beyond alerts.
• Scripting:
Normally required for senior technical roles.
• Lots of Research:
It can often be hard to explain a network event using only pcap as a resource.
Staying up to date on the latest attacks and vulnerabilities is important.
• Tools: Tcpdump, Wireshark, Bro, Snort, SIEM Tools, Python, Windows/Linux, etc.

Hunt for the needle in the haystack...
26

When you first look at pcap...
27

Defensive Example: PCAP
28
• You leverage some tcpdump/bash Kung Fu to quickly summarize DNS.
• You notice a domain that looks legit, but is misspelled! Can you see it?

Defensive Example: PCAP
29
• You investigate this further and notice some odd parameters in the corresponding
HTTP traffic. What is interesting about the HTTP GET request below?

Practice
● We’ve created a CTF VM + Question and Answer guide to help expose you to
various hands-on security challenges.
30

Recap
● Stay up to date with latest news and trends (Twitter, RSS Feeds, Blogs, etc.)
● Build a lab
● Learn Python!
● Use Linux
● Research and participate in Capture the Flag (CTF) events / Vulnerable VMs
● Be aware of the free online resources for technical training
● Find a mentor
● Learn about job requirements for target job (skills, certifications, education, etc.)
● Develop a professional/InfoSec network (Twitter, LinkedIn, etc.)
● Start a personal blog
● Consider contributing to or starting an open source project
● Attend conferences or watch conference talks on YouTube
Find your passion...you’ll always go further if you really love the subject matter.
Some really enjoy hunting through pcap, others by getting shells. Figure out what
you like and sharpen those skills.
31

Useful Links
32
• Cybrary.it
• OWASP
• Pentesting Execution Standard (PTES)
• SANS ISC
• Vulnhub
• Pentester Lab
• Metasploit Unleashed
• IronGeek YouTube channel
• SecurityTube
• Jason Haddix How to Shot Web Talk
• How to be an InfoSec Geek Talk
• Pcap Resources:
http://www.netresec.com/?page=PcapFiles
http://contagiodump.blogspot.com/2013/08/deepend-research-list-of-malware-pcaps.html
• Malwr.com
• Dump of common InfoSec interview questions (isdpodcast)

Connect with Us
www.breakpoint-labs.com
info@breakpoint-labs.com
@0xcc_labs
33

How To Start Your InfoSec Career

More Related Content

What's hot

Similar to How To Start Your InfoSec Career

Recently uploaded

How To Start Your InfoSec Career