Knowing what path you may want to follow can be daunting enough, but actually taking the plunge and getting into the industry has been a discussion I’ve had with many noobs, and one that spurred me on to write this series.
The purpose of this series of articles is to share some unusual journeys into Infosec from a range of professionals, to encourage those that may have the perception they don’t have the experience or skill sets to join this wonderful industry!
Firstly, for those who don’t know me, I also have a non-traditional route into Infosec. I studied Ceramics (Pottery, and yes, I get sent a lot of Ghost memes), and when I left University I decided that Ceramics was not a career I wanted to pursue. I had always had an interest in Technology and some basic technical skills, like coding, and building my own PC rigs.
In 2004 I was offered an opportunity to work in recruitment, and chose to specialise in IT Security. After building some credibility within my chosen field, I was headhunted to join a pentesting company, mainly as a commercial person. Many years passed and I was presented with the opportunity to turn my hand to a technical role, as I assisted in delivering some social engineering engagements, and my technical director and managing director at the time saw the potential in my ability.
Since then I’ve become a full-time Social Engineer, Incident Manager, Trainer and now run a small team, and I will share my full journey in the final article.
Unusual Journey 1: FourOctets
I had the pleasure of speaking to FourOctets late last year about his journey into Infosec. It was the first time I had learnt about his journey; I was genuinely inspired, and I’m pretty sure you will be too!
CyberSecStu (CSS): My vision is to help break the illusion that you have to follow a certain route to have a career in infosec. Please tell me about your journey, the weirder the better?
FourOctets (FO): I didn’t graduate high school. I worked construction for a short period of time before getting a job at a call center where I would call people in the Midwest to sell tools. That job did not last long. I ended up going to a technical school to be a mechanic.
I got really lucky on my way out of technical school and got picked up to be a mechanic for a team. I made it through one race season before I was burnt out. I had photography as a hobby and working the team as a mechanic got me in as a team photographer for half a season before I moved to other contracts.
A couple of years went by and things were pretty okay but I was bored. I had tinkered with computers a lot and decided I would give a “web developers bootcamp” a try.
I did an internship or two and did some freelance stuff. I continued to take classes at the local community college to see if there was anything else.
I took a few programming classes and thought I might give Comp Sci a go, which I dropped shortly after. I took a few more classes and really liked physics. I took anything and everything that had to do with physics at the school. I soon realized that a bachelor in physics is not going to get me a job.
I started to look for IT related stuffs after taking the CCNA class at the school. I found a help desk position where I spent a year while still doing photo stuff on the weekend. I moved from help desk into automation, which was pretty much making sure print servers and the services that ran the factory automatically restarted when they died, which was all the time.
After a year and a half doing automation the sys admin got canned and they moved me internally to his position. I was not qualified by any means to do that job. I did that for a year and a half before I put in my two weeks’ notice 4 times because I didn’t have a replacement.
I had also been tinkering with malware in my free time. Watching, reading and consuming anything and everything I could. I was shit posting to Twitter about some sketchy apps and someone asked if I was looking for work.
That opportunity did not work out but I threw it out that I was looking for work in security. Someone asked me for a resume and I got a job in a SOC. I spent 90% of my free time doing anything and everything I could with security, malware, asking people if I could help in any way shape or form so that I could learn.
I would say from 2011 was all security stuff but not professionally until 2016. I didn’t even realize I could get a job doing security stuff unless I was a developer or had a degree.
To be honest the turning point for when I wanted to be in security was when I was doxed a long time ago. It blew my mind that all that info was gathered on me. That all of my accounts were taken.
CSS: Yeah, doxing is really horrible.
FO: I never even considered password reuse an issue until all my stuff was stolen. So I see how normal users don’t see it either.
CSS: What was the biggest challenge you faced when you decided to move professionally into Infosec?
FO: I also learned that my web development skills were dangerous and that I was not security minded at all and putting up vulnerable sites. That boot camp did not mention security at all.
I honestly haven’t had any big challenges moving in because of how slow of a process it’s been. I think one issue is people trying to jump into the deep end too quickly. Without the IT stuff I would be completely lost. Definitely a lot of luck.
Too narrow of a focus is what I think holds a lot of people back. I would have taken any position and slowly moved to what I wanted to do if it didn’t turn out like it has.
CSS: What do you think prevents people from making the jump? Or barriers that exist from say employers?
FO: I definitely think people hiring are afraid to take chances on people that are willing to learn and learn quickly but don’t have the professional experience they are looking for. My biggest helper was community involvement. Taking malware apart, sharing research to make up for the lack of professional experience.
CSS: Do you think the Twitter community helped in some way?
FO: 100%. I have dumped firmware with the help of folks in DM. Gotten into anti-malware groups and written virus signatures. Helped and played with hundreds of tools because of Twitter.
Twitter has been my number one source for finding stuff to learn from. People posting their blogs, research or other stuff. I got hired because of Twitter.
CSS: Excellent! Ok one last question. If someone was starting out or looking to jump into Infosec, what advice would you give them?
FO: You have to be willing to learn on your own, a lot. 90% of hacking is Googling. Don’t be afraid to ask questions even if you think it’s a stupid question. That will set you back. Get involved, slide into threads of things that interest you. Get noticed by being curious and wanting to learn.
CSS: I really appreciate you sharing this. I hope that someone reads this and makes that jump…
FO: Thank you, I appreciate the opportunity to tell. I hope more folks make the jump as well.
I would like to thank a few people for helping me out a lot. @DanielGallagher for giving me the opportunity to work with professional malware analyst and teaching me all sorts of things when I was just some random approaching him on Twitter. I would also like to thank @highmeh for giving me weekend projects to do and giving me some very helpful advice and introducing me to the person that set my resume on the right desk. @pr1ntf for not letting me throw my resume in the trash and helping me get a security job. I want to thank anyone who takes the time to help others, post guides, technical blogs. I want to thank a few groups as well. The ransomware hunting team/malware hunter team, The Many Hats Club, #Humanzoo, and Run bcc. These groups are full of extremely smart people who I have learned so much from and will continue to learn from.
So what lessons can we take from FourOctets’ journey? Firstly, pushing hard to learn and being constantly inquisitive is a quality that seems to work. Getting involved in conversations, and not being afraid to engage with the industry will always get you noticed.
I always see new people in the field getting recognised by sharing their work, especially via blog posts and especially using Twitter to help raise their profile. And FourOctets is a testament that this actually works! I also know it takes a lot of courage to put your work up for constructive feedback (and sometimes criticism), but the rewards will always outweigh the potential fear!
What is clear from FourOctets is that perseverance always pays off, so don’t be put off by your current progress, keep working at it and you will get noticed!!
Main Image Credit: The awesome piece of artwork used to head this article is called 'Back To Bits' and it was created by graphic designer Andrew Emery.