How I got started in Cyber Security | Getting my first job and How you can too..

“Hello friend, hello friend..? that’s lame.”

I recently got my first job as an Information Security Analyst. The path I took was a long and weary one. I believe everything I did can be done by anyone else who is interested, enthusiastic and passionate about cyber security. If you are still here, continue reading on.

Since I was a kid I thought “hacking” was those green letters flying on the screen, the hackers can take anyone’s money, be anyone and cause harm to institutions with just a few clicks on their keyboard. I wanted to be like them but it seemed that being a wizard was no ordinary man’s game, so I didn’t even try. I had this image till 2021, when suddenly I discovered a series called “Mr. Robot”. This depicted hacking at it’s truest and purest form. Only thing fictional about this show was how quickly he was able to hack anyone he wanted to. But from a TV series perspective it was understandable. Apart from this, all the tools, commands, methodology and even the mindset shown in this series was true and it really spoke to me. I remember searching on Google “How to be like Mr. Robot?”. I read lots of article since then, saw tons of YouTube videos and came to understand what I need to learn in order to get started. Let me explain everything I learned and how you can get started in Cyber Security from scratch.

1. Networking

— — — — — — — — — —

From understanding how all electrical devices communicate to being able to modify and harden your home router is the kind of knowledge you are looking for. You need to know all about the OSI Layer and how data is transmitted from one device to the next. Learn how IP addresses get assigned, how DHCP functions, how DNS is the phone book for the internet, what is HTTP and what are its different methods, request/response headers and status codes, etc. If you are passionate enough to search for resources, there are tons of them you can get online. Just pick any path and see that you finish it. Networking is one prerequisite that can not be skipped. You need to be confident in this that you can crack a medium level networking interview. Step 1 is done.

2. Operating System

— — — — — — — — — — — — — — —

Now this part is tricky. I didn’t learn all the theoretical concepts about OS (Even though I think it’s good to know). From my researches I learnt that Linux is a must have for hacking, so I removed my mental blockage and fear of screwing up my pc, completely wiped Windows and installed Ubuntu. This OS is quite good to get the feel of Linux and is also user friendly for beginners. Hands on was always welcome. I screwed up the pc many times, then learned how to fix the problem. My plan was to use this OS until I am good at it, then install Parrot OS or Kali Linux. Since 2021, I have been using Linux and while there are still many things to learn, I am confident enough to be a System Admin. You need to learn how to do everything from the Terminal. While it might look overwhelming at the beginning, it is really friendly after a few screw ups and some tutorials. I recommend reading a book, or you can also read/watch online lessons in Linux. Learn little bit of Bash scripting. Once you are comfortable moving through and getting your work done in Linux, you are good to go to the next step.

3. Programming

—— — — — — — — — — — —

Many people will claim that you don’t need to know coding in order to hack, but I think it is a bit misleading. While there are lots of different areas of hacking, I believe having programming knowledge is very important if you are serious about your journey. You don’t need to know all languages and write big complex codes in them, you just need to know one programming language by heart. Maybe two. Python is very good for scripting and making new tools and is also a great language for beginners as it is very high level, almost like the English language. Next you need to learn JavaScript (If Web Application hacking is your goal). If you are comfortable and want to learn more about languages, choose a compiling language (C, C++, GoLang, etc). This will help you to read other people’s code and make your own tools when you need them.

If you have already completed the above prerequisites, congratulations, you are one step closer. It took me some months finishing the above and in the meantime I got demotivated (a lot) thinking I still can’t “hack”. However, I didn’t know then that how much important these subjects are to get into cyber security.

Now, the next thing I did was build a dynamic Web Application. Full with account registration, image upload, comments, login/logout feature, etc; This helped me think like a developer and actually understand how web apps work. I said this was optional because many people might have different interests, like

1. Hardware Hacking
2. IoT Hacking
3. Android/IOS Hacking
4. Web Application Hacking
5. Network Hacking
6. Malware Development/Reverse Engineering
7. Forensics, Blue Teaming, etc

So you get that there are many fields to go into. I chose Web Application as the starting point as it is supposed to be the easiest among the others. Also, if you know web app hacking, android/ios hacking is also quite similar.

If you chose Web App hacking, I would recommend building a web application and deploying it (many free services are offered like Heroku, Netlify, etc). This will give you confidence in yourself, and also while learning and searching for cyber security jobs, you can get a job as a Web Developer. Completing this project will also help you apply all the knowledge you have been gathering so far. Learning how to make the app will also help you break the app.

“We’re building it up, to break it back down..”

Now you have everything you need to finally see some real action. I waited so long to get started and do hands-on, but it felt like learning the prerequisites phase will never end, but believe me it will; Only if you are passionate enough…

Another challenge I faced was that I always thought I don’t know enough to start hacking yet, I need to learn more. But this mindset just pushed me back a few months. Understand we are not supposed to know everything about everything. We must start with the knowledge we have so far and gain more as we go on.

Considering you also want to start Web Application Pentesting, here’s what you should do next.

1. Read the Web Application Hacker’s Handbook (2nd edition)

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

This book is more than a decade old but after reading it I understand why it is known as the “Bible of Web Application Hacking”. Written by the awesome creators of PortSwigger (they also created the legendary tool BurpSuite). They have immense knowledge in this field and will explain each and every thing used in web applications and how and where to find bugs in them in a very beginner friendly way. This book is little bit costly so you can download the pdf version for free, just search in google:

web application hacker’s handbook 2nd edition filetype:pdf

Once you get the pdf, you can either read directly from it, or print it (which I did because I love to read books) and it will save you lots of money. Once the book starts explaining each vulnerability types, I recommend you go to their website which is completely free web security academy and start digging deeper in each bug types. They also have online labs which you should complete.

2. Read the OWASP Testing Guide

— — — — — — — — — — — — — — — — — — —

Just search for the same in Google and read whichever is the latest one. At the time of writing they have finished writing v4.2. This book is not so beginner friendly so I would recommend you start this after reading the Web Application Hackers Handbook and completing some online PortSwigger Labs. Despite being a little bit hard to read, this book is written by OWASP, whom if you don’t know,

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security.

They also release the OWASP Top 10 vulnerabilities which is also a must know for every cyber security enthusiast out there. Coming back to our topic, this book will equip you with knowledge required to test some latest technologies and will also give you a methodology (cheat-sheet) of what to do step by step when you get a Web App to hack.

3. Enough is enough, now start playing CTFs

— — — — — — — — — — — — — — — — — — — — — — — — —

This is it. Before getting a job in this field, or starting bug bounty, you should play CTFs to master all the bug types and actually start hacking applications and owning machines online. Here are the list of websites that offer CTFs and I suggest you complete them in the order they appear:

1. Over The Wire: This CTFs are focused on solving problems in Linux machines and is a good starting point to test your Linux SysAdmin skills.
2. TryHackMe: This is a great online resource to read, learn, and apply your skills in CTFs. I recommend completing the rooms in order. First target the “Informational” rooms, then go to “Easy”, then “Medium” and so on.
3. HackTheBox: They offer a more realistic approach to hacking and labs are a bit tougher to solve. You usually get very little help from them while solving which mimics the real world. I absolutely love playing CTFs in HackTheBox and rooting machines and it has helped me a lot in learning more and has deepened my knowledge in cyber security. They also have an Academy section with tons of good resources.
4. Watch IppSec (YouTube): He is a genius when it comes to hacking. You can watch him play CTFs and solve problems, debug exploits and making every box his own. I absolutely love to listen to him and I learned a great great deal from him. His mindset, his methodologies, techniques and resources are all the thing you should completely absorb in order to be successful. Some other channels which helped me learn more are Farah Hawa, John Hammond, NahamSec.

Keep in mind, you also need to keep making notes throughout your journey. While reading books, playing CTFs, or even watching YouTube you are learning, and you need to write these down to retain these valuable knowledge and get back to them whenever you need. A note taking application I use is “CherryTree”. You can use any other application if you like.

It took me 3 years to finally land a job in my dream domain. I now hack Web Applications, do Network Penetration Testing, and Endpoint Audit for our clients and secure their infrastructure. It was a long journey (kind of like this article) but now everything I learned is finally paying off. You don’t need to practice this all for 3 years, just be consistent and start from today. Learn something new everyday and keep sharing knowledge.

Hope you liked it :)

Office