Breaking into InfoSec: A Beginners Curriculum

While perusing /r/netsecstudents, it seems that every other day there is a thread asking for advice on how to break into the InfoSec world and where to start studying.
As helpful as the responses are, they tend to vary widely and are dependent on who can be bothered replying with the same answer each and every time.

As such, I thought I’d post up a rough guide for beginning your adventures should you be a newbie looking to move into information security (primarily pentesting, bounty hunting, and red teaming). This is by no means comprehensive and is simply based on my own experiences. It’s also incredibly video-heavy, so that’s something I guess.

Everything you do will be based on networking fundamentals and as much as it sucks, the old adage of “You have to walk before you can run” really does apply.

Feel free to jump around the list. If something is draining your soul, move on and come back. Seriously, until you get to the OSCP stage in this list it can be crushingly boring and if your mind starts to wander you will begin glazing over and miss something pretty important.

The greatest lesson you can take from dealing with the fundamentals is developing patience and learning to manage frustration. If you cannot learn to control apocalyptic levels of frustration, then it’s probably not advisable to read any further because this whole industry feeds on frustration; it’s basically a kink.

I am currently a Managing Security Consultant for a small spearhead team in a global corporation. We perform red teaming, phishing training, pentests, vuln scanning, breach assessments, and baseline security assessments. I come from a healthcare IT and applications background and teach people how to go fast on motorbikes on the side.

*Word of caution: Be aware that a large majority of people who move into this industry come with at least 5 years experience in other IT fields (often more) and without being a downer, you’ll probably never out-dance an ex dev; those dudes turn into raid bosses.
While there are plenty of young guns straight out of uni and some naturally talented freaks in their teens doing this, it is an industry that heavily benefits those with career and life experience. It requires a constant desire to learn and significant mental fortitude.

*Second word of caution: This writeup is beginning to age, and some sites may have since changed for better or worse. If you feel something seems out of place or dodgey then please leave a comment and I’ll look into replacing it.

Networking Fundamentals:

  • CompTIA Network+ N10-007 Playlist
    • 101 videos taking you from an absolute beginner to competent in networking.
    • Set the videos to speed x1.25 or x1.5 to save yourself a lot of time and boredom.
    • Take notes to reference in the future (seriously, do it)
      *Updated to N10-007
  • CompTIA A+ Playlist 1 – Playlist 2
    • 137 total videos
    • This is really aimed at less experienced people. If you’ve got any IT background, you can skip it.
      *Updated to 220-1001 and 220-1002

Active Directory
This should give you an understanding of how AD works.

  • Introduction to AD infrastructure in Windows Server 2012
  • Installing AD, DNS, and DHCP to Create a Windows Server 2012 Domain Controller
  • Adding Windows Computers to a Windows Server 2012 Domain

Linux Essentials Playlist
An understanding of Linux, and comfort using it is a must. Install a VM or dual boot it; using it every day is the quickest way to learn. It’s pretty alien if all you’ve known is Windows, but boy is it beautifully efficient and simple once you understand it.
You can use the Linux Newbie Guide to quickly help you find or remember commands; bookmark it and then forget about it for years like I did.

Windows SysAdmin Essentials (suggested by LonerVamp)
This is a Lynda course which requires a membership, or you can try it for free. Well worth investing a months sub to go through it.
This course focuses on Server 2012, though it’d be worth browsing other material.
Server 2008 is a common find in the real world, and unfortunately, 2003 is all too common as well, so try become familiar with them all. Server environments are different beasts to everyday desktops.

Additionally, the Microsoft Video Courses ‘Windows Server Administration’ series is extremely well done, and you feel like you’re watching a sports show.

Security Fundamentals:

  • CompTIA Security+ Playlists
  • CISSP Playlist (For those completely new to security) *Updated to 2018 playlist. The old one was taken down. Be aware I have not watched this specific list.
  • Computerphile Channel
    • Watch everything from Tom Scott and Dr Mike Pound. They give extremely user-friendly explanations of common security concepts.
    • Tom’s SQL Injection Explanation
    • Mike’s SQL Injection Practical Example

Courses:

At this stage, you would be more than comfortable beginning your OSCP (Offensive Security Certified Professional) adventures. If you’re not feeling it, jump down to VulnHub and HackTheBox to get a bit more ready for free.
The OSCP is one of (if not) the best certifications out there and is birth by fire approach. You will receive detailed course material and VPN access to a virtual lab filled with machines you can learn to hack.
Lab access is from 15 to 90 days, with the ability to extend as much as you want so long as you have the dosh.
At the end is a 24-hour exam.

The OSCP is run by Offensive Security and worth every penny.

In the event you cannot afford to sign up for the OSCP yet (or you just want more stuff) then see below for a DIY approach.

Oh, and download Kali Linux here. *Don’t run Kali as your daily OS, it’s not designed for that and makes you look like a skiddy.

Cybrary Courses
Cybrary is a wonderful platform filled with a plethora of courses for the aspiring <insert role>. It’s free, and you can get little certification pictures to put on your LinkedIn. Neat. They’re not overly weighty when it comes to resume’s but they do show a commitment to learning which is taken into consideration.
*I was recently informed that Cybrary is no longer a primarily free resource and now requires an upgraded account for many of the courses – including the original recommendations below.
I have had a quick squizz at what is available for free and linked them instead. Please be aware that I have not done these newer linked courses and as such, I cannot speak to their quality. If you give them a try, let me know what you think.

  • Ethical Hacking and Penetration Testing with Kali Linux Certification Training Course
  • Web Application Penetration Testing Course
  • Introduction to IT & Cybersecurity Course
  • Penetration Testing and Ethical Hacking Course

Pentester Academy offers detailed video courses for an affordable subscription fee.
If you have not done the OSCP course work then I’d recommend completing at a minimum:

  • Pentesting with Metasploit Link
  • Network Pentesting Link
  • Web Application Pentesting Link
  • Python for Pentesters Link
  • Exploiting Simple Buffer Overflows on Win32 Link

Hacksplaining is a free to use site with expertly crafted mini-courses on all the fundamentals of web application hacking. You can chew through the whole site in an afternoon and it will greatly improve your understanding of website attack concepts.

PentesterLab is another site with short, self-contained lessons, both free and subscription-based. There are badges to complete which can also be displayed on your LinkedIn.

HackTheBox is a free to use virtual lab where you can practice your hacking skills. The only caveat is you have to hack your own invite code. There are videos and guides all over the net on how to do this, but I implore you, DON’T CHEAT. Get the code yourself, it’s not too hard and you will gain a tremendous amount of satisfaction from it. Also, if you can’t get the code, you sure as hell won’t get any of the boxes inside.

HTB is definitely one of my favourites on this list; they have a good-sized admin team with continuous development, a stream of new community-made vuln boxes to play with that rotate in, retired boxes available to VIP’s, and professional labs. The VIP memberships are well worth it as you get placed on a much smaller VLAN which avoids the hassle of other people hitting the same box as you.

Practical Pentest Labs is another virtual lab environment to practice hacking. I have not personally played in here yet, but I’ve heard good things so far.

Coding
A lot of people ask what is a good first language to learn, and without a doubt, one of the handiest to have in security is Python.
Practice Python takes you from a complete and utter novice to a hardcore Python programmer. Seriously, I suck at coding and always have. This site was the FIRST thing that has ever got me to understand programming language, and I can even write baby scripts to do things I’m too lazy to do now. I cannot recommend this site highly enough.

PHP is another must-have language as it is extremely common when dealing with web content.

VulnHub is a user-driven site filled with virtual machines to try and hack. You download them and host them yourself, then battle away. They range from easy to bananas. Check out beginner ones first and definitely look up Metasploitable.

OverTheWire is a site for war games where you move through levels designed to encourage skill growth and self-learning. This was suggested by a reader (Leithreas), and I have since gone and completed the ‘Bandit’ challenges, which were a tremendous amount of fun.
The learning process is very similar to ‘Practice Python’ and gives a lot of insight into messing around in Linux.
I did notice the difficulty has certain spikes and is not necessarily linear, but the knowledge gained is invaluable.

Books
If you enjoy reading or want to start building your collection, then a good start is anything from the list below. Obviously, there’s a tremendous (DT) amount of books to recommend, but I can’t remember them all so here’s a few. Be aware that the RTFM and BTFM won’t exactly “teach” anything, but are just excellent command reference books to have on hand.

  • RTFM – Red Team Field Manual
  • BTFM – Blue Team Field Manual
  • Violent Python
  • Nmap Network Scanning (only for those who chew through books like candy)
  • The Hackers Playbook 2
  • Basic Security Testing with Kali Linux 2
  • Intermediate Security Testing with Kali Linux 2

Podcasts
To play on the train or in your car.

  • Security Weekly Podcast
  • Risky Business Podcast
  • Secure Digital Life Podcast/Videos (Amusing as well as interesting)
  • Daily Information Security Podcast (5-10 mins, easy short listening)

Continued Learning

Blogs

If you don’t already follow certain blogs, then you’ll soon realise just how valuable random people posting stuff can be. Often you can find answers to anything you need on a blog or a forum post.
As such, the following are some good starter pages to bookmark and reference as you go.

I’ll make edits as I receive feedback and think of other things, so check back periodically.

Enjoy.

*Added Blogs
*Updated HackTheBox
*Updated Networking Fundamentals (N10-006)
*Added OverTheWire war games – Suggested by Leithreas
*Added ‘Linux Newbie Guide‘ under Linux Essentials, Lenny Zeltser cheat sheets, Secure Digital Life Podcast/Video, Daily Information Security Podcast (Suggested by PC509) – 11/05/18
*Updated CISSP playlist – 5/11/18
*Added ‘The Big Blog Post of Information Security Training Materials‘ – 6/11/18
*Updated Networking Fundamentals (N10-007) – 30/12/18
*Updated CompTIA A+ – 25/07/19
*Replaced Cybrary courses – 25/07/19
*Added a second word of caution – 25/07/19

 

42 thoughts on “Breaking into InfoSec: A Beginners Curriculum”

  1. How can you use the info gained from everything you posted into your resume without it being actual on the job training? Hopefully, that makes sense.

    Like

  2. Thanks a lot for this guide, it’s really helping but
    the Cybrary courses you linked are not free. When i try to enroll them it says i need to upgrade my account. Or am i doing something wrong?

    Liked by 1 person

    1. Hi Chris. It may be that they have begun charging for these courses since I wrote this – that is unfortunate. I will look into a replacement suggestion. Thanks for letting me know!

      Like

    1. Depends on which certifications really – and what you believe will be relevant for whatever job for which you intend to apply. If you have just completed the study, ensure you state that you have done the course work but not taken the certification exam. If you can demonstrate you clearly have the knowledge covered within the course then when hiring, for me at least, that is acceptable. Others may have a differing opinion though.
      But, nobody likes a cert whore. Pick and choose ones that actually hold some weight.

      Like

  3. Absolutely amazing guide s3ctur, thank you very much. Currently using it as a Computer Science student to try and find a part-time job in the field. Just a small update: the most current version of the CompTIA Network+ is now the N10-007 and the N10-006 is being phased out.

    Liked by 1 person

  4. Not so sure that you need a whole ton of networking. Way I see it you need to understand that IP addresses are a thing plus that ports and services are a thing and what they do. I’m over-simplifying but IMO you won’t fail hard if your networking sucks. You *will* fail hard if you don’t understand systems administration on both linux and windows and you will fail hard if you don’t understand how web servers work.

    Like

    1. True. Career wise as a tester though, network skills will be of great benefit. The ratio of CV’s I get with experienced network knowledge vs just your standard stuff is quite significantly skewed and I will immediately look at the former simply due to the shortage.

      This is of course only representative of the skill pool that I have available within my cities and I cannot speak for the rest of the world.

      Like

  5. This is an amazing list of resources. It’s EXACTLY what I’ve been looking for! I recently signed up to go back to school for CS and in preperation I’ve been taking CS50 and the Ethical Hacking and Penetration Testing with Kali Linux courses online. I’m still a complete noob so I’m still trying to grasp a lot of this stuff but I’m obsessed now and completely fascinated. I’ll be diving deep with everything mentioned here over the summer. Thanks a ton!

    Liked by 1 person

  6. Good write up! I’m starting an interest in InfoSec and considering changing careers here in my early 30s. These all sound like really good steps to focus in on and determine if this is the field for me. Thanks

    Liked by 1 person

  7. Just wanted to say thank you so much for these resources, s3ctur. Recently got my foot in the door in Information Security and this is helping me immensely. Been following this training path for the past month now!

    Like

    1. Hey! Congratulations on jumping into the waters. Always makes me happy to hear people have gotten use out of the write up; I really need to get around to adding more.
      Keep at it! It’s a vast and interesting world.

      Like

  8. Personally I think you’d garner more useful skills at the moment in your current role with the broad range of IT exposure, however; the incident manager role would be a good forward move perhaps after 18-24 months where you are, as it will start moving you into the security space. Once you spent some time there and with study, you’d be in a much stronger position to move your way over to a more specified InfoSec role.
    This is obviously just one of the many paths you can take, and timelines will differ depending on your learning rate and opportunities.
    Such a strong aspect of being good in InfoSec is that core IT knowledge you gain in your first fews years in the industry.
    Sorry for the slow reply, I didn’t notice this comment come through.

    Like

    1. Thanks again for all the advice. I check back on this every few months to check myself a little bit. Unfortunately I didn’t get the CSIRT role as it was put on hold. I did get offered a SOC analyst role but the pay cut was too signficiant for me to take.. Currently still working on my goals to get into the field eventually. Learning quite a bit on the job working at an MSP as a network admin right now so that’s a plus. A lot of people tell me the CISSP isn’t super necessary but I think it plays a good role looking for a position in the DMV area where DoD is everywhere… It might not mean much but it certainly was hard. I actually just passed it yesterday and my brain still hurts. The wording is horrible.

      I think I’m relatively qualified for an entryish role now I just don’t know if I want to transition before I get at least a year down on paper at my current role. My past 2 jobs have both been less than 12 months in length.

      Like

  9. Hey again, here I am back after a few months of grinding. Currently in a network admin position now but wanted to know how you feel about a incident manager position and the relativity to infosec or whether it holds value. I’ve been striking out in terms of look for entry soc positions and this one happened to come up…

    Like

    1. Nice work with the network admin role, you can learn a lot there. An incident manager in a SOC would be fantastic, as you’ll be exposed to threat hunting, anomalies, and the ins and outs of incident response and breach managements.
      A lot of cyber division guys cut their teeth in a SOC. Just make sure you have career path opportunity to move on and don’t get stuck in the role.

      Like

      1. The incident manager role is in a NOC but I’m not really too sure how much benefit I would have moving to this position, as it sort of falls outside the realm of “you’re a security engineer or network engineer or systems engineer…or you’re a developer” and I haven’t been able to find too much information on career progression from there.

        Do you think I’d benefit more staying in my current role at a MSP? Its more of a broad spectrum role touching on everything from desktop support to migrations/backups. The new position would be at a fortune 100 company with a significant pay bump.. thanks for any advice!

        Liked by 1 person

      1. I didn’t follow this step by step but pretty closely. I started out in IT 1/2017 w/ my first helpdesk job. Got CompTIA A+, Net+, Sec+, CCNA in 9 months before moving to a network/sys admin role. From here I went on to get a MCSA in windows 10/server 2016 and a MCSE in cloud and platform infrastructure, and my CISSP. By this point I was already getting offers for security roles but the ones that I was getting going up, salary wise. Just recently I started a role as a security analyst working in a SOC but I don’t plan to stay here for more than a year since it seems like a lot of T1-T2 work so far despite paying more than my T3 sysadmin role…

        fyi I definitely went OD on learning other things before taking a security position but I think it helps greatly. Many that I work with don’t understand the basics of how windows server work or how certain protocols are actually used for in production environments, I think having at least a year or two in a real sysadmin job can benefit one greatly. I’ve still yet to get to the programming portions.

        Liked by 1 person

      2. That’s great progress thomas. Sysadmin fundamentals are a much needed advantage when moving to security.

        Regarding your current role in the SOC; spending 12-18 months there will greatly improve your migration to more advanced security roles. SOC’s are somewhat of a breeding ground for security professionals.

        Like

  10. Would you put overthewire on your list anywhere? Bandit has been a fun way to learn about very simple network security and linux at the same time for a complete beginner, while I go through the drier net+/ccent stuff to learn networking fundamentals.

    Like

    1. I haven’t actually come across this before. Checking out the site now, looks interesting. Thanks for pointing this out. I might go through it myself and include it in the list.

      Like

  11. This is awesome! Thank you so much for creating this. I’ve been following along with this for the most part. I’m on the part where I’m going over some AD and windows server stuff.

    How fundamental would you say the windows server/linux essentials are parts are? Would I really need to know how to install DNS/DHCP onto a server etc to get into security? Or is this more of the needing general IT experience requirement (the idea that you need to walk before you can run)

    Liked by 1 person

    1. Definitely go through the essentials. You want a solid baseline to work from when doing security work. Think of it like being a mechanic or tuner; you can’t mess with the engine unless you know how it all works.

      Like

      1. Will do, any specific tasks you would say one needs to know how to do outside of installing the basic services listed above? It’s a little hard to decide how much is enough to know given there is so much to know. I’m going through server2016/2016 install and configuring dns/DHCP/etc videos but without Enterprise experience using I’m at a loss for what else I need to know to be able to do.

        I considered just going for the MCSA but I feel like that might be a little much just to get the essentials, what is your opinion?

        Liked by 1 person

      2. The MCSA is a bit overkill for what you’re wanting to do. Sure it’d be very helpful, but if you don’t want to go that deep it’s understandable.
        The biggest things you need to develop an understanding of is:
        -DNS
        -DHCP
        -TCP/IP, ranges, subnets, network structure (extremely important)
        -Domains
        -Active Directory (inclusive of groups, memberships, privileges etc)
        -Group Policies
        -Common cmd line use such as day to day administrator commands / being able to pull information about the network, users, admins, policies / running remote commands through things like psexec / moving around the network
        -Operating System permissions
        -Network management protocols
        -SMB
        -NTLM/Kerberos

        If you can get a decent understanding of the above, you’ll be more than confident in the Windows and networking world.

        Like

  12. Thank you very much for this article! It’s great and helpful.

    One question: isn’t CISSP pretty high on the difficulty scale? It’s not something an absolute beginner should start with, no? If I recall, it’s aimed towards the managerial side of things, not the day-to-day operations. Please correct me if I’m wrong.

    Liked by 1 person

    1. Pleasure.

      CISSP is at a moderate difficulty level. It’s theory based and aimed at managerial, compliance, auditing, etc. A large majority of CISSP holders I know personally have let their certification lapse due to it being of no benefit to them. If you’re someone who performs IRAP’s a lot etc, then it will hold more merit.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.