Starting an InfoSec Career – The Megamix – Chapter 6

[You can find the previous chapters in this continuing blog series here:
Starting an InfoSec Career – The Megamix – Chapters 1-3
Starting an InfoSec Career – The Megamix – Chapters 4-5]

Chapter 6: Self-Study Options

In the previous chapters, I’ve discussed potential career paths, education and certification options, and the fundamental knowledge needed to become a successful InfoSec professional. Unfortunately, college degrees and certification courses aren’t financially or logistically an option for everyone, nor do they provide all of the skills and practical experience needed to become a desirable candidate for an entry level position. Without further ado, let’s delve into some options for improving InfoSec knowledge individually.

==== Home Labs ====

Building a home practice lab is an integral part of improving skill at any area of blue team or red team information security. Since most of us (hopefully) don’t want to break the law and get arrested while learning how to hack, conduct forensic investigations, or reverse engineer systems, we’re obliged to create our own self-contained network environments to practice and learn within. This will also improve network and systems administration skills, which as I noted in Chapter 1 are absolutely fundamental for being a well-rounded InfoSec professional.

A decade ago, a home lab looked significantly different. It almost certainly included multiple computers, and likely a network rack complete with switches, power supplies, KVM, and cabling. While this is still a great option, a rack of computer equipment is noisy, hot, and power consuming. Today, we have the tremendous luxury of virtualization. A single reasonably spec’ed ESXi host server can act as most of our practice environment. While we might still opt for some physical network hardware, we have virtualized network lab environments available for use, as well. I really prefer the virtualized option because as we exploit, infect, and otherwise destroy our hosts, we can simply revert them to an earlier snapshot and start over.

Regarding purchasing the physical equipment or host machine(s), we can get as creative as our budget requires. A great way to purchase server grade computer hardware is via federal and state government auctions. These auctions are fairly underutilized next to commercial sites like eBay, and can offer some great deals during regular equipment replacement schedules. Remember that local businesses, hospitals, and municipal services often replace their hardware and sell the older equipment for a fraction of the original price. For virtualization, we’ll want a decent server grade processor, a lot of memory, and enough disk space for all the operating systems we are interested in using to grow as expected. Everything else is fairly negotiable. Many folks buy a few old servers of the same model, pull all of the memory, NICs, and hard drives out, and put them into one chassis.

The hosts we install in our lab environment shall vary quite a bit based upon our area of interest and what we’re currently trying to accomplish. For instance, in my forensics lab, I selected SIFT and Windows 8 hosts which I use to conduct analysis, and an array of primarily client OSes which I conduct analysis upon. My network monitoring and incident response environment is very different, because network services, network IPS, and firewalls are in play in a more realistic network environment. A penetration testing environment will look different still. Before you purchase equipment or begin the lengthy process of building your lab, consider what you want to learn, and what hosts and services you will need to accomplish this goal.

I’m not going to delve much further into the technical details of building out a lab, as a lot of people have done great writing on this subject already. I recommend looking at Carlos Perez, Matt Barrett, and Adrian Crenshaw’s informative blogs.

==== Self-Study Materials ====

Every person has a different learning style. Some of us are more comfortable learning new skills by watching a video; others need hands on practice or reading materials to understand new concepts best. Fortunately, at this point people who wish to learn InfoSec skills have a plethora of freely available options to fit any learning styles.

For the Visual Learner:

Years of talks at information security conferences have been recorded and are freely available on YouTube. I’d avoid watching Joe from ACME computer shop explaining how to use Kali, but there are more hours of recorded talks on from reputable conferences than anyone will ever have time to watch. Archive.org hosts an immense number of conference talks. Adrian Crenshaw has recorded talks at conferences for years, and has a prolific archive of these videos on his channel. SecurityTube is also a great resource, (although some of their materials are paywalled by PenTester Academy, which may or may not be in your budget).

For the Auditory Learner:

Check out the amazing range of InfoSec podcasts available for free. There are so many more great podcasts than I could discuss in a blog of their own, but some highlights are PaulDotCom, Southern Fried Security Podcast, Security Now, ISC Stormcast, Defensive Security, Liquidmatrix, and Braeking Down.

For the Reading Learner:

There are two major resources you should investigate – textbooks, and blogs. This will, of course, vary quite a bit based your area of interest. My personal ‘essential reading list’ for Information Security professionals would include the following:

There are an immense number of amazing security blogs out there, but a very short list of my favorites includes Dark Reading,  Krebs on Security,  McGrew Security, Graham Cluley, Naked Security, Lenny Zeltser, Troy HuntAndrew Hay,  Threatpost,  and Andy Ellis.

For the Kinesthetic Learner:

As we previously discussed, a home lab is a great option, followed by Capture the Flag exercises and Challenges, which I discuss in the next section.

==== Capture the Flag and Challenges ====

Once you feel ready to leave the safety of your own home lab and delve into another network, a great option is Capture the Flag events, and similar challenges. A large percentage of hacking conferences provide some kind of CTF event, which will pit your skills against challenges they’ve designed as well as other participants, in a structured, legal environment. The challenges usually vary from simple to extremely difficult, and points are awarded to participants as they find or reach ‘flags’ hidden in the challenges. Don’t be daunted; most CTF events are rarely restricted by skill level, and they’re a great way to test what you’ve learned. You’re competing against yourself as much as other teams or participants.

CTFs and challenges are not restricted to red team penetration testers. There are plenty of open and paid practice challenges in many areas available now, both in person and online. DFIR challenges test investigation and forensics skills, while malware challenges test participants’ ability to reverse and analyze malicious code. Check out the great list of online challenges at captf.com.

==== Conferences ====

There are no substitutes for in-person networking or training events. I strongly recommend attending InfoSec / hacking conferences, but I also encourage you to choose the right ones for you. Regrettably, the events with the biggest budgets often get the most hype. That does not translate to them being the best environments to learn in. Cost is often a factor that bears consideration, as well. Tickets to InfoSec conferences range from free (or nearly free) to thousands of dollars. Hotel and airfare costs vary by venue. All these factors should weigh into your decisions, but there’s a conference for everybody.

Hacking conference size and content vary a lot, but there are some commonalities. There are normally one or more tracks of speaker talks, selected by the organizers from outside call-for-paper submissions. Capture the Flag type events are fairly ubiquitous. It’s also not uncommon to see an option for longer, hands-on training classes for an additional fee. You’re likely to see some vendors, as well as hobbyist groups such as locksport organizations or makerspaces sharing their expertise. Evening parties sponsored by the conferences or vendors can provide an opportunity to network and have fun.

Let’s discuss a few popular conferences. A couple caveats. Firstly, I’m quite certain I am going to offend one conference or another by not listing them here – for this list I selected some better known representative examples and it is by no means comprehensive. Secondly, I’m based in the US, so my examples are primarily in North America. Hacking/InfoSec conferences are a global phenomenon, and the types of conferences I list have equivalents in Asia, Europe, Africa, and South America. Please feel free to ask me for assistance in finding ones in other locations as needed.

DEF CON – Las Vegas, NV, USA

One of the oldest, most famous, and largest hacking conventions in the world, DEF CON is held in August on the Las Vegas strip. The attendees are a mix of everybody from the most dubious black hats to corporate security professionals, from journalists to Generals, from researchers to federal agents. Events and talks run the full gambit in every sense of the word. The parties are wild and so are the attendees. DEF CON tickets current cost $230, (cash only!).

>> Pros: This is where you’ll see some of the most cutting edge research released, and meet many top notch pros. Everybody should DEF CON at least once, for the sheer experience.

>> Cons: Over-the-top parties, crowds, and hangovers can overwhelm actual learning and networking. If this is your first hacking conference, or you’re not reasonably cautious, you may be targeted for pranks (or worse).

BLACK HAT– Las Vegas, NV, USA

Black Hat (USA) occurs the week prior to DEF CON, and offers more structured training opportunities on a variety of topics. There’s a heavy vendor presence. Black Hat is more targeted towards security professionals and executives, and offers organized networking events and a bevy of courses and high profile speakers. The talks are well vetted. This doesn’t come cheap; regular tickets are currently $2195. Training courses cost significantly more. If money is a factor, I certainly wouldn’t recommend paying your own way to Black Hat unless there is a course you desperately want to take that isn’t offered anywhere else. Wait for a scholarship or corporate sponsor.

DERBYCON – Louisville, KY, USA

DerbyCon is a relatively new but very popular conference, and acts a bit like a more community and family-friendly alternative to DEF CON. It occurs in September in the heart of downtown Louisville. While it’s not as big of a conference, DerbyCon offers five simultaneous talk tracks, as well as hosting a few special interest working groups and CTF. DerbyCon tickets are $175, and given the reasonable cost of living in Lousiville, this can be a pretty economical conference, without quite as much of the shock value. Although there are bad apples at any hacking conference and basic precautions should always be taken by attendees, DerbyCon is policed pretty well and is a very safe bet for a first con.

SHMOOCON – Washington DC, USA

Shmoocon was founded by a husband and wife team to become a relatively small, friendly, community and education focused conference. It occurs in January, and costs $150, making it the most affordable of the ‘big name con’ admissions. Due to its location and educational reputation, it’s popular with federal government, military, and federal contractors, and the networking, vendors, and talks can reflect this a bit. The downside is that Shmoocon has grown much more popular than its size allows, and tickets sell out quickly – very quickly – a matter of seconds, making attendance a bit of a lottery. If you plan to attend Shmoocon, (I do recommend it), read up on the ticket purchase process well ahead of time.

RSA CONFERENCE – San Francisco, CA, USA

If you missed that RSA occurs in February, you’re not tuned into information security news. I can draw a lot of parallels between RSA Conf and BlackHat, but personally favor Black Hat as an event. They’re both targeted at executives and professionals, throw star-studded vendor parties, come with a hefty price tag (standard RSA tickets are currently $2,295), and get plenty of press. They have the biggest vendor expos, and often boast high profile speakers. I don’t recommend RSA to entry level infosec folks, even if the price tag is in your budget. For the money, I’d attend a course at Black Hat or REcon. The glitz and glamour do not make this the best environment to learn fundamentals or network, and despite some very good speakers, in my opinion RSA Conf continually commits public security faux pas to the ire of hackers and security professionals.

RECON – Montreal, QB, Canada

If reverse engineering malware, hardware, or software is your cup of tea, there’s no better conference to learn more than REcon, which focuses exclusively on sophisticated reversing. Ticket prices for RECon increase through the year leading up to the event, currently starting at 700 CAD and culminating in 1200 CAD in June. Student tickets are discounted. The ticket price is hefty, but includes snacks and lunches. The available hands-on training courses will run you around 2000 – 5000 CAD, so once again, you may want to wait until you’re eligible for some sort of sponsorship for this one. I have not had the pleasure of attending this conference myself, but I’ve heard nothing but glowing reviews from my colleagues in this space.

CIRCLE CITY CON – Indianapolis, IN, USA

Circle City Con is newer than Shmoocon and DerbyCon, but fills the same educational / community friendly conference niche. Circle City Con occurs in June, near the Indianapolis Convention Center. Tickets are currently $150 and include optional training classes, aside from any required materials. Circle City Con is another safe bet for a first conference, and for family participation.

HOPE – NYC, NY, USA

Hackers On Planet Earth is still a bit of a ‘hidden gem’. Although it’s one of the oldest annual hacking cons, it remains reasonably small and attended by industry greats. HOPE occurs in July, and tickets are currently $150. HOPE offers some of the most unique and varied events of any conference outside DEF CON, and boasts film festivals, art, and robotics along with the usual offerings. It’s a bit more eclectic and nuanced than other conferences. HOPE is worth serious consideration, especially for East Coast folks.

GRRCON – Grand Rapids, MI, USA

GrrCON specifically states their goal of avoiding elitism, and as a result they’ve earned a reputation as a positive and friendly environment which is heavily geared towards great networking and security education. GrrCON occurs in October and regular tickets are currently $150. Another location with very reasonable room and board, it would be a great choice for a first con. GrrCON also offers opportunities for family participation.

BSIDES EVENTS (Global)

Perhaps you looked at this long list of conferences, and balked at the locations, travel costs, and ticket prices. All is not lost. Seek out your local BSides event, which occur in many metropolitan areas. BSides events tend to be organized by local hacker groups, and most are one or occasionally two days. BSides also tend to be smaller and less expensive, with tickets usually ranging from $0-50. There’s rarely a good excuse to miss your local BSides – it’s a great opportunity to network with security folks in your area for a nominal fee. BSides events also make a great excuse to travel to cities on your bucket list across the world, learn about hacking, network with people, while enjoying the local culture, sights, and cuisine.

I’d be remiss if I did not briefly discuss hacking conference safety and preparedness. As I’ve mentioned above, the level of ‘threat’ at conferences varies and exists everywhere, but regardless of the event you should take common sense precautions. (All of these precautions should translate into everyday life, because bad gals and bad guys are everywhere!)

  • Consider whether it is necessary for you to even bring a laptop to the conference if you’re not attending a course that requires one. Given insecure networks full of hackers, safely using a laptop adds an extra layer of preparation required and gives you another bulky, expensive item to carry and keep track of.
  • If you must bring a laptop, I highly recommend using a new hard drive with a clean OS image, full disk encryption, and as little personal data as possible that you only use for the conference(s). Ensure you have a standard array of vetted security tools if you plan to connect to any network, including VPN. Ensure wireless and Bluetooth are fully disabled when not in use. Use common sense about what you log into.
  •  It’s hard to function today without a smartphone, but consider ways to make your phone more secure. Burner phones or faraday bags are popular options. At the very least, ensure wireless and Bluetooth are off, and that the phone itself is encrypted. VPN if possible. Do not connect to WIFI. Do not borrow phone chargers.
  • Bring cash for as many purchases as possible. Bring as few credit/debit cards as absolutely necessary, and ensure they’re in a vetted RFID safe wallet (but certainly don’t expect those to be foolproof). Don’t bring unnecessary stuff in your wallet or purse such as your work ID, social security card, or passport. Do not use an ATM within an easy walk of the event. I have rarely been to a conference where the hotel ATM wasn’t obviously and amusingly hacked by the end of the first day.
  • Don’t leave valuables unattended at the bar or in your hotel room, in a hotel full of hackers who can trivially open (any) hotel doors. Double lock your room when you’re inside.
  • Know who you can contact and how to reach them if there’s a security or medical issue at the conference – most hacking cons have a staff of security ‘goons’ who are always present and reachable. Any large event can have its share of bad apples, rowdiness, alcohol overuse, and drugs, and they’re there to keep things from getting out of hand. That being said, hacking conferences should not be treated like Mos Eisley cantina. Look out for the safety and well being of your friends and the people around you, and get them help if needed.

==== Local Hacking Meet-ups ====

Aside from organized conferences, many metropolitan and regional areas have formed hacking meet-ups of varying structure and activeness. I recommend finding your local group as soon as possible and participating as much as you can, as it’s a really important way to network with local hiring managers and security teams. Name recognition in this community is absolutely invaluable when applying for jobs.

There were ways that hackers met two decades ago that still work, but they’ve been  impacted by Web 2.0 and social media as much as anything else. So, I’ll both discuss the more traditional ways to find your local hacker and InfoSec folk, as well as newer options.

The Old Ways

  • DEF CON local groups: They’re named by area code, globally. Unfortunately, in my experience, some are now defunct or inactive. (Check and make sure before showing up.)
  •  2600 : 2600 meetings occur in public spaces to be inclusive to everybody, but be cognizant that they are more ‘hacker’ meetings than ‘information security’ meetings. Their active group list is maintained pretty well.
  • CitySec meetups: A more ‘security professional’ focused set of informal meetings in many global metropolitan areas.

The New Ways

  • Meetup.com: I’ve seen quite a few various information security organizations start posting their meetings through this site over the last few years. It’s always worth a look.
  • ISSA: A formal professional organization with chapters around the world.
  • Twitter – Plenty of these organizations post their scheduled events.
  • LinkedIn – Plenty of these organizations are listed as LinkedIn Groups.