Hey man,
I'm 26 and I just started as well.
The past few months I had the same question -- HOW DO I START.
I was more than lucky to find the following: https://www.amazon.com/Pentester-BluePrint-Your-Guide-Being/dp/1119684307/ref=sr_1_1?dchild=1&keywords=the+pentester+blueprint&qid=1610568253&sr=8-1
I HIGHLY recommend buying this, dude. It really gave me confidence and gave me what I needed -- guidance. I was so hyped to read it.
I'm also going for the CEH in March -- I'll give you an update on that in the future.
But some things I had to figure out:
-Find websites to practice. Although a lot of people say to try OverTheWire.com and try the Bandit Wargame, I highly recommend using TryHackMe.com. It's giving me a great tutorial on the tools. Eventually, work your way to HackTheBox.com and VulnHub.com (I'm not there yet lol)
-TEXTBOOKS! I know it sucks to read but I already have 20+ ethical hacking textbooks ready to read. Already read through about 3.
-Udemy.com has some great courses for Ethical Hacking.
-Google, Google, Google. Look up "how to start as an ethical hacker", "pentesting frameworks", "ethical hacking tools", etc. and just get some knowledge around the field.
-When you're ready, download VMware Player (I personally like it better than VirtualBox, but your choice) and set up images for Kali Linux, Parrot OS, and Metasploitable2. This is (to my understanding) the best place to start.
Hope I was able to help. Trying to pass along the knowledge I was asking for a few months ago :)
Infosec folks tend to be jacks of all trades. It's difficult to say what language or technology you should learn, but easy to say "if they don't know x, they're probably not a very good pen tester." They need to be able to understand the mechanical details of how things work so they can see how to manipulate things in unintended ways.
So like, if you don't know programming very well, you'll want to pick up some experience. And if you don't know how websites work, or linux or windows works, you should probably learn those too. But knowing those things themselves doesn't make you an infosec person.
There's not really a super established college degree path - though there are some schools that do offer it as a degree. Instead, the focus is on getting that foundational knowledge, and then intense preparation for some infosec-specific certifications.
The two big certifications are the Certified Ethical Hacker certificate, which I would consider the first step, and the OSCP, which I would consider the intermediate step and real entryway into actually working in the field without fretting about the resume anymore. Having an OSCP generally equates to a job.
There's actually a pretty good book that just came out that walks you through how to really get into computer security: The Pentester BluePrint: Starting a Career as an Ethical Hacker. It's $25 and a really quick read, and is where I'd start building your plan to break into it.
check out NIST's site for the NICE framework, there's a lot to consider: https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center
Working in security - even at entry level - will generally require familiarity (not expert-level knowledge) with the following:
- Communication (moved to the top after typing the rest of this out since it's so commonly overlooked and so critical, but basically you need to be able to present leadership with the insights they need to understand the intent of your communications. Remember that we collect data from direct and indirect sources, correlate/transform/clean data to build information, and then analyze that information within the context of the organization and current events/needs to determine insights. Be able to speak to data and information, but primarily present insights)
- Risk (not the generic "high-medium-low" and heatmap type of risk, but a more meaningful understanding of what different scenarios mean to the organization and how to translate those considerations into something decision makers can understand. Consider this blog post as one starting point: https://embracethered.com/blog/posts/2020/red-teaming-and-monte-carlo-simulations/)
- Core networking (routing, switching, firewalls, VLANs, DHCP, DNS, WiFi, etc. When you can clearly describe the differences between collision domain segmentation, broadcast domain segmentation, and security segmentation AND describe the importance of netflow/sflow and DNS data for proactive monitoring and incident response, you're on a good path)
- Statutory/Regulatory/Industry/Best Practice Frameworks (as applicable to the organization you're supporting, e.g., PCI, HIPAA, SOX, NERC-CIP, ISO, FedRAMP, CMMC, NIST CSF, CIS Controls, etc.)
- Incident Response (detection, investigation, evidence collection/chain of custody, containment, notification/communication, eradication, etc. This is an often-overlooked area, but if you're leaning in to make incident response faster/smoother/more automated, you're setting the whole organization up for success)
Most conventional IT environments will also generally require familiarity with the following:
- Active Directory (This is a HUGE topic, you'll need to understand organizational units, security groups, GPOs, authentication, and identity management concepts)
- Endpoint Protection (not just antimalware, but actual EDR/XDR capabilities and how to supplement/complement to facilitate detection and response)
- Microsoft Windows OS (especially built-in security capabilities/features)
- Mobile Device Management
- Email (this is one of the most challenging things for most organizations to do well and should be offloaded/migrated to a cloud-based solution as soon as possible if secure managed email is not a core competency)
- Vulnerability management (beyond just scanning/patching/updates, but looking at configuration settings, architecture, etc.)
Cloud-based environments require some different concepts and knowledge, especially if the organization you're supporting uses a cloud platform to host a publicly accessible application or system. I'd consider security-focused training for the specific platform/applications/tools they're using.
If you have the time and resources for it, consider setting up a complex lab environment (https://github.com/microsoft/MSLab is a helpful starting point) with a few different types of targets. Within that environment, you can break whatever you want, try different hardening techniques, etc. I like to use that type of lab to test detection capabilities and scripted/triggered automations using sysmon, wazuh, and caldera.
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
https://github.com/mitre/caldera
Finally, you'll hear (if you haven't already) a lot of buzz and hype about MITRE ATT&CK. There's a lot to be said about ATT&CK as a resource and knowledge base, but it is not a magic pill and leveraging that collection of knowledge for your organization requires a TON of work. That being said, it's 100% worth your time to dive deep into what MITRE has put together across their entire suite of cyber analytics capabilities. Ask yourself: how would you detect these types of attacks in your environment? How would you detect them reliably? How would you detect them at scale? What complementary data sources can be leveraged to increase the reliability of detections and reduce the noise in all of those logs and alerts? What will you do when you get a positive detection? MITRE ATT&CK is a starting point, CAR is a good complementary tool to understand where you can find the indicators in your environment, Evals is a good data set to describe how commercial solutions would show those indicators, and Caldera is a good tool to help you assess your own environment's capabilities.
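An added example, not written by any poster in this thread, of the kind of detection exercise the comment above is pointing at (sysmon in a lab, ATT&CK as the starting point, complementary data sources to cut noise). It runs a simple "Office app spawns a scripting host" rule over a handful of constructed Sysmon-style events and then uses follow-on DNS and network events from the same process, plus a command-line check, to score each hit. The field names follow Sysmon's schema; every host, GUID, IP, domain and timestamp is invented for the example, and the ATT&CK mapping is the author's rough choice, not a CAR analytic.

```python
"""
Added example (not from the original thread): a toy detection run over
constructed Sysmon-style events. Event ID 1 = process creation,
ID 3 = network connection, ID 22 = DNS query. All data below is made up.
"""
import json
from datetime import datetime, timedelta

# Constructed newline-delimited JSON events using Sysmon's field names.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2021-06-01 10:00:00.000", "ProcessGuid": "{A1}", "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "WINWORD.EXE invoice.docm", "User": "CORP\\alice"}
{"EventID": 1, "UtcTime": "2021-06-01 10:00:05.000", "ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "User": "CORP\\alice"}
{"EventID": 22, "UtcTime": "2021-06-01 10:00:06.000", "ProcessGuid": "{A2}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "QueryName": "cdn-updates.example.net"}
{"EventID": 3, "UtcTime": "2021-06-01 10:00:07.000", "ProcessGuid": "{A2}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 1, "UtcTime": "2021-06-01 11:30:00.000", "ProcessGuid": "{B1}", "Image": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "EXCEL.EXE budget.xlsx", "User": "CORP\\bob"}
{"EventID": 1, "UtcTime": "2021-06-01 11:30:02.000", "ProcessGuid": "{B2}", "ParentProcessGuid": "{B1}", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE", "CommandLine": "cmd.exe /c dir", "User": "CORP\\bob"}
{"EventID": 1, "UtcTime": "2021-06-01 12:00:00.000", "ProcessGuid": "{C1}", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe", "User": "CORP\\carol"}
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-windowstyle hidden")
CORRELATION_WINDOW = timedelta(seconds=60)  # assumed window for follow-on events


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    """Parse NDJSON Sysmon events and attach a datetime for time-window checks."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(ev)
    return events


def detect_office_spawns(events, window=CORRELATION_WINDOW):
    """Rule: an Office application is the parent of a scripting host.

    Rough ATT&CK mapping (author's choice): T1204.002 (User Execution:
    Malicious File) leading to T1059 (Command and Scripting Interpreter).
    A bare parent/child match is noisy (macro-driven automation is common),
    so each hit is enriched with DNS (ID 22) and network (ID 3) events from
    the same ProcessGuid inside the window, plus a command-line check, and
    scored from that evidence.
    """
    followups = {}
    for ev in events:
        if ev["EventID"] in (3, 22):
            followups.setdefault(ev["ProcessGuid"], []).append(ev)

    findings = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        if basename(ev.get("ParentImage", "")) not in OFFICE_APPS:
            continue
        if basename(ev["Image"]) not in SCRIPT_HOSTS:
            continue

        evidence = []
        cmdline = ev.get("CommandLine", "").lower()
        if any(tok in cmdline for tok in SUSPICIOUS_ARGS):
            evidence.append("suspicious_args")
        for f in followups.get(ev["ProcessGuid"], []):
            delta = f["_ts"] - ev["_ts"]
            if not (timedelta(0) <= delta <= window):
                continue
            if f["EventID"] == 22:
                evidence.append("dns:" + f["QueryName"])
            elif f["EventID"] == 3:
                evidence.append("net:%s:%s" % (f["DestinationIp"], f["DestinationPort"]))

        severity = "high" if len(evidence) >= 2 else "medium" if evidence else "low"
        findings.append({
            "rule": "office_spawns_script_host",
            "technique": ["T1204.002", "T1059"],
            "process_guid": ev["ProcessGuid"],
            "user": ev.get("User"),
            "parent": basename(ev["ParentImage"]),
            "child": basename(ev["Image"]),
            "command_line": ev.get("CommandLine", ""),
            "evidence": evidence,
            "severity": severity,
        })
    return findings


def run_detection(text=SAMPLE_EVENTS):
    """Parse the sample and return the scored findings."""
    return detect_office_spawns(parse_events(text))


if __name__ == "__main__":
    for finding in run_detection():
        print(json.dumps(finding, indent=2))
```

On the sample, the Word-to-PowerShell chain scores high (encoded/hidden arguments plus a DNS query and an outbound connection within seconds), the Excel-to-cmd chain fires but stays low with no supporting evidence, and the cmd launched from Explorer never matches. That split is the point of the "complementary data sources" question above: the same rule, run against process events alone, would have put the two Office hits in the same queue.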
Some resources to complement u/No-job-no-money's post:
BHIS/Anti-Syphon https://wildwesthackinfest.com/antisyphon/soc-core-skills-john-strand/
Also, check out the ATT&CK fundamentals, CTI, and SOC assessment courses on Cybrary; each is free. https://www.cybrary.it/catalog/refined/?q=att%26ck
Microsoft specific training linked here https://azurecloudai.blog/2021/05/12/all-the-microsoft-ninja-training-i-know-about/
Fortinet https://training.fortinet.com/
For federal, state, local, tribal, and territorial government employees, federal contractors, and US military veterans FedVTE is free, https://fedvte.usalearning.gov/
Pen Tester Blueprint book: https://www.amazon.com/Pentester-BluePrint-Your-Guide-Being/dp/1119684307
OSCP-like machines: https://docs.google.com/spreadsheets/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/edit#gid=1839402159
I've been compiling resources for a while, here's a list I added to a post in a different sub a while back:
https://www.reddit.com/r/AskNetsec/comments/chek0z/whats_the_best_way_to_learn_and_get_into_ctf_if_i/?utm_source=share&utm_medium=web2x
This post has a ton of great resources for more general infosec knowledge, but a lot that applies to offensive security and can help with OSCP prep:
https://www.reddit.com/r/ITCareerQuestions/comments/dvynd8/im_seeing_a_lot_of_the_how_do_i_get_started_in/
And there's a decent blog post with links to a combination of free and paid resources here:
https://niiconsulting.com/checkmate/2017/06/a-detail-guide-on-oscp-preparation-from-newbie-to-oscp/