Broken Into Offensive Security

I feel a lot of advice about breaking into offensive security is broken. Based on my experiences, my advice has changed drastically over the years. I entered this industry without a degree, certifications, or on-paper experience. This post is also the result of mentoring countless people.

Types of broken advice

Broken advice comes in many forms, but some of it is actively counterproductive for the person receiving it.

Here is a list of things I don't think you should do:

  • Overwhelming people with a gigantic list of resources and books
  • Forgetting to ask which topic someone wants to focus on within offensive security
  • Failing to find out which learning style and path works best for them
  • Telling people to learn everything there is to know going back to 199x

Differences between security and offensive security

At this point in the evolution of security careers, it's essential to separate the advice given to someone who wants to break into security in general from the advice given to someone who wants to break into offensive security. The necessary steps, skills, and motivations can be vastly different. Security is a vast topic; offensive security applies specifically to breaking into computers, networks, and applications using hacking techniques and reporting the issues found.

Certifications, Education, Alphabet Soup

One of the first questions I get asked is whether or not certifications or degrees are necessary. The answer to "are they necessary?" is no, with myself as proof. However, focusing on the goal is more important than the paper you receive.

There's a wide range of goals in offensive security, such as:

  • Compromising computer systems, networks, and applications
  • Bypassing security measures put in place to stop attackers
  • Evading detection by security software and active threat hunters
  • Reaching objectives that are meaningful to the overall testing

Think about the experiences you will have and how the certification, training, or education will help you reach your goals and obtain your desired job.

Let's break down each one.

Certifications

Many jobs require a certification for the position. Certifications can be helpful when attempting to get past HR screening, so it's necessary to understand which types of jobs require them. Only some certifications provide valuable experience to go along with the piece of paper and the letters after your name, and those certifications are few and far between. Most certifications only teach conceptual knowledge. An example of a certification that will give you practical, hands-on skills is the OSCP (Offensive Security Certified Professional).

Degree

Degrees can be similarly helpful in getting past HR screening and, for some jobs, are required. Understanding which types of jobs require a degree, and whether those are the jobs you want, will help you with this decision. More importantly, focus on the skills you will gain while earning the degree. An example is a bachelor's in computer science: I notice that many people with this degree understand computer programming well.

Alphabet Soup

Alphabet Soup describes a person with many certificates and qualifications after their name or in their social media bio. It is entirely possible to collect all of these certifications while remaining unqualified to work in offensive security. Focus not on the number of credentials and qualifications you have but on the amount of hands-on, job-related skill you can bring to the role. Also, I've never met someone who thought having all these certifications after their name was important and was also an excellent offensive security candidate.

The critical takeaway is to choose the combination of educational paths that helps you reach your goal. In the end, you are the one who must have the skills necessary to succeed.

Below are a few scenarios with specific examples:

Scenario 1 - Certification/s

You have a few years of experience in operations (systems administration) and would like to transition to offensive security. You decide to take a certification like the OSCP, which will give you the practical, hands-on experience necessary to perform penetration testing. You combine this with your years of experience in networking and Active Directory.

Scenario 2 - Degree

You need to gain experience and want structured learning. You decide that a degree in computer science will help you discover your specialty area and will also give you a solid background in programming. You supplement it with personal research into offensive security and hands-on labs while you earn the degree.

Scenario 3 - None

You do not like structured learning or classroom environments. However, you have taught yourself how to solve Hack The Box challenges. You're willing to look for a job that will accept your learning style. You decide that building personal projects and posting content publicly will demonstrate the skills necessary to get a job.

Scenario 4 - Alphabet Soup

You have decided that having as many letters after your name as possible is essential to your success. You take all the expensive practice tests and nail the multiple choice exams that differ from the work you will do in offensive security. You've done it <insert_name> CISSP, CISM, Security+, Network+...You know what? Throw "Security Expert" in there...you've earned it. You make sure your terminal has matrix green text, and you can't figure out why everybody keeps calling you Joey.

Dev, Ops, and no background

A dev vs. ops background is the biggest differentiator in offensive security. Many people start this job with a development background, while others begin with an operations (systems administration) background. I find a much higher success rate among individuals who have been successful for several years in either development or operations. It is also possible to start without experience, but it makes the journey much harder. Beginning with no background leaves you grasping at straws with some of the most fundamental concepts.

It's entirely possible to prepare yourself for a job in offensive security with no prior technical experience. However, you will have to work harder to grasp basic technical concepts and apply them to offensive security. I recommend spending the first 3-6 months building a foundation in the technical concepts required by your planned study path. For example, if you plan to be a network penetration tester, spend this time familiarizing yourself with networking, protocols, and setting up networks.

Meetups and Conferences

I can't ever leave out meetups, because I got my first job on a Red Team by meeting my previous boss at a meetup. Attending conferences has also allowed me to meet many interesting people. I used to highly recommend going to conferences; now I learn very little from them. My own experience is a factor here, so I can't recommend conferences as an essential part of your strategy, and you may well be more successful than me at learning from them. You should, however, get out and meet people. If you want to work in offensive security, focus on the more technical conferences.

Practical vs. Conceptual

Balancing these two can be very important in the early stages of learning. You will fall short if you can perform hands-on tasks but lack conceptual understanding. Even worse is having too much conceptual knowledge but too little time with your hands on the keyboard. I have met people who can hack through networks but can't create a user in Active Directory. I have also known people who can use Burp Suite to test the heck out of web apps but can't explain the TCP three-way handshake. It's best to dive into practical, hands-on skills as soon as possible. Then, when you reach the point where you're having trouble understanding a topic, seek out the conceptual understanding necessary to see the bigger picture. Repeat this process for each topic where you need clarification or lack knowledge.

Immersion

Immersing yourself can be one of the most essential parts of breaking into offensive security. Immersion means regularly putting yourself in a position to take in concepts, terms, and ideas related to the topic. You can achieve this by listening to podcasts, watching videos, and reading chat logs. Over time this builds up your understanding of the topic as you both reinforce what you know and get introduced to a diverse set of ideas about it.

Specializing (What should I study?)

At this point, it's far too overwhelming to expect a newcomer to offensive security to have all of the historical knowledge. At one point, probably up until 2008, catching up may have been possible if you studied furiously. I have seen many individuals become far more successful by picking a single topic and sticking with it. Of course, along the way it's still important to learn something outside your area of expertise. If somebody asks me where to start, I tell them to first decide what they want to specialize in. Focusing on one topic helps you avoid getting overwhelmed and lets you review your options in bite-sized pieces you can reasonably handle.

Personal brand, Projects, Blog, and Social Media

Once you have decided to break into offensive security, you may ask, "Is it necessary to have a public profile?" You may see others with Twitter accounts with 50k followers and think that's important.

Let's break this down.

It is advantageous to work on your brand. However, it's not necessary. I suggest having fun if you choose to do this. If you want a hacker alias with a neat bio picture, by all means, do it. If this isn't your thing, don't do it. Last but not least, you should always be yourself.

Projects are an excellent way to display your abilities. For example, GitHub projects show you know how to use GitHub while also displaying your ability to program in one or more languages. Posting on a blog can show you have technical writing skills and demonstrate your ability to do various things related to offensive security. These are great for interviews and separate you from other candidates in terms of your level of passion for offensive security.

You don't need to have social media to break into offensive security. Some of the best offensive security people I know avoid it altogether. If you decide to do social media, I recommend you seek genuine interactions, not followers. Share what interests you and steer clear of the drama if possible. You can make great friends by being active on platforms like Twitter. However, participating in social media can be a huge distraction to your goals, so keep it in check.

Consulting vs. Corporate

Consulting vs. corporate is another divide that I believe deserves more discussion. These represent two very different types of jobs in offensive security.

Let me break down some of the key differences:

Consulting:

  • Tends to involve traveling
  • You may be subject to working alone more frequently
  • I have seen more research time in these roles
  • Expected to create public content on behalf of the company
  • Shorter time frames to get work done in some cases

Corporate:

  • Typically, less travel
  • Ability to work in teams more frequently
  • Often asked to show "impact"
  • Harder to publish public content on behalf of your company
  • More direct/constant interaction with your customers

Putting it all together

  • Do you want to work in offensive security? If yes, proceed
  • Choose your educational path:
    • Take into consideration your background and years of experience
    • Make sure to always consider your goals
    • Always use the path you feel works best for your learning style
  • Find local meetups or conferences in your area (Optional)
  • Listen to podcasts, watch videos, or read chat logs daily for immersion
  • Choose a specialty and give yourself 1-2 weeks on that topic to verify that you enjoy it
  • Make sure your plan matches the type of job you're seeking
  • Choose the level of public interaction that makes you comfortable
    • Projects are the highest priority
    • Have fun and be yourself on social media
    • Seek friends, not followers

Next Steps

The next part in this series is Privilege Escalation in your Offensive Security Career