I spent more than a decade practicing information security, and I often get asked how to get into infosec. Hopefully this guide can answer all your questions. I aim to make it as comprehensive and as practical as I can, and I hope you enjoy reading it.
For the most part, I highly recommend Eric Raymond's How To Become A Hacker article, so if by any chance you still haven't read it, go and read it first. Eric's article is a classic and its core concepts are still pretty relevant, but this post is meant to be a modern and practical guide for anyone who wants to get into information security in the modern era. Hopefully, it can be a one-stop reference for anyone interested in getting into infosec. We start with the general knowledge you need, and then we review the issues, events, books, tools, free resources, and careers that appeared in the infosec industry during the past decade.

As a beginner, the resources mentioned here are all you need to start, and if you are a professional, hopefully it helps you think about what's next and about shaping the future of the industry. This article only focuses on the offensive side of information security, as I'm not qualified in other information security domains. I find offensive security more fun and challenging; for instance, you can write a couple of lines of code which potentially break millions of lines of it. As an information security professional, there is some prerequisite general knowledge you have to gain.
Required knowledge - learning time: ~ 6-12 months
Now, if you have the required knowledge, it's time to talk about things that matter in today's industry. As a matter of fact, it's quite hard not to miss some information here, but I'll give you my best shot.
We start with the primary issues. These issues are the primary ways both ethical hackers and malicious actors use to break into a system. You need to be familiar with the basics of all primary issues, and then, depending on your favorite, deep dive into one or two of their core concepts.
Primary Security Issues - learning time: ~ 2-6 months each
As we mentioned, during the past decade various researchers and malicious actors discovered an enormous number of ways to attack systems. You may wonder why the list has only a few items. Well, any other attack is just a subset or combination of these primary issues, and these issues can be combined to introduce new and more dangerous attack vectors. For each primary issue, you can find related tools and resources right under it; instead of throwing random tools and resources at you, I handpicked the most notable ones. I don't explain how exactly each tool works because its authors can explain it better. So without further ado, let's dive into the first primary issue.
Human errors are reasonably the hardest issue to counter and defend against; it only takes an administrator or HR person who forgot his/her morning coffee clicking on a wrong link to compromise a whole organization. The idea behind this concept is deceiving someone inside an organization into letting the attacker or tester inside. Moreover, it still works, just like in Netflix movies. Defensive guys tried to counter this issue by creating the security awareness concept. From the intruder's perspective, it's still the cheapest and most effective attack vector. Malicious actors, in most cases, use this vector for the initial compromise. Phishing is the most noticeable and practical technique here.
Technically speaking, most remote software attacks are a subset of network attacks (remember the OSI model?), but here we only care about the network and data link layers (layer 3 and layer 2). ARP, MAC, and DHCP spoofing and VLAN hopping are the best-known techniques here. Testers usually combine these issues with cryptography attacks to make them more dangerous.
This one is not about gaining unauthorized access to a system but about preventing users from using a service. It can happen via traffic flooding or software errors. It gets a lot more dangerous when a service is making money per minute or second (banks, for example); think about how much a bank can lose when it is down for hours or even days. In some cases, actors use DoS just as a distraction.
This one is about attacking the application layer (layer 7), primarily the HTTP(S) protocol. Web attacks are the bug bounty hunters' favorite. Modern websites are crafted dynamically; they handle many inputs from the user, which causes many security issues. The best-known techniques here are injections, XSS, XXE, authentication and authorization flaws, server-side request forgery, cross-site request forgery, file inclusion, and most recently insecure deserialization. The vulnerabilities are usually discovered using web security scanners, source code auditing, and manual testing.
When it comes to mobile security, the issues in this category are usually just a subset or combination of other primary issues. Generally speaking, a lot of mobile apps are just a UI for a RESTful API, so in that case web attacks can be leveraged. Insecure backends, reversing, and insecure data storage/transmission are the most misused techniques here. Additionally, note that the mobile operating systems, Android (rooting) and iOS (jailbreaking), and the mobile network itself can also be targeted and compromised.
Well, code injection has its own dedicated category because it's broader than just web and mobile apps. For instance, SQL injection is the best-known subset of code injection (not to be confused with command injection): attackers inject SQL code (or a query) into the database either to gain more information or even to wipe the database entirely. Code injections are most often found in SQL, LDAP, NoSQL, XPath, and both backend and frontend programming languages.
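To make the SQL injection case concrete, here is an added example (not from the original post) that builds a constructed in-memory SQLite table and runs the same lookup once through string concatenation and once through a parameterized query, so you can see the tautology input match every row in the first and nothing in the second.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: two users in an in-memory database.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return con


def find_user_vulnerable(con: sqlite3.Connection, name: str) -> list:
    # Defect kept on purpose: user input is spliced into the SQL text, so the
    # input can change the structure of the query, not just the value compared.
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(query).fetchall()


def find_user_safe(con: sqlite3.Connection, name: str) -> list:
    # Hardened form: the driver sends the value separately from the SQL text,
    # so whatever the user types is only ever treated as data.
    query = "SELECT name, email FROM users WHERE name = ?"
    return con.execute(query, (name,)).fetchall()


def demo() -> dict:
    con = make_db()
    # Textbook tautology input: in the vulnerable version the WHERE clause
    # becomes name = '' OR '1'='1', which is true for every row.
    injected = "' OR '1'='1"
    return {
        "vulnerable_normal": find_user_vulnerable(con, "alice"),
        "vulnerable_injected": find_user_vulnerable(con, injected),
        "safe_normal": find_user_safe(con, "alice"),
        "safe_injected": find_user_safe(con, injected),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```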
This issue is rooted in a design issue of older programming languages like C/C++: these languages by design let you manage memory unsafely. In (over)simplified terms, attackers abuse this design feature by reading/writing memory they shouldn't, and many times they end up controlling CPU registers, the most notable being the instruction pointer register (IP/EIP/RIP). Buffer overflow (heap/stack), dangling pointers (use-after-free), pointer arithmetic, type confusion, and format strings are the best-known issues, and return-oriented programming, heap spraying/grooming, data overwrite, and return-to-libc are the most used exploitation techniques here. The vulnerabilities within this category are usually discovered using fuzzing and source code auditing.
When it comes to IoT and smart devices, we showed the world we can take a significant step backward in security and make them vulnerable as f*ck. They are usually created using various components such as a minimal *nix OS and a web interface, so both memory attacks and web attacks from the previous categories are relevant here, except that they usually don't include the latest protections. The other main difference is the architecture: they mostly use MIPS and ARM. Default credentials and backdoors are still a thing when it comes to IoT.
Sensitive data like passwords shouldn't be stored in plaintext (we still do); that's why we hash and encrypt data, but the encryption algorithm or the way it's implemented can be vulnerable. The most noticeable techniques here are brute force, weak algorithms, downgrade attacks, padding oracles, and password cracking. During the past years, researchers found various ways, like using GPUs, to speed up the cracking process.
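As an added example (not from the original post), the following compares the two password storage choices this paragraph hints at: an unsalted fast hash, which a single precomputed table cracks for every user at once, and a salted, deliberately slow PBKDF2-HMAC-SHA256 record checked in constant time. The wordlist and passwords are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample wordlist; stands in for a real dictionary.
WORDLIST = ["password", "letmein", "qwerty", "summer2019", "hunter2"]

StrongRecord = Tuple[bytes, bytes, int]  # (salt, digest, iterations)


def store_weak(password: str) -> str:
    # Weak scheme: unsalted, fast hash. Equal passwords give equal hashes,
    # so one precomputed table covers every user in the database.
    return hashlib.md5(password.encode()).hexdigest()


def crack_weak(stored_hex: str, wordlist) -> Optional[str]:
    # Defender's check: build the table once, recover with a single lookup.
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return table.get(stored_hex)


def store_strong(password: str, iterations: int = 200_000) -> StrongRecord:
    # Hardened scheme: per-user random salt and a slow key derivation function.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest, iterations


def verify_strong(password: str, record: StrongRecord) -> bool:
    salt, digest, iterations = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, digest)


def guesses_to_crack_strong(record: StrongRecord, wordlist) -> int:
    # The salt defeats shared tables, so every guess costs a full slow KDF run
    # per user. Returns how many KDF runs were needed (0 if not in the wordlist).
    for n, w in enumerate(wordlist, start=1):
        if verify_strong(w, record):
            return n
    return 0
```

Note that the slow KDF only raises the cost per guess; a password that is in the wordlist is still recovered, which is why the salt and iteration count protect the database as a whole, not a single weak password.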
Malware has been a massive problem from the beginning of computers, simply because there is no way we can stop a programming language from being abused. Malware uses an enormous number of techniques to evade modern and classic endpoint protections. Anti-virus companies, despite their incredible efforts, failed miserably to protect users, and that's why they know it's time to create a new generation of their products. The best-known types are worms, spyware, ransomware, bots, keyloggers, rootkits, bootkits, backdoors, and RATs. As an infosec professional, you shouldn't write malware! However, you should be familiar with their techniques. The best-known techniques are persistence, process injection, obfuscation, anti-analysis, process hollowing, and environment detection.
Another massive issue, which is about the ways malicious actors and cybercriminals make money. Again, despite marvelous efforts, we failed miserably to protect users. However, unlike with anti-virus software, the issue with this one is rooted in the monopoly on payment gateways held by major banks, credit card companies, and financial giants, and the monopoly on other services like personal e-mail held by tech giants. These issues can't get fixed by technical guys alone; they need fundamental changes. As an information security professional, you usually shouldn't be involved with this category, but again you should be familiar with the terms. The best-known techniques here are faking social data, click fraud, blackhat SEO, mass mailing, identity theft, carding, and skimming.
But you may ask, if it's that simple, why didn't we eliminate it yet? Because it's easier said than done. The codebase of a lot of existing software goes back ages. Re-designing and re-writing all the existing software in the world is quite challenging. So defensive guys tackled this issue by adding various mitigations (firewalls, memory protections, sandboxes, WAFs, and so on), which increase attack costs dramatically, but the core issue remains, and that's why attacks and techniques from a decade ago still actually work. I believe that at least for the next few years inadequate data validation remains the primary way to attack various software systems, unless we find a fast and generic layer to validate all data in all software without re-writing it. :)
Learning Resources - Learn smarter not harder
Now you might be wondering how and where you can learn more about the primary issues. Well, you have to read a lot and practice a lot. This section will help you find the best books, tools, and websites that you may use for your daily tasks.
As a professional, it's good to get familiar with all the primary issues, but deep dive and focus on only one or two areas at a time, or expect to fail just like anti-viruses, IoT security, and fraud protection ;)
These books are carefully picked and categorized. There are hundreds of related books out there, but these are the origin of the primary issues and their concepts.
One of the best things that happened in the industry is the infosec conferences, where you can learn about trends and recent developments in techniques and the industry. The most notable (offensive) ones are: Usenix, Blackhat, Defcon, CanSecWest, Hack In The Box, ZeroNights, DeepSec, BruCON, Ekoparty, Power Of Community, Infiltrate, Nullcon.
The good thing is, usually they release the materials very fast. Some even post them during the event, so if you can't attend, you can still read the materials for free. Awesome! But on the other hand, in my opinion, they are less novel and technical and more commercial each year, so the concepts are becoming repetitive. As an infosec professional, you should track and follow the trends in your favorite area.
Free tools and websites
Just like books, there are hundreds (if not thousands) of tools and websites out there, and we already linked the essential resources and tools related to each primary issue. So here I try to list multi-purpose sites and tools which you can still use no matter which specialized career path you choose.
| Website | Description |
|---|---|
| Phrack.org | The origin of many original ideas. I wish it continues forever. |
| Twitter.com | The most solid infosec community. |
| OWASP.org | The best web security resource. |
| CVE.mitre.org | Common Vulnerabilities and Exposures. |
| Packetstormsecurity.com | Global security resource. |

| Tool | Description |
|---|---|
| Python | If there is no tool for your need, build it yourself in a few lines. |
| Kali Linux | All-in-one Linux distro for infosec professionals. |
| Metasploit | General-purpose security framework. |
| Burp Suite | Web security Swiss army knife. |
| IDA Free | One-stop reverse engineering suite. |
| Nmap | The network scanner. |
| Wireshark | When there is a packet, there is Wireshark. |
| Bettercap | Network security Swiss army knife. |
Careers - Build your future
Last but not least, let's talk about careers. In the end, if you are not making a living out of it, you can't be considered a professional. We are going to talk about career paths you may consider and also relate each job to its primary security issues and resources. Please note we only list offensive-related occupations here. In the modern tech world, just like in any other job, you have options. You can work as an employee, a freelancer, or even an entrepreneur (my wish!). I can't tell you which one is the best because there is no best. It's all about your preferences and personality and also how good you are at what you do. So if you are excellent in any area, you can expect to make more than enough money.
Before jumping into career paths, there is one last thing I'd like to talk about: bug bounty and vulnerability acquisition programs. Historically speaking, as far as I'm aware, it was started by iDefense and followed by the Mozilla Firefox bug bounty, Facebook, the Zero Day Initiative (Pwn2Own), Chrome, SSD-disclosure, Vupen, Hackerone, Synack, Zerodium, Bugcrowd, Apple, Microsoft, Coseinc, and Crowdfense. The initial idea behind all of them is merely outsourcing vulnerability research, just like freelance development. Researchers find security issues (and write exploits) and sell them to the vendor (best case) or a third party (worst case) to patch and protect (or exploit!) users. Notably, Google Project Zero researchers have had a significant impact on today's zero-day market.
In recent years bounty payouts look definitely more appropriate, but when selling exploits to third parties, there is a huge ethical dilemma you need to consider. Think about what will happen to your exploit after you sell it to a third party before the vendor gets a chance to patch it. Will it be used to catch a criminal or just a poor soul with a different ideology? You shall never know.
Currently, the most popular areas in terms of market demand are web and mobile apps, and the good news is that they have a smoother learning curve compared to other categories like binary exploitation and malware reversing. So once you choose a primary issue to work on, jump into its related book section, buy the book, and start reading it. Don't worry about some books being old or outdated; as I mentioned, for the time being the core concepts are still relevant. (#IC) = issue category. (#BC) = book category.
Bug bounty hunter path
Responsibility: you spend most of your time finding external assets and testing web applications, APIs, and mobile apps. You report any issue you find right after finding it. You get paid per valid/unique issue you've reported.
Pros: #NoMoreFreeBugs. You don't work (and shouldn't) for free for multi-billion dollar companies. You have the freedom to work from anywhere at any time, and you can focus on any target you like. Another very positive point is that you can practice your newly learned skills without breaking any laws.
Cons: just like any other freelance work, there are risks involved; especially at the beginning, you may not make enough money to live on. Just like other freelance jobs, you have to compete with a lot of other players. But in bug bounties, unlike freelance programming, there is no guaranteed job, and there are also duplicates. It means the first reporter gets paid and you get, well, in most cases, NOTHING!
Penetration tester/red teamer path
Responsibility: you test assets within your targets or target organization daily. You have to spend a massive chunk of your time writing reports. You get paid monthly or per project.
Pros: stable job and so many jobs available. I recommend this path if you are landing your first job because you can learn various skills.
Cons: it might get annoying if you have to test some assets over and over again.
Employers: startups, any company with an internal security team.
Vulnerability researcher, exploit developer path
Responsibility: you set up/write fuzzers and also reverse and audit your target code. Once you find a crash/bug, you validate it as a security vulnerability and later try to write an exploit for it. You get paid per bug/exploit or monthly. In some cases, you might be asked to develop an exploit for an existing vulnerability, also known as a one-day exploit.
Employer: Governments, offensive security companies, yourself.
Pros: You look 1337 and payouts in case of enterprise software are big.
Malware analyst path
Responsibility: you spend most of your time inside debuggers, disassemblers, and virtual machines. You may end up married to IDA Pro. Crafting signatures, reversing new malware variations, improving detection, and writing reports are part of your daily job. You most likely get paid monthly, but you may also get paid case by case.
Pros: you are directly fighting bad guys and criminals.
Cons: fewer jobs available and a steep learning curve.
Employer: Anti-Virus companies, enterprises with malware incident teams.
Fraud analyst path
Responsibility: your job is mainly to track and monitor transactions to identify fraudulent ones and flag them. Another duty is updating your fraud detection systems. You get paid monthly.
Pros: just like with malware, you are fighting against thieves and criminals, and you get to investigate people and transactions just like Sherlock Holmes.
Cons: fewer jobs available and a steep learning curve due to the variety of internet frauds.
Employer: Banks, financial sectors, payment gateways.
Note that these jobs are not the only possibilities. Also, different companies may need a different skillset or combination of these skillsets, in which case make sure they pay you generously.
Conclusion - Now it's your turn
Nowadays information security is considered one of the world's best careers, which unfortunately made some of us arrogant douchebags instead of being thankful for the luxury the community and technology bring us. Yet I still couldn't find any other community with this amount of love, enthusiasm, intelligence, and creativity; that's why I love infosec! I spent days preparing this for you, so if you find it useful, you may consider sharing it or buying me a coffee. Also, if you have any questions, do not hesitate to contact me or comment below.
That's it, folks.