People

Getting Started in Information Security

I volunteer with i.c.stars, an internship program designed to get promising candidates into the technology field. Most of these candidates were not afforded the opportunity to go to or complete college, yet they are all driven and excited by technology. The i.c.stars curriculum is intensive, involving 12-hour days for four months where the interns learn full-stack development and its application in the modern business environment, including the creation of actual applications for sponsors. Last year i.c.stars held its first information security focused cycle, and even in the return to the traditional application-development focus of the current cycle, many participants have asked me, “How do I get into doing information security work?” This blog post is going to look at the best place for someone to start in information security, what you don’t need to get started, and what you do need: interest; smarts; and knowledge about attacks, systems and networks, and tools. Finally, we’ll look at where to go from there.

Tier-1 SOC Analyst: Your foot in the door

The normal entry spot for most people into information security is as an Tier-1 (Entry-level, Level-1, or Junior) Security Operations Center (SOC) Analyst. There are many, many roles in an information security department. While there are certainly other ways one might come in — for example someone with development experience may transition into an Application Security role — for someone new to technology, a Tier-1 SOC Analyst is the most common path. The role of a tier-1 analyst tends to be very tedious. In some organizations, tier-1 is essentially a help desk, answering phone calls from employees who are concerned they may have clicked on something “bad”, and routing tickets. In most, they perform basic triage on a flood of security alerts. Many experienced practitioners have advocated “inverting the triangle” in that a SOC is best served by automating away most of the tier-1 functions and more heavily staffing tier-3 for proactive threat hunting. Nevertheless, there will remain a heavy demand for tier-1 analysts as more organizations try to stand up SOCs (even when they would be better served by a MSSP) and are unable to attract the senior analysts one needs to invert the triangle. Hence, for the foreseeable future, a Tier-1 SOC Analyst position is the best way to get your foot in the door.

What you don’t need

The two things you do not need when you start this journey is a college degree or certifications. Having either or both of those may help you in the job search, particularly to get by “check the box” HR departments or if all other things are equal, the offer could go to the candidate with one of those. In practice though, if your skills are just as good, a thrifty employer (as most are) will opt for the person who is just as capable, and whom they can hire for a couple K less. We’ll look at both of these briefly.

For the college degree, frankly, most colleges do a terrible job at teaching information security — even the ones that are NSA/DHS Centers of Academic Excellence. As an academic myself, I should be more supportive of pursuing higher education, but it’s not necessary to get started: once you have a paying job (preferably with tuition reimbursement), I would encourage anyone to pursue their bachelors and even masters. As with most academics — especially in the computer sciences — they are more theoretical than practical, and in information security there seems to be a greater divide between the two than in most disciplines. You can get most of what you’ll retain from Matt Bishop’s Computer Security: Art and Science (disclaimer: Matt was my PhD Adviser) — if you find that too hard to follow, you can get a good summary from his Introduction to Computer Security. This is not to say that a college education isn’t valuable, but their value is in providing a broad base and theoretical background that will ensure that you continue to grow throughout your career; to that end, I am a big believer in traditional liberal arts programs — particularly when paired with a masters in a technical discipline. At the same time, college costs have spiraled out of control and — particularly in information security — one will be better served by four years of intensive self-study, at a fraction of the cost. If you need a bit more guidance than you get from the self-study tips below, a bootcamp is almost certainly a better value than a traditional four-year program.

Certificates — such as the GIAC and (ISC)2 certs — are also not necessary when starting off. Some certification programs are downright terrible and stand the danger of teaching you incorrect information (I’m looking at you, CEH). Most are at least useful in establishing that you have a certain baseline of knowledge. At the same time, I have seen too many candidates who cram for the exam and then cannot recall it in a job interview. That said, many employers have certification requirements, particularly for their SOC analysts, such as GIAC Certified Incident Handler (GCIH) and GIAC Certified Incident Analyst (GCIA). This does not mean that you necessarily have to have those going in, just that you will be expected to obtain them soon after starting. To the extent you can explain that you’re prepared to sit for those exams — especially if you do not need to take the associated classes — that can give you an advantage over the competition. Finally, if you are evaluating college versus certificates (given that one can obtain four certifications for the cost of one term at many universities), certifications definitely provide more value when starting out.

What you do need

So what do you need to make it in information security? Interest, smarts and security knowledge. Let’s look at each in turn.

Interest in information security is one of the most important things that employers look for. This is largely owing to the fact that employers accept they’ll have to do much of the training for entry-level analysts. Analysts that enjoy the work will be more engaged, and frankly will often spend their own time improving their skill set. Be prepared to demonstrate how you are interested however, by talking about what sort of self-study you’ve done, exploits you’ve tried on your test network, books and articles you’ve read, and so forth. Hopefully you’ve done so much it’s difficult to summarize, but you can focus on the elements that really excited you, like the first time you successfully ran a buffer overflow attack. This will differentiate you from the throngs of candidates who claim to be interested about information security, but said interest only seems to extend to the fact the paycheck will be good.

Information security demands a different sort of smarts than most fields. It does require the ability to remember information and be able to recall it at the appropriate time, but it also requires the ability to apply that knowledge in unusual ways. You need to be able to think like an attacker. When you are doing analysis, you need to be able to think, “What would an attacker do here?” so you know what to look for. Unlike most of the computer sciences, you are no longer thinking about how to make something work, but how it might not work in novel ways. This is something that many traditionally smart people can’t do, yet something that people who might not have fit into the traditional “smart” mold may excel at.

Last, and certainly not least, we have knowledge: the actual skills, facts, and know how that interest you and that your smarts can apply. This is something you can only pick up from studying, so we look at that next.

How to get what you need

Building your information security knowledge can largely be broken down into three areas of study: Attacks, networks and systems, and tools. We will look at each in turn.

Understanding attacks

While computers have long had a military purpose, the earliest recorded attacks were done principally for curiosity — just to see what was possible. Much information about this culture is available in the Jargon File. The movie Wargames contains a fairly accurate depiction of hacking for fun, where special attention should be paid to the research Lightman conducted on his target. Around that time, real attacks started appearing, best captured in Clifford Stoll’s non-fiction book The Cuckoo’s Egg. By the time Stoll’s account was published, the Morris Worm had occurred, which underscored the need for information security research and practice. Shortly after, the movie Sneakers — much like Wargames — gave a glimpse at this burgeoning industry with accurate depictions of attacks, especially in the social engineering realm.

In recent years, attack methodologies have become more formalized. The Lockheed Martin Kill Chain applied a traditional military doctrine to the information security realm with the idea that by enumerating the phases of an attack, the defender should be able to stop it at any one of those steps. This becomes beneficial to the student, as it allows you to look at each phase and see if you understand what the attacker is doing at that stage, how you would detect that activity, and how you could stop it. For example, one part of Reconnaissance may be the download of your organizations entire website, which could be identified by looking at the web server logs for spidering activity, particularly when it does not appear to come from a known web search engine. You can actually test out this analysis process for yourself with a couple of virtual machines: set up a webserver with a bunch of pages on one, and use another to do reconnaissance on it, then see if you can pick out that activity in the logs (especially if it is mixed with regular user browsing from another machine). Next, see if you can stop the undesired activity on the web server side. Repeat this for the different steps of the kill chain, and in the process look at detection and analysis tools such as tcpdump, Wireshark, and Snort.

The MITRE ATT&CK Framework has extended the kill chain and provided much more detail on both the tactics and techniques. Once you are generally comfortable with an end-to-end attack from the kill chain perspective, you can expand into all the information in the ATT&CK matrix. There’s a lot there: don’t expect that you’re going to be able to try every one of those attacks and test your detection abilities. The more familiar you are with the attacks and how to detect them, however, the better off you will be.

Understanding networks and systems

In order to truly understand the details of attacks, you will need to understand the networks and systems they are attacking. As one looks at the ATT&CK matrix, you will see things like Windows Management Instrumentation or Kerberoasting, which require one to understand the underlying system (Windows, in both of these cases) to really understand how the attack works. Windows, as the dominate desktop system today, is critical to be familiar with. Linux as the dominate server system today is also critical to be familiar with. Other Unix systems should follow naturally. OS X continues to grow in popularity, and of course mobile systems (Android and iOS) are increasingly the targets of attacks.

For many SOCs, the network is their primary source of visibility, so understanding how network protocols like IP, TCP, UDP, ICMP, DNS, HTTP, TLS (which replaced but still frequently called SSL), and BGP operate is fundamental to being able to look at network traces in Wireshark or similar tools and determining if anything is amiss. This skill is so fundamental that you should expect questions on protocol operation when you interview for an analyst position, such as, “How does the TCP/IP three way handshake work?” or “What sort of headers should I expect to see in typical HTTP traffic?”

Understanding tools

Finally, you should have an understanding of the tools used by both security professionals as well as attackers. Much of the above will have already filled in many of these for you. SSH, PGP/GPG, nmap, p0f, Burp SuiteMetasploit, OpenVAS, and netcat are a few of the major ones everyone in the field should be familiar with. Along the way you might want to pick up some Python and Bash scripting. One thing to keep in mind with these tools is that most are dual purpose: they can be used for both offense and defense; for example, nmap may be used by an attacker for reconnaissance, but it may also be used by a defender to map the attack surface of their network. In fact, just grab Kali Linux and work through the free Kali Linux Revealed Book — this can do a good job of prepping you for the Offensive Security Certified Professional (OSCP) certification, although as noted above, you should not feel compelled to get any certs before you land your first job. Kali comes pretty much preloaded with all the tools that someone new to the field should be expected to know, and is great to use as you try to understand attacks, as well as the Linux side to systems. In an interview, be prepared to explain how encryption works, particularly the difference between private key and public key crypto; also be ready to discuss how these tools work: any reasonable interviewer won’t care (even if they might ask) if you don’t know the flags for a SYN-scan versus an ACK-scan in nmap if you can explain conceptually what the difference is and when you might use each.

Next Steps

Once you have your foot in the door, keep studying, and show value at your job. One can spend years studying everything laid out here. As suggested above, you could do all this instead of a four-year degree and have deeper practical knowledge. Most entry level analysts only know a small fraction of this material. Show your aptitude and what you’ve learned so far to get your foot in the door at an organization. That will give you a real-world environment to expand your skills. As Eric Cole suggests in this podcast, spend an extra hour a day at work to hunt for threats in your organization, and you will quickly be climbing your way up the ranks.

Conclusion

I really wish the world did not need all the information security help that it does, but it is interesting and rewarding work. The easiest way into the field is as Tier-1 SOC Analyst. One does not need a college degree or certificates to get started. What you do need is interest, smarts, and knowledge about attacks, systems and networks, and security tools. That will get you in the door and you can grow from there!

One thought on “Getting Started in Information Security

  1. A few additional thoughts, based largely on an Anita Borg talk by Michelle Duquette:
    – CyberSeek.org is a great resource covering infosec careers and the different pathways to getting into different roles, including covering a few other entry-level roles, such as “Cybersecurity Specialist / Technician”, and “IT Auditor”, the latter of which is a great entry point for folks with a non-technical business degree.
    – Capture The Flag (CTF) competitions are a great way to meet people and demonstrate your interest for the field, even if you don’t place well.
    – Meetups on meetup.com are a great, low-cost way to meet people and learn things
    – Professional Organizations like OWASP and ISACA are also a great way to meet people and learn things — they often have very low-cost student membership rates and allow non-members to talks (which are often posted on meetup.com)
    – Conferences can be a higher cost, especially if you have to travel, but offer a very high information and networking concentration in space-time. Blackhat, DefCon, B-sides, Derbycon are a few of the big names. Many conferences will post videos of their talks online afterwards, and speakers will tend to preview or reprise their talks for local meetups.

Leave a Reply

Your email address will not be published. Required fields are marked *