This document spawned an entire website. Check it out at: DFIRmadness.com. We have labs, articles and resources like this! See you over there.
"Mastering the basics will make you exceptional."
Master the basics and then specialize to be an invaluable asset to your team.
To start, or level up, a career in Information Security (aka Cyber Security) you need to be proficient in five key areas of technical skills. You don't have to master each one of them, but you need to have a good understanding of them. Whether you want to go offense or defense you will need to be functional in these five areas:
- General Computing
- Computer Networking
- Scripting and Programming
- Linux / MacOS
- Windows
Note: I did not come up with the 5 pillars idea on my own. I believe I heard this originally during a conference call with someone from SANS (the CyberStart program). I am not entirely sure of that, or whether the 5 above are the original 5 laid out. I do remember hearing the 5 areas (or close to these) laid out and it immediately fit into my belief system of mastering the basics to become exceptional. That idea was hammered home during a good butt chewing delivered during Special Forces training where the instructor told us between flutter kicks and sprints, "We look special because we master the basics". I have applied this to every complex task I have learned, from flying helicopters to hacking, and it has served me well.
Don't be scared! While you won't learn it all overnight, you only need the fundamentals.
If you want to excel in this industry you must also love learning. While it takes a lot of dedication, a healthy balance is key. Make sure your family and friends get time with you, and that you make time for hobbies you love.
Correct. These are the fundamentals that both defense and offense require! More focused security paths are added to the second section of this document. Build the foundation and then the house.
The cert farms that tell you A+, Net+, Sec+ and CEH in 6 weeks will get you a career are stealing your money. Certs are important and you will need some most likely, but you DO NOT need 5 in 5 weeks or 5 in 5 months.
You do not need a degree in cyber security. You do not need a degree in cyber security. If you just have to get a degree, get it in Computer Science. There is sadly an overwhelming number of people with Cyber Security degrees who do not know their way around a keyboard and only know academic theory... they can only talk the talk without being able to walk the walk. Most degree programs do not provide nearly enough hands-on fundamentals to set someone up for success.
There is no typical career path currently. Some of the best Cyber Security Pros were musicians prior! If you have the talent and drive you can work your way in. That said, a good path would be something like this:
IT Help Desk -> Systems Administrator -> Security Admin -> Specialized Security Role
You can absolutely skip right into security but you will have to study hard and practice a lot of labs that ensure you really have the 5 Pillars well cemented.
Before you start: Perhaps Penetration Testing is all that interests you, or "catching bad guys" is the only thing you want in life. Remember that learning both sides of the force will benefit you. The better your understanding of defense, the more lethal you can be on offense. There are probably 10 Blue (defense) jobs to every Red (offense) job. There are a lot of fun jobs outside of Penetration Testing. That said, Penetration Testing is a blast and is addicting. It is also a lot of work and not simply pwning networks and dropping mics.
Now on to the document...
This document is a path forward for new, and experienced, cyber professionals toward obtaining a concrete foundation of knowledge to enable them for success in the industry. Mastering the basics of each functional area is required to operate on a cyber team (or alone) in a meaningful and effective way. A lack of fundamentals in any one pillar can quickly render a team member ineffective during dynamic and rapidly evolving situations. Conversely, no one person on the team should be, or can be, a cyber unicorn.
Ideally, everyone will have a specialty they excel at in addition to a solid baseline in the fundamentals. It should not be expected that everyone completely master each pillar. The intent is to master the fundamentals. The fundamentals are simply primal blocks of knowledge of each topic; somewhere between the absolute basics and intermediate. As an example, a team member should understand: subnetting, routing, internetworking, the OSI model, packet capture, DNS and analysis basics. This does not mean they need to be a Cisco network engineer with a CCNA.
Layout of the document (roughly):
- Fundamentals and getting started
- Lab Set Up Advice
- Security Focused Training and Immersion
- Security Career Pathways
whoami
Twitter: @DFIRmadness
- Veteran
- Former pilot
- Senior Information Security Professional
- Perpetual n00b (always learning)
- Adjunct Professor
- Aspiring SANS Instructor
I have seen folks in multiple industries who would be rockstars if they had a solid mastery of all the basics and were not simply pigeonholed into one niche of the field.
As you dive into security you should start with good security practices.
- Don't pirate software.
- Always have your Admin Account separate from your daily driver account.
- Never click a link you didn't ask for.
- Never use a free VPN (OK - except maybe Proton's).
- Always check executables and files from others at virustotal.com.
- Use time based multi-factor on critical accounts like e-mail.
- Use a password manager and have unique passwords for everything.
- Use passphrases when able. Example: 1DeerCloudSubmarine91* (see the XKCD Password Generator).
You do not need a $3000 Gaming Laptop or a Desktop with 2 GPUs and a 10 TB SSD. This is completely based on your budget. You can get away with a $500 laptop if needed. I will explain.
Level | Explanation |
---|---|
Good ($500) | A computer capable of web browsing and reading books. Seriously. The trade-off is you will need to pay for web accessible labs versus building a small virtualized environment. |
Better ($1100ish) | A laptop capable of building a small lab of 2-3 Virtual Machines. Something like an i7, 16 Gigs of RAM and 500 Gigs of storage. |
Best | The sky is the limit. Something capable of cracking passwords decently (read a mid tier GPU), i9, 32 Gigs, and 1 TB storage. |
Note: A GPU is mentioned for password cracking. You absolutely DO NOT NEED ONE to learn or level up cyber security. Keep in mind this document is about learning and labs you encounter will be geared towards this anyhow. You get the same training value in cracking a simple password with your CPU as you do with letting a GPU pound on a hash for 2 weeks.
- General Computing
- Computer Networking
- Programming and Scripting
- Windows
- Linux
The following are key skill sets within each pillar. It is not an exhaustive list.
Pillar aka Functional Area | Skills |
---|---|
General Computing (Basic Computer Science) | Hardware Components: Science: |
Networking | |
Programming and Scripting | |
Windows | |
Linux | |
Yes. That is a lot. First, to be good in this industry you will want to be familiar with each of these things and beyond. You will not learn it all overnight nor should you try. Just refer back to this often as a guide. Be patient. Enjoy the journey.
The following are goals to shoot for in each area. If you can meet each of these you will be a competent professional ready to shine at interviews and be an asset to any team you join.
Pillar aka Functional Area | Skills |
---|---|
General Computing (Basic Computer Science) | Explain the difference between something being stored in memory vs. something stored on disk. Explain the basics of process injection. Explain the difference between killing a thread and killing a process. |
Networking | Using all 7 layers of the OSI model, explain how a piece of information flows from your computer to google.com and back when you type `ping google.com`. |
Programming and Scripting | Be able to write a basic script to automate a simple task; and be able to read and understand the overall idea of what someone else’s script is attempting to do. |
Windows | Be able to explain the function of the registry, the UAC, and tokens. Be able to maneuver the OS with command line only and look for network connections and their related processes. Possess basic PowerShell (a.k.a. PoSh) abilities. |
Linux | Be able to explain sudo, the shadow and passwd files, user groups and proper installation and maintenance of software (repos). Be able to maneuver the OS with command line only and look for network connections and their related processes. |
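As an added example of the Linux and scripting goals above (this is not code from the original document), the script below reads the Linux `/proc/net/tcp` table, decodes its hex-encoded addresses and state codes, and maps each socket to the process holding it by walking `/proc/<pid>/fd`. The sample rows embedded in it are constructed so the parser can be exercised without root or a live box; the function names are my own, and the address decoding assumes a little-endian host (x86), which is how the kernel prints these values there.

```python
"""Map TCP sockets to their owning processes on Linux (added example, not
from the original document). /proc/net/tcp rows carry little-endian hex
addresses, a state code and a socket inode; /proc/<pid>/fd symlinks point at
"socket:[inode]", which is how the kernel lets you tie the two together."""
import os
import socket
import struct

# TCP state codes as the kernel numbers them (include/net/tcp_states.h)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

def decode_endpoint(hex_endpoint):
    """'0100007F:0016' -> ('127.0.0.1', 22). On a little-endian host the
    address word prints byte-reversed, so repack it before inet_ntoa."""
    addr_hex, port_hex = hex_endpoint.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of socket dicts."""
    sockets = []
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) < 10:                # malformed or truncated row
            continue
        laddr, lport = decode_endpoint(fields[1])
        raddr, rport = decode_endpoint(fields[2])
        sockets.append({
            "local": f"{laddr}:{lport}",
            "remote": f"{raddr}:{rport}",
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return sockets

def inode_to_process(inode, proc_root="/proc"):
    """Return (pid, comm) for the process whose fd table holds socket:[inode],
    or None. Reading other users' fd directories needs root; entries that
    cannot be read are skipped, so an unprivileged run gives a partial view."""
    target = f"socket:[{inode}]"
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        return int(pid), f.read().strip()
        except OSError:
            continue
    return None

# Constructed sample rows: a listener on 0.0.0.0:22 owned by uid 0, and an
# outbound connection 192.168.1.10:45678 -> 203.0.113.5:443 owned by uid 1000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:B26E 057100CB:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 67890 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:    # live table when run on Linux
            text = f.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP        # fall back to the constructed sample
    for s in parse_proc_net_tcp(text):
        owner = inode_to_process(s["inode"])
        print(f'{s["state"]:<12} {s["local"]:<22} {s["remote"]:<22} '
              f'uid={s["uid"]} owner={owner}')
```

Run it as root on a Linux box to see every socket paired with its process; run it unprivileged and the `owner` column shows `None` for sockets you cannot inspect, which is itself a useful reminder of why investigators collect this data with elevated rights. Comparing its output against `ss -tnp` is a good way to check your understanding of both the file format and the tool.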
Remember you have to know how things work to exploit them. You have to know what right looks like to find the gaps in security.
These goals above are a good measure of when you are ready to deep dive into a specific security path of learning (and of course have fun and sprinkle in security lessons along the way).
Certifications are a necessity in this industry. They are far more valuable than a college degree. That said, don't be a paper tiger with a list of certifications and no idea what you are actually doing. Also, do not fall for the cert farm trap. These are the companies that promise you a career is only 5 weeks (or even a few months) away, and that for $20K they will get you there by ramrodding you through A+, Net+, Sec+, and CEH. They are practically stealing your money. If you find a place that will teach you essentially the fundamentals laid out here, ask to talk to alumni and ensure the instructors are actual industry professionals.
There will be certs listed in this document at times. For general studies, understand that most of the certs mentioned are just great bodies of knowledge to get materials from; the cert itself is not necessary.
GSEC or Sec+.
NOT A+. Friends don't let friends actually get the A+ cert.
GSEC or Sec+: If you live around a lot of Department of Defense facilities that are hiring, there is a set of requirements known as 8570. You will basically need GSEC or Security+ for anyone to touch you during the hiring process. SANS GSEC is the recommended cert here. It is much more expensive to go through the course but well worth it.
CEH: Certified Ethical Hacker does not make you a penetration tester and doesn't go very far outside of DoD circles. For the same price you can get the course material for Penetration Testing with Kali Linux from Offensive Security. Even if you can't pass the OSCP challenge the material and labs are well worth the $800 or so - certainly more so than CEH.
The trick when you are first starting out is to find an employer willing to pay for the certs you need or want. Get it in writing. If you can't, then understand that paying for an initial cert or two to get a job is an investment that will almost certainly have great returns.
Now may be a good time to think about how you approach learning this mountain of information. See "How to Learn Anything... Fast" by Josh Kaufman.
- Start free and cheap to see if you like it. You may find it isn't for you.
- While studying the five functional areas, ensure you are getting hands on keyboard and not just your nose in a book. Do both! Also, sprinkle in security lessons along with your general studies. Try to rotate through the five continuously so you are leveling up in them all somewhat evenly. Of course, you can do it in a serial fashion (in order, one through five) if you want. However, these skills are perishable. This means if you go through in order and haven't touched networking in 5 months (or 2 books ago) it is going to be rusty and you will have to relearn it!!!
- Try and have fun!
- Keep an eye out for things you think you may be passionate about! You will want to specialize later on.
Hack and Detect: Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics
The book to start with: Hack and Detect! by Nik Alleyne. This book can be purchased or viewed free with a Kindle Unlimited account. This book can't be recommended enough for beginners and experienced folks alike. It is amazing in its presentation of both offense and defense methodologies, with breakdowns and explanations of each and every command. This is a great book to sprinkle in along with the 5 pillars studies. Consider it the quick start guide into security.
The Cyber Mentor: hands down one of the first people you should start watching as you build your skill sets. He focuses on Penetration Testing. He, along with the community he has created in Discord etc., will be a great place to find motivation, knowledge and support. Even if you want to go blue side / forensics etc., you will need an understanding of how people penetrating networks move through them, and he does a superb job of teaching and explaining.
These resources will have materials for all or multiple pillars.
- Safari Books Online - Free for military members and families.
- Humble Bundle Books - They often (every few weeks) have cheap (12 dollars) bundles of books.
- packtpub daily free book giveaway - Free IT and Security books given away daily! Some really good ones on occasion.
- ITPro.tv is one of the best resources out there if you can afford it. They have tiered pricing models that start as low as $30 bucks a month! That is a crazy cheap investment to get into a career with the potential to get you to between 65K and 100K+ annually. This is the first item on the list that you are required to pay for if you choose to use them. They have current, and constantly updated, video series on everything in the five pillars and beyond. Additionally, they offer virtual labs you can remote into with step by step guides, test question banks and more. It's an amazing resource.
- CBT Nuggets - A direct competitor with ITPro.tv. They have comparable pricing, virtual labs and really good instructional videos. Their video library does not seem as extensive as that of ITPro.tv.
- Professor Messer - Another solid instructor that gives A LOT for free. The community there is also a great resource to connect to. He sells "notes" for 10 bucks a piece for each cert that are great overviews and resources to keep in your kit bag.
- Computerphile - An epic YouTube channel of PhDs explaining computer science and security concepts.
- Twitter - Later there will be a list of people to follow, but essentially you can get started with #infosec and #dfir and start a daily ingest of what is going on in the community. Immerse yourself!
There are so many more amazing people and channels that I will list in the Security Specific Section later.
A Quick Table. Certs listed here are only pointers to good sources of learning material. In most cases the first few chapters are probably what you need and then specific topic lookups.
Pillar | Resources |
---|---|
General Computing (Basic Computer Science) | |
Networking | |
Programming and Scripting | |
Windows | |
Linux | Recommended Linux Distro to Start With is: Ubuntu |
There are two approaches to having a lab environment:
- Local
- Remote
A local lab is built either on your laptop or a home built server. Again, budget dependent. Building a local lab is actually pretty easy and the process alone will teach you quite a bit. The world is using a lot of virtualized systems and networks. Any progress in learning you make here will be a win either way.
To build a local lab on your laptop you will need either of the following pieces of software (yes, there are many more, but these are the main staples and finding walkthroughs and tutorials for them is easy):
- (Paid) VMware Workstation Pro or VMware Fusion for MacOS
- (Free) VirtualBox
Sadly, you get what you pay for here. While VirtualBox works fine enough it is certainly no VMware. You will save hours of troubleshooting and workarounds with VMware. It is expensive. Though it's probably a legal gray area, you can find keys for cheap on E-Bay. The Cyber Mentor's Active Directory Hacking Lab is a good crash course on setting up a security lab. There are a ton of YouTube walkthroughs and blogs on how to do this. More will be added here in the future.
A well outfitted local cyber range that can run on a laptop may look something like this:
Subnet | Hosts |
---|---|
Internal | |
External | |
The Kali machine can be moved into the Internal Subnet for "Internal Pentesting" etc.
Vuln Hub - A collection of vulnerable virtual machines for your home lab, given away for free, and including a lot of awesome walk-throughs to learn from.
Vuln Hub's Guide to Building A Lab - A guided tour on building a home pentesting lab.
Another great resource is lab networks set up and maintained for you to VPN into and go after vulnerable servers or follow along with exercises.
Hack The Box - One of the most popular pentesting lab environments. In addition, they have forensics challenges etc. with stand alone files. The community can be very welcoming and educational. You have to hack your way in to get a membership. Just follow their directions and have fun! They have free and paid tier memberships. Paid memberships are something like 12 bucks a month. Their Discord community is top notch.
PenTester Academy - The video quality isn't amazing, but the write-ups, walkthroughs and lab environment are great. You can catch great deals on the membership from time to time. The pricing is between $49 and $69 a month depending on when you catch them. Well worth it for the Attack and Defense Labs.
PenTester Labs - These are great labs! They are pentesting focused but they have a lot of other skills and labs for building your base knowledge. Once you get a membership you download walkthroughs and an accompanying ISO (a virtual machine image).
Start your immersion immediately!
Once you have a good handle on fundamentals, or need some motivation (or just a break from the more basic stuff):
Vuln Hub's List of Resources - A great list of security specific resources!
SANS! - Hands down the best security training on the planet! Instructors are highly vetted security professionals with time in the trenches in the area of studies that they teach. They are pricey. HINT: If you can't afford $6-8K a course then look up how to become a SANS facilitator. By volunteering your time and efforts to help the classes happen you can get a course for about $1500 which is a steal!
A SANS cert is recognized immediately by members of the industry as truly demonstrating that the holder really understands the topic and can execute the skills associated with it.
- Live Overflow - This guy breaks down complex hacking concepts into smaller easier concepts. He is a good teacher and entertaining.
- IPPSec - One of the best at cracking open boxes on Hack The Box and a great teacher.
- Cyber Mentor - One of the best teachers of penetration testing on the internet. He really gears his videos towards beginners, with plenty of new tricks for more experienced folks to pick up.
- Paul's Security Weekly - Security Weekly is one of the best podcasts to watch. The Friday shows have great tech segments. The entire show is informative and entertaining.
- Brakeing Down Security (BDS) Podcast - The BDS Podcast is one of the best places to stay up with current security trends.
- BDS Videos - Look around here. There are a ton of free training courses and other gems buried throughout.
- Tyler Hudak Reverse Engineering Training - A great class that is free! Tyler Hudak is one of the best in the industry and is also a great teacher.
- NahamSec - A very talented and successful bug bounty hunter and hacker who loves to share techniques with his audiences.
No particular order.
- Cyber Mentor (@thecybermentor)
- Jake Williams (@MalwareJake)
- Derek Root (@_r00k_)
- Tyler Hudak (@SecShoggoth)
- Live Overflow (@LiveOverflow)
- Brad from malware traffic (@malware_traffic)
- IPPSec (@ippsec)
- Azeria (@Fox0x01)
- Kody Kinzie (@KodyKinzie)
- Tinker (@TinkerSec)
- Jack Rhysider (@JackRhysider)
- Cyber Gibbons (@cybergibbons)
- Lesley Carhart (@hacks4pancakes)
- Paul Asadoorian (@securityweekly)
- Rob Lee (@robtlee)
- Ed Skoudis (@edskoudis)
- SANS DFIR (@sansforensics)
- MalwareTech (@MalwareTechBlog)
- Malware Unicorn (@malwareunicorn)
- Malware Breakdown (@DynamicAnalysis)
- SANS Institute (@SANSInstitute)
- Ben Sadeghipour (@NahamSec)
There are a ton more I am not recognizing here but this will get you started. Welcome to the community! And it is a community. Most hackers out there are some of the best primates on the planet who are willing to help, teach and share.
- Brakeing Down Security (BDS) - One of the best collections of hackers on the planet. This is easily one of the best places to hang out and chat, learn and share. You're never alone with the Internet nearby. You may soon find that your friends and family have little interest in your new passion.
- Cyber Mentor
- Hack the Box
- Darknet Diaries
- Paul's Security Weekly
- Security Now
- Brakeing Down Security
- Brakeing Down Incident Response (It seems dead now but still worth listening to over and over again)
- SANS Internet Storm Center
- The Cyber Wire
- Smashing Security
- Hackable?
- Breach
- Career Paths and Guidance
- Materials for Moving Beyond Foundations (to the Hacking!!)
As you work on the fundamentals you will almost certainly come across various aspects of security that interest you. All of the following are simply a different flavor of hacker. They are all vital for any team to function. A general layout of the roles in the security field is (no particular order):
- Penetration Tester - They find and validate vulnerabilities in networks and web applications by demonstrating an attack on that vulnerability.
- Exploit Developer - They find vulnerabilities in software and develop exploits to give an attacker unauthorized access to the software or the underlying system.
- Red Team - Similar to Penetration Testers except the aim is to not simply validate a vulnerability, but to emulate a realistic threat to that particular environment. Most likely this means a longer time period for them to operate low and slow to avoid detection and remain in the network for a long(er) period of time.
Note: Offensive teams (white hat and black hat alike) are typically made up of specialists. A rough outline of that looks something like this:
- Entry Team - The initial exploitation team that gets access.
- Developers - The team ready to develop custom malware as needed.
- Post Exploitation Team - A collection of folks who are fast at privilege escalation and lateral movement.
- Security Operations Center Analyst - They analyze alerts from intrusion detection sensors and find the root cause of the issue to detect if it is an anomaly or a malicious actor.
- Security Engineer - They design and build solutions to support security objectives and requirements.
- Developer - Often just another blend of Engineer, or even the same title; they automate defense systems and things like forensics triage.
- Forensic Analyst -
- Incident Responder -
- Threat Hunter -
None of this is "law".
Recommended certs below are merely recommendations and in no way should this list be taken as all inclusive or a rule to be followed. It also in no way guarantees successful employment in the respective fields.
You do not need every cert listed to work in that field!
For the SANS recommended pathway you should see their official guidance. They have a recommended road map.
Recommendation | List |
---|---|
CERTIFICATIONS | |
SKILLSETS | |
Recommendation | List |
---|---|
CERTIFICATIONS | |
SKILLSETS | |
Recommendation | List |
---|---|
CERTIFICATIONS | |
SKILLSETS | |
Recommendation | List |
---|---|
CERTIFICATIONS | |
SKILLSETS | |
Recommendation | List |
---|---|
CERTIFICATIONS | |
SKILLSETS | |
It seems that if you want to become an offensive focused hacker there are a ton of free lab materials and instruction. If you want to focus on the blue team / defensive skillsets, it seems to come down to paying a lot of money or reading a lot of books. eLearnSecurity has some Blue Team focused courses that look appealing, but I have not personally tested them.
- Red
- Blue
Topic | Links |
---|---|
Labs / Vulnerable Machines | |
WiFi Hacking | |
Web Application Hacking | |
Scanning | |
Using Exploits | |
Developing Exploits | |
Privilege Escalation | |
Persistence | |
Lateral Movement | |
Topic | Links |
---|---|
Infrastructure Build Out | |
SIEM Building | |
Logs Analysis | |
Threat Intel | |
Threat Hunting | |
Incident Response | |