Breaking into InfoSec - My Story

Our industry is quite an interesting beast when it comes to breaking into the field. On one side we have gatekeeping by various seasoned workers in fear of losing their jobs to competition, breaking traditional ways of doing things, or diluting the pay pool that our industry is very lucky to hold. On the other are companies who would pay pennies on the dollar for veteran workers with invaluable experience while requiring a master's and 3 years of experience for an entry-level job or hiring the lowest bidders to save on expenses. While my story isn't anything spectacular, and quite frankly I feel it has been on the lucky end, it does showcase what I feel are the absolute must-haves to be "successful" in this industry, and no, it's not certifications or a master's degree.

TLDR:

My journey into infosec and what I've learned from it. This is not a technical post, so feel free to skip/skim. Basically in my opinion, you need these to be successful:

  • Discipline - you have to be able to work independently; having your hand held every day will not help you here
  • Drive to learn - learn something new every day - career related or not
  • Networking - Learn how to talk to colleagues and clients - make friends with people - you never know what doors they may open - remove any toxic influences
  • Maintain your mental/physical health - they are not independent of each other!

My Story

The start of my journey is nothing crazy. I had no intention of being in the industry as a kid, nor did I even know it existed to be honest. During high school I had no real dreams or ideas of what I exactly wanted to do besides the typical astronaut, crab fisherman (used to love Deadliest Catch) or construction like my father did. At some point, detective work drew my eye, like in CSI or Forensic Files. So when I enlisted in the military at 17, I went for Military Police as my MOS, with the idea of going to college for Criminal Justice so that I could work towards the FBI (figured it had to be just like the movies, right?). That was the dream pretty much until graduation, when I made a decision that would change my life. One of the local colleges I planned to attend was having a career fair for students. I just happened to catch the email for this right after enrolling and getting accepted for the spring semester. While I wasn't technically a student yet, I made the drive up there because I saw that the FBI was on the list of attendees. What more perfect way to figure out how to get in than from someone in the field! They technically required a student ID to get in, but after explaining my situation to one of the registration workers, she kindly let me in. I made my way to the FBI booth where I met the recruiter. She was nice and very informative. After I divulged my plans for my degree plan, she made it very clear that it was not a wise one. She explained that CJ degrees were oversaturated and hold little merit outside law enforcement without continuing on to law school. The FBI also did not really need CJ majors, and it would cause any resumes submitted with one to not stand out... giving a much lower chance of actually getting a chance. She said the best alternatives to actually stand out were accounting, business management, and computer science. Well, the first two sounded quite boring to me so I thought about CS for a while.
I liked to play computer games so I figured why not try it? I ended up switching my major that week and set forth a path I'd never look back on. I graduated 3 years later with a BS in Computer Science - Information Assurance. My degree laid some solid groundwork for my career, but to be frank, I use less than, say, 5% of anything I learned in college in my day job. It did successfully ignite the spark for curiosity though. I dove into electives such as Astronomy and Cosmology, had a tease of the various fields in tech such as hardware, software development, and security. I was introduced to Linux and programming in my first language, good ol' Java! So did I get out of college and make 50k the day after graduation?

I spent 6 months job hunting for literally anything, with several interviews where I look back and cringe at how bad I bombed them, getting ghosted on the regular or rejection emails coming in daily. I finally ended up getting a job at a local dealership for an IT position for around $17 an hour, which was absolutely amazing to me. I had never had a job pay that much so I went in ready to go. I came into a system still using backup tapes, no AD, and admin passwords that looked like "dealername1". It would be a literal cakewalk for any operator today to get in. Thankfully, I made a recent visit and all of that has been addressed so no worries now. My job duties then were to provide general IT support (did you turn it on? Is it plugged in?), fixing printers and other hardware, and general admin duties like employee access to internal systems etc. It's here I realized just how inefficient some of these processes were. Why am I having to keep a folder with every printer web interface on our network to check ink levels of 30+ printers? Is there no other way to do this? Incoming drive to improve efficiency alert! This is where I learned about PowerShell and built a script to actually check all printers via SNMP for ink levels and alerts for replacement parts. Cut a 40+ minute task to 30 seconds. All my free time was then dedicated to watching random Defcon talks or finding anything interesting to read. I also had my first dose of ransomware at this dealership. We had a parts computer get hit with a trivial variant that didn't manage to run as Administrator luckily, so it didn't cause much harm but allowed me to tinker with it and learn more about this type of malware. I tried learning basic forensics and how to fix it. In the end we just provisioned a new system since that one was old anyway, but the curiosity was still there. Two months later my next big break came.

I had a friend from college who had got a gig with a local cybersecurity company in the Houston area as an L1 log analyst. He had informed me that they were hiring, with starting pay around 45 to 50k a year! I figured I'd throw a resume at them just for the giggles, with no real intention they would call me at all. Luckily my friend went to bat for me internally and it got pushed to a hiring manager. They called me for a phone interview! I studied long and hard for that interview, at work, the gym, and during dinner. When they called, I nailed it so well that they pushed me to another team, the team responsible for active alert monitoring in the SOC. I interviewed a second time with that team, and got a job offer for around 50k a year with OT opportunity. I was beyond ecstatic and while I did enjoy my little IT team at the dealership, I knew this couldn't be passed up. I moved jobs not long after and for an entire year, got exposed to so much knowledge that has built the pillars of my success. I learned about all kinds of security related topics, attacks, worked active incidents, interacted with different software, learned how to work in command line environments and much more. One thing didn't change though, I never stopped wanting to learn more. Any free time I had was spent learning. It was during this time I found well known InfoSec individuals such as John Hammond, Ippsec, and Colin Hardy along with getting my GCIA certification. I spent hours watching their videos, particularly Ippsec and the HackTheBox videos. I rooted my first active machine during a night shift all on my own because of these people. It was quite an achievement to me at the time. This is where my interest with pentesting and red team operations began. I liked breaking into stuff and wanted to get paid for it. Almost a year to the date, my new break came.

Said friend from the college had left the company to move to a startup. After some hassling, I also made the leap to this startup as a threat analyst for their SOC, with the intentions of building out the evening shifts to reach 24x7 coverage. A fully remote position with tons of freedom and little to no micro-managing. It was quite the dream come true as I no longer had one to two hour commutes to sit at a desk in a fish bowl along with getting a sizable raise. I worked solo for months, escalating alerts, working tickets, and continuing to learn. I also aimed to improve my workflows, building out a HandoverBot in Slack since I hated rooting around Confluence. Eventually it also monitored SLA so I wouldn't miss alerts (wasn't real time on the app) along with pulling metrics for the boss (making their life easier can go a long way later). This bot is still in use today! I eventually made it to a Senior Threat analyst where I stayed till a buyout of the company. This eventually led me to joining the new research team created as part of the acquisition. That is where I sit now, creating content for the latest threats, conducting research on topics of interest, and continuing to build out our workflows and tools to be used for future team members. Not long after joining the team, I got my OSCP on the first go with plans to continue to collect certifications if possible. One thing has not changed though, I continue to want more.

The point

You may be wondering what that entire life rant has to do with the must-haves of breaking into InfoSec. The answer is quite simple: Discipline and the hunger to learn. It's easy to scrape by and maintain a role. Do just enough to keep bosses happy. But that mindset will not get you far in this career path (Not advocating over-working or free labor to a company. The idea here is you are working on SELF improvement). Our world is evolving every second, the mentality of learning a skill then 9 to 5 it for 40 years does not apply for anyone looking to succeed in this field. You may have outliers who do, but do you want to risk your chances on such things? You don't need a degree to be successful. Some of the smartest people I know have GEDs and zero college. Certificates do not instantly make you a master, they are great resume fluff and personal accomplishments with some required for niche roles but they do not define you. You need to be disciplined, able to work independently without someone over your shoulder to tell you every step. You need to be able to maintain your mental health and goals to sustain yourself long term. You also need to be hungry to learn, basically until you retire if not longer. Becoming static in this field will lead to you falling behind. Another important key is networking. Networking can get you farther than any degree or certificate can. Knowing how to interact with people, clients, colleagues, and supervisors will go a long way. Making connections with big names in other fields can provide doors that open later in life when you need them. One of the very reasons I spun up this blog is to improve my writing and networking. I could just as easily not worry about this site. Go play a video game or watch some Netflix. Yet I am here, looking for topics to write about. Working on TryHackMe or researching a new TTP to create content for. Working on my home lab to practice my offensive skills. I also sometimes work more than I ought to.
It's not uncommon to find me threat hunting on a weekend or looking at work related topics. I do this out of my own choice, because I want to make that difference, to catch that one incident just in time. One of my goals is to be more mindful on taking breathers, getting away from a computer and hitting the gym or hanging out with loved ones. It's hard sometimes to unhinge the work life and personal life but it's needed to maintain your mental clarity. I'll close this by advocating that everything is a learning experience, the rejections, the failures, and the success you have. Never let just one thing define your career, but look to always be improving your life in some aspect, whether it's work or personal.

Till next time, farewell and happy hacking!