Recently I’ve come across the question:

"Can you help someone to get into his first InfoSec position?"

I got it from multiple sources - friends from other industries, friends asking for their friends or partners, people interested in how to get into this field in general and specifically from people who just finished an InfoSec course. I know a lot of people already wrote about it, and I’m not trying to replace what they wrote. If I repeat something - it is probably important. If I add something - it is probably important from my point of view.

Before I begin, it is important to note that this post only reflects my own opinion (I’m not affiliated with any of the links provided or the companies\products mentioned - make sure to read their TOS). I will address those who don’t have prior experience in the InfoSec field and will discuss the fields of SOC analysts & penetration testers, as those are the fields I’m most familiar with (there are probably other good sources about malware research, reversing and the bazillion other fields in InfoSec).

Also, DO NOT, and I repeat, DO NOT try to gain experience by practicing or testing something that doesn’t belong to you and\or that you don’t have permission to test. (Later in this post I’ll suggest legal and safe ways to get the experience without risking someone else’s stuff and\or your freedom.)

Your starting point

You want to get into the InfoSec industry. The starting point varies:

  • You just finished an InfoSec course and\or cert (online or in a college)
  • You work in a different field and want to move into the InfoSec field
  • It’s the point in life where you need\want to start your career

There are probably more, but the common characteristic between all of them is: you don’t have prior experience that you can share with your potential employers. Which brings us to the question: "If I don't have prior experience, I can't get a job - and if I don't get a job, I won't get experience".

My suggested solution - get personal experience.

Personal experience

Personal experience is a term I use to differentiate experience obtained while engaging in projects in your own time and out of your own interest, as opposed to corporate experience, which is obtained while performing work for a company (even if it’s your own company). We live in a time when SO MUCH information is available and free. Whether you participated in an InfoSec course\class or not, you can learn all the basics (and more) by simply googling the subject you wish to learn.

There are numerous videos on YouTube and similar sites, there are coding courses on sites like Codecademy and more, and low-priced courses on specific topics on sites like Udemy, Coursera, edX and more. All you need is a computer, an internet connection and the time to invest. So, let’s say you invested the time to enroll in, learn and finish such courses and videos. You even completed the labs to see how stuff works and got some “keyboard thrills” when you got the Meterpreter session.

What’s next? How do you turn that into actual personal experience? You start by setting your labs.

You have several options:

  • Cloud-based
    Azure, AWS and GCP offer “free-tier” subscriptions that give new users a specific number of hours during which they can run virtual machines for free (terms apply).
  • Locally
    If you have the money to spend on it, you can buy dedicated hardware and run it on an ESXi server. But if you want to save that money, you can use Oracle VirtualBox, download the trial Windows images and set up your lab.

Choose whichever one you prefer or, even better, try both. You will encounter issues and errors, you will get frustrated (a lot) when you try to configure stuff, and that’s good: it means you will google the errors and try different solutions until you get it working.
Go a step further and try to automate the lab creation (you can use any IaC tool you like - Terraform, Ansible, Chef, Puppet or any other), which will present you with a new world of errors, problems and frustration - but with the same euphoria when it works…
Once you have the lab working (I suggest combining Windows (with Active Directory) and Linux servers for a start) you can move forward to play around with security tools (defensive or offensive) and try to perform attacks and detect them.
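As an added example (this is not code from the original post, and it is not tied to any particular project), here is one way to automate the two-node starter lab described above with Vagrant on Oracle VirtualBox: a Windows Active Directory domain controller and a Linux server, each provisioned with basic process-execution logging so that whatever you try from one box leaves a trace you can go and find on the other. The box names, IP addresses, domain name and recovery password are assumptions; the password is a constructed lab-only value. The `Vagrant.configure` block is guarded with `defined?(Vagrant)` so the file also loads as plain Ruby, which lets you inspect or unit-test the node table without Vagrant installed.

```ruby
# Added example, not from the original post: a Vagrantfile that builds a
# two-node lab (Windows AD domain controller + Linux server) on VirtualBox
# and turns on process-execution auditing on both nodes.
# Box names, IPs, the domain name and the DSRM password are assumptions.

LAB_NODES = [
  {
    name: "dc01",
    box: "gusztavvargadr/windows-server", # assumed public evaluation box
    ip: "192.168.56.10",
    memory: 4096,
    role: :windows_dc,
  },
  {
    name: "linux01",
    box: "ubuntu/jammy64",                # assumed public Ubuntu 22.04 box
    ip: "192.168.56.20",
    memory: 1024,
    role: :linux_server,
  },
].freeze

# Small helpers so the lab layout can be inspected outside Vagrant.
def lab_nodes
  LAB_NODES
end

def node_named(name)
  LAB_NODES.find { |n| n[:name] == name }
end

# PowerShell run on the DC: promote it to a new forest, then enable
# "Process Creation" auditing (event ID 4688) with command lines included.
WINDOWS_DC_SETUP = <<~'POWERSHELL'
  Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
  $dsrm = ConvertTo-SecureString 'Lab-Only-Recovery-Pw1!' -AsPlainText -Force
  Install-ADDSForest -DomainName 'lab.local' -SafeModeAdministratorPassword $dsrm `
    -InstallDns -Force -NoRebootOnCompletion
  auditpol /set /subcategory:"Process Creation" /success:enable
  reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
    /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
POWERSHELL

# Shell run on the Linux server: install auditd and record every execve,
# so post-exploitation activity shows up in /var/log/audit/audit.log.
LINUX_SETUP = <<~'SHELL'
  set -e
  export DEBIAN_FRONTEND=noninteractive
  apt-get update -q && apt-get install -y -q auditd audispd-plugins
  cat > /etc/audit/rules.d/10-execve.rules <<'EOF'
  -a always,exit -F arch=b64 -S execve -k exec
  -a always,exit -F arch=b32 -S execve -k exec
  EOF
  augenrules --load
  systemctl enable --now auditd
SHELL

# Only defined when loaded by Vagrant itself.
if defined?(Vagrant)
  Vagrant.configure("2") do |config|
    lab_nodes.each do |node|
      config.vm.define node[:name] do |node_cfg|
        node_cfg.vm.box = node[:box]
        node_cfg.vm.hostname = node[:name]
        node_cfg.vm.network "private_network", ip: node[:ip]
        node_cfg.vm.provider "virtualbox" do |vb|
          vb.memory = node[:memory]
          vb.name = "lab-#{node[:name]}"
        end
        case node[:role]
        when :windows_dc
          node_cfg.vm.communicator = "winrm"
          # The forest promotion needs a reboot; Vagrant's shell provisioner
          # can do that on Windows guests with reboot: true.
          node_cfg.vm.provision "shell", inline: WINDOWS_DC_SETUP, reboot: true
        when :linux_server
          node_cfg.vm.provision "shell", inline: LINUX_SETUP
        end
      end
    end
  end
end
```

Run `vagrant up` in the directory holding this file; `vagrant up linux01` brings up just the Linux node. Both nodes sit on the same host-only network, so after the lab is up you can, for example, run something on linux01 and then check `ausearch -k exec` there, or query event 4688 on dc01, to confirm your detection actually sees what you did.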

That’s a never-ending story - you can always find other attacks to try and new detection mechanisms. If it’s working and you can explain how it works, and how an organization should detect it, prevent it and fix it - you are ready for the next attack.
The next step will be playing around with harder challenges (i.e., ones you don’t know the answer to because you didn’t create them).
Those will typically be vulnerable VMs such as DVWA, Google’s Gruyere, OWASP Mutillidae II, Metasploitable II and Metasploitable III and many more. When you feel comfortable with all their respective vulnerabilities, move forward to bug bounty programs (Bugcrowd & HackerOne), where companies provide you with the scope of the assets they agree to have tested by you - so you can try to find vulnerabilities in real-life networks and assets.

Also, you would probably like to spice up your experience, and that’s where you should participate in CTFs - competitions in which you can participate on your own or as part of a team - most of which are entirely free and accessible from the internet.
There you will find many challenges in many fields of information security, including web applications, reverse engineering, infrastructure, code review, networking and more. Don’t expect to solve all of them. For the ones you didn’t solve, look for a write-up of the CTF by someone who managed to solve them, read it and learn. You can also download boot2root VMs from sites such as VulnHub, which let you locally deploy a vulnerable virtual machine that is meant to be exploited - first for some kind of low-privileged command execution, which then enables you to perform privilege escalation and take over the entire machine.

And now, after you did all of that, make sure you document what you did.
Not necessarily the technical steps (although those can be good for your own documentation) but the overall challenges you faced and solved. Write down which lab you planned, which components it has and why you chose them, which defense measures are deployed, and which attacks you learned and practiced. If it’s automated, document how. Consider documenting it online (GitHub, GitLab or Bitbucket).
Use these as the experience topics to present to your potential employers. They might not be corporate experience, and most of them aren’t the same as enterprise networks and vulnerabilities, but they taught you a lot and you should discuss what you learned and how.
Also, this can be what separates you from the other candidates - not the knowledge or the specific bug bounty - but the effort.
When I interview candidates for junior positions, I know they don’t have prior experience, and I like to hear what they did on their own for several reasons:

  • It shows the candidate wants to work in this field because they love it and are passionate about it - a candidate who isn’t passionate won’t go those extra miles to learn and know more.
  • They are willing to work hard and invest time to learn and improve their skills - they aren’t waiting for someone else to lead them and teach them, they are actively looking for more stuff to learn and pushing forward to improve.
  • They DO have some experience. It might not be exactly what they will encounter with clients or the organization, but it is very close and provides an excellent ground to adjust the skills based on the relevant requirements.

Some key points to acknowledge

Now that we’ve discussed how to get that “personal experience”, we need to agree on (and accept) some key points:

  • Personal experience is not corporate experience
    • Some people\interviewers don’t share my point of view and won’t consider personal experience. That’s fine, it’s their decision and they call the shots - they are hiring.
    • When you land your first job, stuff will be entirely different from your labs. You should be much more careful with your approach and attacks, and you need to consider a lot of business requirements\restrictions that weren’t present in your environment.
      Remember - the skills required of InfoSec professionals are not only knowing how to break\exploit; they also include knowing how to operate in the business and work together with other stakeholders.
  • Breaking the law will overshadow everything else
    • There are so many options that allow learning legally, but once you get the knowledge and confidence you might want to tackle a real-world network. I’ve already heard the sentence:
      "I know it's not part of the bug bounty scope, but they should be happy I’ve found something more."
      NO. Again, NO. This is illegal, unethical and unacceptable.
  • This will require time
    • We aren’t in the Matrix, where you can be injected with knowledge in seconds.
      Learning and improving takes time and will never end. You will fail countless times in deploying, learning and attempting things. Don’t let this discourage you, keep on trying, keep on googling for a solution, even tweet about the issue you are facing and maybe someone will be able to help.
  • Learning is not only technical
    • Go over your CV and think about how you can improve it. Make sure you can discuss and back up every item in it, and avoid listing items or topics you only know by name.
      Maybe even ask someone from the industry to take a look at it and suggest changes. If you wish, I’m willing to try to assist (based on availability).
    • If you feel your interviews aren’t going well, ask someone to train you. By training, I don’t mean dictate which answer you should provide to which question but to simulate the interview and give you feedback on what you can improve.

The extra-extra mile

Infosec is not just an industry; it is also a community.
Strive to be a (helpful) part of it.
Go to conferences (this spreadsheet was made by @inbarraz. You won’t have write permissions, and please do not ask for them. Use it only after you read the instructions on the first tab), hear others speak, present yourself, take a training and learn something new, meet new people, join discussion groups (doesn’t matter if Facebook, Slack or others) and even be part of a team that organizes some of them (I know, I’m biased.). Get involved in whatever way makes you feel comfortable.
Start to create content - it doesn’t matter if it’s a tool you wrote that already exists, your blog or talking with people about what you have learned (which they are already familiar with). I did all of that.

Good luck and remember -
Strive not to be a success, but rather to be of value.
-Albert Einstein