Question of the Day: How do I become a security specialist (ethical hacker, malware researcher, digital forensics, etc.)?

First things first: do you like solving puzzles, do you like a challenge, and can you stare at a screen for many hours, poring through code, logs, etc.?

Were you the sort of child that liked to take things apart to understand how they worked, and more importantly could you put them back together again, without having left over pieces, and did the thing still work at least as well as it did before?

Do you look at things and think, well that should work as expected if I follow the logic, but, if I do this instead, it will bypass that logic and let me access another part of the site/code or infrastructure?

Or, maybe when hearing about a new threat, you quickly see how it works and how you can either slow it down, or stop it dead in its tracks using simple techniques or processes, or by using an existing security control in a different way?

If you answered yes to several or more of the above, then you might have the right mindset for a career in cyber security as an ethical hacker, social engineer, malware analyst or in digital forensics and incident response. If you didn’t answer yes to one or more of the above, don’t worry, you can still work very successfully in other areas of cyber security, just probably not as an ethical hacker or in incident response or malware research.

“If you have the right mindset, you can be taught the skills,
but it is very hard to teach a mindset…”

So, if you do have the right mindset, how should you develop the required skills to get into cyber security?

First, decide whether you like the technology or the human side of the problem. That will be your first step. If you are lucky you might be able to do both…

The next step is dependent on the answer to the first question. If technology, then you need to become very familiar with as many operating systems, applications and programming languages as you can (you don’t have to be proficient in all of them to start off, just pick one or two for starters).

If the human side is more your bag, then learn about cons, social engineering, and psychology in as much depth as you can. Then try some of the techniques on friends and family (without breaking the law).

After that, find a mentor, someone who is skilled in the discipline you want to learn, and soak up as much knowledge from them as you can.

Read everything you can on the subjects. If available, go on courses, and go to events, conferences and local meets to meet like-minded people, be they newbies like you or security professionals with a decade or more of real world experience to mine for tips and tricks, etc.

If you are looking at doing malware research, ethical hacking or forensics, you will find lots of CTF and analysis challenges that are freely available; do as many as you can. When you fail (and you will), learn from the failure; it won’t be the last time. Even the best fail often, but they always learn as much (if not more) from the setbacks as the successes. Often doing security work is hard and even boring, but when you solve a problem (reverse a piece of malware and understand how it works and how to stop it, or gain access to a system or network, or identify how a bad guy or girl got in), the rush is amazing.

Expect to have to start in a junior role, maybe even working on an IT Helpdesk, doing patching, hardening, server/system builds, etc. We all have to start somewhere.

I started by building and configuring PCs (building them and installing the OS and applications, configuring them, etc.). Then I moved on to reviewing hardware and software for the same company (doing research, etc.), then I got involved with security (malware at first), worked on the IT Helpdesk, did AIX support (a Unix flavour), and finally I built and ran the Internet Security team (defence, as well as ethical hacking). It takes 5-10 years to become proficient enough with a wide range of operating systems, applications, hardware, networking, security tooling, attack methods, malware analysis, and so on. Be patient and don’t take shortcuts, as they will not help you in the long run.

You don’t need degrees or certificates to do well in this area; you do need the right mindset, to be willing to learn and experiment, and to work long and odd hours, as the job will not be your usual 9-5 one. I left school at 16 and have no degrees or diplomas and have only been on two cyber security courses in over 31 years of working in this field. (One on advanced hacking and the other on advanced digital forensics, both of which I attended to confirm that what I had learnt and been doing for over 20 years (at that time), being mainly self-taught, was right after all; it was! In fact, I taught the course instructors a few things that they didn’t know.)

Be very wary of the problem of stress; this is a major risk when working in cyber security, especially in Incident Response. Burnout is quite common if you don’t manage stress correctly.

One thing I will strongly recommend is to look back in history and see what has happened in the past, in terms of breaches, attack methods, malware types and tricks, etc. There is very little that is “new”; most of the things you will encounter will build on old (tried and trusted) tricks and methodology, usually just updated to the latest OS versions, applications, etc., or re-used to take advantage of the new victim pool (ones that were not around or didn’t take notice the first, second or third time that technique was used).

If you want to learn about web application testing, then there are several training VMs out there, such as SecurityShepherd, that will test your skills in a safe and secure environment quite legally.

On the subject of legality, whatever you do, do not be tempted to step over the line and do something illegal with your skills, as you will constantly be looking over your shoulder waiting for law enforcement to apprehend you. It will also make you less employable in the cyber security world.

You don’t have to be a black hat to be a skilled hacker or to understand how an attack is done or how malware works. As I said earlier in this episode, good ethical hackers may be able to think like a bad guy or girl; they just don’t act like one. In other words, you don’t need to break the law to be very skilled in any security field.

After that, expect a lifetime of learning, building on and refining your existing skills, and as things are right now, you will have a long and productive, well paid career helping to counter the bad guys and girls, rather than being one of them…

Anyone that states that you “need to be a thief to catch a thief” or that you “need to be a poacher to be a gamekeeper” or any of the other examples, I say to them, rubbish! There are very few real world cases where being an ex-criminal has made a difference that hasn’t been, or couldn’t have been, made more effectively by a good researcher who can think like a bad guy or girl but hasn’t gone over to the dark side to prove their skills. In fact, of those that were caught, even though the press made them out to be some form of uber hacker or malware writer, the vast majority had very poor skills and often used other criminals’ code/techniques to carry out the attack… what most of us in cyber security would call “script kiddies”…

You can make a difference, be on the right side, help defend and protect those in society that are often the victims of the many cyber crimes that happen each and every minute of every hour of every day…

To quote Del Boy Trotter, from Only Fools and Horses: “You know it makes sense, don’t be a plonker.”

If you think I have missed anything important, or I should add something to this article, please let me know.