The Five Pillars of an InfoSec Professional
TL;DR:
“Mastering the basics will make you exceptional.”
Master the basics and then specialize to be an invaluable asset to your team.
To start, or level up, a career in Information Security (aka cybersecurity) you need to be proficient in five key areas of technical skills. You don’t have to master each one of them, but you need to have a good understanding of them. Whether you want to go offense or defense you will need to be functional in these five areas:
- General Computing
- Computer Networking
- Scripting and Programming
- Linux / MacOS
- Windows
Note:
I did not come up with the 5 pillars idea on my own. I believe I heard this originally during a very large conference call with someone from SANS' CyberStart program. Also, I do remember hearing the 5 areas (or close to these) laid out, and it immediately fit into my belief system of mastering the basics to become exceptional. Nonetheless, that idea was hammered home during a good butt-chewing delivered during Special Forces training where the instructor told us between flutter kicks and sprints, “We look special because we master the basics”. I have applied this to every complex task I have learned, from flying helicopters to hacking, and it has served me well. It will certainly serve you well too.
I was asked to write a paper in 2017 to help some DoD assets get a jump start on InfoSec proficiency. I took the 5 pillars and aligned a lot of resources to them. In 2019 I open sourced it to help the community and those interested in getting into the industry.
Don’t be scared! While you won’t learn it all overnight you only need the fundamentals.
If you want to excel in this industry you must also love learning. While it takes a lot of dedication, a healthy balance is definitely key. Make sure your family and friends get time with you, and make time for the hobbies you love.
Quick FAQ(ish)
Wait! Where is the hacking!? Nowhere in the list is there hacking or security.
Correct. These are the fundamentals that defense and offense alike require! More focused security paths are added to the second section of this document. Build the foundation and then build the house.
A Note about Certification Pipelines / Schools
The cert farms that tell you A+, Net+, Sec+, and CEH in 6 weeks will get you a career are stealing your money. Indeed, certifications are important and you will likely need some. However, you DO NOT need 5 in 5 weeks or 5 in 5 months. In any event, do your homework before handing anyone your money.
A Note about College Degrees
You do not need a degree in cybersecurity. In all honesty, you do not need a degree in cybersecurity. If you just have to get a degree, get it in Computer Science. There is sadly an overwhelming number of people with cybersecurity degrees who do not know their way around a keyboard and only know academic theory... they can only talk the talk without being able to walk the walk. Most degree programs do not provide nearly enough hands-on fundamentals to set someone up for success.
Typical Career Path
There is no typical career path. Some of the best cybersecurity pros were musicians prior to switching! If you have the talent (not to be confused with “the knowledge”) and drive you can work your way in. That said, a good path would be something like this:
IT Help Desk -> Systems Administrator -> Security Admin -> Specialized Security Role
You can absolutely skip right into security but you will have to study hard and practice a lot of labs that ensure you really have the 5 Pillars well-cemented.
A Note About the Image and Attraction of PenTesting
Before you start: Perhaps Penetration Testing is all that interests you – or “catching bad guys” is the only thing you want in life. Remember that learning both sides of the force will benefit you. The better your understanding of defense, the more lethal you can be on offense. There are probably 10 Blue (defense) jobs for every Red (offense) job. There are a lot of fun jobs outside of Penetration Testing. That said, Penetration testing is a blast and is addicting. It is also a lot of work and not simply pwning networks and dropping mics.
Now on to the document…
readme.txt
This document is a path forward for new, and experienced, cyber professionals in obtaining a concrete foundation of knowledge to enable them for success in the industry. Mastering the basics of each functional area is required to operate on a cyber team (or alone) in a meaningful and effective way. A lack of fundamentals in any one pillar can quickly render a team member ineffective during dynamic and rapidly evolving situations. Conversely, no one person on the team should be—or can be—a cyber unicorn.
Ideally, everyone will have a specialty they excel at in addition to a solid baseline in the fundamentals. In fact, it should not be expected that everyone completely masters each pillar. The intent is to master the fundamentals. The fundamentals are simply the primal blocks of knowledge of each topic; somewhere between the absolute basics and intermediate. As an example, a team member should understand the following: subnetting, routing, internetworking, the OSI model, packet capture, DNS, and analysis basics. This does not mean they need to be a Cisco network engineer with a CCNA.
Document Layout (roughly):
- Fundamentals and getting started
- Lab Set-Up Advice
- Security Focused Training and Immersion
- Security Career Pathways
whoami
Twitter: @DFIRmadness
- Veteran
- Former pilot
- Senior Information Security Professional
- Perpetual n00b (always learning)
- Adjunct Professor
- Aspiring SANS Instructor
I have seen folks in multiple industries who would be rockstars if only they had a solid mastery of all the basics and not simply pigeon-holed into one niche of the field.
Security Tips to Get Started
As you dive into security you should start with good security practices.
- Don’t pirate software.
- Always have your Admin Account separate from your daily driver account.
- Never click a link you didn’t ask for.
- Never use a free VPN (OK – except maybe Proton’s).
- Always check executables and files from others at virustotal.com.
- Use time-based multi-factor on critical accounts like e-mail.
- Use a password manager and have unique passwords for everything.
- Use passphrases when able. Example: 1DeerCloudSubmarine91* (see the XKCD Password Generator).
What You Need (Equipment)
You do not need a $3000 Gaming Laptop or a Desktop with 2 GPU’s and 10 TB SSD. This is completely based on your budget. You can get away with a $500 laptop if needed. I will explain.
| Level | Explanation |
|---|---|
| Good ($500) | A computer capable of web browsing and reading books. Seriously. The trade-off is you will need to pay for web-accessible labs versus building a small virtualized environment. |
| Better ($1100ish) | A laptop capable of building a small lab of 2-3 Virtual Machines. Something like an i7, 16 GB of RAM and 500 GB of storage. |
| Best ($2k+) | The sky is the limit. Something capable of cracking passwords decently (read: a mid-tier GPU), i9, 32 GB of RAM, and 1 TB of storage. |
Note: A GPU is mentioned for password cracking. You absolutely DO NOT NEED ONE to learn or level up cybersecurity. Keep in mind this document is about learning and labs you encounter will be geared towards this anyhow. You get the same training value in cracking a simple password with your CPU as you do with letting a GPU pound on a hash for 2 weeks.
The Five Pillars (Functional Areas) of Cyber Security
- General Computing
- Computer Networking
- Programming and Scripting
- Windows
- Linux
Fundamentals Breakdown
The following are key skillsets within each pillar. It is not an exhaustive list.
| Pillar | Skills |
|---|---|
| General Computing | Functions of: Science: |
| Networking | |
| Programming and Scripting | |
| Windows | Commands: Tools: |
| Linux | Commands: w, find, whoami, which, who, ss, watch, ssh, lsof, ssh-add, top, htop, sudo, nano and vim. |
Certs to Shoot for Early On
GSEC or Sec+.
NOT A+. Friends don’t let friends actually get the A+ cert!
GSEC or Sec+: If you live around a lot of Department of Defense facilities that are hiring there is a set of requirements known as 8570. You will basically need GSEC or Security + for anyone to touch you during the hiring process. SANS GSEC is the recommended cert here. It is much more expensive to go through the course but well worth it.
PenTest+: This is actually a pretty good body of knowledge to get you started. It’s miles above CEH.
CEH: Certified Ethical Hacker does not make you a penetration tester and doesn’t go very far outside of DoD circles. For the same price, you can get the course material for Penetration Testing with Kali Linux from Offensive Security. Even if you can’t pass the OSCP challenge the material and labs are well worth the $800 or so – certainly more so than CEH.
The trick when you are first starting out is to find an employer willing to pay for the certs you need or want. Get it in writing. If you can't, then understand that paying for an initial cert or two to get a job is an investment that will almost certainly have great returns.
Resources: How Do We Get ‘There’?
Now may be a good time to think about how you approach learning this mountain of information. See How to learn anything…fast by Josh Kaufman.
General Approach
- Start free and cheap to see if you like it. You may find it isn’t for you.
- While studying the five functional areas, ensure you are getting your hands on the keyboard and not just your nose in a book. Do both! Also—sprinkle in security lessons along with your general studies. Try to rotate through the five continuously so you are leveling up in all of them somewhat evenly. Of course, you can do it in a serial fashion (in order, one through five) if you want. However, these skills are perishable. This means if you go through in order and haven't touched networking in 5 months (or 2 books ago) it is going to be rusty and you will have to relearn it!!!
- Try and have fun!
- Keep an eye out for things you think you may be passionate about! You will want to specialize later on.
Recommended Security Focused Resources to go with General Studies
Hack and Detect: Leveraging the Cyber Kill Chain for Practical Hacking and its Detection via Network Forensics
The book to start with: Hack and Detect! by Nik Alleyne. This book can be purchased or viewed free with a Kindle Unlimited account. This book can’t be recommended enough for beginners and experienced folks alike. It is amazing in its presentation of both offense and defense methodologies with break downs and explanations of each and every command. This is a great book to sprinkle in along with the 5 pillars studies. Consider it the quick start guide into security.
The Cyber Mentor
The Cyber Mentor: hands down one of the first people you should start watching as you build your skill sets. He focuses on Penetration Testing. He, along with the community he has created on Discord etc., will be a great place to find motivation, knowledge, and support. Even if you want to go blue side/forensics etc., you will need an understanding of how people who penetrate networks move through them, and he does a superb job of teaching and explaining.
General Studies Resources
These resources will have materials for all or multiple pillars.
- Safari Books Online – Free for military members and families.
- Humble Bundle Books – They often (every few weeks) have cheap (12 dollars) bundles of books.
- Packtpub daily free book giveaway – Free IT and Security books given away daily! Some really good ones on occasion.
- ITPro.tv – is one of the best resources out there if you can afford it. They have tiered pricing models that start as low as $30 bucks a month! That is a crazy cheap investment to get into a career with the potential to get you to between 65K and 100K+ annually. This is the first item on the list that you are required to pay for if you choose to use them. They have current, and constantly updated, video series on everything in the five pillars and beyond. Additionally, they offer virtual labs you can remote into with step-by-step guides, test question banks, and more. It's an amazing resource.
- CBT Nuggets – A direct competitor with ITPro.TV. They have comparable pricing, virtual labs, and *really* good instructional videos. Their video library does not seem as extensive as that of ITPro.tv.
- Professor Messer – Another solid instructor that gives A LOT for free. The community there is also a great resource to connect to. He sells “notes” for 10 bucks a piece for each cert that are great overviews and resources to keep in your kit bag.
- Computerphile – an epic YouTube channel of PhDs explaining computer science and security concepts.
- Twitter – Later there will be a list of people to follow, but essentially you can get started with #infosec and #dfir and start a daily ingest of what is going on in the community. Immerse yourself!
There are so many more amazing people and channels that I will list later in the Security Specific Section.
Pillar Specific Resources
A Quick Table. Certs listed here are only pointers to good sources of learning material. In most cases, the first few chapters are probably what you need and then specific topic lookups.
General Computing
- A+ Cert videos from Professor Messer and ITPro.tv. Remember the objectives from above; you aren't actually getting the cert.
- Threads v Processes video from Udacity/Georgia Tech
- Professor Messer A+
- Associated Certifications (good references): A+
- A+ Books

Networking
- Professor Messer Network+
- malware-traffic-analysis.net - A collection of PCAPs filled with evil, along with free tutorials on how to find it with Wireshark.
- Any CCENT (Cisco Certified Entry Networking Technician) materials on ITPro.TV, Safari Books etc. Typically the first few chapters. Once it gets deep into IOS (Cisco's operating system) specific material you've hit the limit of the fundamentals.
- Todd Lammle Internetworking on ITPro - Todd Lammle gives an amazing internetworking fundamentals course in 15 minutes. Watch this often.
- ITPro 2018 CCENT Course - Remember you aren't getting the cert here, but watch the first few hours.
- Microsoft Network Fundamentals - Concise and to the point! Excellent videos.
- Associated Certifications (good references): Net+, CCENT, CCNA
- Cisco Packet Tracer - Not only is this software free for personal use, but they have some free intro courses there too.

Programming and Scripting
- learnpython.org
- Under The Wire - An awesome CTF to learn PowerShell. Walkthroughs are littered throughout the internet if you get stuck.
- Python for Beginners with Mosh - Programming with Mosh. He gets you functional in Python in 6 hours! Looks like a great course.
- Code School Season 1 - Learn to code by following along to make a video game! Season 2. You don't need to do both seasons or even all of season 1. Remember we are going for the fundamentals. The more you watch and learn the better, but it's not necessary to be a developer to get into Cyber Security.
- Microsoft Instructional videos on programming with Python
- EdX Python Course - Free course from top academic and industry leaders. A good dive into the science behind it.
- Google's Python Course
- Learn Python The Hard Way

Windows
- ITPro.tv Windows Server Windows 101 - GREAT intro course into Windows Servers and Administration. Comes with the associated E-Book!
- ITPro.tv PoSh Basics - ITPro's take on PowerShell. Great course.
- PoSh-Hunter - A jeopardy-style Capture The Flag game to learn PowerShell for InfoSec nerds.
- Microsoft Video Series on PowerShell - Another great video series on PowerShell.
- Microsoft Virtual Academy Active Directory Course - A video series on Active Directory from Microsoft.
- Cyber Mentor's Active Directory Hacking Lab - Admittedly outside the "general studies" path here, but a good one on setting the AD lab up and a quick intro, then hacking it. Remember the targeted fundamentals here... you do not need to be an MCSA (Microsoft Certified Systems Administrator) to get started.

Linux
- Over The Wire Bandit - The most fun way to learn Linux. This site has many other goodies beyond the Bandit games. Levels 0-10 are a solid intro into Linux.
- Kali Linux Revealed Free Legit PDF Download - An extensive and **FREE** professional book on using Linux!
- ITPro.tv Becoming A Linux Power User - A great video series to level up zeros, beginners and intermediate users.
- TCM's Linux Course - The TCM does it again. A well thought out course in Linux to get you started.
- Linux Journey - An amazing resource! With HTML labs you can do this anywhere on the go.
Local Lab
THERE WILL BE A DEDICATED ARTICLE TO THIS COMING SOON!
A local lab is built either on your laptop or home-built server. Again, budget dependent. Building a local lab is actually pretty easy and the process alone will teach you quite a bit. The world is using a lot of virtualized systems and networks. Any progress in learning you make here will be a win either way.
To build a local lab on your laptop you will need either of the following pieces of software (yes, there are many more, but these are the main staples and walkthroughs and tutorials for them are easy to find):
- (Paid) VMware Workstation Pro or VMware Fusion for MacOS
- (Free) VirtualBox
Sadly, you get what you pay for here. While VirtualBox works fine enough, it is certainly no VMware. You will save hours of troubleshooting and workarounds with VMware. It is expensive. Though it's probably a legal gray area, you can find keys for cheap on E-Bay. The Cyber Mentor's Active Directory Hacking Lab is a good crash course on setting up a security lab. There are a ton of YouTube walkthroughs and blogs on how to do this. More will be added here in the future.
Local Lab Cyber Range Set-Up Overview
A well-outfitted local cyber range that can run on a laptop may look something like this:
| Subnet | Hosts |
|---|---|
| Internal | Windows Domain Controller; Windows Client Machine; Sensor Platform (GRR, ELK, etc.); Vulnerable Web Server* |
| "External" (not really external, just another lab subnet) | Kali Attack Box; Vulnerable Web Server* |
Remote Labs
Another great resource is lab networks set-up and maintained for you to VPN into and go after vulnerable servers or follow along with exercises.
Hack The Box – One of the most popular pentesting lab environments. In addition, they have forensics challenges etc with stand-alone files. The community can be very welcoming and educational. You have to hack your way in to get a membership. Just follow their directions and have fun! They have free and paid tier memberships. Paid memberships are something like 12 bucks a month. Their Discord community is top-notch.
PenTester Academy – The video quality isn’t amazing, but the write-ups, walkthroughs, and lab environment are great. You can catch great deals on membership from time to time. The pricing is between $49 and $69 a month depending on when you catch them. Well worth it for the Attack and Defense Labs.
PenTester Labs – These are great labs! They are pentesting focused but they have a lot of other skills and labs for building your base knowledge. Once you get a membership you download walkthroughs and an accompanying ISO (a virtual machine image).
Security Specific Studies and InfoSec Immersion
Start your immersion immediately!
Once you have a good handle on fundamentals or need some motivation (or just a break from the more basic stuff)
VulnHub's List of Resources – A great list of security-specific resources!
Training Companies
SANS! – Hands down the best security training on the planet! The instructors are highly-vetted security professionals with time in the trenches in the area of studies that they teach. They are pricey. HINT: If you can’t afford $6-8K a course then look up how to become a SANS facilitator. By volunteering your time and efforts to help the classes happen you can get a course for about $1500 which is a steal!
A SANS cert is recognized immediately by members of the industry as truly demonstrating that the holder really understands the topic and can execute the associated skills.
Youtube Channels and Personalities
- Live Overflow – This guy breaks down complex hacking concepts into smaller easier concepts. He is a good teacher and entertaining.
- IPPSec – One of *the* best at cracking open boxes on Hack The Box and a great teacher.
- Cyber Mentor – One of the best teachers of penetration testing on the internet. He really gears his videos towards beginners with plenty of new tricks for more experienced folks to pick up.
- Paul's Security Weekly – Security Weekly is one of the best podcasts to watch. Friday shows have great tech segments. The entire show is informative and entertaining.
- Brakeing Down Security BDS Podcast – The BDS Podcast is one of the best places to stay up with current security trends.
- BDS Videos – Look around here. There are a ton of free training courses and other gems buried throughout.
- Tyler Hudak Reverse Engineer Training – A great class that is free! Tyler Hudak is one of the best in the industry and is also a great teacher.
- NahamSec – A very talented and successful bug bounty hunter and hacker who loves to share techniques with his audiences.
Twitter Accounts and Personalities
No particular order.
- Cyber Mentor (@thecybermentor)
- Jake Williams (@MalwareJake)
- Derek Root (@\_r00k\_)
- Tyler Hudak (@SecShoggoth)
- Live Overflow (@LiveOverflow)
- Brad from malware traffic (@malware_traffic)
- IPPSec (@ippsec)
- Azeria (@Fox0x01)
- Kody Kinzie (@KodyKinzie)
- Tinker (@TinkerSec)
- Jack Rhysider (@JackRhysider)
- Cyber Gibbons (@cybergibbons)
- Lesley Carhart (@hacks4pancakes)
- Paul Asadoorian (@securityweekly)
- Rob Lee (@robtlee)
- Ed Skoudis (@edskoudis)
- SANS DFIR (@sansforensics)
- MalwareTech (@MalwareTechBlog)
- Malware Unicorn (@malwareunicorn)
- Malware Breakdown (@DynamicAnalysis)
- SANS Institute (@SANSInstitute)
- Ben Sadeghipour (@NahamSec)
There are a ton more I am not recognizing here but this will get you started. Welcome to the community! And it is a community. Most hackers out there are some of the best primates on the planet who are willing to help, teach, and share.
Slack Channels
- **Brakeing Down Security**(BDS) – One of the best collections of hackers on the planet. This is easily one of the best places to hang out and chat, learn, and share. You’re never alone with the Internet nearby. You may soon find that your friends and family have little interest in your new passion.
Discord Channels
- Cyber Mentor
- Hack the Box
Podcasts
- Darknet Diaries
- Paul's Security Weekly
- Security Now
- Brakeing Down Security
- Brakeing Down Incident Response (It seems dead now but still worth listening to over and over again)
- SANS Internet Storm Center
- The Cyber Wire
- Smashing Security
- Hackable?
- Breach
Everything beyond here is in the early stages of being fleshed out:
- Career Paths and Guidance
- Materials for Moving Beyond Foundations (to the Hacking!!)
Career Paths and Guidance
How to Decide
As you work on the fundamentals you will almost certainly come across various aspects of security that interest you. All of the following are simply different flavors of hacker. They are all vital for any team to function. A general layout of the roles in the security field is (no particular order):
Red (Offensive Security):
- Penetration Tester – They find and validate vulnerabilities in networks and web applications by demonstrating an attack on that vulnerability.
- Exploit Developer – They find vulnerabilities in software and develop exploits to give an attacker unauthorized access to the software or the underlying system.
- Red Team – Similar to Penetration Testers except the aim is to not simply validate a vulnerability but to emulate a realistic threat to that particular environment. Most likely this means a longer time period for them to operate low and slow to avoid detection and remain in the network for a long(er) period of time.
Note: Offensive teams (white hat and black hat alike) are typically made up of specialists. A rough outline of that looks something like this:
- Entry Team – The team that performs the initial exploitation to gain access.
- Developers – The team ready to develop custom malware as needed.
- Post Exploitation Team – A collection of folks who are fast at privilege escalation and lateral movement.
Blue (Defensive Security):
- Security Operations Center Analyst – They analyze alerts from intrusion detection sensors and find the root cause of the issue to determine whether it is a benign anomaly or a malicious actor.
- Security Engineer – They design and build solutions to support security objectives and requirements.
- Developer – Often just another blend of Engineer or even the same title; they automate defense systems and things like forensics triage.
- Forensic Analyst – A digital Sherlock Holmes; an investigator who solves the whodunnits of cybercrime.
- Incident Responder – The digital firefighter who responds to an intrusion and determines the scope of the compromise and how to fight it.
- Threat Hunter – The digital patrolman who actively cruises the enterprise sniffing for specific clues of intrusion known ahead of time. They look in specific places for specific signs of intrusion.
General Bodies of Knowledge Per Role
None of this is “law”.
Recommended certs below are merely recommendations and in no way should this list be taken as all-inclusive or a rule to be followed. It also in no way guarantees successful employment in the respective fields.
You do not need every cert listed to work in that field!
For the SANS recommended pathway you should see their official guidance. They have a recommended road map.
Engineering
| Recommendation Type | Recommendation |
|---|---|
| Certifications | |
| Skill sets | |
Defensive Forensics and Incident Response (DFIR)
| Recommendation Type | Recommendation |
|---|---|
| Certifications | |
| Skill sets | |
Threat Hunting
| Recommendation Type | Recommendation |
|---|---|
| Certifications | |
| Skill sets | |
Malware Reverse Engineer
| Recommendation Type | Recommendation |
|---|---|
| Certifications | |
| Skill sets | |
Penetration Testing
| Recommendation Type | Recommendation |
|---|---|
| Certifications | |
| Skill sets | |