The 90s, IRC, and breaking into cybersecurity without a degree or certs.
The idea of entering penetration testing has been a subject of debate for quite some time. Is a degree or formal education necessary to join the industry? Can individuals transition into a typical pentesting role without prior experience? Is it essential to gain experience in IT helpdesk before getting involved?
There are numerous pathways for individuals to enter the industry, and I'll share insights based on my own experience.
Throughout my childhood, I had a strong interest in computers, spending the majority of my time immersed in games like World of Warcraft and League of Legends, as well as frequenting forums such as reddit.com and various gaming communities.
During my time playing World of Warcraft and engaging in arena matches, I encountered a player on my server who had a reputation for conducting DDoS attacks. Unfamiliar with the term at the time, I turned to Google for more information and ended up exploring websites like hackforums.net, where services related to DDoS attacks were being advertised. Through this experience, I gained insight into the less sophisticated aspects of hacking, often referred to as "skiddie" behavior.
At that time, my brother got busted for hacking into several UK organizations. So, I hit him up with a bunch of questions about how to do DDoS attacks. He basically told me that what I was doing was pointless and if I really wanted to learn hacking, I should focus on "web application hacking." He hooked me up with resources like "The Web Application Hacker's Handbook" and some beginner stuff on the OWASP Top 10 vulnerabilities.
He also introduced me to IRC and hacking groups like Phrack, where I spent my nights immersed in reading about the "underground" scene of the 90s. I romanticized it greatly and believed that all the skilled hackers were proficient in writing C/asm code and exploiting buffer overflows and similar techniques.
After dedicating some time to online studying, I acquired a VPS and set up IRSSI, enabling me to join EFnet and access a channel called "Phrack." In this channel, I encountered some knowledgeable individuals who provided guidance and direction.
Looking back on the several weeks I spent experimenting with an old version of Burp Suite and delving into "The Web Application Hacker's Handbook," I wish I had approached my activities with a more structured and goal-oriented mindset. Most of my nights were spent casually exploring Burp Suite and acquainting myself with different vulnerabilities, such as Cross-Site Scripting and SQL Injection.
- I familiarized myself with the fundamentals of web security and networking, including understanding how HTTP/HTTPS protocols operate and the distinctions between various types of HTTP headers like GET and POST. Additionally, I delved into learning about the functionality of Nmap and gained knowledge about common ports often exploited by attackers, such as SSH, Telnet, SMTP, and FTP.
- After gathering basic knowledge from various sources, I decided to try my hand at bug bounty platforms like HackerOne and Bugcrowd. My aim wasn't just to make money or find bugs; I wanted to practice using tools like Nmap and Burp Suite and learn how to map out networks and IP ranges.
- It took a considerable amount of time, probably several months of randomly reading bug bounty write-ups before I finally stumbled upon my own issue in Apple.com's bug bounty program. The vulnerability I discovered was a Reflected/Stored XSS.
- After about a year, a similar pattern emerged where I would occasionally uncover low-level issues on various bug bounty programs. However, after a while, I began to feel bored and questioned whether I was wasting my time. The notion of pursuing employment in the infosec field hadn't crossed my mind at that point. I would spend my time reading and hanging out on IRC, where I often heard individuals engaged in "shady" activities express disdain for working in the "whitehat" industry, describing it as dull and unfulfilling.
- Anyway, I decided to update my LinkedIn profile and work on my resume. I thought that my hacking experience and ability to spot vulnerabilities would land me a penetration tester job easily. But I was dead wrong. After applying for several penetration tester roles for a couple of days, I realized I was getting nowhere. Recruiters kept asking me the same questions: "Do you have your OSCP?" and "Do you have any CREST certifications?"
- This setback didn't shake my confidence. I had two options: keep applying and enhance my hacking skills, or go for the OSCP certification. While some of my buddies from IRC and the old days dismissed certs, I figured they're pretty important for getting ahead, especially in cybersecurity. So, going for certification seemed like the smart move.
- I applied for a ton of roles, ranging from US-based and remote positions to ones based in the UK, and everything in between. I realized that my resume was strong enough to catch the attention of recruiters and even have calls with hiring managers.
- I got lucky with a call. I saw an alert on my LinkedIn that NCC Group was hiring for their graduate program, so I applied right away. The next day, I think I got connected with Ryan Cookson, the talent recruiter at NCC. What stood out to me was that they mentioned I'd be doing a "practical" lab to demonstrate my abilities, with no theory involved. This was a relief for me, as I'm much more comfortable with hands-on tasks.
- I had the pleasure of being interviewed by Matt Trueman, the technical director of NCC, who turned out to be an awesome guy. Our chat was comfortable, and then we moved on to the practical labs. From my personal experience, this felt more realistic than any other interviews I'd had before, as it allowed me to demonstrate what I'd actually learned rather than answering random theory questions like what TCP/IP is. I left the interview feeling good and eagerly awaited the outcome of whether I'd be accepted or not.
- After about a week of waiting, I received a call back from Ryan informing me that I had been accepted into the program, and that I would be starting as a "Junior Security Consultant." I felt a wave of relief wash over me, and it felt like an entire world of opportunities had opened up.
What I've learned from my experiences is that, technically, if I hadn't spent my time on IRC and hacking forums, and instead focused on pursuing clearer goals like obtaining the OSCP certification, I might have had an easier time with recruiters and finding work in general. However, I do believe that with the abundance of resources available nowadays, it's entirely possible to teach yourself the fundamentals of hacking. I can easily list numerous resources off the top of my head that can help with this. So, in my opinion, you don't necessarily need to start off in a helpdesk role or something similar. What's important is dedicating time to learning and mastering your skills, and then showcasing them through platforms like a blog or GitHub.
When I was younger, I thought every ezine I read from the early blackhat vs whitehat wars on IRC was so cool. I figured all the old-school hackers were right about certs and stuff. But, to be honest, a lot of them are stuck in the past. They don't want to move on from manually compiling their exploits and love to bash new hackers who use tools like Metasploit.
One important takeaway for me is that recruiters and companies highly value CREST certificates, particularly in the UK. Obtaining certifications like CRT/CPSA can significantly ease the process of securing pentesting roles. Even with 3-4 years of industry experience under my belt, I've found that the main question I still get asked is whether I have any CREST certs.
Cool Resources for people: