Privilege Escalation in your Offensive Security Career

If you go to any search engine and type in "breaking into offensive security" or "how to get started in offensive security," you will find pages and pages of results. However, you rarely see articles about improving your skills once you become employed in offensive security. I felt stuck at intermediate for many years. I wasn't a lousy penetration tester, but I lacked some habits and direction that would allow me to advance any further. Over the past few years, I've learned techniques that have greatly improved my personal and professional development. These can also help you balance your life, avoid burnout, and overall help you get more done in less time.

Previous post in this series

Scope limiting

There was a time when I would read any content that contained even one of a long list of words related to offensive security. Consuming this much content became a damaging habit as offensive security became a vast and extensive topic. I realized I was finishing a never-ending list of content while hoarding information I would never use. The bottom line is 95% of what I read was never applied. I was operating in a FIFO (First In, First Out) pattern that wasn't helping me improve. The fact that no penetration tester ever wants to miss an issue caused the previously mentioned habit. Therefore, constant consumption of new techniques must be the answer, right? Wrong. I discovered this was a bad and truly pointless habit. Limiting the scope of what I consumed through blog posts, videos, and Twitter turned out to be the fix.

  • 95% of what you consume gets mentally thrown out
  • Avoid getting sidetracked by offensive security words
  • Understand your brain buffer (First In, First Out)

Study to meet objectives or for pure interest

After limiting the scope to topics I was actively engaged in or needed improvement, I realized I still needed more direction. It's essential to understand the reason why you're studying a topic. Are you meeting an objective? Or just constantly consuming without a goal? To become a more skilled penetration tester, you must be intentional about skills improvement. Solving this problem occurred when I created a study board where each item measures an objective I'm trying to achieve. Sure, I still get sidetracked by exciting topics, but by ensuring at least 80% of your studying has an aim in mind, you can improve significantly faster.

  • Plan for objectives; not every possible scenario
  • Avoiding endless study cycles
  • You can also study topics that interest you

Focus on one, maybe two areas of related focus

Admittedly, this was tricky to achieve because I was, and still am, very much a generalist. Being a generalist is the direct result of systems administration-type work where you must know a little about many things. However, as time passed, I realized the downfall of context-switching nonstop. Spending 2-4 weeks on the same topic allowed me to get the depth I needed. Staying focused allowed me to do hands-on activities to solidify and document my knowledge. Once I got this process down, I could simultaneously study a secondary topic. I'm still exploring how far I can take this process, but I've seen significant improvement in retaining and applying knowledge to my everyday work.

  • Focus on the same topic for at least 2-4 weeks
  • Avoid rapid context switching

Balance to avoid burnout

Originally my way of doing practically all studying was constant and unorganized. I was worried I couldn't get enough done if I did not actively study all the time. However, spending a short amount of dedicated time per week on a topic would make me much more proficient. I began studying only a few planned times weekly and discovered I was more effective than when constantly in study mode. How is this possible? Because I could let my mind rest when I wasn't focused and had a clear understanding of my goals when I did plan to study. I could also plan extended breaks without worrying about returning to my never-ending study patterns.

  • Plan work
  • Plan breaks, etc.

Be X person and let others be Y person

In the past few years, offensive security has indeed grown. It's no longer feasible to be knowledgeable in every topic. It's excellent to be the go-to person for one subject and let another person be the go-to person for another matter. Learning this habit was truly difficult for me. However, the more advanced your team becomes, the more this becomes a factor. You must be proficient in at least one topic to advance your career. The one-person army mentality can become a significant hindrance later in your career as you discover you're knowledgeable on many topics but not enough to rely upon 100% for all support in that area.

  • Let go of the "one-person army" mentality
  • Understand what role you plan to own on your team

Follow your path

It can be a trap to look at all the incredible research you see online and believe that, cumulatively, this is how your career has to go. Letting others' passion drive your direction was a limiting mindset for me early on. I tried many times to fit into the mold the offensive security community set forth. Still, I kept falling short as other paths generated a different amount of passion for me. I discovered the motivation and fulfillment I was looking for when I chose my path. Choosing my path allowed me to decide what I would bring to the offensive security field. Letting go of comparing myself to others and the industry helped me solve this problem.

  • Follow your path
  • Let go of what you think you need to be
  • Become who you want to be

Embrace where you are right now

There was a time when I had a firm opinion about what I should be doing as a Red Teamer. Rigid beliefs caused me to neglect the opportunities to leverage what was right in front of me for learning purposes. Frequently, while employed, we have access to technologies, training, and people that will make us much more well-rounded and better penetration testers. While wasting time fighting what I thought shouldn't be part of my job, I missed learning opportunities. My advice is to embrace the learning opportunities right in front of you entirely. Don't let the idea of your perfect job hold you back from learning everything you possibly can from your current role.

  • Leverage what's in front of you

Formal vs. informal study

I completely underestimated the value of taking a course or reading a book. I have always been a very informal studier. Whenever I wanted to learn a new topic, I searched the internet for every blog post, video, and Tweet I felt would help. However, I came to realize the time savings I could achieve for a small cost. Taking courses also allowed me to plan to study much more easily, as the information was measured and ordered. It would help if you always balanced the positives and negatives of each, but in most cases, I'm starting to find that, with a busy schedule, seeking formal content is much more suited for improving myself.

  • Having everything collected in one place (formal)
  • Collecting the data on your own (informal)

Next Steps

The next part in this series is Maximum Compromise in your Offensive Security Career