WARNING: this is a *huge* info-dump; think of it as a class syllabus. you're meant to absorb this information over the course of many moons, like a college degree except FREE. Section 1 and 2 you can start right away; try and integrate those into your somewhat-daily life to help build a brain stew that gets perpetually yummier. Save Section 3 stuff to try and tackle *at least* once every week or two; making a few hours of uninterrupted time to carve some brain grooves doing the real deal. In a few months, you'll notice concepts starting to stick together more clearly and you’ll have madly employable skills.
SO…
you’re thinking about dipping your toes into the world of infosec? GREAT. I used to draw cartoons for a living, but 80 hour weeks with 40 hours of dismal pay did not bode well for my mental health and future happiness. Financial stability is one of the greatest gifts I’ve ever been given, and we can give it to ourselves thanks to the wealth of resources out there.
The top three things I think you need to mash into your brain in whatever-works-for-you amounts:
DAILY INFOSEC MATERIAL
if you want to "get" stuff, you're going to have to listen, read, and learn from material you might not "get" yet. Constant exposure keeps your brain brewing in the background thinking about the things you've been shoveling into it, plus, it's FASCINATING to learn about!
STUDYING COMPUTER FUNDAMENTALS
this is your traditional sort of classwork/homework kinda workwork, but you gotta know this to actually understand how all of the systems involved in computing interact. It’s interlocking, logical systems of turtles all the way down; finding out how they work together can be fun!
PROJECTS AND ACTIVITIES (scaled for emphasis)
it can feel incredibly good to ingest knowledge all the time, but if you're not creating, doing, or breaking something and problem solving your way out of or through it, it's not going to stick. the connections your brain makes while DOING the things you've just talked or read about are going to make you valuable to a company who is hiring you to DO THINGS, not just know about things. the primary skill for a security analyst is LOG ANALYSIS so you know how to find badness.
making yummy infosec stew
Infosec enthusiasts have a very active and supportive community on Twitter. As security professionals are naturally very curious types, everyone shares the curious things they've discovered, chats about the curious things they are working on, or laughs at the curious nature of the infosec business, and curiosity is infectious.
One can generate an endless stream of daily infosec nourishment with a few steps:
Follow some cool people; follow the people they retweet; follow streams of replies and hashtags down unexpected paths. I’ve saved some of my favorites into one handy Twitter list. Follow the list or just follow all the cool people!
It will feel like learning another language; if you don’t know what a word means or a system someone refers to does then Ask Jeeves and find out!
blogs
Blogs are another great source as they can dive deeper into topics with more than 280 characters. I use feedly.com to ingest all of my favorite blogs into one interface.
Krebs on Security - Brian Krebs is a sharp journalist who covers cybercrime from many angles; his book Spam Nation is a thrilling page turner which describes how criminal organizations make money from spam email.
Schneier on Security . Bruce Schneier started his career as a cryptographer, so his writing can get a bit more technical, but he is also a great writer and renaissance techfella.
Tao Security . Richard Bejtlich wrote the great book "The Practice of Network Security Monitoring" - which contains step by step instructions for setting up a security stack with Security Onion, a Linux distribution built for just that purpose. This is his blog!
Securosis . This security company posts some great content on the bleeding edge of modern infosec business practices. Sounds like gobbledegook at first, but may point you in the direction of a topic you'd like to explore!
The Hacker News . A smorgasbord of stories from all over the web, covering all the latest security goings on.
podcasts
Podcasts are GREAT for driving/cleaning/something-normally-mindless, and make that mindless time interesting. Some of the ones my friends know and love:
Darknet Diaries - *essential listening*
Defensive Security
Risky Business
Security Weekly
exciting infosec books
For me, reading some books that dive deep into the complexities of this wild world helps keep me excited about the world I’m learning about. Definitely check out at least one of these!
This Is How They Tell Me the World Ends - Nicole Perlroth - Darknet cyberweaponry sales
Countdown to Zero Day - Kim Zetter - Stuxnet Israeli/USA virus for Iranian nuclear enrichment facilities
Spam Nation - Brian Krebs - Organized crime involvement in spam
Sandworm - Andy Greenberg - Dive deep into Russian APT NotPetya
Ghost in the Wire - Kevin Mitnick - Benign hacker mindset and social engineering
security communities
There are all sorts of places people gather and talk cybersecurity stuff and gather resources. You should check out:
Black Hills Infosec - Discord - Webcasts - Pay What You Can Training - I HIGHLY suggest carving out time for John Strand’s SOC Core Skills whenever it is going on
DFIR Training - Discord - Free Training
7thdrxn - My Discord - If you ever want to ping me, feel free to jump in here!
This is a hodgepodge, but if you're going to be wasting an hour or two on reddit anyways might as well get some infosec articles in your feed!
reddit.com/r/netsec
reddit.com/r/netsecstudents
booklearnin'
that stuff is more like building your exposure to concepts and the world itself where you *will* be, ONE DAY, but you are going to have to take time to learn fundamentals. I recommend treating this stuff like a college-level class you have to study for to pass: take notes while you listen to the lecture, then type up organized outlines from your notes. When you have your data this way, you can organize flashcards for SPACED REPETITION LEARNING (google it), which is amazing and awesome and makes your brain store stuff long-term; also, this is a chance for you to practice TYPING and gettin' them words per minute up in the *dozens*.
The certifications I recommend for people with ZERO previous IT experience are CompTIA's A+, Network+, and Security+. A+ covers compsci fundamentals and troubleshooting, Network+ = networking fundamentals, and Security+ is an overview of the modern security program and how it functions. because these certification attempts cost money you could ALSO just learn everything you need for the A+ and Network+ certifications and make sure you actually KNOW IT then pass the Sec+, as this is bare minimum for most HR departments.
To start your training, I *highly suggest* you dive into the joy of reading Julia Evans' *AMAZING* zine on being a code wizard. It's aimed for people getting into programming, but her attitude embodies a really healthy relationship to learning, approaching tough problems, and getting better at stuff:
https://jvns.ca/wizard-zine.pdf
Okay, good. Yes. NOW:
You can learn everything you need to study for these exams from Professor Messer's free YouTube videos:
https://www.youtube.com/user/professormesser/playlists
Who is clearly a lovely human being; hopefully making lots of money for this free content. Another site that has a ton of free mini-courses on various topics is:
If you're able to shell out $35, you should absolutely definitely go through my friend Ryan Chapman's material. He is a hilarious and lovely human being who made a great intro course on Incident Response, which is the mindset and overall function of what a Security Operations Center (SOC) does via modern 24/7/365 Network Security Monitoring.
Regardless of whether you sign up for his class, DEFINITELY read his free articles:
https://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/landing-a-hands-on-security-gig-part-1/
https://www.tripwire.com/state-of-security/risk-based-security-for-executives/connecting-security-to-the-business/landing-a-hands-on-security-gig-part-2/
Which shares some perspective on what it takes to get these gigs. His Intro to Incident Response material is on PluralSight, which is $35 a month, but gives access to a bunch of great-but-not-as-good-as-Ryan's content:
https://app.pluralsight.com/library/courses/hands-on-incident-response-fundamentals/table-of-contents
actually doing stuff
THIS IS THE MOST IMPORTANT PIECE ; gathering knowledge from your studies is necessary to know the thing, but doing the thing is how you’re going to become a professional paid to do — not just know about — the thing. It’s the difference between studying for your driving exam and actually driving a car.
The activities here depend on how familiar you just so happen to be with computers, but always keep moving forward and trying things you’ve never done before. As long as you keep practicing, you’ll learn in leaps and bounds.
To me the coolest part about computers is how we use them to do things faster, thanks to their crazy fast computer brains. That means the better we’re able to interface with them, the more stuff we can have them do for us! If you’re just starting out, here is a progression of activities that exemplify how you can get more done with less:
typing games / exercises - increasing your WPM means you can get more work done at a keyboard. this is something that if you practice with games and goals, you'll generally get more practice the rest of the time you use a computer.
learning keyboard shortcuts for programs you use - keyboard shortcuts can increase productivity and replace repetitive tasks. Email, word processors, and browsers are a great place to start, as you’ll be using them often and can save thousands of hours in the long run.
setting up AutoHotKey - possibilities truly endless; create keyboard shortcuts for scripts/automation/typing out emoticons (/¯◡ ‿ ◡)/¯ - https://duckduckgo.com/?q=best+autohotkey+scripts&t=ffab&ia=web
setting up a virtual machine - once you set it up, you can play with Linux or Mac or Windows on a Windows, Mac, or Linux machine; it’s MAGIC. also there are lots of security related Linux distributions for collecting open source tools like Kali for penetration testing, digital forensics with SIFT , blowing up malware inside of Remnux, or crafting security infrastructure with Security Onion.
setting up Docker - docker is like virtual machines but... they're containers. containers are basically disposable, iterative, and efficient as HECK VMs, as they run with the bare minimum of connected drivers and services to make a single service or tool run in a virtual Linux environment. modern cloud hardware infrastructure companies like AWS and Google Cloud Project basically have a ton of containers running on beefy servers that can spin up hundreds of these things and provide always-on, self-healing, scalable virtual hardware... which they lease to people for cheaper than running and maintaining their own server infrastructure. and make bajillions of dollars.
FYI, if you utilize Docker directly within Windows, it will prevent you from utilizing VirtualBox or VMware and force you to use Windows Hyper-V; you can install Docker inside of a Linux VM to work around this.
After tackling these tasks, or if you feel you are ready, it’s time to begin The Great Work.
BUILDING A HOME LAB
This is where you’ll be cutting the edge of your own skills and learning what people will pay money for you to do! Your lab is your she-shed, your man-cave, your non-binary library, and it starts with the laptop or desktop you’re using right now. The more tools you install, virtual machine images you build, and systems you configure, the more your lab can do for you. Eventually, you can expand beyond one machine and get some additional hardware running things inside of your network permanently, or you could use someone else’s and set things up in the cloud.
Some ideas:
Home Video/Audio with Plex or Kodi
Digital Forensics with SIFT
Windows Identity/Access Management with Windows Server 2019 Evaluation
Penetration Testing with Kali
Vulnerable Web Services with Metasploitable or OWASP Broken Web Apps
Malware Reverse-Engineering with Remnux
Forensics / Penetration Testing with FLARE (Windows)
Network Security Monitoring with SecurityOnion
Malware Sandbox with Cuckoo
Log Analysis with Splunk
Remote Live Forensics with Google Rapid Response (GRR)
Pick whatever sounds interesting + not overwhelming to you and just start FIGURING IT OUT!
writeups
Reading how others have solved CTFs and forensics challenges will help give you a better idea of how the pros solve problems… but don’t just read! Read, but take notes on what programs they're using and why they need to use them for each step of the challenge, then process; you'll get far more out of this experience figuring out why you need to do X to do Y to get Z. When your lab is farther along, you can download the files and use all the same tools to find all of the same answers!
Some great challenge writeups to look into:
https://www.holidayhackchallenge.com/2017/winners/ncsa/report.html
https://www.holidayhackchallenge.com/2018/winners_answers.html
https://infosecuritygeek.com/defcon-dfir-ctf-2018/
https://defcon.org/html/links/dc-ctf.html
log analysis
the primary skill a blue team security analyst needs is knowing how to determine what is bad and what is not. a lot of the fundamentals come from understanding what’s covered in the A+, Network+, and Security+ exams. here is a blog post that covers some things that might help you get started!
challenges
You don’t just have to read about the pros doing all the fun stuff, you can do it too! Here are a few entry-level challenges to get you started:
https://www.picoctf.org - excellent introductory material that teaches what you need to learn and then activities to test your knowledge
https://www.hackthebox.eu/ - same
https://tryhackme.com/hacktivities - same, heard good things about all of them
http://overthewire.org/wargames/ - this CTF is focused on command line exploitation of linux systems, and will not hold your hand! it will tell you what commands you might need to use and you’ll need to study the manual pages to figure out how to use it to your advantage. Difficult but you will learn a lot!
ANYHOW
Bravo for making it this far.
This is my best distillation of what needs to get into your brain to get into this career. I've seen people gobble this up in a few months and others take their time over the course of a year or two; regardless, one day it can make you lots of money in a field that will be one of the last to be automated before the reign of machines!